osquery-1/docs/wiki/deployment/anomaly-detection.md
Seshu Pasam 6fab8b6083 logging: adding "counter" to differentiate initial results (#3651)
When setting up alerts for differential log data you might want to skip the
initial added records. counter can be used to identify if the added records
are all records from the initial query or if they are new records. For initial
query results that include all records, counter will be "0". For subsequent
query executions, counter will be incremented by 1. When epoch changes, counter
will be reset back to "0".
2017-09-07 15:01:15 -07:00


An osquery deployment can help you establish an infrastructural baseline, allowing you to detect malicious activity using scheduled queries.

This approach will help you catch known malware (WireLurker, IceFog, Imuler, etc.) and, more importantly, unknown malware. Let's look at the macOS startup items of a given laptop using osqueryi:

```
$ osqueryi
osqueryi> SELECT * FROM startup_items;
+--------------+----------------------------------------------------------+
| name         | path                                                     |
+--------------+----------------------------------------------------------+
| Quicksilver  | /Applications/Quicksilver.app                            |
| iTunesHelper | /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app |
| Dropbox.app  | /Applications/Dropbox.app                                |
+--------------+----------------------------------------------------------+
```

We see some pretty standard applications that run at boot, like iTunes and Dropbox.

Now imagine this same system is compromised at a later date.

We can use osquery's log aggregation capabilities to easily pinpoint when the attack occurred and what was installed.

## Looking at the logs

Using the log aggregation guide, you will receive log lines like the following in your datastore (Elasticsearch, Splunk, etc.). Note the `counter` field: it is `"0"` for the full result set a query emits on its first run (and again whenever `epoch` changes), and is incremented by 1 on every later execution, so a row with `"action": "added"` and a non-zero `counter` is a genuinely new addition rather than part of the initial baseline:

```json
{
    "name": "startup_items",
    "action":  "added",
    "columns": {
      "name":  "Phone.app",
      "path":  "/Applications/Phone.app"
    },
    "hostname":  "ted-osx.local",
    "calendarTime":  "Fri Nov  7 09:42:42 2014",
    "unixTime":  "1415382685",
    "epoch": "314159265",
    "counter": "1"
}
```

It's clear that a suspicious application called "Phone" was added to this host's set of startup items on Nov 7th at 09:42 AM.

## Case-study: WireLurker

In November 2015, Palo Alto Networks discovered a new piece of macOS malware called Wirelurker.

If you have osquery deployed, you can search for its static IOCs (indicators of compromise):

```sql
SELECT *
  FROM launchd
  WHERE path = '/Library/LaunchDaemons/com.apple.machook_damon.plist'
  OR path = '/Library/LaunchDaemons/com.apple.globalupdate.plist';
```

Better yet, you can generically detect WireLurker or other persistent malware using launchd and the following scheduled query, which will keep track of new, unique additions to your infrastructure:

```sql
SELECT path, label, program_arguments, inetd_compatibility, root_directory
  FROM launchd;
```

This method has the distinct advantage of detecting malicious applications like WireLurker based on their behaviors rather than specific IOCs.
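To show how the `counter` field turns the differential log lines above into alerts, here is an added Python example; it is not part of the osquery documentation or of the osquery project. It parses result lines like the `startup_items` record shown earlier, discards the initial `"counter": "0"` batch that every query emits on its first run and after each epoch change, and reports only rows added afterwards, both for `startup_items` and for a scheduled launchd query such as the one just given. The query name `launchd_persistence`, the hostnames, times and the `com.example.agent` row are constructed for the example; the two WireLurker plist paths are the ones quoted in the IOC query above, and a match on them is flagged while unknown additions are still reported.

```python
"""Turn osquery differential result logs into persistence alerts.

Added example, not osquery's own code. Assumes the result-log line format
shown on this page (one JSON object per line, with "action", "columns",
"epoch" and "counter").
"""
import json

# Static WireLurker launchd paths from the IOC query on this page. A hit is
# labelled, but rows that match nothing are reported as well.
KNOWN_IOC_PATHS = {
    "/Library/LaunchDaemons/com.apple.machook_damon.plist",
    "/Library/LaunchDaemons/com.apple.globalupdate.plist",
}

# Constructed sample log. "launchd_persistence" is an assumed name for the
# scheduled launchd query; hosts, times and the com.example row are made up.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = r"""
{"name": "startup_items", "action": "added", "columns": {"name": "Dropbox.app", "path": "/Applications/Dropbox.app"}, "hostname": "ted-osx.local", "calendarTime": "Fri Nov  7 09:00:00 2014", "unixTime": "1415379600", "epoch": "314159265", "counter": "0"}
{"name": "startup_items", "action": "added", "columns": {"name": "Phone.app", "path": "/Applications/Phone.app"}, "hostname": "ted-osx.local", "calendarTime": "Fri Nov  7 09:42:42 2014", "unixTime": "1415382685", "epoch": "314159265", "counter": "1"}
{"name": "startup_items", "action": "removed", "columns": {"name": "Quicksilver", "path": "/Applications/Quicksilver.app"}, "hostname": "ted-osx.local", "calendarTime": "Fri Nov  7 09:52:42 2014", "unixTime": "1415383285", "epoch": "314159265", "counter": "2"}
{"name": "launchd_persistence", "action": "added", "columns": {"path": "/Library/LaunchDaemons/com.apple.globalupdate.plist", "label": "com.apple.globalupdate", "program_arguments": "/usr/bin/globalupdate", "inetd_compatibility": "", "root_directory": ""}, "hostname": "ted-osx.local", "calendarTime": "Fri Nov  7 10:01:12 2014", "unixTime": "1415383272", "epoch": "314159265", "counter": "3"}
{"name": "launchd_persistence", "action": "added", "columns": {"path": "/Library/LaunchDaemons/com.example.agent.plist", "label": "com.example.agent", "program_arguments": "/usr/local/bin/agent", "inetd_compatibility": "", "root_directory": ""}, "hostname": "ted-osx.local", "calendarTime": "Sat Nov  8 08:00:00 2014", "unixTime": "1415462400", "epoch": "314159266", "counter": "0"}
this line is not JSON and must not abort processing
"""


def parse_result_lines(text):
    """Parse newline-delimited JSON result lines, skipping blank or garbled ones."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line is dropped, not fatal
    return events


def is_initial_result(event):
    """True for rows from a query's first run, or its first run after an epoch change."""
    return str(event.get("counter", "0")) == "0"


def select_alerts(events, watched_queries=None):
    """Return the added rows worth alerting on, in log order.

    Rows are kept only if action is "added" and counter is non-zero, i.e. they
    appeared after the baseline was taken. watched_queries optionally limits
    the result to a set of scheduled query names.
    """
    alerts = []
    for ev in events:
        if ev.get("action") != "added" or is_initial_result(ev):
            continue
        if watched_queries and ev.get("name") not in watched_queries:
            continue
        cols = ev.get("columns", {})
        alerts.append({
            "host": ev.get("hostname"),
            "query": ev.get("name"),
            "time": ev.get("calendarTime"),
            "epoch": ev.get("epoch"),
            "path": cols.get("path"),
            "known_ioc": cols.get("path") in KNOWN_IOC_PATHS,
        })
    return alerts


def format_alert(alert):
    """One-line human-readable summary for a ticket or chat notification."""
    tag = "KNOWN IOC" if alert["known_ioc"] else "new persistence entry"
    return "[{}] {} {} {} ({})".format(
        tag, alert["host"], alert["query"], alert["path"], alert["time"])


if __name__ == "__main__":
    for alert in select_alerts(parse_result_lines(SAMPLE_LOG)):
        print(format_alert(alert))
```

Run as a script it prints two lines: the `Phone.app` startup item (an unknown addition) and the `com.apple.globalupdate.plist` launchd entry (flagged as a known WireLurker IOC). The Dropbox row and the second-epoch `com.example.agent` row are suppressed because their `counter` is `"0"`, which is exactly the baseline noise the commit message at the top of this page describes.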