Osquery example select how to#
In the previous blog post, we saw how to analyze a malware infection, stage by stage. As you can see we have detected the service “Check for updates” executing a malicious PowerShell script.īy using Osquery we can detect a lot of mechanisms and techniques frequently used by malware threats. After running a malware sample that installs a malicious service to gain persistence, we can build a query to return these results and see all details about the new service. The services table allows us to see which services have been installed in the system. Osquery can give us this information by querying the scheduled_tasks table. As you can see in the table below, two new scheduled tasks have been created after running the sample. These actions are often performed by malware, and Osquery has tables to query them.
Osquery example select install#
The query will return all files modified by the ransomware, and as we can see, they all have a new file extension “.SHRUG”.Īnother common way to gain persistence on Windows systems is to create scheduled tasks or install new services. Fortunately, this activity causes the files to change their modification timestamp, allowing us to query all files that have been modified recently. In this case, we can see in the previous image how it starts encrypting the whole “C:\” directory. This connection can be discovered by running a query similar to that one used in the Part 1 blog post to see the communication to the Command and Control server.įinally, as ransomware usually does, it tries to encrypt all of the user’s personal documents. Querying the previous key path, we obtain the installation parameters used by the ransomware to store data like installation date, victim identifier, and also the key and the Initialization Vector (IV) used for encrypting files.Īfter the registry installation, Shrug ransomware sends some data to the domain stored in the address variable. To see if any values have been added into that key, we can use the key path to search the registry table. By running a query to search for any new keys created in the HKEY_USERS hive in the last 100 seconds, as we did previously for files, we can see the new “Shrug” key. This time we can use the registry table to see if any new entry has been created in the registry. If not, it creates a new registry key with the same name to write the installation parameters. This file first checks if the system is already infected. NET framework, so we can open it again with the debugger and see some interesting parts. Running the following query, we can see how the malware has written a new entry, pointing to the ‘shrug.exe’ file discovered with the first query. This second table contains a set of predefined paths that the system uses to run programs automatically at startup.
We can also use the ‘startup_items’ table. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries in the system. We are just searching for files written on Users directories in the last 100 seconds.Īdditionally, we can search for the new entry created in the registry hive. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted on user temp directory. If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. This is a common persistence mechanism that malware droppers use in order to stay in the system. The malware will be executed every time the user logs on. NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersionRun” registry key for the user space pointing to that file. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored back. NET framework, in particular a sample of Shrug ransomware. In this case, we will analyze a piece of malware built using the. To do so, we will continue using Osquery to explore the registry and startup_items tables.
In this post, we are going to see another common technique that malware uses persistence. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload. In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior.
0 kommentar(er)
