Osquery is one of the most powerful threat hunting frameworks around, and is now included with Emsisoft’s EDR solution as the first component of our new Threat Hunting panel.
What is osquery?
Osquery is an open-source query interface for indicators of compromise (IOCs) that enables you to easily query endpoints as if they were SQL databases of information, meaning you no longer need to run multiple system tools separately to get critical threat-related information. Better still, with the new Emsisoft Threat Hunting panel you can query all devices in your network at once within seconds, making it easier and faster than ever to identify and eliminate threats.
Threat hunting is all about checking your endpoints for activity and changes that are not supposed to be there. As a security analyst, you need to separate the unusual from the usual and filter out the noise of everyday activities in search of potentially malicious activity. The new Threat Hunting panel helps you achieve exactly that.
Pre-defined threat hunting queries to search for IOCs
The new panel comes with dozens of ready-to-use queries optimized for threat hunting, which you can edit to your requirements and save for frequent use.
Example IOCs:
- Check which network ports are open and which processes opened them, filtering out regular web browsing activity.
- Check if any active processes have had their underlying EXE file on disk removed.
- See what’s in your devices’ Downloads folders.
- List all programs that start automatically at boot time.
- See which services are running.
- Check which processes take up most memory.
- Verify all user-installed and self-signed certificates.
- See all scheduled tasks.
- See which programs are installed, and which browser extensions are present in Chrome, Firefox and Edge.
- Check the DNS cache and the hosts file for suspicious hosts.
- Check the status of system features like BitLocker, Windows Defender Firewall and Security Center.
- Get basic operating system information including build version, installed patches, uptime, etc.
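Two of the hunts listed above, written out as osquery SQL. This is an added illustration, not one of Emsisoft's pre-defined queries; the table and column names are osquery's own (process_open_sockets, processes, hash), while the browser names, the 80/443 exclusion and the Windows pseudo-process filter are assumed starting points to tune for your estate.

```sql
-- Hunt 1: connected network sockets with the owning process, minus ordinary web browsing.
-- Browser names and the 80/443 exclusion are constructed assumptions; adjust to your environment.
SELECT s.pid, s.protocol, s.local_address, s.local_port,
       s.remote_address, s.remote_port, s.state,
       p.name, p.path, p.cmdline, p.parent,
       h.sha256                                            -- hash of the on-disk image, for IOC lookup
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
LEFT JOIN hash AS h ON h.path = p.path
WHERE s.remote_port != 0                                   -- connected sockets only (listeners have 0)
  AND s.remote_address NOT IN ('127.0.0.1', '::1')         -- skip loopback chatter
  AND NOT (LOWER(p.name) IN ('chrome.exe', 'firefox.exe', 'msedge.exe')
           AND s.remote_port IN (80, 443))                 -- browsers talking HTTP(S) are expected
ORDER BY p.name, s.remote_port;

-- Hunt 2: running processes whose executable has been removed from disk.
-- on_disk: 1 = path exists, 0 = missing, -1 = unknown; anything other than 1 deserves a look.
SELECT p.pid, p.name, p.path, p.cmdline, p.start_time,
       p.parent, pp.name AS parent_name, pp.path AS parent_path
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent           -- parent context helps triage
WHERE p.on_disk != 1
  AND p.pid > 4;                                           -- Windows: skip Idle (0) and System (4)
```

Swap process_open_sockets for osquery's listening_ports table in the first query to see the listening side instead of outbound connections.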
Queries are performed in real-time across all online devices, and the results are displayed within seconds.
Availability
The new threat hunting feature is exclusively available for Emsisoft Enterprise Security users.
Compare Emsisoft license plans here
Note: If you’re a user of the Anti-Malware Home, Business Security or a legacy Emsisoft Anti-Malware edition and would like to use the new threat hunting features, please consider an upgrade to the Emsisoft Enterprise Security license plan. Check out the ‘Settings’ panel in your workspace for available upgrade options or get in touch with our support team.
All 2022.5 improvements in a nutshell
Device protection (desktop)
- Several minor tweaks and fixes.
Management console (web app)
- New EDR Threat Hunting panel.
- Improved deployment dialog, added support for CMD and PowerShell v5/v7.
- Several minor tweaks and fixes.
How to obtain the new version
As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.
Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trial.
Have a great and well-protected day!