Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Amit Malik

Amit is a Principal Researcher at Uptycs. He specializes in threat detection, threat intelligence and security architecture. Prior to Uptycs, he worked with leading cyber security companies such as McAfee, FireEye and Netskope. He holds multiple patents in the area of threat detection and analysis, and he actively contributes to the security community through blogs, trainings and tools.

Sudo local privilege escalation (CVE-2021-3156) detection using osquery and Uptycs

Recently a heap-based buffer overflow vulnerability in the sudo utility was discovered by Qualys. Sudo is a command-line utility that allows a user to run commands in the context of other users after proper authentication. The vulnerability lets any local user escalate privileges to root. Qualys has shared the technical details in their blog post, so in this post I’ll focus on how osquery and Uptycs can be used to detect exploitation attempts and identify unpatched systems.

Lateral movement correlation within Uptycs EDR

One of the nice features of Uptycs’ EDR functionality is its ability to correlate lateral movement activity during the progression of an attack across the systems within an organization’s infrastructure.

Detecting the SolarWinds supply chain attack using osquery and Uptycs

On December 13, FireEye shared details on the SolarWinds supply chain attack, dubbed SUNBURST. The next day, Volexity shared additional information on the lateral movement and exfiltration activities of the attackers.

Uptycs EDR for Linux: Detection and visibility all the way through

Despite the fact that Linux server endpoints comprise 90% of cloud workloads and a majority of on-premises enterprise workloads, they don’t usually get as much attention as productivity endpoints. Most EDR solutions focus on end users and don’t meet the unique requirements for production Linux servers, such as the need for 100% uptime and low resource consumption.

macOS Bundlore: Is New Code Being Tested in Old Adware?

macOS Bundlore is one of the most popular macOS adware installers. It either comes bundled with pirated applications, or from the web, prompting users to install or update Flash. Though the majority of browsers now have limited support for Flash, it is still a favorite mechanism for infecting systems.

Detecting Docker container malware using osquery

In recent times we have seen a growing number of Docker container malware families. Attackers scan the internet for misconfigured Docker engine API installations, then use them to install malicious images or run commands that install malware. Access to the Docker engine API gives an attacker fine-grained control over the Docker installation, enabling them to create, delete and dump containers and run commands inside them, although the majority of the malware seen to date either uses system resources for crypto mining or launches denial of service attacks. In general, a container is an encapsulated environment for running an application, so it can be used for any activity from proxies to botnet services and can easily become part of attacker infrastructure for distributing malware.
