Most things in CoreOS Container Linux can be run in containers, except when it doesn't make sense. Osquery is an operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. The tools make low-level operating system analytics and monitoring both performant and intuitive. Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

Since osquery is published to a yum repository, we can use Toolbox, which by default uses the stock Fedora Docker container, to install the RPM package. Then it is possible to copy the binaries and other artifacts into our host.

Note: In the snippets below, `$` refers to input on the CoreOS host, and `#` refers to input in the Toolbox container.

```
# dnf install -y 'dnf-command(config-manager)'
# curl -L | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
# cp -R /usr/share/osquery/* /tmp/osquery/share/
$ sudo mkdir -p /opt/bin /etc/osquery /var/osquery /var/log/osquery
$ sudo cp -R /tmp/osquery/share/* /var/osquery/
```

That's it! At this point you can jump into osqueryi, the osquery interactive query console/shell.

```
osquery> select * from users where username = 'core';
| uid | gid | uid_signed | gid_signed | username | description | directory | shell | uuid |
```

If you want to set up osqueryd, the host monitoring daemon that allows you to schedule queries and record OS state changes, just create and enable the following systemd service:

```
$ sudo tee /etc/systemd/system/rvice /dev/null
Environment=FLAG_FILE=/etc/osquery/osquery.flags
Environment=CONFIG_FILE=/etc/osquery/nf
Environment=LOCAL_PIDFILE=/var/osquery/osqueryd.pidfile
Environment=PIDFILE=/var/run/osqueryd.pidfile
ExecStartPre=/bin/sh -c "if then touch $FLAG_FILE fi"
ExecStartPre=/bin/sh -c "if then mv $LOCAL_PIDFILE $PIDFILE fi"
Created symlink /etc/systemd/system//rvice → /etc/systemd/system/
```

For us to bring the power of osquery into perspective, we will need to analyze the activities of a malware sample and look at how various malicious activities, such as persistence and the installation of root certificates, are achieved. We will also, where necessary, leverage other tools to support osquery. We will need to obtain a malware sample to work with. In this case, we will be working with the famous Emotet banking Trojan.

The way Emotet spreads is by email, where the malicious dropper runs and downloads the virus through a malicious Word macro. The sandbox report detailing the activities of Emotet can be found here. You can also find the VirusTotal malware summary here.

We will create a Windows 7 environment on VirtualBox and intentionally infect it with Emotet. We will then run osquery queries to retrieve the events generated by PowerShell from the powershell_events table. We will also need to enable script block logging in order to read the PowerShell event log channel. Once the malware is run in our sandbox environment, we can view the PowerShell events using the following osquery command:

```
select time, script_text from powershell_events;
```

Figure 1. Exposing PowerShell scripts used during malware execution

The two lines below the PowerShell command in Figure 1 are the script texts that we get once that PowerShell command is decoded.

We can also use osquery to log socket connections for each process performing network communications, as shown below:

```
select processes.name, process_open_sockets.remote_address, process_open_sockets.remote_port
from process_open_sockets
left join processes on process_open_sockets.pid = processes.pid
where process_open_sockets.remote_port != 0 and processes.name != '';
```

Figure 2. Exposing processes performing network communication

The query above uses a JOIN between the process_open_sockets and processes tables. As can be seen, PowerShell connects to two remote IPs at port 80.

We can also use a query that identifies anything within the Users directory that was written to disk within the last 100 seconds, that is, after the payload's download:

```
select path, size from file
where path like 'C:\Users\%%'
  and mtime > (select local_time from time) - 100
  and filename != '.';
```

Figure 3. Exposing files written to disk within the last 100 seconds

As you can see, the file squarectx.exe is extracted and executed.
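The queries above are run by hand in osqueryi. To keep watching for the same behaviour on a monitored host, they can be handed to osqueryd as scheduled queries. The following configuration is an added example, not from the original post or the osquery project; the logger_path, the 120-second file lookback and the schedule intervals are assumptions, and enable_powershell_events_subscription is assumed to be the option that makes the powershell_events table populate on Windows (script block logging must still be enabled in Windows itself).

```json
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "C:\\Program Files\\osquery\\log",
    "disable_events": "false",
    "enable_powershell_events_subscription": "true",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "powershell_script_blocks": {
      "query": "SELECT time, script_text FROM powershell_events;",
      "interval": 60,
      "removed": false
    },
    "process_remote_sockets": {
      "query": "SELECT p.name, p.path, p.cmdline, s.remote_address, s.remote_port FROM process_open_sockets s LEFT JOIN processes p ON s.pid = p.pid WHERE s.remote_port != 0 AND p.name != '';",
      "interval": 30,
      "removed": false
    },
    "recent_user_files": {
      "query": "SELECT path, size, mtime FROM file WHERE path LIKE 'C:\\Users\\%%' AND mtime > (SELECT local_time FROM time) - 120 AND filename != '.';",
      "interval": 60,
      "removed": false
    }
  }
}
```

The file lookback (120 s) is deliberately wider than the 60 s interval so that a file written between two runs is not missed; with removed set to false, each new file or connection is logged once as an added row and its later disappearance produces no log entry.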