The goal of this home lab is to familiarize yourself with Osquery and its capabilities for threat detection and investigation. By setting up a lab environment, you'll gain hands-on experience with querying system information and using it to identify potential security threats. Osquery is an open-source tool that allows you to query your devices (Windows, macOS, Linux) for various system information in a SQL-like language. It provides deep visibility into your systems, which makes it an excellent tool for threat hunting and investigation.
This Home-Lab covers:
- Requirement
- Lab Diagram
- Setting up Osquery Lab
- Excercises- Persistence
- Exercises-Memory Analysis
- Exercises- Process Interrogation
- Hardware:
- Computer with at least 16GB RAM and dual-core processor
- VM/ISO Image:
- Windows 11 OVA image
- Ubuntu Server 22.04 OVA image
- Wazuh OVA image
- Install Osquery on Windows 11 machine
- Install Osquery on Ubuntu Server
- Registry Run Keys / StartUp Folder: Examines registry keys and startup folders to identify programs set to run automatically when the system starts up.
- RunKeys (with hashvalue): Queries registry keys associated with automatic execution and retrieves hash values of the files linked to these keys.
- Security Support Provider: Investigates the Security Support Provider (SSP) configurations, which are crucial for authentication mechanisms in Windows systems.
- Service Creation / Modification (auto_start): Monitors changes to Windows services, particularly focusing on modifications related to automatic start settings.
- Look for suspicious DLLs loaded by any service (with associated username & hash value of the DLL): Identifies services loading suspicious DLLs, providing details such as associated usernames and hash values of the DLLs.
- WMI Event Consumers (command line & script): Investigates Windows Management Instrumentation (WMI) event consumers, which can include command lines or scripts triggered by events.
- WMI Process Interrogation: Queries WMI for information about running processes, allowing investigation into process-related activities.
- Application Shimming: Looks for instances of application shimming, a technique used to intercept calls between applications and the Windows operating system.
- Print Processors - Reg Keys: Examines registry keys related to print processors, which are responsible for converting print data into a format suitable for printing.
- Look for suspicious print drivers: Identifies potentially malicious print drivers installed on the system, which could be used to compromise print services.
- Image File Execution Options Injection (IFEO)(debugger/GlobalFlag): Investigates Image File Execution Options (IFEO) registry keys for evidence of debugger or GlobalFlag manipulation, commonly used in injection attacks.
- PowerShell Process Interrogation: Queries PowerShell processes to gather information about their execution and potential usage in malicious activities.
- pslist equivalent: Retrieves a list of running processes similar to the pslist command, providing details such as process ID, parent process ID, user, and executable path.
- pstree equivalent (Parent & Child): Generates a hierarchical view of processes, displaying parent and child relationships similar to the pstree command.
- pstree equivalent (Grandparent, Parent & Child): Expands upon the pstree equivalent by including grandparent, parent, and child relationships, offering a more comprehensive view of process ancestry.
- dlllist equivalent (with a specific PID): Lists the dynamic-link libraries (DLLs) loaded by a specific process ID, similar to the dlllist command in memory analysis tools.
- dlllist - load all the DLLs: Retrieves a list of all loaded DLLs across all running processes, providing insight into shared libraries in memory.
- getsids equivalent: Retrieves security identifiers (SIDs) associated with processes, akin to the getsids command in memory analysis tools, aiding in identifying process ownership.
- svcscan equivalent: Scans for Windows services running on the system, akin to the svcscan command, assisting in the identification of services and their configurations.
- netscan equivalent: Conducts a scan of network-related information such as open ports, listening sockets, and established connections, similar to the netscan command in memory analysis tools.
- Code Injection: Detects instances of code injection, a common technique used by malware to execute arbitrary code within legitimate processes, thereby evading detection.
- malfind (not exactly) equivalent: Although Osquery doesn't have a direct equivalent to malfind, it can be used in combination with other queries to identify suspicious memory regions or artifacts indicative of malware presence.
- Parent & Grandparent Process Identification: Identifies parent and grandparent processes, aiding in the detection of suspicious process relationships.
- Suspicious Processes with Usernames:: Associates processes with usernames to detect suspicious activity under unauthorized accounts.
- Programs Running from "TEMP" Locations: Identifies processes running executables from temporary locations, often used by malware for evasion.
- Processes with Open Pipes: Detects processes with open pipes, indicative of potential inter-process communication or malicious activity.
- Processes Originating from wow64 Directory: Monitors processes originating from the wow64 directory, which may indicate compatibility layers or potential threats.
- Suspicious DLLs Loaded by Services with User Accounts: Detects services loading suspicious DLLs and associates them with user accounts, aiding in identifying malicious services.
- Binary Signature Verification: Checks if binaries are digitally signed, helping to identify potentially malicious or tampered executables.
- PowerShell & WMI Process Interrogation: Investigates parent and child processes related to PowerShell and WMI, common targets for malicious activity.
- Excessive Memory Usage Detection: Monitors processes for excessive memory usage, which may indicate memory-resident threats.
- Remote Network Connection Monitoring: Identifies processes making remote network connections and examines them for suspicious behavior.