The threat actor also utilized open-source tools like ossec-win32 and OSQuery to query additional endpoint information.