
Osquery threat hunting

    Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.¹

    Attackers employ persistence techniques so that exploitation phases do not need to be repeated. Remember, exploitation is just the first step for the attacker; they still need to take additional steps to fulfill their primary objective. After successfully gaining access to the machine, they need to pivot through the network and find a way to access and exfiltrate the crown jewels. During these post-exploitation activities, the attacker’s connection to the machine can be severed, and to regain access, the attacker might need to repeat the exploitation step. Redoing the exploitation might be difficult depending on the attack vector:

  • Sending an email with a malicious attachment: The victim wouldn’t open the same maldoc twice. You’d have to send another email and hope the victim will fall for it again.
  • Using leaked credentials and keys: The passwords might be reset or the keys are revoked.
  • Hunting for Persistence in Linux (Part 1): Auditing, Logging and Webshells
    • 1 – Server Software Component: Web Shell
  • Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
    • 4 – Account Manipulation: SSH Authorized Keys
  • Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron
    • 5 – Create or Modify System Process: Systemd Service
  • Hunting for Persistence in Linux (Part 4): Initialization Scripts and Shell Configuration
    • 8 – Boot or Logon Initialization Scripts: RC Scripts
    • 9 – Boot or Logon Initialization Scripts: init.d
    • 10 – Boot or Logon Initialization Scripts: motd
    • 11 – Event Triggered Execution: Unix Shell Configuration Modification
  • Hunting for Persistence in Linux (Part 5): Systemd Generators
    • 12 – Boot or Logon Initialization Scripts: systemd-generators
  • (WIP) Hunting for Persistence in Linux (Part 6): Rootkits, Compromised Software, and Others
    • Modify Authentication Process: Pluggable Authentication Modules
    • Boot or Logon Autostart Execution: Kernel Modules and Extensions
    • Hijack Execution Flow: Dynamic Linker Hijacking
    The diagram above gives an overview of what will be discussed in this series. We will discuss other techniques in succeeding posts. In this blog post, we will only discuss web shells, but we will be focusing more on logging and monitoring.

    Welcome to this blog series “Hunting for Persistence in Linux”! This is a series that explores methods attackers might use to maintain persistent access to a compromised Linux system. To do this, we will take an “offense informs defense” approach by going through techniques listed in the MITRE ATT&CK Matrix for Linux, and for each technique we will:

  • Give examples of how an attacker might deploy one of these backdoors.
  • Show how a defender might monitor and detect these installations.

    By giving concrete implementations of these persistence techniques, I hope to give defenders a better appreciation of what exactly they are trying to detect, and some clear examples of how they can test their own alerting. Each persistence technique has two main parts:

  • How to deploy the persistence techniques.
  • How to monitor and detect persistence techniques.

    In the following three-part series, we will show a number of examples using Osquery for hunting cyber threats on Windows machines. You can read more about Osquery in our short blog post. For testing and demonstration of the information retrievable by Osquery, it is enough to run the queries on a single endpoint. Keep in mind, though, that the full power of Osquery manifests itself when deployed widely and managed centrally, when a single query retrieves data from the entire environment.

    In this first part, we will show a few queries that help in discovering persistence created by an attacker or malware. A notorious technique for achieving malicious code execution or persistence is the creation of a scheduled task or tampering with a legitimate one (MITRE ATT&CK T1053.005). In the output of the query listed below, we look for unusual names of the scheduled tasks, paths to executables and their command line arguments. There can never be enough skepticism: attackers often invent very convincing names for their scheduled tasks, but for obvious reasons one cannot find any documentation about them on the internet.