Checking MDS/Zombieload Mitigations on macOS with Osquery

Posted by Guillaume Ross on 5/15/19 12:46 PM

As a part of a pretty crazy week (Microsoft/RDS, Apple/Mojave/High Sierra, Adobe Acrobat/ Flash Player) when it comes to security updates, some new speculative execution vulnerabilities were disclosed and fixed.

Read More

Topics: osquery tutorial, osquery, macOS, malware, open-source, incident investigation

Threat Hunting with Osquery: 5 macOS Malware Techniques & How to Find Them

Posted by Amit Malik on 5/2/19 9:40 AM

This previous blog post explored ways to use osquery for macOS malware analysis. Using the same methodology introduced there, we analyzed five additional macOS malware variants and recorded their behavior to understand the techniques they used. Below, you’ll find the techniques used by Calisto, Dummy, HiddenLotus, LamePyre and WireLurker. Read on to explore how to translate the techniques used by these malware into queries you can run to hunt for the active presence or historical artifacts using osquery.

Read More

Topics: osquery, macOS, malware, mac edr, open-source, incident investigation

Mac Malware Analysis Using Osquery

Posted by Amit Malik on 3/19/19 9:01 AM

Osquery, at its most basic level, is an operating system instrumentation framework that exposes the OS as a SQL database. SQL queries can be run to view information about the systems similar to any SQL database, providing a unified cross platform framework (i.e. endpoints running on multiple operating systems can be queried using the industry standard database language: SQL. This structured approach for collecting and accessing data introduces great flexibility, making it useful for multiple purposes. For example, queries can be constructed to audit infrastructure for compliance, vulnerabilities, malware analysis and intrusion detection, etc. Data collected by osquery can be useful to anybody from IT support teams to CSIRTs. However, in this blog post we’ll narrow our focus and explore how to use osquery specifically for macOS malware analysis (though the methodologies discussed are the same for Windows and Linux operating systems).

Read More

Topics: osquery tutorial, osquery, macOS, malware, open-source

Detecting Dirty_Sock with Osquery - A Snapd Privilege Escalation Vulnerability

Posted by Guillaume Ross on 2/26/19 11:06 AM

You may have heard about “Dirty Sock”, a recently discovered vulnerability targeting snapd sockets, playing on the name of a previous vulnerability called “Dirty Cow”. Snapd allows for the execution of packaged snaps, which are a mechanism to distribute and update applications in a standard format.

Read More

Topics: osquery tutorial, osquery, malware, open-source, incident investigation

Finding OSX/CreativeUpdater malware with osquery

Posted by Doug Wilson on 2/5/18 11:05 AM

The first week of February 2018 has seen another piece of macOS malware —  CreativeUpdater malware. This time a cryptominer masquerading as several different software packages on the MacUpdate.com website. Again, even a few days later, a lot of endpoint solutions are not necessarily picking this up, looking at VirusTotal.

Read More

Topics: osquery, macOS, malware

Finding OSX/MaMi with osquery

Posted by Doug Wilson on 1/12/18 12:27 PM

Seeing on Twitter that Patrick Wardle (a must follow for macOS security!) may have found his first piece of macOS malware for 2018, I eagerly flipped to his blog. Given that this is “new” malware on macOS, there is likely going to be a window between discovery and protection via A/V software.

Read More

Topics: osquery, macOS, malware

Identifying #iamroot issues with osquery (blank password vuln in macOS 10.13.1)

Posted by Doug Wilson on 11/29/17 2:59 PM

Update: Following this article's original publication, Apple released a somewhat confusing set of security updates, which invalidates some of the original content I had shared. I have posted a follow-up here and updated the version number in the determination query in this article.

Tuesday’s event of a vulnerability in macOS High Sierra (tagged #iamroot by some) was a great chance to explore the utility of using osquery in response to a previously unknown security threat. [See this post for other macos malware identification tips]

Read More

Topics: osquery, macOS, #iamroot, malware

How to find malware on macs using osquery

Posted by Doug Wilson on 10/20/17 12:10 PM

There have been several instances where malware has been introduced to OS X machines in the past few months via “supply chain attacks”. This is where a vendor is tricked into distributing, or is compromised in a way, that their legitimate software is either replaced by or includes malware in the distribution bundle. 

Read More

Topics: osquery, macOS, malware

Uptycs Blog | Cloud Security Trends and Analysis

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you'll enjoy our blog enough to subscribe, share and comment.

Subscribe for New Posts

Find Uptycs Everywhere

Recommended Reads