
anomaly detection using osquery

theopolis edited this page Nov 8, 2014 · 13 revisions

Introduction

One application of the visibility provided by osquery is malfeasant anomaly detection. A deployment of osquery will immediately establish a baseline of information provided by the configured/scheduled queries.

Let's start with a simple select-all in osqueryi:

SELECT * FROM startup_items;

+--------------+----------------------------------------------------------+
| name         | path                                                     |
+--------------+----------------------------------------------------------+
| Quicksilver  | /Applications/Quicksilver.app                            |
| iTunesHelper | /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app |
| Dropbox.app  | /Applications/Dropbox.app                                |
+--------------+----------------------------------------------------------+

The first time this runs on my test system I'll see the expected results, but across an enterprise of 1000+ hosts "expected" is loosely defined.

Now, let's act "maliciously" and add a new item to the startup list and run the query again:

SELECT * FROM startup_items;

+--------------+----------------------------------------------------------+
| name         | path                                                     |
+--------------+----------------------------------------------------------+
| Quicksilver  | /Applications/Quicksilver.app                            |
| iTunesHelper | /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app |
| Dropbox.app  | /Applications/Dropbox.app                                |
| Wireshark    | /Applications/Wireshark.app                              |
+--------------+----------------------------------------------------------+

Looks like a pesky /Applications/Wireshark.app was added. So how do we see this at scale? If this query runs as a scheduled query, osqueryd will log the differential event (to whatever logging plugin you have configured).

Logging Anomalies

See Log Aggregation for a short overview of collecting osquery logs.

{
  "action": "added",
  "calendarTime": "Fri Nov  7 09:42:42 2014",
  "columns": {
    "name": "name",
    "path": "/Applications/Wireshark.app"
  },
  "hostname": "awesome-laptop.local",
  "name": "startup_items",
  "unixTime": 1415382685
}

Now consider the recent WireLurker malware. Instead of searching for the known launchd IOCs (which you can definitely do with osquery) that Palo Alto's WireLurkerDetector looks for:

/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist

we can schedule a query:

SELECT path, label, program_arguments, inetd_compatibility, root_directory FROM launchd;

and alert on differential additions. Where the original baseline, SELECT COUNT(*) FROM launchd;, may return hundreds of items, the differentials going forward should be far fewer.
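The alerting step described above, as an added example that is not part of this wiki page or the osquery project: a small Python pass over an osqueryd results log that flags every newly added row for the startup_items and launchd queries. The log lines are constructed for the example and follow both shapes osqueryd can emit (one event per row with an "action", or a batched "diffResults" object); the hostname field and the sample rows mirror the page's own output.

```python
import json

# Scheduled queries whose differential "added" rows should raise an alert.
WATCHED_QUERIES = {"startup_items", "launchd"}

# Constructed sample of an osqueryd results log: one JSON object per line.
# Includes a per-row event, a batched diffResults event, an unwatched query,
# and a truncated line to show that a bad line is skipped, not fatal.
SAMPLE_LOG = r"""
{"name": "startup_items", "hostname": "awesome-laptop.local", "action": "added", "columns": {"name": "Wireshark", "path": "/Applications/Wireshark.app"}, "unixTime": 1415382685}
{"name": "startup_items", "hostname": "awesome-laptop.local", "action": "removed", "columns": {"name": "Dropbox.app", "path": "/Applications/Dropbox.app"}, "unixTime": 1415382685}
{"name": "launchd", "hostname": "awesome-laptop.local", "diffResults": {"added": [{"path": "/Library/LaunchDaemons/com.apple.globalupdate.plist", "label": "com.apple.globalupdate"}], "removed": []}, "unixTime": 1415382700}
{"name": "processes", "hostname": "awesome-laptop.local", "action": "added", "columns": {"pid": "123", "name": "bash"}, "unixTime": 1415382701}
{"name": "launchd", "hostname": "awesome-laptop.local", "action": "added", "col
"""


def added_rows(event):
    """Yield the rows a differential event reports as newly added,
    whether the event is in per-row or batched (diffResults) form."""
    if event.get("action") == "added":
        yield event.get("columns", {})
    for row in event.get("diffResults", {}).get("added", []):
        yield row


def find_anomalies(log_text, watched=WATCHED_QUERIES):
    """Return (query name, hostname, row) for every added row of a watched
    query. Removed rows and unwatched queries are ignored; malformed lines
    are skipped so one bad line cannot stop the whole pass."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("name") not in watched:
            continue
        for row in added_rows(event):
            alerts.append((event["name"], event.get("hostname", "?"), row))
    return alerts


if __name__ == "__main__":
    for query, host, row in find_anomalies(SAMPLE_LOG):
        print(f"[{host}] {query}: new row {row}")
```

In a real deployment the same function would consume the log stream your aggregation pipeline collects rather than an inline string.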
