anomaly detection using osquery

marpaia edited this page Nov 11, 2014 · 13 revisions

Introduction

One application of the visibility osquery provides is detecting malicious anomalies. A deployment of osquery immediately establishes a baseline from the information returned by the configured scheduled queries.

Let's use a simple select-all in osqueryi:

SELECT * FROM startup_items;

+--------------+----------------------------------------------------------+
| name         | path                                                     |
+--------------+----------------------------------------------------------+
| Quicksilver  | /Applications/Quicksilver.app                            |
| iTunesHelper | /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app |
| Dropbox.app  | /Applications/Dropbox.app                                |
+--------------+----------------------------------------------------------+

The first time this runs on my test system I'll see the expected results, but across an enterprise of 1000+ hosts, "expected" is loosely defined.

Now, let's act "maliciously" and add a new item to the startup list and run the query again:

SELECT * FROM startup_items;

+--------------+----------------------------------------------------------+
| name         | path                                                     |
+--------------+----------------------------------------------------------+
| Quicksilver  | /Applications/Quicksilver.app                            |
| iTunesHelper | /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app |
| Dropbox.app  | /Applications/Dropbox.app                                |
| Wireshark    | /Applications/Wireshark.app                              |
+--------------+----------------------------------------------------------+

Looks like a pesky /Applications/Wireshark.app was added. So how do we see this at scale? If this query is running as a scheduled query, osqueryd will log the differential event (to whatever logging plugin you have configured).

Logging Anomalies

See the Log Aggregation Guide for a short overview of collecting osquery logs. As a brief example, consider the following osqueryd log item:

{
  "name": "startup_items",
  "action": "added",
  "columns": {
    "name": "Wireshark.app",
    "path": "/Applications/Wireshark.app"
  },
  "hostname": "awesome-laptop.local",
  "calendarTime": "Fri Nov  7 09:42:42 2014",
  "unixTime": 1415382685
}

WireLurker

Let's consider the recent WireLurker malware. Instead of searching for known launchd IOCs (which you can definitely do with osquery), such as the two launch daemon plists Palo Alto's WireLurkerDetector looks for:

/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist

we can schedule the following query and alert on differential additions:

SELECT path, label, program_arguments, inetd_compatibility, root_directory FROM launchd;

Where the baseline query select count(*) from launchd; may return hundreds of items, the differentials going forward should be far fewer.
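As an added example (not code from the osquery wiki), here is a small Python triage script over constructed osqueryd result-log lines in the differential format shown above: it keeps only "added" rows of a scheduled query and surfaces paths that appeared on few hosts, since a fleet-wide software rollout lands on many hosts at once while a single persistence implant does not. The hostnames, timestamps and the com.example.agent path are made up; the query names and launchd columns are the ones this page uses.

```python
import json
from collections import defaultdict

# Constructed osqueryd result-log lines (one JSON object per line) in the
# differential format shown above; hostnames, times and com.example.* are made up.
SAMPLE_LOG = """\
{"name": "startup_items", "action": "added", "columns": {"name": "Wireshark.app", "path": "/Applications/Wireshark.app"}, "hostname": "awesome-laptop.local", "calendarTime": "Fri Nov  7 09:42:42 2014", "unixTime": 1415382685}
{"name": "launchd", "action": "added", "columns": {"path": "/Library/LaunchDaemons/com.apple.globalupdate.plist", "label": "com.apple.globalupdate"}, "hostname": "awesome-laptop.local", "calendarTime": "Fri Nov  7 09:43:01 2014", "unixTime": 1415382704}
{"name": "launchd", "action": "added", "columns": {"path": "/Library/LaunchDaemons/com.example.agent.plist", "label": "com.example.agent"}, "hostname": "host-a.local", "calendarTime": "Fri Nov  7 10:00:00 2014", "unixTime": 1415383200}
{"name": "launchd", "action": "added", "columns": {"path": "/Library/LaunchDaemons/com.example.agent.plist", "label": "com.example.agent"}, "hostname": "host-b.local", "calendarTime": "Fri Nov  7 10:00:05 2014", "unixTime": 1415383205}
{"name": "launchd", "action": "added", "columns": {"path": "/Library/LaunchDaemons/com.example.agent.plist", "label": "com.example.agent"}, "hostname": "host-c.local", "calendarTime": "Fri Nov  7 10:00:09 2014", "unixTime": 1415383209}
{"name": "launchd", "action": "removed", "columns": {"path": "/Library/LaunchDaemons/com.example.old.plist", "label": "com.example.old"}, "hostname": "host-a.local", "calendarTime": "Fri Nov  7 10:01:00 2014", "unixTime": 1415383260}
this line is deliberately not JSON
"""


def parse_results(log_text):
    """Return one dict per well-formed JSON line; blank or corrupt lines are skipped."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            continue  # a truncated or non-JSON line must not abort the whole batch
    return events


def hosts_by_added_path(events, query_name):
    """Map each path reported as 'added' by the named scheduled query to the
    set of hosts that reported it; 'removed' rows and other queries are ignored."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.get("name") != query_name or ev.get("action") != "added":
            continue
        path = ev.get("columns", {}).get("path")
        if path:
            hosts[path].add(ev.get("hostname", "unknown"))
    return hosts


def rare_additions(events, query_name, max_hosts=1):
    """Return {path: [hosts]} for additions seen on at most max_hosts hosts.
    Paths added on many hosts at once look like a rollout, not an anomaly."""
    rare = {}
    for path, hosts in hosts_by_added_path(events, query_name).items():
        if len(hosts) <= max_hosts:
            rare[path] = sorted(hosts)
    return rare


if __name__ == "__main__":
    for path, hosts in rare_additions(parse_results(SAMPLE_LOG), "launchd").items():
        print("ALERT: %s added only on %s" % (path, ", ".join(hosts)))
```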