Osquery server components
To put the power of osquery into perspective, we will analyze the activities of a malware sample and look at how various malicious activities, such as persistence and the installation of root certificates, are achieved. Where necessary, we will also leverage other tools to support osquery. We first need a malware sample to work with. In this case, we will be working with the well-known Emotet banking Trojan. Emotet spreads by email: a malicious Word macro runs the dropper, which then downloads the malware. The sandbox report detailing the activities of Emotet can be found here. You can also find the VirusTotal malware summary here. We will create a Windows 7 environment on VirtualBox and intentionally infect it with Emotet.

We will then run osquery queries to retrieve the events generated by PowerShell from the powershell_events table. We also need to enable script block logging so that osquery can read the PowerShell event log channel. Once the malware is run in our sandbox environment, we can view the PowerShell events using the following osquery command:

SELECT time, script_text FROM powershell_events;

Figure 1. Exposing PowerShell scripts used during malware execution

The two lines below the PowerShell command in the figure are the script text we get once the PowerShell command is decoded. We can also use osquery to log the socket connections of each process that performs network communication, as shown below:

SELECT processes.name, process_open_sockets.remote_address, process_open_sockets.remote_port FROM process_open_sockets LEFT JOIN processes ON process_open_sockets.pid = processes.pid WHERE process_open_sockets.remote_port != 0 AND processes.name != '';

Figure 2. Exposing processes performing network communication

The query above shows the JOIN we used between the process_open_sockets and processes tables. As can be seen, PowerShell connects to two remote IPs on port 80. We can also use a query that identifies anything within the Users directory that was written to disk within the last 100 seconds, i.e. after the payload's download:

SELECT path, size FROM file WHERE path LIKE 'C:\Users\%%' AND mtime > (SELECT local_time FROM time) - 100 AND filename != '.';

Figure 3. Exposing files written to disk within the last 100 seconds

As you can see, the file squarectx.exe is extracted and executed. We can run a query to list the running processes, among which we identify the running malicious process:

SELECT processes.pid, users.username, processes.path FROM processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '';

Figure 4. Identifying the malicious running process

We can also reuse the network connection query from above to see which Command and Control server the malicious process is communicating with. This command and its output are shown below:

Figure 5. Determining the Command and Control server in communication

Some malware will attempt to make changes to the registry. In the next section, we will see how to detect these malicious registry changes using osquery.
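As an added example that is not part of the original article, the two osquery queries below extend the JOIN technique used for the network connection and recently-written-file queries above; the column names follow osquery's documented schema for the process_open_sockets, processes, users, file and time tables, and the loopback filter, parent-process join and readable timestamp are additions assumed here, not taken from the page.

```sql
-- Outbound connections with process, parent-process and user context.
-- Loopback and unspecified peers (127.0.0.1, ::1, 0.0.0.0, ::) are excluded
-- so the result focuses on remote traffic such as the PowerShell C2 check-ins
-- discussed above.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  u.username,
  pp.name          AS parent_name,
  s.remote_address,
  s.remote_port,
  s.protocol       -- 6 = TCP, 17 = UDP
FROM process_open_sockets AS s
JOIN processes AS p       ON s.pid = p.pid
LEFT JOIN users AS u      ON p.uid = u.uid
LEFT JOIN processes AS pp ON p.parent = pp.pid
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
  AND p.name != ''
ORDER BY p.pid;

-- Files written under C:\Users within the last 100 seconds, with the owning
-- user and the modification time rendered as a UTC timestamp. In osquery's
-- file table the double %% in the LIKE pattern descends into subdirectories;
-- filename != '.' drops the directory entries themselves. unix_time from the
-- time table is compared against mtime, which is also a UNIX epoch value.
SELECT
  f.path,
  f.size,
  f.mtime,
  datetime(f.mtime, 'unixepoch') AS modified_utc,
  u.username                     AS owner
FROM file AS f
LEFT JOIN users AS u ON f.uid = u.uid
WHERE f.path LIKE 'C:\Users\%%'
  AND f.mtime > (SELECT unix_time FROM time) - 100
  AND f.filename != '.'
ORDER BY f.mtime DESC;
```

Both queries can be run interactively in osqueryi on the infected Windows host or scheduled in an osquery pack so that each new connection or dropped file is logged as a differential result.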