Hunting for Evil Launch Daemons - Identifying Suspicious Behavior with Osquery

Posted by Guillaume Ross on 12/18/18 10:05 AM

Last week, Malwarebytes posted an article highlighting new malware discovered by John Lambert (Microsoft), Patrick Wardle (Objective-See and Digita Security) and Adam Thomas (Malwarebytes), and sure enough, persistence using launchd is still a common thing.


Topics: osquery, macOS, open-source

Is your Mac fleet secure? Tackling the myth of inherent mac security

Posted by Matt Hathaway on 4/19/18 3:38 PM

There’s a dangerous myth among some Mac users that, unlike Windows, the platform is impervious to malware. Since nothing is bulletproof, it would be dangerous to assume Mac fleet security, so let’s recognize why Macs have historically been low risk and why that looks to be changing.


Topics: macOS, mac edr

6 Tasks for Basic macOS system monitoring with osquery [Video]

Posted by Doug Wilson on 3/29/18 9:45 AM

Osquery offers introspection capabilities for macOS that were previously difficult to achieve. Osquery uses a universal agent to collect and return a nearly unlimited amount of endpoint data that can then be queried like a database using SQL. For macOS system administrators, this opens up a world of quickly accessible system monitoring capabilities that we'll explore here today.    

In this post and video (click here to skip ahead to the video), we'll review some of the basic tasks for macOS system monitoring with osquery. Osquery can be used for Linux and Windows as well, but because macOS was previously so underserved, I'm focusing there; most commands we'll review will be the same or similar on other systems.

What we'll cover: 


Topics: osquery tutorial, osquery, macOS, video

How to uninstall osquery from macOS in 4 steps [Video]

Posted by Doug Wilson on 3/22/18 9:52 AM

Need to manually uninstall osquery on macOS? If you no longer want to use osquery on your Mac, or if you need to manually clear out the installation because you're having problems with the endpoint and want to reinstall from scratch, follow the four steps outlined below. We've also included the terminal commands in text format so you can easily copy and paste.
 
Prefer video? Click here to skip ahead to a ~3 minute video and all commands required to uninstall osquery from your macOS system using Uptycs.

Topics: osquery tutorial, osquery, macOS

Finding OSX/CreativeUpdater malware with osquery

Posted by Doug Wilson on 2/5/18 11:05 AM

The first week of February 2018 has seen another piece of macOS malware: CreativeUpdater. This time it is a cryptominer masquerading as several different software packages on the MacUpdate.com website. Again, looking at VirusTotal even a few days later, many endpoint solutions are still not picking this up.


Topics: osquery, macOS, malware

Finding OSX/MaMi with osquery

Posted by Doug Wilson on 1/12/18 12:27 PM

Seeing on Twitter that Patrick Wardle (a must follow for macOS security!) may have found his first piece of macOS malware for 2018, I eagerly flipped to his blog. Given that this is “new” malware on macOS, there is likely going to be a window between discovery and protection via A/V software.


Topics: osquery, macOS, malware

Identifying #iamroot issues with osquery (blank password vuln in macOS 10.13.1)

Posted by Doug Wilson on 11/29/17 2:59 PM

Update: Following this article's original publication, Apple released a somewhat confusing set of security updates, which invalidates some of the original content I had shared. I have posted a follow-up here and updated the version number in the determination query in this article.

Tuesday’s disclosure of a vulnerability in macOS High Sierra (tagged #iamroot by some) was a great chance to explore the utility of osquery in responding to a previously unknown security threat. [See this post for other macOS malware identification tips]


Topics: osquery, macOS, #iamroot, malware

How to find malware on macs using osquery

Posted by Doug Wilson on 10/20/17 12:10 PM

There have been several instances in the past few months where malware has been introduced to OS X machines via “supply chain attacks”: a vendor is tricked into distributing, or is compromised in such a way, that their legitimate software is either replaced by malware or ships with malware included in the distribution bundle.


Topics: osquery, macOS, malware

Uptycs Blog | Cloud Security Trends and Analysis

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you'll enjoy our blog enough to subscribe, share and comment.
