Sudo local privilege escalation (CVE-2021-3156) detection using osquery and Uptycs
Recently a heap-based buffer overflow vulnerability was discovered in the sudo utility by Qualys. Sudo is a command-line utility that allows a user to run commands in the context of other users with proper authentication. The vulnerability lets any user escalate the privileges to the root user. Qualys has shared technical details in their blog post, so in this post I’ll focus on how osquery and Uptycs can be used to detect the exploit and unpatched systems
Tagged as: threat hunting, vulnerability assessment, threat management, EDR
Osquery: What it is, how it works, and how to use it
Maintaining visibility into infrastructure and operating systems is critical for all organizations today—compliance, security, and your bottom line depend on it.
Network traffic encryption is increasing. This increase is driven by demand for privacy protection and the availability of great services for deploying certificates for free. According to Google’s Transparency Report, 88% of web traffic performed on Chrome for Windows is encrypted, and that number is higher for macOS, Android, and ChromeOS. The encryption trend is even clearer when you look at the percentage of HTTPS browsing time in the Transparency Report. At the same time, malware is also following this trend, as the increased security allows attackers to evade some detection mechanisms.
Tagged as: malware, open-source, threat hunting, threat intelligence, endpoint security
Resource smart YARA scans: Saving CPU and time with osquery
As attackers continually evolve their tactics, the arsenal of tools at hand for defenders needs to respond to attacker complexity while still enabling day-to-day business to happen.
When it comes to detecting malware, the arms race between attackers and defenders is certainly nothing new. The once seemingly simple battle between nuisance script kiddie worms and simple anti-virus software evolved over time into a much more complex and layered approach towards stopping powerful weapons against organizations to extort, incur damages, and steal intellectual property. For a long time now, malware-detection technologies have become more sophisticated as malware works harder than ever to gain access to a target machine and then conceal its presence as it runs.
Tagged as: malware, threat hunting, security analytics, endpoint security, yara
Investigating threat alerts with osquery: Understanding threat surface and risk
The Uptycs Threat Intelligence team is responsible for providing a high quality, curated, and current Threat Intelligence feed to the Uptycs product. In order to deliver the threat feed, the team evaluates every single alert that is seen by our customers, and investigates the alert as feedback into the threat feed curation process. Recently we observed a malicious domain alert from a customer. The out-of-the-box alert description indicated that it belonged to the OSX/Shlayer malware family. We were quickly able to query Uptycs threat intelligence to find that the domain first appeared on February, 2019 and was reported by multiple threat intel sources. Once the threat was validated, we dove into deeper investigation to understand the threat surface and risk. This post walks through the steps and techniques we performed to analyze data that had been collected via osquery, and aggregated in Uptycs.
Tagged as: osquery, incident investigation, threat hunting, threat intelligence
Building Your Cyber Security Strategy: A Step-By-Step Guide
A cyber security strategy is fundamental in helping your company take a proactive approach to security instead of reacting to every new threat, which can be time consuming and expensive. Whether you have an outdated strategy in place or you are starting from scratch, you can use this guide to get started building an effective and strategic cyber security plan.
Subscribe for new posts
Popular Posts
- Building Your Cyber Security Strategy: A Step-By-Step Guide
- 8 Docker Security Best Practices To Optimize Your Container System
- SOC 2 Compliance Requirements: Essential Knowledge For Security Audits
- Warzone RAT comes with UAC bypass technique
- Intro to Osquery: Frequently Asked Questions for Beginners