Threat Hunting with Osquery: Asking the Endpoint the Right Questions


At that point, I had spent time tracing malware execution, identifying persistence mechanisms, investigating network connections, and reconstructing attacker activity from logs.

Then I encountered Osquery.

At first, I assumed Osquery was simply another endpoint monitoring tool.

I was wrong.

Instead of showing me alerts, Osquery taught me something different.

It taught me how to ask the endpoint questions.

And surprisingly, that turned out to be one of the most valuable threat hunting skills I have learned so far.

What Makes Osquery Different?

Most security tools begin with an alert.

For example:

  • Malware detected
  • Suspicious PowerShell execution
  • New scheduled task created
  • Network connection to a known malicious IP

An analyst investigates after receiving an alert.

Osquery works differently.

Instead of waiting for alerts, analysts can directly query endpoints and retrieve information from the operating system itself.

Think of it like SQL for operating systems.

For example:

SELECT * FROM processes;

or

SELECT * FROM services;

or

SELECT * FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';

The endpoint becomes a searchable database.

This completely changed how I viewed endpoint investigations.
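As an added example (not part of the original post), here is what "the endpoint becomes a searchable database" looks like once you join tables instead of dumping one at a time. It assumes a Windows host with the standard osquery tables; the list of script interpreters in the last query is my own watchlist, not something the post prescribes.

```sql
-- Every process that is listening on a socket, joined to the binary on disk,
-- its command line, and the account it runs as.
SELECT p.pid, p.name, p.path, p.cmdline, u.username,
       l.address, l.port, l.protocol
FROM processes p
JOIN listening_ports l ON l.pid = p.pid
LEFT JOIN users u ON u.uid = p.uid
ORDER BY l.port;

-- Processes whose executable is no longer on disk: a classic sign of a
-- payload that was dropped, executed and then deleted.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;

-- Parent/child pairs where something other than a shell or Explorer spawned
-- a script interpreter (self-join of processes on the parent column).
-- The interpreter list below is an assumption: tune it to your environment.
SELECT c.pid, c.name AS child, c.cmdline,
       p.name AS parent, p.path AS parent_path
FROM processes c
JOIN processes p ON p.pid = c.parent
WHERE c.name IN ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
  AND p.name NOT IN ('explorer.exe', 'cmd.exe', 'powershell.exe');
```

The point of the first query is that three tables (processes, listening_ports, users) answer one question in one round trip; an alert-driven tool would have shown you the connection but not the parent, path and account in the same view.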

Learning the Osquery Schema

One of the first challenges I encountered was understanding the tables.

Initially, the sheer number of tables felt overwhelming.

Processes.

Registry.

Programs.

Services.

Users.

Startup locations.

Browser extensions.

The list seemed endless.

My first lesson was understanding that every table represents a different source of evidence.

Instead of memorizing tables, I focused on understanding what question each table could answer.

For example:

Programs Table

Question:

What software is installed on this host?

Answer:

SELECT * FROM programs;

Users Table

Question:

Who uses this system?

Answer:

SELECT * FROM users;

Services Table

Question:

What services are installed on this host, and what state is each one in?

Answer:

SELECT * FROM services;

The table lists every installed service, not only those currently running; the status column is what separates running services from stopped ones.

Registry Table

Question:

What values exist under a given registry key?

Answer:

SELECT * FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';

The registry table requires a key in the WHERE clause; without one the query returns no rows and osquery logs a warning about the missing required column.

Once I started approaching Osquery this way, the platform became much easier to understand.
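Added here as an example of how to find your way around the schema (this is not from the original post): the osqueryi shell has meta-commands for listing tables and columns, and the same information is reachable through plain SQL when you are querying through a fleet manager rather than the local shell. Lines beginning with a dot are osqueryi meta-commands, not SQL.

```sql
-- osqueryi meta-commands: list every table, then dump one table's columns.
.tables
.schema registry

-- The same information as ordinary SQL, which also works when the query is
-- pushed to hosts by a fleet manager instead of typed into osqueryi.
SELECT name FROM osquery_registry WHERE registry = 'table' ORDER BY name;
PRAGMA table_info(programs);

-- Which osquery build and platform you are talking to (matters because the
-- set of tables differs between Windows, macOS and Linux).
SELECT version, build_platform, config_hash FROM osquery_info;

-- Some tables only produce rows when a required column is constrained.
-- registry (key), file (path or directory), hash (path or directory) and
-- authenticode (path) are the ones you will hit first on Windows.
SELECT key, name, type, data
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
```

When a query that should obviously return something comes back empty, check for a required column with `.schema` (or `PRAGMA table_info`) before assuming the artifact is absent.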

Investigation 1 – Discovering Installed Software

One of the first practical tasks involved identifying installed software on a Windows endpoint.

Using Osquery, I queried the programs table and quickly discovered various installed applications.

This immediately demonstrated a practical use case.

Suppose a threat intelligence report identifies a vulnerable application.

Instead of manually searching every endpoint, analysts can query the programs table on each host:

SELECT * FROM programs;

and filter the results on name and version to determine whether the affected software exists.

This may sound simple, but at scale, with a fleet manager pushing the same query to thousands of endpoints, it becomes extremely powerful.

Investigation 2 – Hunting Process Execution Evidence

One of my favorite discoveries was the userassist table.

I learned that Windows records evidence of executed programs within UserAssist artifacts.

This allowed me to identify programs that had been executed on the system.

The table responsible for this evidence was:

userassist

This was particularly useful because it provided insight into user activity beyond what traditional logs immediately revealed.

Investigation 3 – Identifying a Disk Wiping Utility

During one investigation, I was tasked with identifying a program that had been executed to remove traces from the disk.

Rather than searching manually across the system, I used Osquery to examine execution evidence.

The suspicious application was:

DiskWipe.exe

This immediately raised concerns because disk wiping tools are commonly associated with anti-forensics techniques.

In a real-world investigation, this would warrant further review to determine whether the activity was legitimate or malicious.
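Added example (not code from the original post) covering both Investigation 2 and Investigation 3: an execution-history query over the userassist table, first as a timeline per user and then narrowed to names that suggest wiping or cleaning tools. It assumes a Windows host and that users.uuid holds the account SID, which is how osquery exposes it on Windows. The name patterns in the second query are my own; adjust them to whatever the case calls for.

```sql
-- Programs launched through the Explorer shell, per user, most recent first.
-- UserAssist is stored ROT13-encoded under each user's NTUSER hive; osquery decodes it.
SELECT u.username,
       ua.path,
       ua.count,
       datetime(ua.last_execution_time, 'unixepoch') AS last_run
FROM userassist ua
LEFT JOIN users u ON u.uuid = ua.sid
WHERE ua.path LIKE '%.exe'
ORDER BY ua.last_execution_time DESC;

-- Narrow to anti-forensics style tooling. Match on the file name rather than a
-- full path, because UserAssist entries can start with a known-folder GUID
-- instead of a drive letter.
SELECT u.username,
       ua.path,
       ua.count,
       datetime(ua.last_execution_time, 'unixepoch') AS last_run
FROM userassist ua
LEFT JOIN users u ON u.uuid = ua.sid
WHERE ua.path LIKE '%wipe%.exe'
   OR ua.path LIKE '%shred%.exe'
   OR ua.path LIKE '%clean%.exe'
   OR ua.path LIKE '%erase%.exe'
ORDER BY ua.last_execution_time DESC;
```

Two caveats a practitioner should carry into the report: UserAssist only records launches that went through the Explorer shell (Start menu, double-click), so a tool run from cmd.exe or a script will not appear here, and the count and timestamp describe the most recent launch, not every one. Corroborate with Prefetch, Sysmon Event ID 1 or Security 4688 before stating how often something ran.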

Investigation 4 – Finding a VPN

Another task involved identifying VPN software installed on the endpoint.

Again, rather than manually browsing installed applications, I simply queried installed programs.

The VPN identified was:

ProtonVPN

This highlighted another useful threat hunting scenario.

Analysts can quickly determine:

  • What software is installed
  • Whether unauthorized VPN software exists
  • Whether policy violations have occurred

without physically accessing the endpoint.
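Added example (not from the original post) serving Investigation 1 and Investigation 4: two hunts over the programs table, one for unauthorized software by name or publisher, one for a vulnerable version range. It assumes a Windows host; the product name and the version threshold in the second query are hypothetical placeholders standing in for whatever the threat intelligence report names.

```sql
-- Policy check: VPN clients, matched on name or publisher. Extend the list to
-- whatever your acceptable-use policy actually names.
SELECT name, version, publisher, install_location, install_date
FROM programs
WHERE name LIKE '%VPN%'
   OR publisher LIKE '%Proton%'
   OR name LIKE '%OpenVPN%'
   OR name LIKE '%WireGuard%'
ORDER BY name;

-- Exposure check for a hypothetical advisory: "ExampleApp before 23.0".
-- version is a TEXT column, so '9.1' > '23.0' as a string. Casting to REAL
-- parses the leading numeric prefix ('22.01 (x64)' becomes 22.01), which is
-- good enough for a major.minor cut-off; anything without a numeric prefix
-- casts to 0 and is listed too, so review those rows by hand.
SELECT name, version, publisher, install_location
FROM programs
WHERE name LIKE 'ExampleApp%'
  AND CAST(version AS REAL) < 23.0
ORDER BY version;

-- Software installed in user-writable locations rather than Program Files,
-- which is where per-user and unsanctioned installs tend to land.
SELECT name, version, publisher, install_location
FROM programs
WHERE install_location LIKE 'C:\Users\%'
ORDER BY install_location;
```

programs is built from the registry Uninstall keys, so portable executables that were never "installed" will not show up here; pair it with the userassist and autoexec queries for those.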

Investigation 5 – Service Enumeration

One task required identifying the number of running services on the endpoint.

The answer revealed:

215 Running Services

While the task itself was simple, it reinforced an important concept.

Every running service represents:

  • Potential attack surface
  • Potential persistence mechanism
  • Potential evidence source

Services often become valuable indicators during investigations.
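As an added example (not from the original post), here is how the running-service count is obtained, and how the same table turns into a hunt rather than a number. It assumes a Windows host; the "user-writable location" patterns are my own starting list.

```sql
-- The count the exercise asked for.
SELECT COUNT(*) AS running_services
FROM services
WHERE status = 'RUNNING';

-- Breakdown by state and start type, useful as a baseline for the host.
SELECT status, start_type, COUNT(*) AS n
FROM services
GROUP BY status, start_type
ORDER BY n DESC;

-- Services whose binary lives somewhere a normal user can write to.
-- Legitimate services almost never do; attacker-installed ones often do.
-- path can be quoted and can carry arguments, hence the loose LIKE matches.
SELECT name, display_name, status, start_type, user_account, path
FROM services
WHERE path LIKE '%\Users\%'
   OR path LIKE '%\AppData\%'
   OR path LIKE '%\Temp\%'
   OR path LIKE '%\ProgramData\%'
   OR path LIKE '%\Public\%'
ORDER BY name;

-- Auto-start services running as a named account rather than a built-in one:
-- worth reviewing for credential exposure and for services added by hand.
SELECT name, display_name, start_type, user_account, path
FROM services
WHERE start_type = 'AUTO_START'
  AND user_account NOT LIKE 'LocalSystem'
  AND user_account NOT LIKE 'NT AUTHORITY\%'
  AND user_account NOT LIKE 'NT SERVICE\%'
ORDER BY name;
```

A matching path is not a verdict; it is a short list to check against the hash, signature and install history of the binary.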

Investigation 6 – Hunting Startup Persistence

One of the most practical exercises involved identifying programs that automatically execute when a user logs in.

Using the autoexec table, I discovered a suspicious batch file:

batstartup.bat

Further investigation revealed the complete location:

C:\Users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\batstartup.bat

This was an excellent reminder that attackers frequently abuse startup locations to maintain persistence.

Finding persistence often begins with asking simple questions.

What starts automatically?

What should not be there?

Who created it?

Osquery provided those answers quickly.
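Added example (not code from the original post) for the three questions above: what starts automatically, what should not be there, and what can osquery tell you about the file itself. It assumes a Windows host. The join to the file and hash tables only matches rows where autoexec's path is a plain file path; entries that carry arguments (some services and scheduled tasks) will drop out of the second query, so run the first one too.

```sql
-- 1. What starts automatically? autoexec aggregates services, scheduled tasks,
--    startup items and more, and the source column says which table each came from.
SELECT name, path, source
FROM autoexec
ORDER BY source, name;

-- 2. What should not be there? Startup-folder entries and script files,
--    enriched with creation/modification times and a SHA-256 for pivoting.
SELECT a.name,
       a.path,
       a.source,
       datetime(f.btime, 'unixepoch') AS created,
       datetime(f.mtime, 'unixepoch') AS modified,
       f.size,
       h.sha256
FROM autoexec a
JOIN file f ON f.path = a.path
JOIN hash h ON h.path = a.path
WHERE a.path LIKE '%\Start Menu\Programs\Startup\%'
   OR a.path LIKE '%.bat'
   OR a.path LIKE '%.cmd'
   OR a.path LIKE '%.vbs'
   OR a.path LIKE '%.ps1'
ORDER BY f.btime DESC;

-- 3. The Run keys directly, for every loaded user hive plus the machine hive.
--    The registry table expands a single '%' in the key to one level of subkeys.
SELECT key, name, type, data
FROM registry
WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
   OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
ORDER BY key, name;
```

The creation time from the second query gives you the pivot for "when": take it back into Sysmon or the Security log to find the process that wrote the file, which is what finally answers "who created it".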

Challenges I Faced

My biggest challenge was resisting the urge to search randomly.

Coming from Sysmon investigations, I initially wanted to examine everything.

Osquery forced me to slow down.

The key lesson became:

Do not start with data.

Start with a question.

For example:

What software is installed?

What services are running?

What users exist?

What startup programs exist?

What registry keys exist?

Once I learned to frame investigations as questions, the answers became easier to find.

SOC Analyst Report Notes

Executive Summary

Osquery was used to gain endpoint visibility and perform threat hunting on a Windows host.

Multiple endpoint artifacts were examined including installed software, user execution history, running services, registry values, and startup persistence mechanisms.

Findings

  • UserAssist artifacts revealed evidence of executed applications.
  • DiskWipe.exe execution identified.
  • ProtonVPN software installed on the endpoint.
  • 215 running services identified.
  • Startup persistence mechanism discovered through batstartup.bat.
  • Startup file located within user Startup folder.

Recommendations

  • Monitor UserAssist artifacts during investigations.
  • Review execution of disk wiping utilities.
  • Audit VPN software installations.
  • Periodically review startup locations for persistence.
  • Use Osquery for proactive threat hunting across endpoints.

Final Thoughts

Before learning Osquery, I viewed endpoint investigations primarily through logs and alerts.

Sysmon showed me what happened.

Osquery helped me understand what currently exists.

That distinction is important.

Logs tell the story of past activity.

Osquery lets analysts interrogate the endpoint's current state directly, and, when run as the osqueryd daemon with scheduled queries, it also logs how that state changes over time.

Together, they make a powerful combination for endpoint security monitoring and threat hunting.

The most valuable lesson from this exercise was learning to ask better questions.

Because in threat hunting, the quality of the answer often depends on the quality of the question.

Enjoyed this?

Explore more intriguing topics and take a look at my cybermap for more.