SlideShare a Scribd company logo

Osquery

Animesh Roy
Animesh Roy

A talk by @anir0y Video Link: https://youtu.be/4gc6DfwJZWc

Technology
1 of 17
Download to read offline
INTRO: OS QUERY A Basic Dive in with OS Query (https://osquery.io)
Outline Lesson 1. Introduction to OS Query Lesson 2. OS Query at a glance Lesson 3. Deploying OS query Lesson 4. Running some basic commands Lesson 5. Kolide (?) maybe for fleet management.
What is osquery? osquery is an open source tool created by Facebook for querying various information about the state of your machines. This includes information like: • Running processes • Kernel modules loaded • Active user accounts • Active network connections And much more! osquery allows you to craft your system queries using SQL statements, making it easy to use by security engineers that are already familiar with SQL
osquery at a glance Features Osquery is a framework we’ve used to create a few products and tools. Osquery’s modular codebase allows us to take advantage of existing concepts in new and interesting ways. We’re releasing several tools as a part of the open source release and we have more planned. We’re also looking forward to seeing how the community uses the codebase to create even more interesting tools. Interactive query console The interactive query console, osqueryi, gives you an SQL interface to try out new queries and explore your operating system. With the power of SQL and dozens of useful tables built-in, osqueryi is an invaluable tool when diagnosing a systems operations problem, troubleshooting a performance issue, etc.
Deploying OSQUERY! osquery is agent software that must run directly on your endpoints (e.g., your OSX installation, Windows System or Linux servers). osquery will require root or system privileges to get a lot of detailed system information, although it is possible to glean some information when not ran as 'root'. For more information, see the official deployment guide. • Install on Mac • Install on Linux • Install on Windows
Check OS Versions Basic Commands
Basic 1: Shell history Running this query periodically and diffing against older results can yield whether or not a new kernel module has loaded: kernel modules can be checked against a whitelist/blacklist and any changes can be scrutinized for rootkits. #Shell History Query: select * from shell_history; #user Shell Query: select * from users;
Basic 2: Networking Basic Networking Commands for OSQuery. #Print NIC Query: select * from interface_addresses; #DNS Resolver Query: select * from dns_resolvers; #Check Default Routing Query: select * from routes; #ARP Cache Query: select * from arp_cache; #/etc/hosts
Basic 2: Networking Basic Networking Commands for OSQuery. #Listening Ports Query: Query: select * from listening_ports; #Process Listening on UDP port Query: select protocol,local_port,b.name,b.path from process_open_sockets as a join processes as b where a.pid=b.pid and a.protocol=17;
Basic 3: Process #Process running with Root Privileges Query: select name,path,uid,on_disk from processes where on_disk=0; #List all Possible Outcome Query: select * from processes;
Use case 1: Finding new processes listening on network ports Frequently, malware will listen on port to provide command and control (C&C) or direct shell access for an attacker. Running this query periodically and diffing with the last ‘known good’ results will provide the security team with any new processes that are listening for network connections, and allow the team to investigate the nature of that process SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;
Use case 2: Finding suspicious outbound network activity On endpoints with well-defined behavior, the security team can use osquery to find any processes that do not fit within whitelisted network behavior, e.g. a process scp’ing traffic externally when it should only perform HTTP(s) connections outbound example: looks for processes with IP traffic to ports not in (80, 443) select s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port from process_open_sockets s join processes p on s.pid = p.pid where remote_port not in (80, 443) and family = 2;
Use case 3: Finding processes that are running whose binary has been deleted from the disk Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted or modified (which could be an indicator of a suspicious process) SELECT name, path, pid FROM processes WHERE on_disk = 0;
Use case 4:Finding new kernel modules that have loaded Running this query periodically and diffing against older results can yield whether or not a new kernel module has loaded: kernel modules can be checked against a whitelist/blacklist and any changes can be scrutinized for rootkits. select name from kernel_modules;
Credit: Attack Defense
Say Hello: ◦ OS Query : Schema ◦ Rapid 7: Blog post ◦ Attack Defense : Online Labs References: Tweet: @anir0y LinkedIn : Anir0y Mail : animeshroy@live.com

Recommended

Introduction to distributed file systems
Introduction to distributed file systemsIntroduction to distributed file systems
Introduction to distributed file systemsViet-Trung TRAN
 
iSCSI Protocol and Functionality
iSCSI Protocol and FunctionalityiSCSI Protocol and Functionality
iSCSI Protocol and FunctionalityLexumo
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.Anuj Khandelwal
 
Maximizing performance via tuning and optimization
Maximizing performance via tuning and optimizationMaximizing performance via tuning and optimization
Maximizing performance via tuning and optimizationMariaDB plc
 
High Concurrency Architecture and Laravel Performance Tuning
High Concurrency Architecture and Laravel Performance TuningHigh Concurrency Architecture and Laravel Performance Tuning
High Concurrency Architecture and Laravel Performance TuningAlbert Chen
 
Operating system
Operating systemOperating system
Operating systemAbdullah Al Amin
 
Shell scripting
Shell scriptingShell scripting
Shell scriptingAshrith Mekala
 
Application Load Balancer and the integration with AutoScaling and ECS - Pop-...
Application Load Balancer and the integration with AutoScaling and ECS - Pop-...Application Load Balancer and the integration with AutoScaling and ECS - Pop-...
Application Load Balancer and the integration with AutoScaling and ECS - Pop-...Amazon Web Services
 

Recommended

Introduction to distributed file systems
Introduction to distributed file systemsIntroduction to distributed file systems
Introduction to distributed file systemsViet-Trung TRAN
 
iSCSI Protocol and Functionality
iSCSI Protocol and FunctionalityiSCSI Protocol and Functionality
iSCSI Protocol and FunctionalityLexumo
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.Anuj Khandelwal
 
Maximizing performance via tuning and optimization
Maximizing performance via tuning and optimizationMaximizing performance via tuning and optimization
Maximizing performance via tuning and optimizationMariaDB plc
 
High Concurrency Architecture and Laravel Performance Tuning
High Concurrency Architecture and Laravel Performance TuningHigh Concurrency Architecture and Laravel Performance Tuning
High Concurrency Architecture and Laravel Performance TuningAlbert Chen
 
Operating system
Operating systemOperating system
Operating systemAbdullah Al Amin
 
Shell scripting
Shell scriptingShell scripting
Shell scriptingAshrith Mekala
 
Application Load Balancer and the integration with AutoScaling and ECS - Pop-...
Application Load Balancer and the integration with AutoScaling and ECS - Pop-...Application Load Balancer and the integration with AutoScaling and ECS - Pop-...
Application Load Balancer and the integration with AutoScaling and ECS - Pop-...Amazon Web Services
 
Bringing NetApp Data ONTAP & Apache CloudStack Together
Bringing NetApp Data ONTAP & Apache CloudStack TogetherBringing NetApp Data ONTAP & Apache CloudStack Together
Bringing NetApp Data ONTAP & Apache CloudStack TogetherDavid La Motta
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to Virtualizationelliando dias
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with RedisGeorge Platon
 
Backup, Restore, and Disaster Recovery
Backup, Restore, and Disaster RecoveryBackup, Restore, and Disaster Recovery
Backup, Restore, and Disaster RecoveryMongoDB
 
Virtualization
VirtualizationVirtualization
Virtualizationvishnurk
 
3. CPU virtualization and scheduling
3. CPU virtualization and scheduling3. CPU virtualization and scheduling
3. CPU virtualization and schedulingHwanju Kim
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in LinuxHenry Osborne
 
Data dictionary pl17
Data dictionary pl17Data dictionary pl17
Data dictionary pl17Ståle Deraas
 
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017Amazon Web Services Korea
 
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어NHN FORWARD
 
Raid
RaidRaid
Raidjayjay26912
 
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, ClusterJi-Woong Choi
 
RAID
RAIDRAID
RAIDMukesh Tekwani
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionKaran Singh
 
Introduction to Hyper-V
Introduction to Hyper-VIntroduction to Hyper-V
Introduction to Hyper-VMark Wilson
 
Erasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterErasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterRed_Hat_Storage
 
SSD HSD storage drives
SSD HSD storage drives SSD HSD storage drives
SSD HSD storage drives ParikshitTaksande1
 
Hive Authorization
Hive AuthorizationHive Authorization
Hive AuthorizationMinwoo Kim
 
A simple introduction to redis
A simple introduction to redisA simple introduction to redis
A simple introduction to redisZhichao Liang
 
Linux file system
Linux file systemLinux file system
Linux file systemMd. Tanvir Hossain
 
#WeSpeakLinux Session
#WeSpeakLinux Session#WeSpeakLinux Session
#WeSpeakLinux SessionKellyn Pot'Vin-Gorman
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 

More Related Content

What's hot

Bringing NetApp Data ONTAP & Apache CloudStack Together
Bringing NetApp Data ONTAP & Apache CloudStack TogetherBringing NetApp Data ONTAP & Apache CloudStack Together
Bringing NetApp Data ONTAP & Apache CloudStack TogetherDavid La Motta
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to Virtualizationelliando dias
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with RedisGeorge Platon
 
Backup, Restore, and Disaster Recovery
Backup, Restore, and Disaster RecoveryBackup, Restore, and Disaster Recovery
Backup, Restore, and Disaster RecoveryMongoDB
 
Virtualization
VirtualizationVirtualization
Virtualizationvishnurk
 
3. CPU virtualization and scheduling
3. CPU virtualization and scheduling3. CPU virtualization and scheduling
3. CPU virtualization and schedulingHwanju Kim
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in LinuxHenry Osborne
 
Data dictionary pl17
Data dictionary pl17Data dictionary pl17
Data dictionary pl17Ståle Deraas
 
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017Amazon Web Services Korea
 
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어NHN FORWARD
 
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, ClusterJi-Woong Choi
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionKaran Singh
 
Introduction to Hyper-V
Introduction to Hyper-VIntroduction to Hyper-V
Introduction to Hyper-VMark Wilson
 
Erasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterErasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterRed_Hat_Storage
 
Hive Authorization
Hive AuthorizationHive Authorization
Hive AuthorizationMinwoo Kim
 
A simple introduction to redis
A simple introduction to redisA simple introduction to redis
A simple introduction to redisZhichao Liang
 

What's hot (20)

Bringing NetApp Data ONTAP & Apache CloudStack Together
Bringing NetApp Data ONTAP & Apache CloudStack TogetherBringing NetApp Data ONTAP & Apache CloudStack Together
Bringing NetApp Data ONTAP & Apache CloudStack Together
 
Introduction to Virtualization
Introduction to VirtualizationIntroduction to Virtualization
Introduction to Virtualization
 
Caching solutions with Redis
Caching solutions with RedisCaching solutions with Redis
Caching solutions with Redis
 
Backup, Restore, and Disaster Recovery
Backup, Restore, and Disaster RecoveryBackup, Restore, and Disaster Recovery
Backup, Restore, and Disaster Recovery
 
Virtualization
VirtualizationVirtualization
Virtualization
 
3. CPU virtualization and scheduling
3. CPU virtualization and scheduling3. CPU virtualization and scheduling
3. CPU virtualization and scheduling
 
Disk and File System Management in Linux
Disk and File System Management in LinuxDisk and File System Management in Linux
Disk and File System Management in Linux
 
Data dictionary pl17
Data dictionary pl17Data dictionary pl17
Data dictionary pl17
 
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
AWS 클라우드 기반 게임 아키텍처 사례 - AWS Summit Seoul 2017
 
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
[2018] NHN 모니터링의 현재와 미래 for 인프라 엔지니어
 
Raid
RaidRaid
Raid
 
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
[오픈소스컨설팅]Day #2 MySQL Tuning, Replication, Cluster
 
RAID
RAIDRAID
RAID
 
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake SolutionCeph Object Storage Performance Secrets and Ceph Data Lake Solution
Ceph Object Storage Performance Secrets and Ceph Data Lake Solution
 
Introduction to Hyper-V
Introduction to Hyper-VIntroduction to Hyper-V
Introduction to Hyper-V
 
Erasure codes and storage tiers on gluster
Erasure codes and storage tiers on glusterErasure codes and storage tiers on gluster
Erasure codes and storage tiers on gluster
 
SSD HSD storage drives
SSD HSD storage drives SSD HSD storage drives
SSD HSD storage drives
 
Hive Authorization
Hive AuthorizationHive Authorization
Hive Authorization
 
A simple introduction to redis
A simple introduction to redisA simple introduction to redis
A simple introduction to redis
 
Linux file system
Linux file systemLinux file system
Linux file system
 

Similar to Osquery

Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...Felipe Prado
 
StorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and PrestoStorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and PrestoAlluxio, Inc.
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsGianluca Varisco
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016Suibin Zhang
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAsKellyn Pot'Vin-Gorman
 
How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)Jose Hernandez
 
How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)Jose Hernandez
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Codemotion
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security GuideShawn Wells
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plugKamal Rathaur
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 

Similar to Osquery (20)

#WeSpeakLinux Session
#WeSpeakLinux Session#WeSpeakLinux Session
#WeSpeakLinux Session
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
DEF CON 27 - workshop - GUILLAUME ROSS - defending environments and hunting m...
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
StorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and PrestoStorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and Presto
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs
 
How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)
 
linux installation.pdf
linux installation.pdflinux installation.pdf
linux installation.pdf
 
How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)How to Make a Honeypot Stickier (SSH*)
How to Make a Honeypot Stickier (SSH*)
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Stop pulling the plug
Stop pulling the plugStop pulling the plug
Stop pulling the plug
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Osquery

  • 1. INTRO: OS QUERY A Basic Dive in with OS Query (https://osquery.io)
  • 2.
  • 3. Outline Lesson 1. Introduction to OS Query Lesson 2. OS Query at a glance Lesson 3. Deploying OS query Lesson 4. Running some basic commands Lesson 5. Kolide (?) maybe for fleet management.
  • 4. What is osquery? osquery is an open source tool created by Facebook for querying various information about the state of your machines. This includes information like: • Running processes • Kernel modules loaded • Active user accounts • Active network connections And much more! osquery allows you to craft your system queries using SQL statements, making it easy to use by security engineers that are already familiar with SQL
  • 5. osquery at a glance Features Osquery is a framework we’ve used to create a few products and tools. Osquery’s modular codebase allows us to take advantage of existing concepts in new and interesting ways. We’re releasing several tools as a part of the open source release and we have more planned. We’re also looking forward to seeing how the community uses the codebase to create even more interesting tools. Interactive query console The interactive query console, osqueryi, gives you an SQL interface to try out new queries and explore your operating system. With the power of SQL and dozens of useful tables built-in, osqueryi is an invaluable tool when diagnosing a systems operations problem, troubleshooting a performance issue, etc.
  • 6. Deploying OSQUERY! osquery is agent software that must run directly on your endpoints (e.g., your OSX installation, Windows System or Linux servers). osquery will require root or system privileges to get a lot of detailed system information, although it is possible to glean some information when not ran as 'root'. For more information, see the official deployment guide. • Install on Mac • Install on Linux • Install on Windows
  • 8. Basic 1: Shell history Running this query periodically and diffing against older results can yield whether or not a new kernel module has loaded: kernel modules can be checked against a whitelist/blacklist and any changes can be scrutinized for rootkits. #Shell History Query: select * from shell_history; #user Shell Query: select * from users;
  • 9. Basic 2: Networking Basic Networking Commands for OSQuery. #Print NIC Query: select * from interface_addresses; #DNS Resolver Query: select * from dns_resolvers; #Check Default Routing Query: select * from routes; #ARP Cache Query: select * from arp_cache; #/etc/hosts
  • 10. Basic 2: Networking Basic Networking Commands for OSQuery. #Listening Ports Query: Query: select * from listening_ports; #Process Listening on UDP port Query: select protocol,local_port,b.name,b.path from process_open_sockets as a join processes as b where a.pid=b.pid and a.protocol=17;
  • 11. Basic 3: Process #Process running with Root Privileges Query: select name,path,uid,on_disk from processes where on_disk=0; #List all Possible Outcome Query: select * from processes;
  • 12. Use case 1: Finding new processes listening on network ports Frequently, malware will listen on port to provide command and control (C&C) or direct shell access for an attacker. Running this query periodically and diffing with the last ‘known good’ results will provide the security team with any new processes that are listening for network connections, and allow the team to investigate the nature of that process SELECT DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;
  • 13. Use case 2: Finding suspicious outbound network activity On endpoints with well-defined behavior, the security team can use osquery to find any processes that do not fit within whitelisted network behavior, e.g. a process scp’ing traffic externally when it should only perform HTTP(s) connections outbound example: looks for processes with IP traffic to ports not in (80, 443) select s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port from process_open_sockets s join processes p on s.pid = p.pid where remote_port not in (80, 443) and family = 2;
  • 14. Use case 3: Finding processes that are running whose binary has been deleted from the disk Frequently, attackers will leave a malicious process running but delete the original binary on disk. This query returns any process whose original binary has been deleted or modified (which could be an indicator of a suspicious process) SELECT name, path, pid FROM processes WHERE on_disk = 0;
  • 15. Use case 4:Finding new kernel modules that have loaded Running this query periodically and diffing against older results can yield whether or not a new kernel module has loaded: kernel modules can be checked against a whitelist/blacklist and any changes can be scrutinized for rootkits. select name from kernel_modules;
  • 17. Say Hello: ◦ OS Query : Schema ◦ Rapid 7: Blog post ◦ Attack Defense : Online Labs References: Tweet: @anir0y LinkedIn : Anir0y Mail : animeshroy@live.com