DEF CON 29 Blue Team Village - Sebastian Provost - Yeet the leet with Osquery

This talk will show the audience how they can use Osquery to complement the functionality of EDR/MDR/XDR systems to improve overall security on endpoints. After introducing the audience to Osquery, what it is and what it can be used for, I'll introduce two C2 frameworks that can be found on github and others. Payloads generated by those frameworks will be used throughout the talk as examples to show the power of Osquery and how it can be used to detect those payloads and their actions. Combined with an intro to reverse shells and how to detect them, you should have an idea on how you can start using Osquery in your own environment. By the end of the talk, I'll give you a quick introduction on how you can setup alerting pipelines to empower yourself and/or your Security Operations team. I'll show some examples by using Splunk and Elasticsearch.