Introducing osquery_hunter
When you're working a security incident and don't have an EDR agent or enterprise console to lean on, you still need a quick way to understand what's running on a Windows host.
That’s where osquery_hunter comes in — a simple Python-based helper that uses osquery to collect process and network data, then flags unsigned or suspicious binaries for rapid triage.
What It Does
- Lists all active processes and network sockets using osquery.
- Flags executables that are not both trusted by the local Windows trust store and signed by Microsoft.
- Displays potential LOLBIN (Living Off the Land Binary) usage.
- Helps identify unsigned or third‑party binaries still active in memory.
- Perfect for quick DFIR triage, incident response, and blue‑team checks.
Requirements
- Python: 3.10+ (tested on 3.11)
- osquery: version 5.19.0 (Windows x64)
Official download: https://osquery.io/downloads/
Verified SHA256 (osqueryi.exe): EDA5AC01F705F976957ABD8C9D14BBD355616EBEF6C5B45F28A2AE44F53E207D
Quick Start
# 1. Create and activate a virtual environment (optional)
python -m venv .venv
. .\.venv\Scripts\Activate.ps1
# 2. Install dependencies
pip install -r requirements.txt
# 3. Run the script
python .\osquery_hunter.py
If osqueryi.exe isn’t on PATH, point to it directly:
$env:OSQUERYI_PATH = "C:\Program Files\osquery\osqueryi.exe"
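The following is an added example, not code from the osquery_hunter project, showing the triage idea behind the feature list above in working Python: it resolves osqueryi.exe through the OSQUERYI_PATH variable from the Quick Start (falling back to PATH), runs one query in osqueryi's JSON mode, and flags every running process that is not both trusted and Microsoft-signed, plus known LOLBIN names. Where the real tool verifies signatures through native Windows APIs, this example uses osquery's own Windows `authenticode` table instead; the SQL, the `LOLBIN_NAMES` list, the `sig_result` values and the sample rows are all assumptions or constructed data, not output from any real host.

```python
"""
Added example (not osquery_hunter's own code): a minimal triage pass that
joins osquery's `processes` table with its Windows `authenticode` table and
flags binaries that are not both trusted and Microsoft-signed, plus LOLBINs.
"""
import json
import os
import shutil
import subprocess

# osquery SQL joining each running process with its Authenticode verdict.
# `authenticode` is an osquery Windows table; its `result` column carries
# values such as 'trusted', 'untrusted', 'valid' or 'missing' (assumed from
# the osquery schema docs).
PROCESS_SIG_SQL = """
SELECT p.pid, p.name, p.path, p.cmdline,
       a.result AS sig_result, a.subject_name
FROM processes AS p
LEFT JOIN authenticode AS a ON a.path = p.path
WHERE p.path != '';
"""

# Legitimate Windows binaries that are frequently abused (assumed list);
# they are only *displayed* so an analyst can review the command line.
LOLBIN_NAMES = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "powershell.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe",
}


def osqueryi_path() -> str:
    """Resolve osqueryi: OSQUERYI_PATH first, then PATH, then bare name."""
    return os.environ.get("OSQUERYI_PATH") or shutil.which("osqueryi") or "osqueryi"


def run_osquery(sql: str) -> list[dict]:
    """Run one query through `osqueryi --json` and return the parsed rows."""
    out = subprocess.run(
        [osqueryi_path(), "--json", sql],
        capture_output=True, text=True, check=True,
    ).stdout
    return json.loads(out)


def is_microsoft_signed(row: dict) -> bool:
    """True only when the signature is trusted AND the subject is Microsoft."""
    subject = (row.get("subject_name") or "").lower()
    return row.get("sig_result") == "trusted" and "microsoft" in subject


def triage(rows: list[dict]) -> list[dict]:
    """Return the rows worth a human look, each with a list of reasons."""
    findings = []
    for row in rows:
        reasons = []
        if not is_microsoft_signed(row):
            reasons.append(
                f"not trusted+Microsoft-signed: {row.get('sig_result') or 'missing'}"
            )
        if (row.get("name") or "").lower() in LOLBIN_NAMES:
            reasons.append("LOLBIN")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


# Constructed sample rows in the shape `osqueryi --json` returns for the
# query above (not real output from any host).
SAMPLE_ROWS = [
    {"pid": "612", "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sig_result": "trusted",
     "subject_name": "Microsoft Windows"},
    {"pid": "4120", "name": "certutil.exe", "path": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\temp\\file.bin SHA256",
     "sig_result": "trusted", "subject_name": "Microsoft Windows"},
    {"pid": "5588", "name": "updater.exe", "path": "C:\\Users\\Public\\updater.exe",
     "cmdline": "updater.exe", "sig_result": "missing", "subject_name": ""},
    {"pid": "7012", "name": "chrome.exe",
     "path": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "chrome.exe", "sig_result": "trusted", "subject_name": "Google LLC"},
]


if __name__ == "__main__":
    # Live query only when osqueryi is actually reachable; otherwise demo rows.
    rows = run_osquery(PROCESS_SIG_SQL) if shutil.which(osqueryi_path()) else SAMPLE_ROWS
    for f in triage(rows):
        print(f"{f['pid']:>6}  {f['name']:<14} {', '.join(f['reasons'])}")
        print(f"        {f['cmdline']}")
```

On the constructed rows, svchost.exe is dropped (trusted and Microsoft-signed), certutil.exe is shown only because of its LOLBIN name, updater.exe is shown for a missing signature, and chrome.exe is shown because a valid third-party signature is still not Microsoft's. That last case is the point of the "not both" rule in the feature list: a trusted signature alone does not make a binary uninteresting for triage.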
Why This Project Exists
In many environments, especially air‑gapped or restricted systems, analysts don’t have EDR coverage everywhere.
osquery_hunter gives you a portable way to inspect process behavior and verify binary signatures using native Windows APIs and osquery data.
It’s open source and fully auditable — designed to complement, not replace, commercial tools.
Repository
👉 GitHub: ItsmeGSG/osquery_hunter
Closing Thoughts
The best DFIR tools are often the simplest.
osquery_hunter started as a lab helper and evolved into a compact, no‑dependency triage companion that gives you insight into what’s really happening on a Windows box.
Give it a star ⭐ on GitHub if you find it useful or extend it for your environment!
MIT Licensed — developed for educational and defensive security purposes.
Top comments (3)
Fantastic work sir!! This is exactly the kind of pragmatic, no-friction tool teams need when EDR isn’t available. The focus on native signature checks and quick LOLBIN detection will make triage actionable in minutes, especially on air-gapped or restricted hosts. A couple of ideas one might consider: optional YARA integration (or Sigma rule hooks) and a simple JSON/CSV export for easy ingestion into SIEMs/playbooks. Thanks for making it public!!
Exceptionally well written and insightful, didn’t know about it, will definitely try. Thank you sir for sharing.
Welcome Saurabh