How to identify threats if you have no logs (introducing OSQuery & Fleet)

Captions
It's inevitable that security logs will have gaps, either due to benign system errors or due to attackers intentionally disabling logging to help cover their tracks. And of course it's just not technically feasible to collect detailed logs about every little thing and store them forever. So what can we do to plug the holes in our visibility left by imperfect logging?

Hi there, I'm Andy, and in this video we'll be exploring how to use osquery to make point-in-time assessments of key security properties without having to depend on logs.

Imagine an attacker has obtained credentials for this network and is in the process of implanting malware and backdoors. With event-based logging, we defenders will have visibility of the actions that are being performed at specific points in time, such as: a new local user account has been created on each machine and added to the local admin group, and perhaps a new scheduled task has been created to run CryptoLocker malware to encrypt all user data in, say, six months' time. But if our attacker is smart, they know that these events would likely be flagged to a security analyst to investigate. So the first step in their attack is to disable the log collection agent on each machine, here by stopping the Winlogbeat service, and their last step is to clear the local logs before re-enabling the log agent. We defenders now no longer see the specific backdoors and malware implanted into the system; we just see that the event log was cleared. Now of course clearing event logs is suspicious and should be investigated, but how can we investigate if we don't have logs?

We need a slightly different mindset here. Events tell us what has changed between a starting state and an end state. For example, the starting state may be that there are only two direct members of the local Administrators group; the event is that a new user is added to this group; the end state is that there are now three direct members of this local admin group. Without logging we can't see the specific event that's happened, when, and by whom, but we can still observe the end state, if nothing else by logging onto a machine and manually viewing the local admin group. But this doesn't work well at scale: it's slow, time consuming and doesn't allow for easy comparison.

This is where a tool such as osquery comes in. It, along with the Fleet graphical front end, allows us to ask questions about the current state of machines in our estate by using a SQL-like syntax. Some data is available as saved queries, for example listing out all of the currently configured scheduled tasks. Each time we run a query we must specify which machines we want to run it on; I'm selecting all of the Windows machines in my lab for this one. The query then gets sent out to the osquery agent running on each machine for data to be gathered, and as each one completes the task it reports back to Fleet.

OK, so viewing the list of scheduled tasks is one thing, but at this point we're still left with a lot of manual effort if we're hunting for signs of badness. So let's start to refine the query. Perhaps we've seen an intelligence report suggesting that an attack group of concern to us typically creates a backdoor task named "bacon". So we just need to add a WHERE clause onto this query to identify any machines which have a task where the name includes the word "bacon". The documentation panel on the right side of the screen provides some useful hints as to the field names we need to specify. Here we can see that there are two machines that have a potentially suspiciously named task.

The queries we've looked at so far have involved examining a single table, but osquery makes scores of them available to us, and like with databases we can do awesome things by joining tables. For example, we have a table that lists groups, we have a table that lists users, and we have a table that maps the relationship between users and groups. So if we wanted to list all the user IDs which were in the Administrators group of any machine, we could join the tables together like this, with the following WHERE clause. Here we can see that the same two machines that had the "bacon" backdoor service also have a "little piggy" user account in their local admin groups.

We'll touch on a couple more examples later, but hopefully by now you're itching to give this a try yourself, and good news: setup is pretty simple. Fleet, the graphical user interface for osquery, is provided as part of Security Onion, the Linux distro that we've been using across the other videos in this series. The only thing required on the server side is to run so-allow to update the local firewall to allow local network clients to communicate with the osquery service. Each client needs the osquery agent to be installed. Security Onion provides a set of downloads for Windows, Linux and Mac clients which are specifically built to include the necessary server config and secret keys for our particular server, all packaged up into a single installer. So for a Windows machine we just need to run the MSI file, wait a few moments, and job done. Logging into Fleet, we can see this Windows server is now listed in the console along with the Security Onion sensor that Fleet is running on.

Manual installation is not ideal, but a GPO can automate the rollout. We just need to create a new policy and then define a software installation under Computer Configuration > Policies > Software Settings, specifying the path to the osquery MSI file stored on a network share. Once clients have picked up the new group policy and installed osquery, they too appear in the Fleet console.

But osquery is not just for Windows; installation on Linux is just as simple. In this case, running dpkg to install the Debian package on this Ubuntu machine and then verifying that the service is up and running. I don't yet have any Linux automation set up for my lab environment here, so I'm going to repeat this manual install across the other Linux clients. Once complete, another refresh of Fleet shows all the devices now reporting and online.

We've really only scratched the surface with the example queries from earlier. The documentation pane is really useful to explore other tables available. Some that I think are particularly noteworthy are: the registry table, which provides access to examine any registry value; similarly, file allows for searching across file systems; logged_in_users shows which users are connected to a Windows machine, including distinguishing between those with local sessions, remote RDP connections or network share sessions; processes lists all running processes; and you can examine the command history of Linux users via the shell_history table. Check out the documentation for more, and of course remember you can join tables together for extra power. Do let me know in the comments what awesome queries you've come up with.

An endpoint query tool such as osquery will never be able to replace a comprehensive logging solution, and nor should it. These tools serve two different purposes, but they are entirely complementary, with each one helping to address the deficiencies in the other. Typically, log events are better for real-time correlation and alerting of known bad actions, versus point-in-time queries being more useful in threat hunting or verifying compliance to technical policies. It's also worth noting that osquery has a daemon process which can run queries on a schedule and then generate alert events if there's a change between consecutive runs. I'll probably create a video dedicated to this in the future, so get subscribed if you don't want to miss it. But that's all for now. Drop a note in the comments below if you have any questions or ideas for future videos. I'll see you next time.
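The queries the video describes (the "bacon" task search, the users/groups join for local Administrators membership) plus a point-in-time check that the log agent is still running, written out as an added example that is not from the video or from the osquery project. Table and column names are osquery's documented Windows tables; the service name 'winlogbeat' is an assumption about how the agent is registered.

```sql
-- Added example (not from the video): osquery SQL for the checks the
-- video describes, as they would be pasted into Fleet's query editor.
-- Table and column names are osquery's documented Windows tables;
-- the task name 'bacon' and the Administrators group come from the video.

-- 1. Scheduled tasks whose name contains 'bacon'
--    (SQLite LIKE is case-insensitive for ASCII, so 'Bacon' also matches).
SELECT name, path, action, enabled, hidden, last_run_time, next_run_time
FROM scheduled_tasks
WHERE name LIKE '%bacon%';

-- 2. Direct members of the local Administrators group, by joining the
--    users, groups and user_groups tables. Matching on the well-known
--    SID S-1-5-32-544 rather than the group name also catches the group
--    when it has been renamed or carries a localised name.
SELECT u.uid, u.username, g.groupname
FROM user_groups AS ug
JOIN users  AS u ON u.uid = ug.uid
JOIN groups AS g ON g.gid = ug.gid
WHERE g.group_sid = 'S-1-5-32-544'
ORDER BY u.username;

-- 3. Point-in-time check that the log collection agent is running and
--    set to start automatically. Service name 'winlogbeat' is assumed;
--    adjust it to the name the agent registers under in your estate.
--    Any host that returns a row has a stopped or disabled agent.
SELECT name, display_name, status, start_type, path
FROM services
WHERE name = 'winlogbeat'
  AND (status != 'RUNNING' OR start_type != 'AUTO_START');
```

Running query 2 on a schedule and comparing consecutive results, as the video's closing remarks suggest for the osquery daemon, turns the membership list into a change alert without any event logging.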
Info
Channel: Attack Detect Defend
Views: 2,687
Id: fYLjEs4oKKs
Length: 9min 3sec (543 seconds)
Published: Tue Dec 07 2021