Vulnerability management is the end-to-end process of identifying vulnerabilities, assessing their risk to an organisation, and remediating or mitigating the vulnerability. There are several proprietary vulnerability scanners in the market, and to make matters more complicated, organisations typically deploy seven different security appliances as part of their overall defence program [1]. Instead of purchasing another appliance, organisations should take advantage of the capabilities already available in existing toolsets, such as querying languages.

A growing trend in the Managed Defence and Response (MDR) world is the use of querying languages such as OSQuery in MDR platforms. OSQuery is straightforward to deploy, is compatible with Windows, MacOS, Linux, and FreeBSD, and crafting queries requires only limited knowledge of SQL.

In this article, we will examine the use of OSQuery in being able to do the following, on predominantly Windows systems:
- General Operating System (OS) Enumeration
- Identifying Potentially Unwanted Programs

As a quick primer before we jump into the queries, OSQuery works by treating the target computer as a relational database. The tables defined by OSQuery's schema represent core operating system concepts, which is why we can use SQL queries to pull that data out for us to analyse. For example, if you wanted to query for all currently running processes, you would use OSQuery's 'processes' table.

For more information, you can find the SQL explanation here, and the full list of OSQuery tables here.

OSQuery is pretty particular with the type of apostrophes used too; if you are given an error with any of the queries below, be sure to check this syntax.

There are some simple OSQuery commands you can run to get a better idea of your environment. These queries can provide some quick wins to determine whether malicious actors are already in your network.

The output of the following command will demonstrate whether endpoints have recently been patched, are running an outdated version, or are running an unsupported operating system (such as Windows Server 2003 or Windows 7).

All OS Types: SELECT name, version, major, minor, patch, build FROM os_version

To obtain more details on what patches have been implemented throughout Windows endpoints, use the 'patches' table; this will determine if any recent patches have not been installed yet.

Windows: SELECT hotfix_id, installed_on, caption FROM patches

Next, we can run the following commands to check who is currently logged in, and what user accounts exist on the endpoint.

All OS Types: SELECT type, user, tty, host FROM logged_in_users

All OS Types: SELECT uid, gid, username, description, directory, shell FROM users

This might be useful to check if accounts have been disabled once employees leave the company, or to identify unknown user accounts that require further investigation.

As part of routine account auditing, it would be beneficial to know what user accounts have been granted administrative access, or if a privileged account has been created to maintain persistence. In Windows, this is determined by whether the user is a member of the group with group ID 544; in Linux it is group ID 27, and on macOS it is 80.

Windows: SELECT users.uid, users.username, users.shell, users.type FROM user_groups INNER JOIN users ON user_groups.uid = users.uid WHERE user_groups.gid = 544

In the event that a user logs off or restarts their computer, the adversary will maintain access, or in other words, persistence, to the system. With even the most common intrusions, the adversary will create their own service to execute malicious commands or software. Generally, adversaries want their malware to run as soon as the service starts, to reduce the amount of noise being produced on the system. By running the below query, we can identify if such a malicious service was installed:

Windows: SELECT name, display_name, status, path, user_account FROM services WHERE start_type = 'AUTO_START' AND path NOT LIKE '%System32\svchost.exe%'
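To show how the account-audit and service-persistence queries above behave on actual rows, here is an added Python example; it is not from the original article and is not osquery's own code. osquery is built on SQLite, so the same SQL can be run offline against an in-memory sqlite3 database seeded with constructed rows shaped like osquery's services, users and user_groups tables. Every row is made up for illustration (the UpdaterSvc service and the svc_backup account included), and the ADMIN_GID mapping is an added generalisation that parameterises the article's 544/27/80 group IDs so the admin-membership query covers all three platforms rather than Windows only.

```python
import sqlite3

# CONSTRUCTED sample rows shaped like osquery's `services`, `users` and
# `user_groups` tables (only the columns the article's queries need).
SERVICES = [
    # name, display_name, status, path, user_account, start_type
    ("Dhcp", "DHCP Client", "RUNNING",
     r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
     r"NT AUTHORITY\LocalService", "AUTO_START"),
    ("WinDefend", "Microsoft Defender Antivirus Service", "RUNNING",
     r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "LocalSystem", "AUTO_START"),
    ("Spooler", "Print Spooler", "STOPPED",
     r"C:\Windows\System32\spoolsv.exe", "LocalSystem", "DEMAND_START"),
    # constructed: an auto-start service running from an unusual location
    ("UpdaterSvc", "System Updater", "RUNNING",
     r"C:\Users\Public\Libraries\update.exe", "LocalSystem", "AUTO_START"),
]
USERS = [
    # uid, gid, username, description, directory, shell, type
    (500, 513, "Administrator", "Built-in administrator", r"C:\Users\Administrator",
     r"C:\Windows\system32\cmd.exe", "local"),
    (1001, 513, "jsmith", "Jane Smith", r"C:\Users\jsmith",
     r"C:\Windows\system32\cmd.exe", "local"),
    # constructed: an account that should not be in the administrators group
    (1002, 513, "svc_backup", "", r"C:\Users\svc_backup",
     r"C:\Windows\system32\cmd.exe", "local"),
]
USER_GROUPS = [(500, 544), (500, 513), (1001, 513), (1002, 513), (1002, 544)]

# Administrators group IDs as given in the article, keyed by osquery platform
# name (assumption: the mapping itself is added here, not osquery's).
ADMIN_GID = {"windows": 544, "linux": 27, "darwin": 80}


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE services (name TEXT, display_name TEXT, status TEXT,
                               path TEXT, user_account TEXT, start_type TEXT);
        CREATE TABLE users (uid INTEGER, gid INTEGER, username TEXT, description TEXT,
                            directory TEXT, shell TEXT, type TEXT);
        CREATE TABLE user_groups (uid INTEGER, gid INTEGER);
    """)
    conn.executemany("INSERT INTO services VALUES (?, ?, ?, ?, ?, ?)", SERVICES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)", USER_GROUPS)
    conn.commit()
    return conn


def suspicious_autostart_services(conn):
    """The article's persistence query: auto-start services whose binary is not
    hosted by svchost.exe. Returns (name, display_name, status, path, user_account)."""
    sql = r"""
        SELECT name, display_name, status, path, user_account FROM services
        WHERE start_type = 'AUTO_START' AND path NOT LIKE '%System32\svchost.exe%'
    """
    return conn.execute(sql).fetchall()


def admin_accounts(conn, platform="windows"):
    """The article's admin-group join, with the group ID chosen per platform.
    Returns the member usernames, sorted for stable output."""
    sql = """
        SELECT users.uid, users.username, users.shell, users.type
        FROM user_groups INNER JOIN users ON user_groups.uid = users.uid
        WHERE user_groups.gid = ?
    """
    rows = conn.execute(sql, (ADMIN_GID[platform],)).fetchall()
    return sorted(row[1] for row in rows)


if __name__ == "__main__":
    db = build_db()
    print("Auto-start services not hosted by svchost.exe:")
    for name, display, status, path, account in suspicious_autostart_services(db):
        print(f"  {name:<12} {status:<8} {account:<26} {path}")
    print("Administrators group members (Windows, gid 544):",
          ", ".join(admin_accounts(db, "windows")))
```

Both queries return candidates, not verdicts: WinDefend is a legitimate auto-start service that is not svchost-hosted, so in practice the output is diffed against a baseline of known services and known administrators rather than read as a list of compromises. SQLite's LIKE is case-insensitive for ASCII, which is why the lower-case `system32\svchost.exe` path is excluded too; the filter only tests for that substring, so it narrows the list rather than certifying what remains.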