What is QueryLab?

QueryLab is a collaborative project between defenders and pen testers/red teamers. It lets pen testers/red teamers test their malware against osquery within their own environment. The project has spent time curating osquery rules to detect malware; check out the Test cases. Below we provide two options for testing your malware against osquery.

Why QueryLab?

Traditional sandboxes have the following issues:

  • No network connectivity
    • Won’t allow C2 communication
    • No way to test exfil
  • One sandbox machine doesn’t allow for analysis of lateral movement
  • The sandboxed machine is pinned to a particular OS/service version
    • Can’t test OS version specific exploits
  • Binary must be uploaded for analysis
  • Sandboxes run for a fixed time span (~5 mins)
    • No long term campaigns

QueryLab allows you to detonate your malware on your own hardware and customized environment:

  • Allow network connectivity at your discretion
  • Test lateral movement
  • Not pinned to an OS version/service version
  • This architecture doesn’t require an upload
  • Run long term campaigns

Option 1 - Community

Kolide is the tool of choice for osquery agent management. We have generated osquery installers that install osquery and call back to a Kolide instance. If you choose this option, the project maintainers will generate a report about what they discovered. Malware authors may request that additional detections be added to their case.

The hope with this option is to increase the efficacy of osquery at detecting malware. Before accepting this option, please read our consent-to-research page.

Google Form sign-up

Option 2 - Paranoid

This project understands that the development time to create malware can be lengthy. Therefore, osquery configs are provided so that individuals can detonate their own malware and analyze it themselves.

osquery configs