Use osquery for endpoint detection and response

Sept 10, 2018 | Category: Security | Tags: Security, SecOps
osquery is an open-source tool released by Facebook that exposes the state of an endpoint (running processes, logged-in users, listening ports, files, installed services and so on) as SQL tables, so host information can be collected and aggregated with ordinary queries. Its applications include threat hunting and host-based intrusion detection. Endpoint protection and detection is not new, and there are plenty of enterprise solutions:

  1. Carbon Black Enterprise Response
  2. Cisco Advanced Malware Protection for Endpoints
  3. Confer
  4. CounterTack
  5. CrowdStrike Falcon
  6. Cybereason
  7. FireEye Endpoint Security (HX Series)
  8. Guidance Software’s EnCase Endpoint Security
  9. RSA, The Security Division of EMC, Enterprise Compromise Assessment Tool (ECAT)
  10. Tanium
  11. Carbon Black (Windows + Linux)
  12. Threat Stack (continuous only, Linux only)
Compared with these solutions, osquery is open source, cross-platform (Linux, macOS, and Windows) and easy to use: an investigation question becomes a SQL query, run interactively with osqueryi or on a schedule with osqueryd. Here are several example queries for security investigations:

List all logged-in users
select * from logged_in_users;
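Added example (not the original post's code): the same table, narrowed to remote interactive sessions and enriched with the account's uid and shell from the users table. It assumes a Linux or macOS host, where logged_in_users is populated from utmp and the type column separates user sessions from boot and init records.

```sql
-- Remote interactive logins, most recent first (added example, Linux/macOS).
-- type = 'user' keeps real user sessions and drops boot_time/login/init entries;
-- host is the source address of a remote session and empty for a local tty.
SELECT
  l.user,
  u.uid,
  u.shell,
  l.tty,
  l.host,
  datetime(l.time, 'unixepoch') AS login_time,
  l.pid
FROM logged_in_users AS l
LEFT JOIN users AS u ON u.username = l.user
WHERE l.type = 'user'
  AND l.host NOT IN ('', 'localhost', '127.0.0.1', '::1')
ORDER BY l.time DESC;
```

A uid of 0 arriving from a remote host, or a login from an address outside the ranges your bastions use, is the row to look at first; the pid is the session's login process and is the pivot into the processes table for what that session is running.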

Find processes making new network connections

In command-and-control scenarios, malware commonly connects out to a remote server directly or injects into another process so that the connection is made on its behalf. In a typical environment a previously unseen process starting to talk to the network is rare, so discovering new listeners or new outbound connections is very useful in an investigation. Two tables cover this: listening_ports lists sockets in the listening state, and process_open_sockets lists every open socket, including established outbound connections. This simple query finds processes that are listening on the network (the join is on pid; the processes table has no id column):
select DISTINCT process.name, listening.port, listening.address, process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid;
Rows with port 0 are Unix domain sockets rather than network listeners and can be dropped with a "where listening.port != 0" clause. To see only new rows instead of re-reading the whole table every time, schedule the query in osqueryd: in its default differential mode only rows added or removed since the previous run are logged.

Find processes that are running but whose binary has been deleted from disk
select name, path, pid from processes where on_disk = 0;
on_disk is 1 when the executable is still present, 0 when it has been unlinked (a common trait of droppers that delete themselves after launching) and -1 when osquery could not determine it.
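Added example, going beyond the page's one-liner: once a deleted-binary process is found, the same query can answer what an analyst asks next, namely who owns it, what launched it, where it is working and whether it is talking to the network. The table and column names are osquery's own; treating "has remote sockets" as the sort key is this example's choice, not an osquery feature.

```sql
-- Processes whose executable has been unlinked, with owner, parent and socket count.
-- on_disk: 1 = executable present, 0 = deleted, -1 = could not be determined.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.cwd,
  u.username AS owner,
  pp.pid AS parent_pid,
  pp.name AS parent_name,
  pp.path AS parent_path,
  (SELECT count(*) FROM process_open_sockets AS s
     WHERE s.pid = p.pid AND s.remote_port != 0) AS remote_sockets
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN processes AS pp ON pp.pid = p.parent
WHERE p.on_disk = 0
ORDER BY remote_sockets DESC, p.pid;
```

A deleted binary with remote sockets and a parent such as a web server, cron or a shell is a strong lead. On Linux the running image is still readable from /proc/<pid>/exe until the process exits, so copy it out for analysis before killing the process.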
Find newly installed services

(Screenshot in the original post: osquery output listing installed services.)
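Added example (the original shows only a screenshot): on Windows, osquery exposes installed services through the services table. The query flags services that start automatically or on demand from a binary outside the Windows and Program Files directories, which is where a freshly installed persistence service usually lives. The path prefixes assume a default English install on C:; adjust them for your image. Newer osquery releases expose the Linux equivalent as systemd_units.

```sql
-- Windows services started from unusual locations (added example).
-- start_type values come from the Service Control Manager: AUTO_START, DEMAND_START,
-- DISABLED, BOOT_START, SYSTEM_START. LIKE is case-insensitive in osquery's SQLite,
-- and a backslash needs no escaping because no ESCAPE clause is used.
SELECT
  name,
  display_name,
  status,
  start_type,
  pid,
  path,
  user_account
FROM services
WHERE start_type IN ('AUTO_START', 'DEMAND_START')
  AND path NOT LIKE 'C:\Windows\%'
  AND path NOT LIKE '"C:\Windows\%'
  AND path NOT LIKE 'C:\Program Files%'
  AND path NOT LIKE '"C:\Program Files%'
ORDER BY name;
```

The quoted variants matter because path holds the registry ImagePath, which often wraps the executable in double quotes and appends arguments. To catch services as they are installed rather than hunting for them afterwards, schedule a plain select over services in a pack; differential logging then emits one "added" row per new service.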

Search for specific indicators of compromise (IOCs) in memory or on disk. The IOCs (process names, paths, hashes, addresses) can come from any threat-intelligence feed, and querying every host for them at once is extremely useful for scoping an investigation. For example, to find a process named svchost.exe whose path contains a string taken from an IOC list:
select * from processes where name = 'svchost.exe' and path like '%evil%';
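Added example, extending the pattern above from a path substring to hash-based IOCs and to a masquerading check. osquery's hash table computes MD5, SHA-1 and SHA-256 for whatever path it is constrained to, so joining it to processes (or to file) hashes each candidate on the fly. The SHA-256 values are placeholders standing in for an intelligence feed, not real indicators, and the directory list is an assumption about where droppers tend to land.

```sql
-- 1. Running processes whose executable matches a known-bad SHA-256 (placeholders).
SELECT p.pid, p.name, p.path, p.cmdline, h.sha256
FROM processes AS p
JOIN hash AS h ON h.path = p.path
WHERE h.sha256 IN (
  '0000000000000000000000000000000000000000000000000000000000000001',
  '0000000000000000000000000000000000000000000000000000000000000002'
);

-- 2. The same IOC list applied to files in directories droppers favour.
--    The file table needs a path or directory constraint; in osquery's path
--    wildcards a single % matches one directory level and %% recurses.
SELECT f.path, f.size, datetime(f.mtime, 'unixepoch') AS modified, h.sha256
FROM file AS f
JOIN hash AS h ON h.path = f.path
WHERE (f.path LIKE '/tmp/%' OR f.path LIKE '/var/tmp/%' OR f.path LIKE '/dev/shm/%')
  AND f.type = 'regular'
  AND h.sha256 IN (
    '0000000000000000000000000000000000000000000000000000000000000001',
    '0000000000000000000000000000000000000000000000000000000000000002'
  );

-- 3. Name-based IOC with a location check: a Windows system process name running
--    from anywhere other than its legitimate directory is masquerading.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE name IN ('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe')
  AND path NOT LIKE 'C:\Windows\System32\%';
```

Hashing is the expensive part: keep the path constraints tight so the hash table touches only candidate files, and prefer the process join, which hashes one file per process, over broad filesystem sweeps on busy hosts.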
In summary, osquery is powerful. Paired with security data analysis and real-time monitoring of its scheduled query results, osquery can be a great tool for detection and response in the cloud or the data center.