![]() ![]() Nomad is easy to operate and scale and has native Consul and Vault integrations. Nomad is an easy-to-use, flexible, and performant workload orchestrator that can deploy a mix of microservice, batch, containerized, and non-containerized applications. Production-Grade Container Scheduling and Management Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. unofficial mirror of Ubuntu's cloud-init Enable Self-Service Operations: Give specific users access to your existing tools, services, and scripts OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Unified XDR and SIEM protection for endpoints and cloud workloads. Wazuh - The Open Source Security Platform. Note: I will share "nf" file and queries related to Linux as I get some time to complete them.When comparing SaltStack and OSQuery you can also consider the following projects: look for any suspicious domain connection.File Profilig - Files with mtimeDrivers with no service associated with sign status.Drivers without manufacturer name with sign status.dlllist equivalent ( with a specific pid ).pstree equivalent ( Grandparent, Parent & Child).Memory Analysis Note:I have made an effort to create the queries equivalent to Volatility Plugins ![]() Identifying the processes that makes the remote network connections and look for any suspicious connections.Identifying the excessive resources usage by a suspicious process - Excessive Memory Usage (In Bytes).WMI Process Interrogation (Parent / children of PowerShell).PowerShell Process Interrogation (Parent / children of PowerShell).Identify if the binary is signed or not.Identifying suspicious dlls loaded by any service with user_account associated with it (with hash value).Any processes spawning out of wow64 directory.Identify the processes with open pipes (look for suspicious pipe and/or process).Identifying the programs that are running from "TEMP" locations.Identifying Suspicious Processes (processes) with usernames (users).Identify the parent & Grantparent processes for all OR a given process - look for any suspicious parent, child relationships.Image File Execution Options Injection (IFEO)(debugger/GolbalFlag).WMI Event Consumers (commandline & script).look for suspicious dlls loaded by any service (with associated username & hash value of the dll).Service Creation / Modification (auto_start).Please have a look at the repo(windows) for the details. The following are the key highlights under each category. Persistence and Process Interrogations queries map to the multiple tactics & techniques/sub-techniques of MITRE ATT&CK framework. The objective of this repo is to share 100+ hunting queries (osquery) that will help cyber threat analysts (hunter/investigator) in their hunting or investigation exercises.īroadly, I have covered persistence, process interrogation, memory analysis, driver profiling, and other misc categories. Threat Hunting & Incident Investigation with Osquery
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |