Is your Mac fleet secure? Tackling the myth of inherent mac security

Posted by Matt Hathaway on 4/19/18 3:38 PM

There’s a dangerous myth among some Mac users that, unlike Windows, the platform is impervious to malware. Since nothing is bulletproof, it would be dangerous to assume Mac fleet security, so let’s recognize why Macs have historically been low risk and why that looks to be changing.

Read More

Topics: macOS, mac edr

SQL introduction for osquery

Posted by Doug Wilson on 4/12/18 7:39 AM

SQL (Standard Query Language) will be in its mid-forties later this month having been introduced by its creators Donald Chamberlin and Raymond Boyce in the 1970s. Given its age, it isn’t so hard to understand how the 2017 Stack Overflow Developers Survey uncovered that SQL is the second-most common programming language, used by 50% of developers and beaten only by JavaScript. 

Read More

Topics: osquery tutorial, osquery, video

Infrastructure Management Has Evolved - Has Your Continuous Monitoring?

Posted by Matt Hathaway on 4/3/18 9:18 AM

Despite there being hundreds of software solutions focused on monitoring, today’s operations professionals lack the assessment and detection coverage they need in their CI/CD infrastructure. Software applications have reached an inflection point in the pace at which businesses are evolving their operations, and so a new approach is needed for continuous monitoring.

Read More

Topics: osquery, continuous deployment, CI/CD

6 Tasks for Basic macOS system monitoring with osquery [Video]

Posted by Doug Wilson on 3/29/18 9:45 AM

Osquery offers introspection capabilities for macOS that were previously difficult to achieve. Osquery uses a universal agent to collect and return a nearly unlimited amount of endpoint data that can then be queried like a database using SQL. For macOS system administrators, this opens up a world of quickly accessible system monitoring capabilities that we'll explore here today.    

In this post and video (click here to skip ahead to the video), we'll review some of the basic tasks for macOS system monitoring with osquery (osquery can be used for Linux and Windows as well, but because macOS was previously so underserved, I'm focusing there. Most commands we'll review will be the same or similar for other systems).

What we'll cover: 

Read More

Topics: osquery tutorial, osquery, macOS, video

How to unistall osquery from macOS in 4 steps [Video]

Posted by Doug Wilson on 3/22/18 9:52 AM
Need to manually uninstall osquery on macOS? If you no longer want to use osquery on your Mac, or if you need to manually clear out the installation because you're having problems with the end-point and you want to reinstall from scratch, follow the four steps outlined below. We've also included the terminal command in text format so you can easily copy and paste. 
 
Prefer video? Click here to skip ahead to a ~3 minute video and all commands required to uninstall osquery from your macos using Uptycs.
Read More

Topics: osquery tutorial, osquery, macOS

Finding OSX/CreativeUpdater malware with osquery

Posted by Doug Wilson on 2/5/18 11:05 AM

The first week of February 2018 has seen another piece of macOS malware —  CreativeUpdater malware. This time a cryptominer masquerading as several different software packages on the MacUpdate.com website. Again, even a few days later, a lot of endpoint solutions are not necessarily picking this up, looking at VirusTotal.

Read More

Topics: osquery, macOS, malware

Finding OSX/MaMi with osquery

Posted by Doug Wilson on 1/12/18 12:27 PM

Seeing on Twitter that Patrick Wardle (a must follow for macOS security!) may have found his first piece of macOS malware for 2018, I eagerly flipped to his blog. Given that this is “new” malware on macOS, there is likely going to be a window between discovery and protection via A/V software.

Read More

Topics: osquery, macOS, malware

Implementing TLS Persistent Transport Support in osquery 

Posted by Uma Reddy on 1/9/18 2:14 PM

Uptycs has submitted two pull requests to add HTTP(s) proxy & TLS persistent transport support to osquery. Both have now been merged in support for Beast (more on that later) and Persistent Transport Support).

Read More

Topics: osquery, TLS, system architecture

Quick Update to #iamroot issues

Posted by Doug Wilson on 12/6/17 3:42 AM

Further updates in the #iamroot saga have shown a confusing set of responses from Apple that invalidate some of what I posted earlier, and also may give a false sense of security if users have not installed updates in the proper sequence and then restarted.

Read More

Topics: osquery, #iamroot

Identifying #iamroot issues with osquery (blank password vuln in macOS 10.13.1)

Posted by Doug Wilson on 11/29/17 2:59 PM

Update: Following this article's original publication, Apple released a somewhat confusing set of security updates, which invalidates some of the original content I had shared. I have posted a follow-up here and updated the version number in the determination query in this article.

Tuesday’s event of a vulnerability in macOS High Sierra (tagged #iamroot by some) was a great chance to explore the utility of using osquery in response to a previously unknown security threat. [See this post for other macos malware identification tips]

Read More

Topics: osquery, macOS, #iamroot, malware

Uptycs Blog | Cloud Security Trends and Analysis

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you'll enjoy our blog enough to subscribe, share and comment.

Subscribe for New Posts

Find Uptycs Everywhere

Recommended Reads