Introducing osquery_hunter
When you're working a security incident and don't have an EDR agent or enterprise console to lean on, you still need a quick way to understand what's running on a Windows host.
That’s where osquery_hunter comes in — a simple Python-based helper that uses osquery to collect process and network data, then flags unsigned or suspicious binaries for rapid triage.
What It Does
- Lists all active processes and network sockets using osquery.
- Flags executables that are not both trusted by the local Windows trust store and signed by Microsoft.
- Displays potential LOLBIN (Living off the Land) usage.
- Helps identify unsigned or third‑party binaries still active in memory.
- Perfect for quick DFIR triage, incident response, and blue‑team checks.
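To make the flow in the list above concrete, here is an added example (not code from the osquery_hunter repository): one osqueryi query joins running processes to osquery's Windows authenticode table, and a triage pass keeps rows whose image is not both trusted and Microsoft-signed, or whose file name is a well-known LOLBIN. The query text, the triage rules and the short LOLBIN set are assumptions of this example; OSQUERYI_PATH is the variable from the Quick Start.

```python
import json
import os
import subprocess
from pathlib import PureWindowsPath

# Assumed osquery query (not the project's own): running processes joined to the
# Windows-only authenticode table so each image carries its signature verdict.
QUERY = (
    "SELECT p.pid, p.name, p.path, p.cmdline, a.result, a.subject_name "
    "FROM processes AS p LEFT JOIN authenticode AS a ON a.path = p.path "
    "WHERE p.path != '';"
)
# Deliberately short, illustrative LOLBIN set (assumption; extend from the LOLBAS project).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe"}

def run_osquery(query, osqueryi=None):
    """Run osqueryi in --json mode and return its rows as dicts (needs osquery installed)."""
    exe = osqueryi or os.environ.get("OSQUERYI_PATH", "osqueryi.exe")
    proc = subprocess.run([exe, "--json", query], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def triage(rows):
    """Keep only rows worth an analyst's attention, each tagged with its reasons."""
    findings = []
    for row in rows:
        reasons = []
        trusted = row.get("result") == "trusted"  # authenticode chain validated by Windows
        microsoft = "Microsoft" in (row.get("subject_name") or "")
        if not trusted:
            reasons.append("unsigned or untrusted signature")
        elif not microsoft:
            reasons.append("third-party signer")
        if PureWindowsPath(row.get("path") or "").name.lower() in LOLBINS:
            reasons.append("possible LOLBIN")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings

# Constructed sample rows in the shape osqueryi --json emits (not real host data).
SAMPLE_ROWS = [dict(zip(("pid", "name", "path", "result", "subject_name"), t)) for t in [
    ("812", "svchost.exe", r"C:\Windows\System32\svchost.exe", "trusted", "Microsoft Windows"),
    ("4120", "updater.exe", r"C:\Users\Public\updater.exe", "missing", ""),
    ("5204", "rundll32.exe", r"C:\Windows\System32\rundll32.exe", "trusted", "Microsoft Windows"),
    ("6310", "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe", "trusted", "Google LLC"),
]]

if __name__ == "__main__":
    for f in triage(run_osquery(QUERY)):  # live host; swap in SAMPLE_ROWS to dry-run
        print(f"{f['pid']:>6}  {f['path']}  <- {', '.join(f['reasons'])}")
```

Running `triage(SAMPLE_ROWS)` offline leaves svchost.exe out and reports updater.exe as unsigned, rundll32.exe as a possible LOLBIN and chrome.exe as carrying a third-party signature.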
Requirements
- Python: 3.10+ (tested on 3.11)
- osquery: version 5.19.0 (Windows x64)
Official download: https://osquery.io/downloads/
Verified SHA256 (osqueryi.exe):
EDA5AC01F705F976957ABD8C9D14BBD355616EBEF6C5B45F28A2AE44F53E207D
Quick Start
# 1. Create and activate a virtual environment (optional)
python -m venv .venv
. .\.venv\Scripts\Activate.ps1
# 2. Install dependencies
pip install -r requirements.txt
# 3. Run the script
python .\osquery_hunter.py
If osqueryi.exe isn’t on PATH, point to it directly:
$env:OSQUERYI_PATH = "C:\Program Files\osquery\osqueryi.exe"
Why This Project Exists
In many environments, especially air‑gapped or restricted systems, analysts don’t have EDR coverage everywhere.
osquery_hunter gives you a portable way to inspect process behavior and verify binary signatures using native Windows APIs and osquery data.
It’s open source and fully auditable — designed to complement, not replace, commercial tools.
Repository
👉 GitHub: ItsmeGSG/osquery_hunter
Closing Thoughts
The best DFIR tools are often the simplest.
osquery_hunter started as a lab helper and evolved into a compact, no‑dependency triage companion that gives you insight into what’s really happening on a Windows box.
Give it a star ⭐ on GitHub if you find it useful or extend it for your environment!
MIT Licensed — developed for educational and defensive security purposes.
Top comments (4)
Fantastic work sir!! This is exactly the kind of pragmatic, no-friction tool teams need when EDR isn’t available. The focus on native signature checks and quick LOLBIN detection will make triage actionable in minutes, especially on air-gapped or restricted hosts. A couple of ideas one might consider: optional YARA integration (or Sigma rule hooks) and a simple JSON/CSV export for easy ingestion into SIEMs/playbooks. Thanks for making it public!!
Will improve the tool with your ideas. Thank you!!
Exceptionally well written and insightful, didn’t know about it, will definitely try. Thank you sir for sharing.
Welcome Saurabh