This can get really tricky, especially when considering hashes of C:\Windows\system32\%% files, considering the hash values can vary drastically even on the same patch version of the system, just fyi. Once you've built out a hefty list of JSON blobs with data from the baseline system, you can then run the same queries against the compromised system and "diff" the json outputs looking for differences. I'd also recommend adding in the queries mentioned above. Osquery allow us to monitor various aspects of an operating system adopting a tabular abstraction, using a SQL syntax similar to the one used on sqlite databases. Note this definitely isn't an exhaustive list, but just some things that might be good to check. 5431 - Add Windows product version information to file table 5400 - logicaldrives table has. PS C:\Users\thor\Desktop> osqueryi -json -A certificates 3307 Various improvements to the pythonpackages table. PS C:\Users\thor\Desktop> osqueryi -json -A scheduled_tasks PS C:\Users\thor\Desktop> osqueryi -json "select f.filename, f.path, h.md5, h.sha256 from file f, hash h where h.path = f.path and f.path like 'C:\Windows\system32\%%' " We can also use osquery to detect the registry change by querying the registry osquery table. PS C:\Users\thor\Desktop> osqueryi -json "select f.filename, f.path, h.md5, h.sha256 from file f, hash h where h.path = f.path and f.path like 'C:\Windows\%' " Identifying any files dropped within the Users directory. PS C:\Users\thor\Desktop> osqueryi -json -A startup_items PS C:\Users\thor\Desktop> osqueryi -json -A users PS C:\Users\thor\Desktop> osqueryi -json -A programs What I'd recommend doing would be to get some json dumps of the tables you think might matter for your specific investigation, so perhaps something like: PS C:\Users\thor\Desktop> osqueryi -json -A drivers Lookups and click the Add new link for Lookup Table Files. Getting a baseline of what a known good Windows 7 system looks like is gunna depend a lot on what you care about. Queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. The queries are run on tables which abstracts various operating system aspects, such as processes and services. I do that because osquery doesn't allow it. This should be do-able, but your question is pretty broad. Osquery allow us to monitor various aspects of an operating system adopting a tabular abstraction, using a SQL syntax similar to the one used on sqlite databases. Our team runs osquery daemon on the computers with installed Cent OS. I thought about using a virtual machine with Mac OS, but I found an interesting way to retrieve the information I want: if I download a file using Google Chrome, I can retrieve ReferrerURL and HostURL from the Zone.Identifier file.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |