# general
d
hey all - I am giving away a free seat in my online Osquery for Security Analysis course (LearnOsquery.com) Just thumbs up this post and reply to tell me your favorite host artifact when working an investigation. Do that by 9 PM ET Friday and you'll be entered to win!
👍 6
m
The powershell operational log is pretty magical when configured sanely. Script block logging ++
👍 1
j
shellbags, because they have the best artifact name
👍 1
h
On macOS I like looking at file metadata (mdls); on Windows, looking at file timestamp anomalies to see if a program or file was backdated to avoid detection.
👍 1
a
I've used osquery to find people avoiding our corporate monitoring systems (disabling Jamf, adding fake hosts entries for log shipping)
👍 1
r
carves for the win! A huge advantage while doing IR
👍 1
s
It's probably too late, but listing interesting file extensions in webroots/ftproots and smb shared directories is giving me nice results for detecting sensitive data shared by sysadmins violating company policy.
j
Hi @defensivedepth, did you announce a winner?
d
Yes, last night... https://twitter.com/chrissanders88/status/1117847833447501825 Thanks for submitting an entry and better luck next time! 🙂 @Michael Bailey @John Coast @harveywells @atom @reynas @srozb
h
🎉Congrats Sirius_Malware 🎉
☝️ 1