Osquery-memory-forensics

For several years I have always wanted to write an Osquery extension to perform memory dumps and analysis. I never got the time to do a deep into my idea but since I have been creating some Osquery-go extensions lately I decided to take a whack at my idea. This blog post will provide a high overview of the architecture of this Osquery extension, how to generate memory dumps with Osquery, and how to remotely analyze these memory dumps with Osquery. Follow me another threat detection engineering experience with osquery-go.

• Dumping and analyzing memory with Osquery and Kolide

Setup dev env

1. go mod init github.com/CptOfEvilMinions/osquery-memory-forensics
2. go get

Compile osquery_dump table

Download bins and make

1. Download ProcDump
2. Download DumpIt
3. Copy binaries to bins/dump as procdump.exe and dumpit.exe

Make go-bindata

1. go get -u github.com/go-bindata/go-bindata/...
2. go install github.com/go-bindata/go-bindata/...
3. ~/go/bin/go-bindata -o assets/dump/bindata.go -pkg dump bins/dump/...
4. ls -lh assets/dump/bindata.go

Compile

1. GOOS=windows go build -o osquery_memory_forensic_dump.exe cmd/dump/osquery-memory-forensics-dump.go

Compile osquery_analyze table

Download bins

1. Download Volatility v3
2. Copy binary do bins/analyze as volatility.exe

Make go-bindata

1. Copy binary do bins/analyze as volatility.exe
2. ~/go/bin/go-bindata -o assets/analyze/bindata.go -pkg analyze bins/analyze/...
3. ls -lh assets/analyze/bindata.go

Compile

1. GOOS=windows go build -o osquery_memory_forensic_analyze.exe cmd/osquery-memory-forensics-analysis/osquery-memory-forensics-analyze.go

Using a different memory dumper (osquery_memory_forensics_dump)

1. Modify pkg/dumpers/dumpers.go

Using a different memory analysis framework (osquery_memory_forensic_analyze)

1. Copy new binary to bins/analyze
2. Follow instructions above to make new go-bindata
3. Modify pkg/volatility/volatility.go to support your tool with the proper commands

References

• Combine absolute path and relative path to get a new absolute path
• Go by Example: Epoch
• PsExec gets stuck on licence prompt when running non-interactively
• Package strconv
• ProcDump v9.0
• Go and file perms on Windows
• Hash checksums: MD5, SHA-1, SHA-256
• Github - getlantern/byteexec
• package byteexec
• Embedding data in Go executables
• Github - go-bindata/go-bindata
• StackOverFlow - How can I get the user's AppData folder path with golang?
• Golang hash sum and checksum to string tutorial and examples
• Package sha256
• Go: Read a whole file into a string (byte slice)
• Self-hosting Sentry With Docker and Docker-compose
• Kolide - Configuring The Fleet Binary
• DockerHub - MySQL
• DockerHub - Kolide
• Go Date and Time Formatting
• NGINX as a WebSocket Proxy
• DockerHub - NGINX
• Powershell Set-Content
• WinPmem