Mac Malware Analysis Using Osquery

Posted by Amit Malik on 3/19/19 9:01 AM

Osquery, at its most basic level, is an operating system instrumentation framework that exposes the OS as a SQL database. SQL queries can be run to view information about the systems similar to any SQL database, providing a unified cross platform framework (i.e. endpoints running on multiple operating systems can be queried using the industry standard database language: SQL. This structured approach for collecting and accessing data introduces great flexibility, making it useful for multiple purposes. For example, queries can be constructed to audit infrastructure for compliance, vulnerabilities, malware analysis and intrusion detection, etc. Data collected by osquery can be useful to anybody from IT support teams to CSIRTs. However, in this blog post we’ll narrow our focus and explore how to use osquery specifically for macOS malware analysis (though the methodologies discussed are the same for Windows and Linux operating systems).

Read More

Topics: osquery tutorial, osquery, macOS, malware, open-source

Detecting Dirty_Sock with Osquery - A Snapd Privilege Escalation Vulnerability

Posted by Guillaume Ross on 2/26/19 11:06 AM

You may have heard about “Dirty Sock”, a recently discovered vulnerability targeting snapd sockets, playing on the name of a previous vulnerability called “Dirty Cow”. Snapd allows for the execution of packaged snaps, which are a mechanism to distribute and update applications in a standard format.

Read More

Topics: osquery tutorial, osquery, malware, open-source, incident investigation

Windows Registry & Osquery: The Easy Way to Ensure Users are Secured

Posted by Guillaume Ross on 1/24/19 10:29 AM

The Windows registry is full of information, and with the proper tools, can be a gold mine for attackers and defenders alike. Attackers look to find specific configurations, credentials, or any information that can help them further attack systems, while defenders can use the registry to ensure that settings are configured as they are expected to. This is something that is not always easy to do with standard tools in Windows, or with the right level of performance. Fortunately, osquery solves that for us.

Read More

Topics: osquery tutorial, osquery, open-source, Windows

Free Osquery Training Course Now On-Demand

Posted by Doug Wilson on 10/18/18 8:35 AM

I’m excited to share that we have just released free online training to introduce you to osquery. Our goal was to combine quick setup and hands on labs with complete accessibility, so that anyone who wanted to give osquery a try, could.

Read More

Topics: osquery tutorial, osquery, open-source

Osquery In Action: Where and When to Apply "Threat Intel"

Posted by Doug Wilson on 6/14/18 3:55 PM
Read More

Topics: osquery tutorial, osquery

SQL introduction for osquery

Posted by Doug Wilson on 4/12/18 7:39 AM

SQL (Structured Query Language) will be in its mid-forties later this month having been introduced by its creators Donald Chamberlin and Raymond Boyce in the 1970s. Given its age, it isn’t so hard to understand how the 2017 Stack Overflow Developers Survey uncovered that SQL is the second-most common programming language, used by 50% of developers and beaten only by JavaScript. 

Read More

Topics: osquery tutorial, osquery, video

6 Tasks for Basic macOS system monitoring with osquery [Video]

Posted by Doug Wilson on 3/29/18 9:45 AM

Osquery offers introspection capabilities for macOS that were previously difficult to achieve. Osquery uses a universal agent to collect and return a nearly unlimited amount of endpoint data that can then be queried like a database using SQL. For macOS system administrators, this opens up a world of quickly accessible system monitoring capabilities that we'll explore here today.    

In this post and video (click here to skip ahead to the video), we'll review some of the basic tasks for macOS system monitoring with osquery (osquery can be used for Linux and Windows as well, but because macOS was previously so underserved, I'm focusing there. Most commands we'll review will be the same or similar for other systems).

What we'll cover: 

Read More

Topics: osquery tutorial, osquery, macOS, video

How to unistall osquery from macOS in 4 steps [Video]

Posted by Doug Wilson on 3/22/18 9:52 AM
Need to manually uninstall osquery on macOS? If you no longer want to use osquery on your Mac, or if you need to manually clear out the installation because you're having problems with the end-point and you want to reinstall from scratch, follow the four steps outlined below. We've also included the terminal command in text format so you can easily copy and paste. 
 
Prefer video? Click here to skip ahead to a ~3 minute video and all commands required to uninstall osquery from your macos using Uptycs.
Read More

Topics: osquery tutorial, osquery, macOS

Finding browser extensions in osquery [with Video]

Posted by Doug Wilson on 7/19/17 8:01 PM

There have been several cases in the past year of major software vendors inadvertently introducing vulnerabilities through browser extensions. Last August, it was reported that 4.7M Chrome users were at risk due to malicious code injected into eight different Chrome extensions. This past November, Cisco's Webex extension - a widely adopted video conferencing platform - was found to have multiple vulnerabilities. 

Read More

Topics: osquery tutorial, osquery, video

Wildcards and globbing in osquery

Posted by Milan Shah on 5/18/17 7:49 PM

Filepath globbing (filename patterns with wildcards) support in osquery has regularly been a source of confusion, frustration, and lost time. You can certainly explore the wildcarding system in these osquery docs, but it is hoped that the notes below will help shed light on how globbing in osquery actually works to help save you some grief.

Read More

Topics: osquery tutorial, osquery

Uptycs Blog | Cloud Security Trends and Analysis

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you'll enjoy our blog enough to subscribe, share and comment.

Subscribe for New Posts

Find Uptycs Everywhere

Recommended Reads