As a part of a pretty crazy week (Microsoft/RDS, Apple/Mojave/High Sierra, Adobe Acrobat/ Flash Player) when it comes to security updates, some new speculative execution vulnerabilities were disclosed and fixed.
[Updated June 5th] Patching for the CVE (CVE-2019-0708) vulnerability (referred to as BlueKeep) appears to have been slow, according to Rob Graham among others. One security expert, Ryan McGeehan (@Magoo), with experience in modeling vulnerability exploit probability and has done just that with the BlueKeep security flaw.
His concerning summary concludes:
"Chances are about even ( 47.62%) for “in the wild” BlueKeep exploitation to be observed between now and end of June."
Follow the outline below to check your exposure using osquery.
Microsoft released an important patch to the remotely exploitable Remote Desktop Services (RDS) vulnerability. This vulnerability does not require any authentication and allows an attacker to run code remotely. Expect public exploits to start appearing soon.
Progress in open source projects thrives on the sharing of information. Yet even with the best of intentions, much of the learning can still be considered tribal knowledge, traded between small groups of closely connected individuals. While, the osquery project certainly isn’t immune to this, the community has absolutely benefited from a passionate and growing base of users, developers, contributors and tinkerers that are dedicated to documenting and sharing what they’ve learned.
Osquery, at its most basic level, is an operating system instrumentation framework that exposes the OS as a SQL database. SQL queries can be run to view information about the systems similar to any SQL database, providing a unified cross platform framework (i.e. endpoints running on multiple operating systems can be queried using the industry standard database language: SQL. This structured approach for collecting and accessing data introduces great flexibility, making it useful for multiple purposes. For example, queries can be constructed to audit infrastructure for compliance, vulnerabilities, malware analysis and intrusion detection, etc. Data collected by osquery can be useful to anybody from IT support teams to CSIRTs. However, in this blog post we’ll narrow our focus and explore how to use osquery specifically for macOS malware analysis (though the methodologies discussed are the same for Windows and Linux operating systems).
You may have heard about “Dirty Sock”, a recently discovered vulnerability targeting snapd sockets, playing on the name of a previous vulnerability called “Dirty Cow”. Snapd allows for the execution of packaged snaps, which are a mechanism to distribute and update applications in a standard format.
The Windows registry is full of information, and with the proper tools, can be a gold mine for attackers and defenders alike. Attackers look to find specific configurations, credentials, or any information that can help them further attack systems, while defenders can use the registry to ensure that settings are configured as they are expected to. This is something that is not always easy to do with standard tools in Windows, or with the right level of performance. Fortunately, osquery solves that for us.
I’m excited to share that we have just released free online training to introduce you to osquery. Our goal was to combine quick setup and hands on labs with complete accessibility, so that anyone who wanted to give osquery a try, could.
Osquery offers introspection capabilities for macOS that were previously difficult to achieve. Osquery uses a universal agent to collect and return a nearly unlimited amount of endpoint data that can then be queried like a database using SQL. For macOS system administrators, this opens up a world of quickly accessible system monitoring capabilities that we'll explore here today.
In this post and video (click here to skip ahead to the video), we'll review some of the basic tasks for macOS system monitoring with osquery (osquery can be used for Linux and Windows as well, but because macOS was previously so underserved, I'm focusing there. Most commands we'll review will be the same or similar for other systems).