Security Insights for Linux, macOS and Containers | osquery tutorial
[Updated March 11th] This article was written in May 2019 and updated in June 2019. We are updating it again, as CVE-2020-0796 is now public, and has not been patched yet.
CVE-2020-0796 is a remote code execution bug in Microsoft’s SMB (file sharing) server.
Expect attacks targeting this vulnerability soon. Use the queries in this article to find machines with port 445 exposed to the Internet.
Microsoft recommends disabling SMBv3 compression as a workaround; because that setting lives in the registry, you can also query the mitigation status of your systems.
Disabling SMBv3 Compression
A registry parameter can be configured, via PowerShell or any other method, to disable SMBv3 Compression.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Checking SMBv3 Compression is Disabled with osquery
This query only returns results if a machine has the workaround configured properly.
SELECT name, data, key, type FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' AND name='DisableCompression' AND data=1;
If you are sending osquery data to a centralized environment, configure this query to run, or run it as a real-time/distributed query. Any system that does not return data is unprotected at the moment, until a patch is released.
If you would rather get results from the machines that are not protected (the opposite of the query above), this query returns 0 if the key does not exist, 1 if it exists but is misconfigured, and nothing if it is configured properly.
0 = Key missing
1 = Key misconfigured
Null results = all good
SELECT IFNULL(key_count,0) AS key_state FROM (SELECT COUNT(*) AS key_count, data
FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression')
WHERE key_state!=1 OR data!=1;
[Updated June 5th] Patching for the CVE-2019-0708 vulnerability (referred to as BlueKeep) appears to have been slow, according to Rob Graham among others. One security expert, Ryan McGeehan (@Magoo), who has experience in modeling vulnerability exploit probability, has done just that for the BlueKeep security flaw.
His concerning summary concludes:
"Chances are about even (47.62%) for “in the wild” BlueKeep exploitation to be observed between now and end of June."
Follow the outline below to check your exposure using osquery.
Microsoft released an important patch to the remotely exploitable Remote Desktop Services (RDS) vulnerability. This vulnerability does not require any authentication and allows an attacker to run code remotely. Expect public exploits to start appearing soon.
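The two updates above both come down to the same two questions per host: is the vulnerable service listening, and (for SMBv3) is the registry workaround in place? The queries below are an added example written for this page, not queries from the original post. They assume only the standard osquery tables listening_ports, processes and registry (the last one Windows-only), and that protocol 6 in listening_ports means TCP. They are meant to be scheduled as two separate queries, since osquery runs one statement per query.

```sql
-- Added example, not from the original post.
-- Query 1: is SMB (445) or RDP (3389) listening, on which address, owned by which process?
-- listening_ports.protocol = 6 is TCP. An address of 0.0.0.0 or :: means "all interfaces".
SELECT lp.port,
       CASE lp.port
            WHEN 445  THEN 'SMB (CVE-2020-0796)'
            WHEN 3389 THEN 'RDP (CVE-2019-0708, BlueKeep)'
       END AS service,
       lp.address,
       p.name AS process
FROM listening_ports AS lp
LEFT JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port IN (445, 3389) AND lp.protocol = 6;

-- Query 2 (Windows only): SMBv3 compression workaround state as one label per host.
-- Same three outcomes as the 0 / 1 / no-row query in the article, but the label is
-- readable in a fleet dashboard and the query always returns exactly one row.
SELECT CASE
         WHEN COUNT(*) = 0                    THEN 'key_missing'
         WHEN CAST(MAX(data) AS INTEGER) = 1  THEN 'workaround_applied'
         ELSE                                      'key_misconfigured'
       END AS smb_compression_state
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression';
```

A listener bound to 0.0.0.0 or :: tells you the service is reachable on every interface of the host, not that it is reachable from the Internet; host firewall rules, perimeter filtering and NAT decide that. Use the first query to build the candidate list, then confirm exposure from the outside (an external port scan of your own ranges) before treating a host as Internet-facing. The second query deliberately returns a row in every state so that a host that stops reporting is visible as a collection gap rather than silently counted as "all good".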
Progress in open source projects thrives on the sharing of information. Yet even with the best of intentions, much of the learning can still be considered tribal knowledge, traded between small groups of closely connected individuals. While the osquery project certainly isn’t immune to this, the community has absolutely benefited from a passionate and growing base of users, developers, contributors and tinkerers who are dedicated to documenting and sharing what they’ve learned.
Osquery, at its most basic level, is an operating system instrumentation framework that exposes the OS as a SQL database. SQL queries can be run to view information about the system just as with any SQL database, providing a unified cross-platform framework (i.e. endpoints running on multiple operating systems can be queried using the industry-standard database language, SQL). This structured approach to collecting and accessing data introduces great flexibility, making it useful for multiple purposes. For example, queries can be constructed to audit infrastructure for compliance, vulnerabilities, malware analysis, intrusion detection, etc. Data collected by osquery can be useful to anybody from IT support teams to CSIRTs. However, in this blog post we’ll narrow our focus and explore how to use osquery specifically for macOS malware analysis (though the methodologies discussed are the same for Windows and Linux operating systems).
You may have heard about “Dirty Sock”, a recently discovered vulnerability targeting snapd sockets, playing on the name of a previous vulnerability called “Dirty Cow”. Snapd allows for the execution of packaged snaps, which are a mechanism to distribute and update applications in a standard format.