Facebook Open-Sourced Security Tool osquery in Action


Facebook open-sourced security tool osquery late last month, allowing engineers to write SQL-based queries efficiently and easily to explore operating systems and monitor their infrastructure. In a note on the Protect the Graph page, security engineer Ted Reed offered a look at how osquery can be used to detect suspicious activity within infrastructure.

Reed wrote:

An osquery deployment can help you establish an infrastructural baseline, allowing you to detect malicious activity using scheduled queries.

This approach will help you catch known malware (WireLurker, IceFog, Imuler, etc.) and, more important, unknown malware.

As an illustrative example, let’s look at Mac OS X startup items for a given laptop using osqueryi:


We see some pretty standard applications that run at boot, like iTunes and Dropbox.

Now imagine this same system is compromised at a later date.

We can use osquery’s log-aggregation capabilities to easily pinpoint when the attack occurred and what was installed.

Using the log aggregation guide, you will receive log lines like the following in your data store (ElasticSearch, Splunk, etc.):


It’s clear that a suspicious application called “Phone” was added to this host’s set of startup items Nov. 7 at 9:42 a.m.

In November, Palo Alto Networks discovered a new piece of OS X malware called WireLurker.

If you have osquery deployed, you can search for their static IOCs (indicators of compromise):


Better yet, you can generically detect WireLurker or other persistent malware using launchd and the following scheduled query, which will keep track of new, unique additions to your infrastructure:


This method has the distinct advantage of detecting malicious applications like WireLurker based on their behaviors rather than specific IOCs.

osquery provides a much more effective and scalable way to help you identify malicious activity in your infrastructure by going beyond static signatures and adding the ability to perform behavior-based detection.

We hope that you enjoy osquery. Keep up with osquery development on GitHub.
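The scheduled-query workflow Reed describes above, as an added example that is not code from his post or from the osquery project: a small Python checker that reads osquery differential result lines for a launchd query and reports startup items first seen after a baseline window, including a known label whose program has changed. The field names follow osquery's JSON result-log format; the query name, host identifier, labels, paths and timestamps in the sample lines are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed osquery differential result lines (not real telemetry). The field
# names ("name", "hostIdentifier", "unixTime", "columns", "action") follow
# osquery's JSON result-log format; host, labels, paths and times are made up.
SAMPLE_LOG = """\
{"name":"launchd_watch","hostIdentifier":"laptop-placeholder","unixTime":"1415000000","columns":{"path":"/Library/LaunchAgents/com.example.itunes.plist","label":"com.example.itunes","program":"/Applications/iTunes.app/Contents/MacOS/iTunesHelper"},"action":"added"}
{"name":"launchd_watch","hostIdentifier":"laptop-placeholder","unixTime":"1415000000","columns":{"path":"/Library/LaunchAgents/com.example.dropbox.plist","label":"com.example.dropbox","program":"/Applications/Dropbox.app/Contents/MacOS/Dropbox"},"action":"added"}
{"name":"launchd_watch","hostIdentifier":"laptop-placeholder","unixTime":"1415353320","columns":{"path":"/Library/LaunchDaemons/com.example.phone.plist","label":"com.example.phone","program":"/Users/Shared/Phone"},"action":"added"}
{"name":"launchd_watch","hostIdentifier":"laptop-placeholder","unixTime":"1415353380","columns":{"path":"/Library/LaunchAgents/com.example.dropbox.plist","label":"com.example.dropbox","program":"/Applications/Dropbox.app/Contents/MacOS/Dropbox"},"action":"removed"}
{"name":"launchd_watch","hostIdentifier":"laptop-placeholder","unixTime":"1415353380","columns":{"path":"/Library/LaunchAgents/com.example.dropbox.plist","label":"com.example.dropbox","program_arguments":"/Users/Shared/Dropbox --agent"},"action":"added"}
"""

# End of the baseline window (constructed): 'added' rows at or before it are known-good.
BASELINE_END = 1415000000


def startup_item_key(rec):
    """Identity of a launchd entry: host, label and what it actually executes."""
    cols = rec["columns"]
    program = cols.get("program") or cols.get("program_arguments") or ""
    return (rec["hostIdentifier"], cols.get("label", ""), program)


def new_startup_items(log_text, baseline_end, query_name="launchd_watch"):
    """Return launchd entries first 'added' after the baseline window.
    A known label whose program changes forms a new key and is reported too.
    'removed' rows are skipped: disappearing items are not what this check is for."""
    known = set()
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("name") != query_name or rec.get("action") != "added":
            continue
        key = startup_item_key(rec)
        ts = int(rec["unixTime"])  # string in older osquery releases, int in newer
        if ts <= baseline_end:
            known.add(key)
        elif key not in known:
            known.add(key)  # report each new item once, not on every re-add
            hits.append({
                "host": key[0], "label": key[1], "program": key[2],
                "path": rec["columns"].get("path", ""),
                "first_seen": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            })
    return hits
```

Run against the sample it reports the "Phone" daemon first seen on Nov. 7 at 09:42 UTC and the Dropbox label now launching a different binary, while the baseline items stay silent.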