Modern DFIR has moved from full-disk imaging to distributed, query-driven investigations that interrogate endpoints in real time using tools like Osquery and Elastic Security to get answers before attackers move laterally. The article demonstrates this at scale by reconstructing a phishing-delivered Mimikatz execution using browser history, Shimcache, Shellbags, and Prefetch artifacts without a disk image. #Mimikatz #Osquery
Keypoints
- Traditional disk-image-first forensics is no longer practical for dynamic, large-scale environments where endpoints are ephemeral and attackers move in minutes.
- Distributed, query-driven forensics (centered on Osquery) lets investigators ask targeted questions across the fleet and retrieve only the artifacts that matter in real time.
- Elastic integrates Osquery with Elastic Defend and Elastic Security to eliminate tool-switching, store results in Elasticsearch mapped to ECS, and provide curated forensic queries and packs.
- Elastic extends Osquery with additional forensic coverage (browser history, AmCache, jumplists) and contributes enhancements like YARA memory scanning and OpenHandles back to the community.
- A demonstrated investigation traced a phishing email to a downloaded discount.zip that contained Mimikatz, using browser history, file queries, Shellbags, Shimcache, UserAssist, and Prefetch to reconstruct a 26-minute human-in-the-loop attack chain.
- Osquery packs can be operationalized as scheduled detections (logs-osquery_manager.result*), enabling a feedback loop from forensic queries to SIEM rules and automated hunts across the environment.
- Combining detection (Elastic Defend) with Osquery enables rapid transition from alert to deep forensic reconstruction and immediate response actions like isolation or memory-dump collection for further analysis.
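The keypoints above describe the query-driven reconstruction in general terms. The following osquery SQL is an added example, not taken from the Elastic article or from Elastic's query packs: it shows how the same artifact classes (file and hash, Shimcache, Prefetch, UserAssist, Shellbags) can be pulled from a Windows endpoint and merged into one time-ordered view. It uses only core osquery Windows tables (file, hash, shimcache, prefetch, userassist, shellbags, users); the browser-history coverage Elastic adds is not in core osquery and its table name is not given in the summary, so it is left out here. The file names discount.zip and MIMIKATZ.EXE come from the page; the Downloads path pattern is an assumption about where the zip landed.

```sql
-- Added example (not from the original article). Osquery Windows tables only.
-- 1. Locate the suspected payload and hash it for VirusTotal triage.
--    The file/hash tables need a path or directory constraint; '%' is a
--    single-level wildcard in osquery's file path globbing.
SELECT f.path, f.size,
       datetime(f.btime, 'unixepoch') AS created_utc,
       datetime(f.mtime, 'unixepoch') AS modified_utc,
       h.sha256
FROM file AS f
JOIN hash AS h USING (path)
WHERE f.path LIKE 'C:\Users\%\Downloads\%'   -- assumed drop location
  AND f.filename = 'discount.zip';

-- 2. Shimcache (AppCompatCache): execution_flag = 1 means the binary was run.
--    Caveat: modified_time is the file's last-modified timestamp, not the
--    execution time, so it orders the chain only loosely.
SELECT entry, path, execution_flag,
       datetime(modified_time, 'unixepoch') AS file_modified_utc
FROM shimcache
WHERE path LIKE '%MIMIKATZ.EXE' OR path LIKE '%discount%';

-- 3. Prefetch: run count, last run, and the files the process touched.
--    Prefetch stores executable names in upper case, hence the IN list.
SELECT filename, run_count,
       datetime(last_run_time, 'unixepoch') AS last_run_utc,
       other_run_times, accessed_files
FROM prefetch
WHERE filename IN ('MIMIKATZ.EXE', 'OLK.EXE', 'MSEDGE.EXE', 'MSEDGEWEBVIEW2.EXE');

-- 4. UserAssist: programs launched through the GUI, per user. This is the
--    human-in-the-loop evidence; users.uuid is the SID on Windows.
SELECT u.sid, usr.username, u.path, u.count,
       datetime(u.last_execution_time, 'unixepoch') AS last_exec_utc
FROM userassist AS u
LEFT JOIN users AS usr ON usr.uuid = u.sid
WHERE u.path LIKE '%mimikatz%' OR u.path LIKE '%discount%';

-- 5. Shellbags: folders the user browsed in Explorer (e.g. the extracted zip).
SELECT sid, source, path,
       datetime(modified_time, 'unixepoch') AS modified_utc,
       datetime(accessed_time, 'unixepoch') AS accessed_utc
FROM shellbags
WHERE path LIKE '%discount%';

-- 6. One merged timeline across artifact classes, oldest first. Scheduled
--    as a pack, rows like these land in logs-osquery_manager.result* and can
--    feed a SIEM rule; run live, they answer the question in minutes.
SELECT 'shimcache' AS artifact, path AS item, modified_time AS ts
FROM shimcache WHERE path LIKE '%MIMIKATZ.EXE'
UNION ALL
SELECT 'prefetch', filename, last_run_time
FROM prefetch WHERE filename IN ('MIMIKATZ.EXE', 'OLK.EXE', 'MSEDGE.EXE')
UNION ALL
SELECT 'userassist', path, last_execution_time
FROM userassist WHERE path LIKE '%mimikatz%'
UNION ALL
SELECT 'shellbags', path, modified_time
FROM shellbags WHERE path LIKE '%discount%'
ORDER BY ts;
```

Each statement runs stand-alone in osqueryi on a Windows host; the final UNION is the one worth scheduling, since a single ordered result set is what lets an analyst read off the gap between the mail client launch (OLK.EXE), the browser download, and the MIMIKATZ.EXE execution that the article measured at 26 minutes.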
MITRE Techniques
- [T1566] Phishing – Initial access vector used to deliver the payload via a malicious link ("a phishing email offering a '100% discount' through a shared download link")
- [T1204] User Execution – The attack required the user to manually execute the payload, evidenced by GUI artifacts ("the final execution of MIMIKATZ.EXE")
- [T1003] OS Credential Dumping – Mimikatz was identified and used for credential access ("the payload is identified as Mimikatz, a well-known tool used for credential access")
- [T1547.001] Registry Run Keys / Startup Folder (Persistence) – Registry artifacts were queried to reveal persistence mechanisms ("registry keys that expose persistence mechanisms")
- [T1053] Scheduled Task/Job – Scheduled tasks were identified as potential attacker footholds during forensic queries ("scheduled tasks that reveal attacker footholds")
- [T1021] Remote Services (Lateral Movement) – Investigations and hunts looked for indicators of lateral movement across the environment ("detect signs of lateral movement")
- [T1055] Process Injection / In-memory activity – In-memory activity was examined and a memory dump was suggested for deeper analysis ("in-memory activity that may not be visible through traditional artifacts")
Indicators of Compromise
- [File names] Attack artifacts and execution evidence – discount.zip, MIMIKATZ.EXE
- [Prefetch / Executable names] Evidence of program launches used to build the timeline – OLK.EXE, MSEDGE.EXE (and MSEDGEWEBVIEW2.EXE)
- [Browser history / URLs] Initial vector context from browser artifacts – phishing download link referenced in browser history (no explicit domain provided)
- [File hashes] Reputation and triage context – file hash of discount.zip checked against VirusTotal (specific hash not provided in the article)
- [Logs / Index patterns] Osquery telemetry storage used for detection and search – logs-osquery_manager.result* (indexed Osquery results)
Read more: https://www.elastic.co/security-labs/dfir-osquery-elastic-security