In this article, we take a look at osquery and how it can be used to query the security, reliability and compliance state of systems within your network environment. This is not a complete beginner's tutorial covering the basic installation process; rather, it serves as an overview of the capabilities of the tool for security professionals.
To put the power of osquery into perspective, we will analyze the activities of a malware sample and look at how osquery exposes malicious behaviour such as persistence and the installation of root certificates. We will also, where necessary, leverage other tools to support osquery.
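As an added illustration of the kind of queries this walkthrough relies on (example queries written for this article, not taken from the osquery project or the original post), the following osqueryi statements surface the two behaviours named above on a Windows host. They assume the standard osquery Windows tables `startup_items`, `scheduled_tasks` and `certificates`; the store name casing (`Root`) and the path filters are assumptions to adjust for your environment.

```sql
-- Persistence: autostart entries (Run keys, Startup folders) whose binary lives
-- outside the usual program directories; malware droppers commonly land in
-- user-writable paths such as %APPDATA% or %TEMP%.
SELECT name, path, source, status, username
FROM startup_items
WHERE path NOT LIKE 'C:\Program Files%'
  AND path NOT LIKE 'C:\Windows\%';

-- Persistence: scheduled tasks whose action runs something from a
-- user-writable location.
SELECT name, action, path, enabled, last_run_time
FROM scheduled_tasks
WHERE action LIKE '%\Users\%'
   OR action LIKE '%\AppData\%'
   OR action LIKE '%\Temp\%';

-- Trust tampering: self-signed certificates present in a machine or user
-- ROOT store, newest first, with the SHA1 fingerprint for cross-checking
-- against a sandbox or VirusTotal report.
SELECT common_name, issuer, sha1, store_location, store, username, not_valid_before
FROM certificates
WHERE lower(store) = 'root'
  AND self_signed = 1
ORDER BY not_valid_before DESC;
```

Run each statement in `osqueryi` on a clean baseline of the VM first, then again after infection; the rows that appear only in the second run are the candidates to investigate.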
Obtaining the malware sample
We will need to obtain a malware sample to work with. In this case, we will be working with the well-known Emotet banking Trojan. Emotet spreads by email: a malicious Word macro acts as the dropper, running and downloading the payload. The sandbox report detailing the activities of Emotet can be found here. You can also find the VirusTotal malware summary here.
We will create a Windows 7 environment on VirtualBox and intentionally infect it with Emotet. We will then