Facebook open-sourced security tool osquery late last month, allowing engineers to write SQL-based queries efficiently and easily to explore operating systems and monitor their infrastructure. In a note on the Protect the Graph page, security engineer Ted Reed offered a look at how osquery can be used to detect suspicious activity within infrastructure.
An osquery deployment can help you establish an infrastructural baseline, allowing you to detect malicious activity using scheduled queries.
Now imagine this same system is compromised at a later date.
We can use osquery’s log-aggregation capabilities to easily pinpoint when the attack occurred and what was installed.
Using the log aggregation guide, you will receive log lines like the following in your data store (ElasticSearch, Splunk, etc.):
It’s clear that a suspicious application called “Phone” was added to this host’s set of startup items Nov. 7 at 9:42 a.m.
If you have osquery deployed, you can search for WireLurker’s static IOCs (indicators of compromise):
Better yet, you can generically detect WireLurker or other persistent malware using launchd and the following scheduled query, which will keep track of new, unique additions to your infrastructure:
This method has the distinct advantage of detecting malicious applications like WireLurker based on their behaviors rather than specific IOCs.
osquery provides a much more effective and scalable way to help you identify malicious activity in your infrastructure by going beyond static signatures and adding the ability to perform behavior-based detection.
We hope that you enjoy osquery. Keep up with osquery development on GitHub.