Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Doug Wilson

Douglas (Doug) Wilson is the Director of Security at Uptycs. He has spent a large amount of his career advocating for open tools, organizations, and standards. He was formerly the spokesperson for OpenIOC, and helped to found and run OWASP DC. He has over 18 years of experience in a variety of Information Security and Technology positions. When not attached to a computer or traveling, he can be found at Scotch tastings, riding his bike around DC, and reliving his youth through cheering on the DC Breeze Pro Ultimate team.

How to uninstall osquery from macOS in 4 steps [Video]

Need to manually uninstall osquery on macOS? If you no longer want to use osquery on your Mac, or you need to clear out a broken installation on the endpoint so you can reinstall from scratch, follow the four steps outlined below. The terminal commands are also included as text so you can copy and paste them.

Prefer video? Click here to skip ahead to a ~3 minute video covering all the commands required to uninstall osquery from your macOS machine using Uptycs.

Finding OSX/CreativeUpdater malware with osquery

The first week of February 2018 has seen another piece of macOS malware: CreativeUpdater, a cryptominer that masqueraded as several different software packages on the MacUpdate.com website. Once again, even a few days later, VirusTotal shows that many endpoint solutions are still not detecting it.

Finding OSX/MaMi with osquery

Seeing on Twitter that Patrick Wardle (a must follow for macOS security!) may have found his first piece of macOS malware for 2018, I eagerly flipped to his blog. Given that this is “new” malware on macOS, there is likely going to be a window between discovery and protection via A/V software.

Quick Update to #iamroot issues

Further updates in the #iamroot saga have shown a confusing set of responses from Apple that invalidate some of what I posted earlier, and also may give a false sense of security if users have not installed updates in the proper sequence and then restarted.

Identifying #iamroot issues with osquery (blank password vuln in macOS 10.13.1)

Update: Following this article's original publication, Apple released a somewhat confusing set of security updates, which invalidates some of the original content I had shared. I have posted a follow-up here and updated the version number in the determination query in this article.

Tuesday’s disclosure of a vulnerability in macOS High Sierra (tagged #iamroot by some) was a great chance to explore the utility of osquery in responding to a previously unknown security threat. [See this post for other macOS malware identification tips]

How to find malware on macs using osquery

In the past few months there have been several instances of malware being introduced onto OS X machines via “supply chain attacks”: a vendor is tricked into distributing, or is compromised in such a way that, its legitimate software is either replaced by malware or ships with malware included in the distribution bundle.

Page 2 of 3: