Malware Analysis using Osquery Part 1

July 31, 2018 | Javier Ruiz

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Tools like Sysmon and Osquery are useful in detecting anomalous behavior on endpoints. These tools give us good visibility of what’s happening on endpoints by logging multiple types of events, which we can forward to a SIEM or other correlation system for analysis.

In this blog series, we’ll analyze different malware families, looking at the types of events generated on the endpoint and how we can use Osquery to detect them.

Let's start!

Let’s start by analyzing the famous Emotet Banking Trojan, which is a continuous threat that targets a lot of countries and company sectors (The Evolution of Emotet). The dropper spreads through email phishing and downloads the malware using a malicious Office macro.

analyzing emotet banking trojan with osquery

File samples:

As we can see in the sandbox report, the Office macro executes PowerShell with an encoded command to download the payload.

PowerShell with encoded command to download payload

If we run the sample in our environment with Osquery installed, we can build a query to retrieve events generated by PowerShell from the powershell_events table. Osquery reads the Microsoft-Windows-PowerShell eventlog channel, so you need to enable Script block logging.

We can see the encoded PowerShell command and also the script text code generated after decoding the command.

Osquery to retrieve events generated by PowerShell

Once PowerShell is downloading the payload, Osquery can log socket connections opened by any process. We can do an easy JOIN between process_open_socket table and processes table to see which processes are making network connections.

Osquery logging socket connections

It’s interesting to see which files have been written on disk during the payload download. To do so, we can query the file table that stores some useful fields (file table schema). This table needs a WHERE condition to return results, so we can add some filters like Users directory and files created in the last 100 seconds for example.

files written on disk during payload download

The downloaded file from PowerShell is a Emotet dropper that extracts the final payload and executes it (squarectx.exe). Now, let’s query the system running processes. Similar to above, we can do a JOIN with users table to see the username column. Some rows have been omitted for a cleaner view.

Emotet dropper downloaded

Now we know that Emotet malware is running in our environment and probably is doing malicious things, so let’s look for signs of malware activity. For that, we reuse the query we used above to see network connections from system processes. Here, we can detect communication to the Command and Control server.

Emotet malware use OSquery to learn more

As we have seen, it is possible to analyze malware and extract valuable information using tools like Osquery that give us rich visibility of systems events.

How AlienVault uses Osquery

Osquery allows you to retrieve a wealth of events and useful information from your endpoints. This can be extremely helpful for investigating security incidents as well as threat hunting activities on your critical assets.

AlienVault leverages Osquery through the AlienVault Agent to enable threat hunting in both USM Anywhere and the Open Threat Exchange.  

The AlienVault Agent is a lightweight, adaptable endpoint agent based on Osquery and maintained by AlienVault. In USM Anywhere, the AlienVault Agent enables continuous endpoint monitoring, using the built-in AlienVault threat intelligence to automate endpoint queries and threat detection alongside your other network and cloud security events. This allows USM Anywhere to deliver endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities that are essential for complete and effective threat detection, response, and compliance.

Try it for yourself in the USM Anywhere Online Demo.

In April, AlienVault introduced the Endpoint Threat Hunter  – a free threat-scanning service in Open Threat Exchange® (OTX™) based on the AlienVault Agent. OTX Endpoint Threat Hunter allows anyone to determine if their endpoints are infected with the latest malware or other threats by manually scanning their endpoints for the presence of indicators of compromise (IoCs) that are catalogued in OTX.

Get started with OTX Endpoint Threat Hunter Free:

Here is an example of how we detected Emotet infection on an analysis system using OTX Endpoint Threat Hunter.

Osquery helpful in malware detectionIn the next posts of this blog series, we will see other malware families and explore how to detect activity like system persistence and many others techniques.

Stay tuned!



select time, script_text from powershell_events;

select, process_open_sockets.remote_address, process_open_sockets.remote_port from process_open_sockets LEFT JOIN processes ON = WHERE process_open_sockets.remote_port != 0 AND != '';

select path, size, from file where path like 'C:\Users\%%' and mtime > (select local_time from time) - 100 and filename != '.';

select, users.username, processes.path from processes LEFT JOIN users ON processes.uid = users.uid WHERE processes.path != '';






DNS requests      



Javier Ruiz

About the Author: Javier Ruiz
Javier Ruiz is a Security Researcher working in Alienvault Labs team. He is very passionate about the InfoSec world and loves to do investigation and contribute to the community. Prior to working in security roles he studied Telecommunication Engineering and also has a masters degree in cybersecurity. His main passion is focused on analyzing malware, reverse engineering and learning about new ways of attacking endpoint systems.
Read more posts from Javier Ruiz ›


Watch a Demo ›