Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
•Download as PPTX, PDF•
0 likes•41 views
"Leveraging Osquery for DFIR @ Scale" presented at BSidesSF 2020
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Similar to Leveraging Osquery for DFIR @ Scale _BSidesSF_2020 (20)
Recently uploaded
Recently uploaded (20)
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
- 1. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Leveraging Osquery for DFIR at scale Sohini Mukherjee | Security Researcher @ Adobe
- 2. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Agenda Rapid Incident Response Fast Forensics Proactive Threat Hunting 2
- 3. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Needle in a haystack? Running processes Active network connections New user accounts Detect file system changes Kernel Modules loaded Evidence of Persistence Evidence of Code Injection Non-standard Running Services 3
- 4. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Can Osquery help? Abstracts the OS to SQL (SQLite) Open-Source, active development Cross-platform Light-weight agent Non-intrusive: user-mode 4 Reference: https://blog.kolide.com/profiling-osquery-performance-with-kolide-cloud-8e01097469db
- 5. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Some Osquery statements.. 5
- 6. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Osquery Deployment.. 6 1. osquery enrolls or polls 2. TLS endpoint responds with a query 3. osquery replies with results
- 7. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Kolide Fleet – Open Source Osquery Manager 7
- 8. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Kolide Fleet Portal 8
- 9. © 2019 Adobe. All Rights Reserved. Adobe Confidential. @ Scale.. 9
- 10. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Potential Attack Scenarios
- 11. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Attack Scenario : Reverse Shells 11
- 12. © 2019 Adobe. All Rights Reserved. Adobe Confidential. 12
- 13. © 2019 Adobe. All Rights Reserved. Adobe Confidential. 13
- 14. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Reverse Shell : Mshta : MITRE [T1170] 14
- 15. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Reverse Shell : Regsvr32 : MITRE [T1117] 15
- 16. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Reverse Shell : DLL Injection : MITRE [T1055] 16
- 17. © 2019 Adobe. All Rights Reserved. Adobe Confidential. DLLInjection: Detections 17 • Pstree with active network sockets • https://github.com/facebook/osquery/blob/master/specs/processes.table
- 18. © 2019 Adobe. All Rights Reserved. Adobe Confidential. DLLInjection: Detections 18 • Injection (malicious msf.dll) as seen by process_memory_map table • https://github.com/facebook/osquery/blob/master/specs/process_memory_map.table
- 19. © 2019 Adobe. All Rights Reserved. Adobe Confidential. DLLInjection: Evidence gathering 19 • File System Metadata for evidence of time of execution • https://github.com/facebook/osquery/blob/master/specs/utility/file.table
- 20. © 2019 Adobe. All Rights Reserved. Adobe Confidential. CryptoMining 20
- 21. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Attack Scenario 21 4. The miner establishes connection to its pool 2. Attacker establishes alternate access by creating a new user 1. Attacker authenticates with stolen credentials 3. The new user installs and starts the miner
- 22. © 2019 Adobe. All Rights Reserved. Adobe Confidential. 22
- 23. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Detection via Kolide Fleet deployment 23 • Suspicious process on a non-standard network socket • select s.pid, p.name, local_address, remote_address, family, protocol, local_port, remote_port from process_open_sockets s join processes p on s.pid = p.pid where remote_port like 4444
- 24. © 2019 Adobe. All Rights Reserved. Adobe Confidential. How does it look like in SIEM? 24
- 25. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Detection from artifacts 25
- 26. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Container Exploit 26
- 27. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Privileged Container/ Container escape attempt 27 Container Container Container Container Container Privileged
- 28. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Can we detect it? 28 • Container running in privileged mode with the root user without any Security Profiles
- 29. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Docker queries Docker_open_sockets: 29
- 30. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Container Exploit Scenario 30
- 31. © 2019 Adobe. All Rights Reserved. Adobe Confidential. References https://osquery.io/ https://github.com/facebook/osquery https://github.com/teoseller/osquery-attck https://github.com/polylogyx/osq-ext-bin https://github.com/osql/extensions https://github.com/gcmurphy/windmill https://github.com/osquery/osquery-python https://blog.trailofbits.com/2018/05/28/collect-ntfs-forensic-information-with-osquery/ 31
- 32. © 2019 Adobe. All Rights Reserved. Adobe Confidential. Thank You
Editor's Notes
- Discussion on artifacts
- Running misconfigured containers in Prod or any environment can lead to vulnerable scenarios. E.g. Running Privileged Containers, Running without Security Restrictions like AppArmor, Conrainers running as root. An attacker might exploit an Application vulnerability and compromise a Container and with enough elevated privileges , might be able to break in to the underlying Host Kernel space. And eventually, move laterally to other Containers sharing the same host kernelspace and say, starts running Miners in all Production Containers. Container Forensics is challenging – one of the many reasons being short-lived nature of Containers. That’s how Containers are supposed to be. However, we can audit for this security misconfigurations and remediate those proactively before a compromise actually takes place
- We can use more complex osquery statements to audit for Docker Open Sockets And as we have seen from our previous examples – Open Sockets might lead to pretty interesting information For proactive theat-hunting, we might want to do an Outlier Analysis beyond a baseline of known good. E.g. A newly seen process is running out of an unexpected file path and reaching out to a first-seen set of IP Addresses – not necessarily malicious but gives you an interesting subset of information to investigate further on. And this is not just related to Containers, we can apply the same logic to more conventional environments as well.
- But what if none of these Security flaws were detected or remediated and an attacker has been able to compromise ang gain access to a Container Let’s try to put us in the attacker’s shoes The attacker might want to download more malicious code in to the Container – or say, try to install and start running a miner And he might just use a command like “curl” or “wget” to do so And if this is not a commandline that’s expected in your runtime environment – that might just give you a very critical heads-up that some anomaly has just happened in your Container environment
- As we approach the concluding part of the talk, I would want to reiterate that all that we have discussed today are not necessarily limited to just Osquery We can extrapolate the detection mechanisms and apply to any Commercial EDR tool that you might be running or even better , build your own framework and open-source it It’s basically unleashing the power of Open-Source and contribute to it – so that we , as a community, can be a step ahead of the bad guys