Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

macOS: Bashed Apples of Shlayer and Bundlore

The Uptycs threat research team has observed that over 90% of the macOS malware seen in our daily analysis and customer telemetry alerts uses shell scripts. Though these scripts have slight variations, they mostly belong to a plague of adware strains—Shlayer and Bundlore. These are the most prevalent malware families on macOS, and both have a history of evading and bypassing the built-in XProtect, Gatekeeper, Notarization and File Quarantine security features of macOS.

Evasive Techniques Used By Malicious Linux Shell Scripts

Research by: Siddartha Sharma and Adhokshaj Mishra

In our previous blog, we discussed the common Linux utilities that threat actors generally use in the attack chain. This blog discusses the defense evasion techniques most commonly used in malicious shell scripts and how Uptycs detects them.

Linux Commands and Utilities Commonly Used by Attackers

Uptycs' threat research team has observed several instances of Linux malware in which the attackers leverage built-in commands and utilities for a wide range of malicious activities.
In this post, we’ll take a look at the Linux commands and utilities commonly used by attackers and how you can use the detection capabilities of Uptycs EDR to determine whether they have been used in your environment.

Sudo local privilege escalation (CVE-2021-3156) detection using osquery and Uptycs

Recently, Qualys discovered a heap-based buffer overflow vulnerability in the sudo utility. Sudo is a command-line utility that allows a user to run commands in the context of other users after proper authentication. The vulnerability lets any local user escalate privileges to root. Qualys has shared the technical details in their blog post, so in this post I’ll focus on how osquery and Uptycs can be used to detect the exploit and find unpatched systems.

Osquery: What it is, how it works, and how to use it

Maintaining visibility into infrastructure and operating systems is critical for all organizations today—compliance, security, and your bottom line depend on it.

Osquery and JA3: Detecting malicious encrypted connections locally

Network traffic encryption is increasing. This increase is driven by demand for privacy protection and by the availability of good services that issue certificates for free. According to Google’s Transparency Report, 88% of web traffic on Chrome for Windows is encrypted, and the figure is higher for macOS, Android, and ChromeOS. The encryption trend is even clearer when you look at the percentage of HTTPS browsing time in the Transparency Report. Malware is following the same trend, because encrypted traffic allows attackers to evade some network-based detection mechanisms.