Detecting new malware with osquery

Presented at THOTCON 0xA (2019), May 3, 2019, 2:30 p.m. (25 minutes)

Osquery is a very popular tool, especially on Mac and Linux systems. While it is perhaps more mature on those platforms, it is still extremely useful in Windows environments, and we know workstations get attacked by malware often. In this talk, we will look at ways osquery can let us detect new malware, on Mac, but also on Windows, and in Docker environments. Specifically, we will look at: monitoring startup items and processes, identifying suspicious files, carving those files, monitoring lateral movement, detecting suspicious PowerShell keywords, extracting information from weird crashes, using osquery to ship only relevant Windows Event Logs from workstations, and bringing it all back together to detect situations that might be caused by malware. In order to ensure bingo cards get filled, the words MACHINE and LEARNING will most likely be yelled at some point.


Presenters:

  • Guillaume Ross
    Guillaume has been a consultant helping companies secure their stuff, managed blue teams, and researches IT defense problems.
