Improving Threat Detection Capabilities in Windows Endpoints with Osquery

Akshay Bakshi, Tanish Sawant, Prasad Thakare, Azeez Dandawala, Manjesh K. Hanawal, Atul Kabra

2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS) (2023)

Abstract
Good visibility of system events is one of the important requirements for detecting malicious attacks. On Windows systems, Sysmon and Event Tracing for Windows (ETW) are popular sources of system activity logs. However, neither of them provides "evented" activity logs, which can lead to failed detections, especially when malicious activity is short-lived. In evented activity logs, operating system information is aggregated asynchronously at event time and made available at query time, providing better contextual information about each event. In this work, we build on the open-source log collection tool Osquery and enhance it to collect evented activity logs. Using our custom Osquery, we demonstrate the detection of attacks based on process hollowing techniques that Microsoft Defender fails to detect.
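The abstract's argument that point-in-time queries miss short-lived activity can be illustrated with a small simulation. This is an added example, not code from the paper or from Osquery; the process list, the timings and the detection rule are all constructed, and the two functions stand in for a polled snapshot table versus evented collection.

```python
"""Constructed simulation: polled snapshot queries vs evented process collection."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    name: str
    start: float   # seconds since boot when the process started
    end: float     # seconds since boot when the process exited
    parent: str    # image name of the parent process (context captured at event time)


# Constructed sample: two long-lived system processes and one shell that lives 0.5 s.
SAMPLE = [
    ProcEvent(100, "explorer.exe", 0.0, 600.0, "userinit.exe"),
    ProcEvent(200, "svchost.exe", 0.0, 600.0, "services.exe"),
    ProcEvent(300, "cmd.exe", 12.3, 12.8, "winword.exe"),
]


def snapshot_query(procs, t):
    """What a point-in-time process table would return at time t."""
    return {p.pid: p for p in procs if p.start <= t < p.end}


def poll_detection(procs, interval, horizon, rule):
    """Run `rule` against the snapshot table every `interval` seconds.

    Only processes alive at a sampling instant can ever be flagged."""
    hits, t = set(), 0.0
    while t <= horizon:
        for p in snapshot_query(procs, t).values():
            if rule(p):
                hits.add(p.pid)
        t += interval
    return hits


def evented_detection(procs, rule):
    """Evented collection: every start event is recorded with its context
    when it happens, so lifetime no longer matters for detection."""
    return {p.pid for p in procs if rule(p)}


def suspicious_parent(p):
    """Constructed example rule: a command shell spawned by an Office process."""
    return p.name == "cmd.exe" and p.parent == "winword.exe"


if __name__ == "__main__":
    print("polled every 30 s :", poll_detection(SAMPLE, 30.0, 600.0, suspicious_parent))
    print("evented           :", evented_detection(SAMPLE, suspicious_parent))
```

Shortening the polling interval to a fraction of a second does catch the shell in this toy case, but only at the cost of querying the whole process table many times a second, which is the overhead evented collection avoids.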
Keywords
Osquery, Windows, Process Hollowing