
Amit Malik
Amit is a Principal Researcher at Uptycs. He has specialization in threat detection, threat intelligence and security architecture.Prior to Uptycs, he has worked with leading cyber security companies like Mcafee, Fireeye and Netskope.He holds multiple patents in the area of threat detection and analysis.He actively contributes in security communities through blogs, trainings and tools.
Sudo local privilege escalation (CVE-2021-3156) detection using osquery and Uptycs
Recently a heap-based buffer overflow vulnerability was discovered in the sudo utility by Qualys. Sudo is a command-line utility that allows a user to run commands in the context of other users with proper authentication. The vulnerability lets any user escalate the privileges to the root user. Qualys has shared technical details in their blog post, so in this post I’ll focus on how osquery and Uptycs can be used to detect the exploit and unpatched systems
Tagged as: threat hunting, vulnerability assessment, threat management, EDR
Lateral movement correlation within Uptycs EDR
One of the nice features of Uptycs’ EDR functionality is its ability to correlate lateral movement activity during the progression of an attack across the systems within an organization’s infrastructure.
On December 13, FireEye shared details on the SolarWinds supply chain attack, dubbed SUNBURST. The next day, Volexity shared additional information on the lateral movement and exfiltration activities of the attackers.
Tagged as: osquery, incident investigation, Detection, EDR
Uptycs EDR for Linux: Detection and visibility all the way through
Despite the fact that Linux server endpoints comprise 90% of cloud workloads and a majority of on-premises enterprise workloads, they don’t usually get as much attention as productivity endpoints. Most EDR solutions focus on end users and don’t meet the unique requirements for production Linux servers, such as the need for 100% uptime and low resource consumption.
Tagged as: linux security, MITRE ATT&CK, Detection, EDR
macOS Bundlore: Is New Code Being Tested in Old Adware?
macOS Bundlore is one of the most popular macOS adware installers. It either comes bundled with pirated applications, or from the web, prompting users to install or update Flash. Though the majority of browsers now have limited support for Flash, it is still a favorite mechanism for infecting systems.
Tagged as: osquery tutorial, macOS, threat intelligence
Detecting Docker container malware using osquery
In recent times we are seeing an increased number of Docker container malware. Attackers scan the internet to identify the misconfigured Docker engine API installations to install the malicious images or run commands to install the malware. Access to the Docker engine API can provide an attacker fine control over the Docker installation enabling him/her to create, delete, dump and run commands in the containers, although the majority of the malware seen to-date are either using system resources for crypto mining or denial of service attacks. In general, the container is an encapsulated environment to run the application so it can be used for any activity from proxies to botnet services and can easily become part of attacker infrastructure to distribute malware.
Tagged as: osquery, cloud monitoring, Docker Security, containers
Subscribe for new posts
Popular Posts
- Building Your Cyber Security Strategy: A Step-By-Step Guide
- 8 Docker Security Best Practices To Optimize Your Container System
- SOC 2 Compliance Requirements: Essential Knowledge For Security Audits
- Intro to Osquery: Frequently Asked Questions for Beginners
- Warzone RAT comes with UAC bypass technique