Improving Threat Detection Capabilities in Windows Endpoints with Osquery


Bibliographic Details
Published in: 2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS), pp. 432 - 435
Main Authors: Bakshi, Akshay; Sawant, Tanish; Thakare, Prasad; Dandawala, Azeez; Hanawal, Manjesh K.; Kabra, Atul
Format: Conference Proceeding
Language: English
Published: IEEE, 03.01.2023
Summary: Good visibility of system events is one of the important requirements for detecting malicious attacks. On Windows systems, Sysmon and Event Tracing for Windows (ETW) are popular sources of system activity logs. However, neither of them provides 'evented' activity logs, which can result in failed detections, especially when malicious attacks are of short duration. In evented activity logs, operating system information is aggregated asynchronously at event time and made available at query time, providing better contextual information about events. In this work, we build on the open-source log collection tool Osquery and enhance it to collect evented activity logs. Using our custom Osquery, we demonstrate the detection of attacks based on process hollowing techniques that Microsoft Defender fails to detect.
ISSN: 2155-2509
DOI: 10.1109/COMSNETS56262.2023.10041379