DFIR SSM Cheat Sheet

It would appear that a number of folks are using the Amazon Systems Manager in concert with osquery (implemented purely as a binary).

They are running commands like the following using SSM documents. Rapid7 put together a pretty great article with some likely good queries. I’d like to put together a comprehensive cheat sheet for Windows and Linux, along with some sample write-ups on what this could be good for hunting.

osqueryi --json "SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;"

Rapid7 article for posterity: https://blog.rapid7.com/2016/05/09/introduction-to-osquery-for-threat-detection-dfir/
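
An added example (not part of the original post or the Rapid7 article) of triaging the --json output of the listening-ports query above: it drops loopback listeners and flags network-reachable ones that are missing from a per-host baseline. The sample rows, the BASELINE set and the function names exposure and triage are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of what the query above prints with --json.
# osquery emits every column value as a string.
SAMPLE_OUTPUT = """[
  {"name": "sshd", "port": "22", "address": "0.0.0.0", "pid": "812"},
  {"name": "postgres", "port": "5432", "address": "127.0.0.1", "pid": "1033"},
  {"name": "nginx", "port": "443", "address": "::", "pid": "1201"},
  {"name": "python3", "port": "4444", "address": "0.0.0.0", "pid": "7719"},
  {"name": "systemd-resolve", "port": "0", "address": "", "pid": "540"}
]"""

# Hypothetical baseline of (process name, port) pairs expected for this host role.
BASELINE = {("sshd", 22), ("nginx", 443)}


def exposure(address):
    """Classify a bind address: loopback, all-interfaces, specific or unknown."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"


def triage(raw_json, baseline=BASELINE):
    """Return network-reachable listeners that are not in the baseline."""
    findings = []
    for row in json.loads(raw_json):
        port = int(row["port"])
        # Rows without a usable port or address are treated as non-network sockets.
        if port == 0 or not row["address"]:
            continue
        scope = exposure(row["address"])
        if scope == "loopback" or (row["name"], port) in baseline:
            continue
        findings.append({"name": row["name"], "pid": int(row["pid"]),
                         "port": port, "address": row["address"], "scope": scope})
    return sorted(findings, key=lambda f: (f["port"], f["name"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print(finding)
```

In practice the JSON would come from the SSM command output for each instance, with a baseline kept per host role.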