Osquery Cheat Sheet – Process Interrogation & Persistence Techniques

It can be difficult to remember which tables and queries to use when utilizing osquery during an investigation. This is why I created a reference handout, as a quick way to remind myself of key tables & queries to use during investigations – it covers process interrogation and uncovering common persistence mechanisms.

Download Link: Osquery-Handout

Persistence Techniques – Once an intruder gains an initial foothold on a system, they will need to establish some type of persistence so that they can return to the system even after it has been restarted. There are many different techniques to accomplish this – the chart in the handout outlines some of the most common, as well as how to uncover them using osquery.

Process Interrogation – Examination of running processes can reveal much when trying to understand what is happening on a suspect system. Use the chart in the handout to gain a better understanding of how to utilize osquery to slice and dice the processes on your system, looking for suspicious activity. The example queries focus on a modern Windows system and a few of its key system processes – svchost.exe and lsass.exe.

If you want to learn more about how to practically use osquery for security analysis, take a look at my recently released course: learnosquery.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

search previous next tag category expand menu location phone mail time cart zoom edit close