It can be difficult to remember which tables and queries to use when utilizing osquery during an investigation. This is why I created a reference handout, as a quick way to remind myself of key tables & queries to use during investigations – it covers process interrogation and uncovering common persistence mechanisms.
Download Link: Osquery-Handout
Persistence Techniques – Once an intruder gains an initial foothold on a system, they will need to establish some type of persistence so that they can return to the system even after it has been restarted. There are many different techniques to accomplish this – the chart in the handout outlines some of the most common, as well as how to uncover them using osquery.
Process Interrogation – Examination of running processes can reveal much when trying to understand what is happening on a suspect system. Use the chart in the handout to gain a better understanding of how to utilize osquery to slice and dice the processes on your system, looking for suspicious activity. The example queries focus on a modern Windows system and a few of its key system processes – svchost.exe and lsass.exe.
If you want to learn more about how to practically use osquery for security analysis, take a look at my recently released course: learnosquery.com
Defensive Depth 