
anomaly detection using osquery

theopolis edited this page Nov 11, 2014 · 13 revisions

Introduction

An osquery deployment can help you establish an infrastructural baseline, allowing you to detect malicious anomalies via scheduled queries.

This will help you catch known bad (WireLurker, IceFog, Imuler, ...), and more importantly, unknown bad.

As an illustrative example, let's look at the Mac OS X startup items for a given laptop using osqueryi:

SELECT * FROM startup_items;

+--------------+----------------------------------------------------------+
| name         | path                                                     |
+--------------+----------------------------------------------------------+
| Quicksilver  | /Applications/Quicksilver.app                            |
| iTunesHelper | /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app |
| Dropbox.app  | /Applications/Dropbox.app                                |
+--------------+----------------------------------------------------------+

We see some pretty standard applications that run at boot, like iTunes and Dropbox.

Now imagine this same system is compromised at a later date.

We can use osquery's log aggregation capabilities to easily pinpoint when the attack occurred and what was installed.

Looking at the logs

Using the Log Aggregation Guide, you will receive log lines like the following in your datastore (ElasticSearch, Splunk, whatever):

{
    "name": "startup_items",
    "action":  "added", 
    "columns": { 
      "name":  "Phone.app", 
      "path":  "/Applications/Phone.app"
    },
    "hostname":  "ted-osx.local", 
    "calendarTime":  "Fri Nov  7 09:42:42 2014",
    "unixTime":  1415382685 
}

It's clear that a suspicious application called "Phone" was installed on Nov 7th at 09:42 AM.

Case-study: WireLurker

In November, Palo Alto Networks discovered a new piece of OS X malware called WireLurker.

If you have osquery deployed, you can search for the malware's static IOCs (indicators of compromise):

SELECT * FROM launchd
  WHERE path='/Library/LaunchDaemons/com.apple.machook_damon.plist'
    OR path='/Library/LaunchDaemons/com.apple.globalupdate.plist';

Better yet, you can generically detect WireLurker or other malware that persists via launchd with the following scheduled query, which will keep track of new, unique additions to your infrastructure:

SELECT path, label, program_arguments, inetd_compatibility, root_directory
  FROM launchd;