Use Osquery for end point detection and response

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Osquery is a tool released by Facebook for end point information collecting and aggregating. Its potential application includes threat hunting, host-based intrusion detection system etc. End point protection/detection is not new. There are lots of enterprise solutions:

  1. Carbon Black Enterprise Response
  2. Cisco Advanced Malware Protection for Endpoints
  3. Confer
  4. CounterTack
  5. CrowdStrike Falcon
  6. Cybereason
  7. FireEye Endpoint Security (HX Series)
  8. Guidance Software’s EnCase Endpoint Security
  9. RSA, The Security Division of EMC, Enterprise Compromise Assessment Tool (ECAT)
  10. Tanium
  11. Carbon Black (Windows + Linux)
  12. Threat Stack (continuous only, Linux only)

Comparing with these solutions, Osquery is cross-platform(Linux, Mac, and Windows) and easy to use.  Here are several examples on security investigations:

List of all the logged_in users:

select * from logged_in_users;

 

Find new process connections

In command and control attack scenarios, malware could commonly communicate to remote server or inject to other processes to make connections to remote server. In a typical environment, it is very unlikely to see new process to start connecting out. Hence, discovering new process listening on certain ports is very useful in investigation. This is the simple line you can run to find processes that listening on network:

select DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.id = listening.pid;

 

Find processes that are running but binary was deleted

select name, path, pid from processes where on_disk = 0;

 

Find new services that are installed 

 

Find specific process of indicators(IOCs) in memory or hard disk. These IOCs could come from any threat intelligence field.  This is extremely useful in scope investigation. For example:

select * from processes where name = 'svchost.exe' and path like '%evil%'; 

In summary, Osquery is powerful. With the help of powerful security data analysis and real-time monitoring, Osquery can be a great tool for security detection and response in the cloud or data center.

When you are ready, here are two things we can help:

  • Schedule a free consultation to help set up osquery and start threat hunting (schedule here)
  • Get started with DTonomy’s AI-based platform DTonomy AIR with guided threat hunting (Access here)

 

Continue Reading

October 30, 2021

Investigation and Response for Unemployment Benefit Fraud Alerts
Read More No Comments
ransomware
July 8, 2021

Leveraging AI To Reduce Risk of Ransomware
Read More 1 Comment

Copyright © 2023 By DTonomy Inc.

Empower your service center with AI
and Automation!

Request a demo!