Detecting compromise on Windows endpoints with osquery
Nick Anderson
Security Engineer
Get-Host
• Nick Anderson
• Security Engineer at Facebook
• thor@fb.com
• Super legit, not an alias
• Github - github.com/muffins
• Twitter - twitter.com/poppyseedplehzr
• twitter.com/osquery is much more interesting
Schedule
• Intro and Background
• Osquery crash course
• Configuration and deployment
• Detection use cases
• Conclusion and questions
What is osquery
• FOSS host based IDS agent
• Built at Facebook for Facebook systems
• Not much for POSIX back in 2012
• Must run on many systems
• Abstracts OS as a SQL database
• SQLite
• Native statically linked binary
• Shell vs daemon components
• Grants "Snapshot view" of OS state
• "Show me all scheduled tasks in my fleet"
• Data is state + time focused
• Detect deviations in enterprise
• Breadth of Detection vs Depth
Porting to Windows
• What about COTS?
• Infra already established for scaling
• Why not WMI?
• Required cross-platform agent
• "One query to ask them all"
• Osquery has so much more to offer
• Expose WMI compatibility layer
• Rich data vs performance
osqueryi
C:\Users\Nick
λ osqueryi
Using a virtual database. Need help, type '.help'
osquery> .tables
  => appcompat_shims
  => arp_cache
  => autoexec
  => carbon_black_info
  => carves
  => certificates
  => chocolatey_packages
osquery> select name, pid from processes limit 1;
+---------------------+-----+
| name                | pid |
+---------------------+-----+
| System Idle Process | 0   |
+---------------------+-----+
osquery> select p.pid, p.name, lp.port, lp.address from
processes p, listening_ports lp where lp.pid = p.pid limit 5;
+------+-------------+------+---------+
| pid  | name        | port | address |
+------+-------------+------+---------+
| 920  | svchost.exe | 135  | 0.0.0.0 |
| 4    | System      | 445  | 0.0.0.0 |
| 516  | wininit.exe | 1536 | 0.0.0.0 |
| 1292 | svchost.exe | 1537 | 0.0.0.0 |
| 1236 | svchost.exe | 1538 | 0.0.0.0 |
+------+-------------+------+---------+
osquery> select f.filename, h.md5 as file_md5 from file f, hash h where
h.path = f.path and f.path like 'C:\Users\Nick\Desktop\%' limit 5;
+------------------------+----------------------------------+
| filename               | file_md5                         |
+------------------------+----------------------------------+
| CCL_Invoice_003022.pdf | dd3e72b01b545f0b36359d5477f1e094 |
| client.png             | 78bda620715bcdfe1f5809f5d25d028b |
| desktop.ini            | 9e36cc3537ee9ee1e3b10fa4e761045b |
| flareon4_writeups.md   | cbe90f8119536ca8a6a13d5daa229844 |
| interviewing_advice.md | e51c462465edf91383699dc1fc5bd46d |
+------------------------+----------------------------------+
osquery> select name, data from registry where key =
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
+---------------------+--------------------------------------------------------------+
| name                | data                                                         |
+---------------------+--------------------------------------------------------------+
| SecurityHealth      | %ProgramFiles%\Windows Defender\MSASCuiL.exe                 |
| VMware User Process | "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr |
+---------------------+--------------------------------------------------------------+
osquery> .mode line
osquery> select key, name, data from registry where key like
'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
 key = HKEY_USERS\S-1-5-21-3535526762-2088972459-3486670382-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
name = totally legit
data = C:\Windows\temp\dolphin_not_virus.exe
…
osquery> select r.data, h.md5 from registry r, hash h where key like
'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and h.path = r.data;
+---------------------------------------+----------------------------------+
| data                                  | md5                              |
+---------------------------------------+----------------------------------+
| C:\Windows\temp\dolphin_not_virus.exe | 13974cbf51996ab168c12d662fb3bfb7 |
+---------------------------------------+----------------------------------+
Scheduled queries and osqueryd

osqueryd
• Daemon agent vs CLI shell
• SYSTEM level service
• Executes queries at scheduled intervals
• Logs changes between queries
• Highly configurable

Query packs
"rpc_services": {
  "query": "select name, status, path from services where name like '%rpc%' limit 1;"
  …
  "interval" : "60",
  "description" : "RPC Services in our enterprise",
  …
},
Scheduled Queries
Timeline: rpc_services runs at t1 and again at t2 ("interval" : "60").
Results log:
{ "name":"rpc_services", "hostIdentifier":"devbox", … "decorations": {
"host_uuid":"65694D56-6BD1-CA97-DCF9-AA673CB88E8B", "username":"Nick" },
"columns":{ "name":"rpcapd", "status":"STOPPED" }, "action":"added", … }
… <t2 execution, no new results> …
Query packs
"rpc_services": {
  "query": "select name, status, path from services where name like '%rpc%' limit 1;"
  …
  "snapshot" : true,
  "interval" : "60",
  "description" : "RPC Services in our enterprise",
  …
},
Scheduled Queries
Timeline: rpc_services runs at t1 and again at t2.
Results log:
{"snapshot":[{"name":"rpcapd","status":"STOPPED"}],"action":"snapshot",
"name":"rpc_services","hostIdentifier":"devbox","decorations":{…}}
{"snapshot":[{"name":"rpcapd","status":"STOPPED"}],"action":"snapshot",
"name":"rpc_services","hostIdentifier":"devbox","decorations":{…}}
...
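The two record shapes above (a differential record with one row under "columns" and an "action" of added/removed, and a snapshot record with the whole result set under "snapshot") are what a detection pipeline consumes from osqueryd's results log. The following Python is an added example, not code from the talk or the osquery project. It assumes a scheduled query named user_run_keys (a hypothetical name) that selects key, name, data from the registry table for the HKEY_USERS Run keys, as in the osqueryi session earlier, and it applies one rule: flag an autostart whose program lives in a temp directory. The directory list and the log lines are this example's own constructions, seeded by the deck's C:\Windows\temp\dolphin_not_virus.exe.

```python
import json

# Added example, not from the talk or the osquery project. It consumes the
# newline-delimited JSON that osqueryd writes to its results log.
#
# Assumptions (not on the slides): a scheduled query named "user_run_keys"
# that selects key, name, data from the registry table for the HKEY_USERS
# ...\CurrentVersion\Run keys, and the directory list below.

# An autostart that points into one of these is worth a look. The list is
# this example's own; compared lower-cased, with a substring match so the
# per-user AppData\Local\Temp entry works for any user profile.
SUSPECT_DIRS = (
    "c:\\windows\\temp\\",
    "c:\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "%temp%\\",
)


def executable_path(data):
    r"""Return the program path from a Run value, dropping quotes and arguments.

    '"C:\Program Files\VMware\vmtoolsd.exe" -n vmusr' -> 'C:\Program Files\VMware\vmtoolsd.exe'
    'C:\Windows\temp\a.exe /q' -> 'C:\Windows\temp\a.exe'
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_suspect_autorun(data):
    """True when the Run value's program lives under a SUSPECT_DIRS entry."""
    path = executable_path(data).lower()
    return any(d in path for d in SUSPECT_DIRS)


# Scheduled-query name -> predicate over one result row. Only one rule here.
RULES = {"user_run_keys": lambda row: is_suspect_autorun(row.get("data", ""))}


def alerts_from_log(lines):
    """Yield one alert per suspicious row in osqueryd result-log lines.

    A differential record carries a single row under "columns" with
    "action" added or removed; a snapshot record carries the full result
    set under "snapshot". Removed rows are skipped: the autostart is gone,
    and the earlier "added" record for it is already in the log.
    """
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        name = rec.get("name", "").strip()
        rule = RULES.get(name)
        if rule is None:
            continue
        if rec.get("action") == "added":
            rows = [rec["columns"]]
        elif rec.get("action") == "snapshot":
            rows = rec.get("snapshot", [])
        else:
            continue
        for row in rows:
            if rule(row):
                yield {
                    "host": rec.get("hostIdentifier"),
                    "query": name,
                    "action": rec["action"],
                    "key": row.get("key"),
                    "value_name": row.get("name"),
                    "path": executable_path(row.get("data", "")),
                }


RUN_KEY = r"HKEY_USERS\S-1-5-21-1-1-1-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VMWARE = r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'
DOLPHIN = r"C:\Windows\temp\dolphin_not_virus.exe"

# Constructed sample log lines (not real osqueryd output), shaped like the
# differential and snapshot records shown on the slides.
SAMPLE_LOG = [
    json.dumps({"name": "user_run_keys", "hostIdentifier": "devbox", "action": "added",
                "columns": {"key": RUN_KEY, "name": "totally legit", "data": DOLPHIN}}),
    json.dumps({"name": "user_run_keys", "hostIdentifier": "devbox", "action": "added",
                "columns": {"key": RUN_KEY, "name": "VMware User Process", "data": VMWARE}}),
    json.dumps({"name": "user_run_keys", "hostIdentifier": "devbox", "action": "removed",
                "columns": {"key": RUN_KEY, "name": "totally legit", "data": DOLPHIN}}),
    json.dumps({"name": "user_run_keys", "hostIdentifier": "devbox", "action": "snapshot",
                "snapshot": [{"key": RUN_KEY, "name": "VMware User Process", "data": VMWARE},
                             {"key": RUN_KEY, "name": "totally legit", "data": DOLPHIN}]}),
    json.dumps({"name": "rpc_services", "hostIdentifier": "devbox", "action": "snapshot",
                "snapshot": [{"name": "rpcapd", "status": "STOPPED"}]}),
]


def run_sample():
    return list(alerts_from_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it against the sample yields two alerts for the same autostart: one from the differential "added" record and one from the later snapshot, while the "removed" record and the rpc_services snapshot (no rule) produce nothing. In a fleet pipeline the differential path is the cheap one; the snapshot path is what lets you re-evaluate a rule you wrote after the fact against current state.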
Scheduled Queries
Timeline: Threat_intel_query runs at t1 and again at t2. Between those two runs an infection occurs at p1 and the service it left behind is deleted/modified at p2, so neither scheduled execution ever observes the change.
Event-based queries
Timeline: events are written to osquery.db as they happen, so the infection at p1 and the service deleted/modified at p2 are buffered on the host; Event_based_query, run at t1 and again at t2, returns the events recorded since its previous run rather than only what is visible at query time.
Event based queries
C:\Users\Nick
λ osqueryi --nodisable_events --windows_event_channels="System,Security,Microsoft-Windows-PowerShell/Operational"
Using a virtual database. Need help, type '.help'
osquery> select time, eventid, source, data from windows_events where eventid = 4104;
   time = 1508904136
eventid = 4104
 source = Microsoft-Windows-PowerShell/Operational
   data = {"EventData":{"MessageNumber":"1","MessageTotal":"1","Path":"C:\\Users\\Nick\\Documents\\WindowsPowerShell\\Modules\\posh-git\\GitTabExpansion.ps1","ScriptBlockId":"0bf6389f-d4af-46fc-97ff-9069fb22fc3b","ScriptBlockText":"# Initial implementation by Jeremy Skinner\r\n# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/\r\n\r\n$Global:GitTabSettings = New-Object PSObject -Property @{\r\n …
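The slide shows the easy case: MessageNumber 1 of MessageTotal 1. A script block longer than the channel's message limit is logged as several 4104 events that share one ScriptBlockId, and a pattern you search for can straddle two of them. The Python below is an added example (not code from the talk or from osquery) that takes windows_events-shaped rows, groups the fragments by ScriptBlockId, and only returns blocks whose fragments are all present, so a match never runs against half a script. The Path field is empty for interactive or inline input. The rows, script block IDs and script text are constructed for the example.

```python
import json
from collections import defaultdict

# Added example, not from the talk. Reassembles PowerShell script blocks from
# osquery windows_events rows (channel Microsoft-Windows-PowerShell/Operational,
# event 4104). Field names follow the EventData shown in the slide's data column.


def event_data(row):
    """Return the EventData dict from a windows_events row's JSON `data` column."""
    return json.loads(row["data"])["EventData"]


def reassemble_script_blocks(rows):
    """Join 4104 fragments that share a ScriptBlockId into whole script blocks.

    Returns {script_block_id: {"path": ..., "time": ..., "text": ...}} for
    every block whose MessageNumber 1..MessageTotal are all present. Blocks
    with missing fragments are left out rather than returned truncated.
    """
    fragments = defaultdict(dict)   # ScriptBlockId -> {MessageNumber: text}
    info = {}                       # ScriptBlockId -> path, earliest time, total
    for row in rows:
        if int(row["eventid"]) != 4104:
            continue
        ev = event_data(row)
        sbid = ev["ScriptBlockId"]
        fragments[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        meta = info.setdefault(sbid, {
            "path": ev.get("Path", ""),   # empty for interactive/inline input
            "time": int(row["time"]),
            "total": int(ev["MessageTotal"]),
        })
        meta["time"] = min(meta["time"], int(row["time"]))

    complete = {}
    for sbid, parts in fragments.items():
        total = info[sbid]["total"]
        if set(parts) != set(range(1, total + 1)):
            continue
        complete[sbid] = {
            "path": info[sbid]["path"],
            "time": info[sbid]["time"],
            "text": "".join(parts[n] for n in range(1, total + 1)),
        }
    return complete


def blocks_containing(blocks, needle):
    """IDs of reassembled blocks whose text contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return sorted(sbid for sbid, b in blocks.items() if needle in b["text"].lower())


def _row(time, sbid, number, total, text, path=""):
    """Build a constructed windows_events-shaped row for the sample below."""
    return {
        "time": time,
        "eventid": 4104,
        "source": "Microsoft-Windows-PowerShell/Operational",
        "data": json.dumps({"EventData": {
            "MessageNumber": str(number), "MessageTotal": str(total),
            "Path": path, "ScriptBlockId": sbid, "ScriptBlockText": text,
        }}),
    }


# Constructed sample (not real log data): a 1-of-1 block, a 2-part block whose
# fragments arrive out of order and split "Get-Content" across the boundary,
# and a block with its second fragment missing.
SAMPLE_ROWS = [
    _row(1508904136, "aaaa-0001", 1, 1, "Get-ChildItem $env:TEMP\r\n", r"C:\Users\Nick\list.ps1"),
    _row(1508904201, "bbbb-0002", 2, 2, "Content -Path $p | Invoke-Expression\r\n"),
    _row(1508904200, "bbbb-0002", 1, 2, "$p = 'C:\\Windows\\temp\\x.txt'\r\nGet-"),
    _row(1508904300, "cccc-0003", 1, 2, "Start-Process notepad\r\n"),
]


def run_sample():
    return reassemble_script_blocks(SAMPLE_ROWS)


if __name__ == "__main__":
    for sbid, block in run_sample().items():
        print(sbid, block["path"] or "<inline>", repr(block["text"]))
    print("Get-Content seen in:", blocks_containing(run_sample(), "Get-Content"))
```

Searching the raw fragments for "Get-Content" finds nothing, because the name is split across the two events; the reassembled block matches. Keying on ScriptBlockId rather than on adjacency matters because the fragments need not be adjacent in the log once several scripts run at once.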
osqueryd at scale
(diagram: User Laptops running osqueryd provision against graph.facebook.com, which is backed by the Config Store and the Enrollment db)

osqueryd – Logging
(diagram: User Laptops log to graph.facebook.com, which feeds Detection Magic)
Response features

File Carving
osquery> select * from carves where carve = 1 and path =
'C:\Windows\temp\dolphin_not_virus.exe';
osquery> select * from carves where carve = 1 and path like
'C:\Users\%\Desktop\%';
(diagram: User Laptops, temp block cache, graph.facebook.com, Encrypted store)
On-demand osquery
(diagram: graph.facebook.com, on-demand query store, User Laptops)
select identifier from chrome_extensions limit 1;
uuid = '90EE3116-01C4-5B92-9A95-C77B4303BB84'
+----------------------------------+
| identifier                       |
+----------------------------------+
| aohghmighlieiainnegkcijnfilokake |
+----------------------------------+
Where we are
• 1+ year ago
• Unified results data for all platforms
• Agnostic queries against our full enterprise
• Numerous Windows specific wins

WEL (Windows Event Log) Secure Auditing
• Numerous guides online for secure GPO
• Turn these on full blast because unlimited storage
• Spend weeks playing with all of your shiny data
• Find all the evil
Stories

System Process Auditing
(screenshots: Filter proc starts; Process Info; Process cmdline)

Local User Added to Admins
(screenshots: Local user created; Wat.; Tracks users added to groups; Target group / User to add / Who dunnit)
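The slides for this story are screenshots and name no event ID. As an added example (not the talk's code), assuming the Security channel is in --windows_event_channels as in the osqueryi session earlier, the Python below pulls the three fields the slide calls out (target group, user to add, who dunnit) out of Security event 4732, "A member was added to a security-enabled local group", which is the event Windows records for that action. It matches the Administrators group by its well-known SID so a renamed or localized group does not slip past, and falls back to MemberSid when the event carries MemberName as "-", which is how local accounts usually appear. The rows, SIDs and account names are constructed for the example.

```python
import json

# Added example, not from the talk. Reads Security-log rows through the shape
# of osquery's windows_events table (time, eventid, source, data).

# Well-known SID of the local Administrators group; matching on it instead of
# the name survives renamed or localized groups.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"
EVENT_MEMBER_ADDED_TO_LOCAL_GROUP = 4732


def group_additions(rows):
    """Extract (target group, member added, actor) from every 4732 row.

    For local accounts the event frequently carries MemberName as "-" and
    identifies the member only by MemberSid, so the SID is used then.
    """
    out = []
    for row in rows:
        if int(row["eventid"]) != EVENT_MEMBER_ADDED_TO_LOCAL_GROUP:
            continue
        ev = json.loads(row["data"])["EventData"]
        member = ev.get("MemberName", "-")
        if member in ("", "-"):
            member = ev.get("MemberSid", "?")
        out.append({
            "time": int(row["time"]),
            "group": ev.get("TargetUserName"),          # target group
            "group_sid": ev.get("TargetSid"),
            "member": member,                           # user to add
            "actor": "{}\\{}".format(ev.get("SubjectDomainName", ""),
                                     ev.get("SubjectUserName", "")),  # who dunnit
        })
    return out


def admin_additions(rows):
    """Only the additions whose target group is BUILTIN\\Administrators."""
    return [a for a in group_additions(rows)
            if a["group_sid"] == BUILTIN_ADMINISTRATORS_SID]


def _row(time, eventid, event_data):
    """Build a constructed windows_events-shaped Security row for the sample."""
    return {"time": time, "eventid": eventid, "source": "Security",
            "data": json.dumps({"EventData": event_data})}


# Constructed sample rows (not real log data). The first mirrors the slide's
# "Local user created" step (event 4720) and is ignored here; the second adds
# that local account to Administrators, identified by SID only; the third is
# an addition to a non-admin group.
SAMPLE_ROWS = [
    _row(1508904500, 4720, {"TargetUserName": "backup2", "TargetSid": "S-1-5-21-1-1-1-1005",
                            "SubjectUserName": "nick", "SubjectDomainName": "DEVBOX"}),
    _row(1508904510, 4732, {"MemberName": "-", "MemberSid": "S-1-5-21-1-1-1-1005",
                            "TargetUserName": "Administrators", "TargetDomainName": "Builtin",
                            "TargetSid": "S-1-5-32-544",
                            "SubjectUserName": "nick", "SubjectDomainName": "DEVBOX"}),
    _row(1508904520, 4732, {"MemberName": "DEVBOX\\helpdesk", "MemberSid": "S-1-5-21-1-1-1-1010",
                            "TargetUserName": "Remote Desktop Users", "TargetDomainName": "Builtin",
                            "TargetSid": "S-1-5-32-555",
                            "SubjectUserName": "nick", "SubjectDomainName": "DEVBOX"}),
]


def run_sample():
    return admin_additions(SAMPLE_ROWS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["group"], a["member"], a["actor"])
```

The member SID can be turned back into a name on the same host with osquery's users table, whose uuid column holds the account SID on Windows, which also lets you tie the addition back to the 4720 creation event the slide shows one step earlier.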
USB File Audits
(screenshots only)

Powershell
(screenshots only)
Call to Action
Let's leverage open source communities to build use cases for detecting compromise beyond exploitation
Community
Use case from Community
• Open Source Mentorship Program
• Universities and Students
• Engage more open source contributors
• Foster better open source community
Thanks! -- Questions?
• osquery
• github.com/facebook/osquery
• twitter.com/osquery
• osquery.slack.com
• thor
• thor@fb.com
• Twitter.com/poppyseedplehzr
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery

 
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
 
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure ADBlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
BlueHat Seattle 2019 || I'm in your cloud: A year of hacking Azure AD
 
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR InvestigationsBlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
BlueHat Seattle 2019 || Autopsies of Recent DFIR Investigations
 
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
BlueHat Seattle 2019 || The good, the bad & the ugly of ML based approaches f...
 
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
BlueHat Seattle 2019 || Are We There Yet: Why Does Application Security Take ...
 
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
BlueHat Seattle 2019 || Building Secure Machine Learning Pipelines: Security ...
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
 
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzingBlueHat v18 || WSL reloaded - Let's try to do better fuzzing
BlueHat v18 || WSL reloaded - Let's try to do better fuzzing
 
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxyBlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
BlueHat v18 || The hitchhiker's guide to north korea's malware galaxy
 
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windowsBlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
BlueHat v18 || Retpoline - the anti-spectre (type 2) mitigation in windows
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without device
 
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
BlueHat v18 || Modern day entomology - examining the inner workings of the bu...
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 

Último

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Último (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery

Editor's notes

  1. *
  2. Talk about yourself a bit
  3. Cover what we’re going to talk about and our roadmap
  4. Agent built by Facebook to provide security and telemetry data for production systems, both CentOS and MacOS. Treat the OS like a SQL table, and query different OS constructs. Single binary, statically linked to ease dependency maintenance; also provides a standalone CLI utility.
  5. Gives a high level, over-arching state of the operating system. State and time focused data. Talk doesn’t emphasize low level techniques: not finding ROP in memory (yet ;)). Focus is on detecting compromise post exploitation. Build detection layers and seek compromised behavior.
  6. Focus here on why this was ported to Windows. Sell, sell, sell. Osquery gives much more capability than WMI.
  7. Now let’s dive into the CLI utility. While this isn’t a driving component of osquery, I still find it super useful. Very nifty for prototyping scheduled queries; handy in triaging system state (netstat example).
  8. Launching the shell. Similarity to the sqlite shell.
  9. OS constructs are grouped and abstracted behind tables. Can select from attributes relating to the construct: pid, name, path, etc. can all be queried against.
  10. The real power of osquery shows up when you start joining the different tables. Here we take our processes table from the first query, and we join it against our listening ports table, which only contains the pi
  11. This gives us a view of processes with listening ports on the system.
  12. Make sure to mention globbing. We have a table for taking crypto digests of files; it cannot be directly queried against, but you can pass it paths from other tables.
  13. Imagine this data being auto-cross referenced against something like VT or your internal IoC databases.
  14. One of the more powerful tables on Windows is the registry table. Abstracted the entire registry hive behind SQL tables. Can specify different hives and key paths.
  15. Continuing these feature sets, we brought globbing to the system registry.
  16. We can glob all user registry hives.
  17. And then pass this data to the hashes table we saw before.
  18. Prototyping with the shell. How do we run these prototyped queries periodically?
  19. The daemon is the primary component deployed. While the shell is great for prototyping queries and querying the system state, the daemon runs as a background service. Executes configured queries at a specific time interval. Logs the differentials of results by default: shows results that have been added or removed. Large number of configuration options; allows one to turn off features they’re not interested in or do not want.
  20. Given all of the shell work, packs organize our queries. These are consumed by the daemon.
  21. At a high level this is what scheduled queries look like. We execute at the specified time interval.
  22. Let’s walk through this. Looking at that data, at time t1 we execute.
  23. The data here gets reported to our results log. Decorations: host uuid; this data gets ‘decorated’ onto all of our results. Action: added; this can also be “removed”. This is an illustration of differentials.
  24. The differential component is that at t2 we don’t record anything new.
  25. Change our query pack to be snapshot.
  26. The differential component is that at t2 we don’t record anything new.
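The t1/t2 walkthrough above, as an added Python example (not osquery's own code): a scheduled query is run three times over constructed processes/listening_ports rows, and each run emits either the differential (added/removed rows, nothing when the result set is unchanged) or, with snapshot on, the full result set. The host_uuid decoration value and the result rows are constructed placeholders, and the record shape approximates osquery's results log.

```python
import json

# Constructed decoration, standing in for the host uuid the talk decorates
# onto every result; the value is a placeholder, not a real host.
DECORATIONS = {"host_uuid": "PLACEHOLDER-HOST-UUID"}


def _row_key(row):
    """Differentials are keyed on the whole row, so any changed column
    shows up as one "removed" and one "added" record."""
    return tuple(sorted(row.items()))


def differential(previous, current):
    """Rows that appeared or disappeared between two runs of the same query."""
    before = {_row_key(r): r for r in previous}
    after = {_row_key(r): r for r in current}
    added = [{"action": "added", "columns": after[k]} for k in after if k not in before]
    removed = [{"action": "removed", "columns": before[k]} for k in before if k not in after]
    return added + removed


def log_run(name, unix_time, previous, current, snapshot=False):
    """Result-log records one scheduled execution emits. In snapshot mode the
    whole result set goes out every interval; otherwise only the differential,
    which is why an unchanged result set at t2 logs nothing."""
    if snapshot:
        return [{"name": name, "unixTime": unix_time, "action": "snapshot",
                 "decorations": DECORATIONS, "snapshot": list(current)}]
    return [{"name": name, "unixTime": unix_time, "decorations": DECORATIONS, **rec}
            for rec in differential(previous, current)]


# Constructed result sets for the processes/listening_ports join at t1..t3.
T1 = [{"pid": "4", "name": "System", "port": "445", "address": "0.0.0.0"},
      {"pid": "1204", "name": "svchost.exe", "port": "135", "address": "0.0.0.0"}]
T2 = list(T1)                                                  # nothing changed at t2
T3 = T1 + [{"pid": "6677", "name": "newlistener.exe", "port": "8081", "address": "0.0.0.0"}]


def timeline(snapshot=False):
    """Run the scheduled query three times and collect what each run logs."""
    runs, previous = [], []
    for t, rows in ((1, T1), (2, T2), (3, T3)):
        runs.append(log_run("listening_ports", t, previous, rows, snapshot=snapshot))
        previous = rows
    return runs


if __name__ == "__main__":
    for records in timeline():
        for rec in records:
            print(json.dumps(rec))
```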
  27. You might’ve noticed a potential issue. Consider a scenario with scheduled queries.
  28. At p1, the infection happens.
  29. At p2 our intel is dated, and threat intel isn’t going to catch it.
  30. Eventing solves this issue by “flight recording”. Records events in the DB via pub/subs.
  31. Similar to before, let’s consider an execution flow. This time we’ll cache events as they happen into our RocksDB.
  32. At time t1, we’ll execute our scheduled query. We won’t get any data, because nothing has happened yet.
  33. Now, at p1, when the infection occurs we’ll cache that event via a pub/sub model.
  34. We also potentially catch the “change” where the malware is attempting to hide.
  35. Lastly we query against the database and get any events that have transpired.
  36. Let’s look at event based queries in action.
  37. Then we trigger some events and see our event data happening. In this example we’ve turned on PowerShell script block logging, and we’re seeing a script block of PowerShell.
  38. With the nuances of osqueryd covered: how do we configure and deploy osquery? How do we get logs back?
  39. Provision with Chef at FB; Puppet, SCCM, whatever you like. Packages hosted in Chocolatey; MSI coming soon! <3 Chef configures client boxes with certs and tokens.
  40. At a high level, our configuration consists of these three parts: a Graph API endpoint, a configuration store, an enrollment store. Endpoints.
  41. User laptops hit our Graph API endpoint. Can happen anywhere they have internet. Happens over TLS with pinned certs provisioned from Chef. The Graph API verifies the enrollment of the nodes.
  42. Logging happens in somewhat of a similar fashion.
  43. The endpoints write their data to the Graph API endpoint. Again this is pretty awesome, as we don’t need them to be on the corp VPN to get our data. Data flows from the Graph API endpoint (again after enrollment verification) to a series of detection tubes. Once we’ve escalated things correctly and done some decoration of the data, we drop this into a long term “infinite” store.
  44. Whew. That was a lot. Now that we’ve gone over what an osquery configuration and deployment looks like, let’s take a quick look at some of the more advanced osquery feature sets.
  45. One of the features we get asked for quite a bit is the ability to take action. It’s something of a motto for us that we’ll never alter system state. There’s one new exception to that rule, and whether or not it “alters” is debatable imo ;)
  46. We have a feature we call the “Carver”. This allows one to remotely pull files from systems running osquery. Disabled by default. Query against a table; the table itself is metadata.
  47. Similar to before, globbing can be used with carves. If we wanted to always grab all files off of a desktop we could.
  48. High level configuration of carve. Uses ODOS (we talk about this shortly). Requires MORE TLS endpoints. User laptop gets the path, TARs everything up.
  49. The tar is “chunked” and fired off to the TLS endpoints. Blocks are stored in a temp cache.
  50. Once all blocks are received, we stash these in an encrypted store. Other TLS endpoints are working to implement these; expect support for other services soon!
  51. On-demand osquery (or ODOS; we know, we’ve been through the runs with names :) ) allows you to poll a remote system in your enterprise.
  52. “Work” database. User issues queries by placing them into this DB.
  53. Laptops periodically ask for work. Get work, execute work. Results posted back and stored. This capability can go one to many.
  54. Results are then presented back to the user. This data can be decorated.
  55. Accomplished agent port. Deploying osquery on Windows: “Ask one query to rule them all”. Thousands of corp, 100s of Ks in prod. Already scaling on POSIX; Windows takes full advantage. Windows wins: registry globbing and WEL. Follow with patch compliance and vuln mgmt. Start a conversation around detection logic. Let’s ask better questions around detecting compromise.
  56. What is WEL? Why are we talking about WEL? Before we jump into use cases: WEL secure auditing empowers the WEL table.
  57. Let’s take a look at some wins. Note that all of this data is “as seen from” our back end infra. This is not osquery; this is interacting with our Hive cluster to view our “infinite” data.
  58. One of the more common suggestions for WEL secure auditing: turn on process auditing. Think about the eventing example we used prior. While we don’t have a process events table, we can view proc starts in WEL, and see the bad process starting.
  59. This image shows how we’re extracting this out. Our logging infra brings back the data as decorated JSON blobs, so we need to extract.
  60. Focus on how we’re filtering.
  61. We obtain these by filtering on EID 4688 in the Security WEL source.
  62. In particular, we get back these fields.
  63. PID, command line, the process name, as well as (potentially) the user who spawned it, …
  64. This is how our data shows up.
  65. Can see fine grained process starts and their command line. Noice.
  66. The first detection scenario we wanted to look for was “Can we see when a new local user is added to Local admins?”
  67. To get this it’s similar to the proc starts; we instead look for one of a couple of event IDs. Event ID 4720 is local users being created.
  68. To get this it’s similar to the proc starts; we instead look for one of a couple of event IDs. Event ID 4720 is local users being created.
  69. This returned a surprising number of results.
  70. Specifically they all held a similarly named pattern. Not depicted here, but these were happening *in line* with being added to the local Administrators group. We traced these down by looking for event IDs 4720 and 4735 very close to each other.
  71. Specifically they all held a similarly named pattern. Not depicted here, but these were happening *in line* with being added to the local Administrators group. We traced these down by looking for event IDs 4720 and 4735 very close to each other.
  72. Specifically they all held a similarly named pattern. Not depicted here, but these were happening *in line* with being added to the local Administrators group. We traced these down by looking for event IDs 4720 and 4735 very close to each other.
  73. Turns out that Lenovo installs a local user as a Local Admin in order to perform service updates.
  74. Turns out that Lenovo installs a local user as a Local Admin in order to perform service updates.
  75. Filtered out noisy results.
  76. Tracked explicit user group adds.
  77. First view of the data.
  78. We now have detections rolled out around local users being added to the Admins group, and we can see which accounts are responsible. This detection happens through considering multiple Event IDs in sequence. Just user adds is too noisy; just Admin adds might not be rich enough.
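The sequence detection from the last few slides as an added Python example (not the Hive SQL from the talk): it pairs a 4720 with a 4735 raised by the same creating account on the same host inside a short window, and drops the vendor-updater accounts first. The log lines are constructed in the shape of osquery windows_events results; the EventData field names follow the Windows Security event schema, while the window length and the noise-name pattern are assumptions, since the slides do not print them.

```python
import json
import re
from collections import defaultdict

# "Very close to each other" in the notes; the window length is an assumed value.
WINDOW_SECONDS = 120
# Placeholder for the vendor-updater naming pattern the talk filtered out
# (not printed on the slides); adjust to the accounts seen in your own data.
NOISE_NAME = re.compile(r"^vendor_svc_\d+$", re.IGNORECASE)


def parse_event(line):
    """Pull host, time, event id and the EventData dict out of one
    windows_events result line (JSON, with 'data' itself a JSON string)."""
    rec = json.loads(line)
    cols = rec["columns"]
    return {
        "host": rec["hostIdentifier"],
        "time": int(cols["time"]),
        "eventid": int(cols["eventid"]),
        "data": json.loads(cols["data"])["EventData"],
    }


def detect_admin_adds(lines, window=WINDOW_SECONDS):
    """One finding per non-noise 4720 (user created) whose creating account
    also changed a local group (4735) on the same host within `window` seconds.
    User adds alone are too noisy and group changes alone lack the new account
    name, which is why the two IDs are considered in sequence."""
    creates, group_changes = [], defaultdict(list)
    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev["eventid"] == 4720:
            creates.append(ev)
        elif ev["eventid"] == 4735:
            group_changes[(ev["host"], ev["data"]["SubjectUserName"])].append(ev)

    findings = []
    for c in creates:
        new_user = c["data"]["TargetUserName"]
        if NOISE_NAME.match(new_user):
            continue                      # the Lenovo-style updater accounts
        actor = c["data"]["SubjectUserName"]
        for g in group_changes[(c["host"], actor)]:
            delta = g["time"] - c["time"]
            if 0 <= delta <= window:
                findings.append({"host": c["host"], "new_user": new_user, "by": actor,
                                 "group": g["data"]["TargetUserName"],
                                 "seconds_apart": delta})
    return findings


def _line(host, time, eventid, **event_data):
    """Constructed windows_events result record, one per line, Security channel."""
    return json.dumps({
        "name": "security_events", "hostIdentifier": host, "action": "added",
        "columns": {"time": str(time), "eventid": str(eventid), "source": "Security",
                    "data": json.dumps({"EventData": event_data})},
    })


SAMPLE_LOG = "\n".join([
    # host-a: vendor updater creates its service account, then touches Administrators -> noise
    _line("host-a", 1000, 4720, TargetUserName="vendor_svc_01", SubjectUserName="SYSTEM"),
    _line("host-a", 1010, 4735, TargetUserName="Administrators", SubjectUserName="SYSTEM"),
    # host-b: a user creates an account and changes Administrators 30s later -> finding
    _line("host-b", 2000, 4720, TargetUserName="tempadmin", SubjectUserName="jdoe"),
    _line("host-b", 2030, 4735, TargetUserName="Administrators", SubjectUserName="jdoe"),
    # host-c: account created, no group change -> nothing
    _line("host-c", 3000, 4720, TargetUserName="intern", SubjectUserName="hr_admin"),
    # host-d: group change an hour after the creation -> outside the window
    _line("host-d", 4000, 4720, TargetUserName="contractor", SubjectUserName="itops"),
    _line("host-d", 7600, 4735, TargetUserName="Remote Desktop Users", SubjectUserName="itops"),
])


if __name__ == "__main__":
    for finding in detect_admin_adds(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```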
  79. With our WEL pipeline we have turned on removable device auditing. This lets us see USB devices plugged in, files written, and files read.
  80. Another wall of our SQL. This allows us to view all removable device events; let’s break this down.
  81. One of the cool features of the WEL pipeline is we can turn on PowerShell script block logging. This gives us transcriptions of PowerShell executed on clients, but it’s in blocks. You can see here ¾, but we know that we can reassemble the blocks by using the block ID, total count, and script_block_id.
  82. This is us filtering for removable device audit logs in the Security channel, looking at my particular machine.
  83. The fields we are extracting.
  84. Most of these fields are pretty straightforward: we see the device name, the user initiating the action, the process name.
  85. The access mask indicates the type of transfer. We’ll see here in a second that ‘0x2’ indicates a file was _written_.
  86. This is our generic view of the data.
  87. Emphasize the device name and the process name. We could catch any types of transfers here, not just drag and drop from Explorer.
  88. One of the cool features of the WEL pipeline is we can turn on PowerShell script block logging. This gives us transcriptions of PowerShell executed on clients, but it’s in blocks.
  89. Here’s a sample of that data.
  90. You can see here how we have the different blocks.
  91. Fellow engineer Trevor Pottinger wrote some nightly jobs to reassemble this and drop these into a new table, so now we can start hunting around for different PowerShell scripts.
  92. We started with the most obvious question: “can we find mimikatz in our network?” We staged quite a few mimikatz runs between our CERT team and myself. These all showed up.
  93. We started with the most obvious question: “can we find mimikatz in our network?” We staged quite a few mimikatz runs between our CERT team and myself. These all showed up.
  94. This found quite a few of my test cases, but also found some folks trying to make Facebook more secure 
  95. Progressing from there, we started wondering if we had seen any native Win32 API executions.
  96. This turned up numerous script runs, but after quite a bit of filtering we found some interesting scripts.
  97. This was a pretty big script, bigger than the others I had seen to this point.
  98. Turned out to be a ninja copy run, from the same person who was turning off SE-DebugPriv earlier. He generates loads of FPs 
  99. From kernel32, we checked out a few sampled API calls themselves.
  100. This actually turned up three hits. Legit hits. Looked to be some form of shellcode loader in PowerShell.
  101. Snippet closer up.
  102. Did some OS recon and found this was from the SET framework. Notified CERT, only to find these were old infections that had already been dealt with (*dang*).
  103. So, I’m very excited about scouring through our PowerShell scripts for strings. Numerous talks here and elsewhere by Lee Holmes and Daniel Bohannon (and many more I’m sure) show string matching isn’t enough. We started decomposing the PowerShell scripts in hopes of finding better patterns.
  104. Looked for really high percentage frequencies of white space characters.
  105. Here you see ~40% white space, and to the right you can see the histogram of chars.
  106. We checked out some of the higher scorers of all time. Unfortunately these looked to just be incomplete script blocks 
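Reassembly and scoring of the script-block logs, as an added Python example rather than the nightly jobs from the talk: fragments are joined by ScriptBlockId in MessageNumber order (the block ID, count and total the notes mention), incomplete scripts are reported separately so they cannot show up as high scorers, and each whole script gets the indicator-string check, the whitespace ratio and the character histogram described in the last few slides. Rows are constructed in the shape of osquery windows_events records, and the EventData names follow the Windows 4104 event schema.

```python
import json
from collections import Counter, defaultdict

INDICATORS = ("mimikatz", "kernel32")   # the strings the talk hunted for first


def reassemble(rows):
    """Join 4104 fragments by ScriptBlockId in MessageNumber order.
    Returns (complete, partial): complete maps id -> full script text,
    partial maps id -> (fragments seen, fragments expected), which is the
    3/4 situation on the slide and the source of the "incomplete" high scorers."""
    parts, totals = defaultdict(dict), {}
    for rec in rows:
        cols = rec["columns"]
        if cols.get("eventid") != "4104":
            continue
        d = json.loads(cols["data"])["EventData"]
        sbid = d["ScriptBlockId"]
        parts[sbid][int(d["MessageNumber"])] = d["ScriptBlockText"]
        totals[sbid] = int(d["MessageTotal"])
    complete, partial = {}, {}
    for sbid, chunks in parts.items():
        expected = range(1, totals[sbid] + 1)
        if all(i in chunks for i in expected):
            complete[sbid] = "".join(chunks[i] for i in expected)
        else:
            partial[sbid] = (len(chunks), totals[sbid])
    return complete, partial


def whitespace_ratio(text):
    """Fraction of whitespace characters, the feature behind the ~40% slide."""
    return sum(c.isspace() for c in text) / len(text) if text else 0.0


def score(text, indicators=INDICATORS):
    """Indicator hits, whitespace ratio and the most common characters
    (the histogram shown to the right of the slide)."""
    lowered = text.lower()
    return {
        "indicators": [i for i in indicators if i in lowered],
        "whitespace_ratio": round(whitespace_ratio(text), 3),
        "top_chars": Counter(text).most_common(3),
    }


def _row(sbid, number, total, text):
    """Constructed windows_events record carrying one 4104 fragment."""
    event_data = {"ScriptBlockId": sbid, "MessageNumber": str(number),
                  "MessageTotal": str(total), "ScriptBlockText": text}
    return {"name": "powershell_blocks", "hostIdentifier": "host-1", "action": "added",
            "columns": {"eventid": "4104",
                        "source": "Microsoft-Windows-PowerShell/Operational",
                        "data": json.dumps({"EventData": event_data})}}


SAMPLE_ROWS = [
    # two-fragment script, logged out of order, containing an indicator string
    _row("blk-a", 2, 2, "test: Invoke-Mimikatz'"),
    _row("blk-a", 1, 2, "Write-Host 'staged "),
    # single fragment padded with runs of spaces: 10 of 25 characters are whitespace
    _row("blk-b", 1, 1, "$a=1;$b=2;$c=3;" + " " * 10),
    # three of four fragments present, so it can never be scored as a whole script
    _row("blk-c", 1, 4, "param($p)"),
    _row("blk-c", 2, 4, " Get-Item $p"),
    _row("blk-c", 4, 4, " | Out-Null"),
]


def analyze(rows=SAMPLE_ROWS):
    """Reassemble, then score only the complete scripts."""
    complete, partial = reassemble(rows)
    return {sbid: score(text) for sbid, text in complete.items()}, partial


if __name__ == "__main__":
    scores, partial = analyze()
    print(json.dumps(scores, indent=2))
    print("incomplete:", partial)
```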
  107. Call to action; emphasis here on the “grow as a community” component. My hope for this talk is that you’ll be able to see us pull off some relatively advanced behavioral detections with FOSS. Potential candidates: “Let’s make open source tools and communities more robust, supported.” Through open source we can build and foster powerful relationships across company boundaries. Engaging in these communities allows us to build better tools, more robust detections, and lower the bar to entry for companies hoping to establish robust security programs.
  108. To close out, I have one last story. We have an Open Source Mentorship program at FB. Great hiring pipeline, great way to engage students. Also a great way to encourage more open source developers.
  109. We got loads of issues out of this program, which was awesome. Lots more eyes gave us much better usability. Helped us focus on barriers to entry and how we can better foster our communities.
  110. One mentee in particular, Rubab Syed: from Lahore, Pakistan, graduate student in computer sciences. Wrote a virtual table for monitoring pip managed packages on Linux. We got her to also port this to MacOS, and this was a great success for the program as she had never done OSS contribs.
  111. Then just recently, it came out that PyPI had received some masqueraded packages.
  112. Notification went out Sept 9th.
  113. We had open source query packs on September 15th. This was a bit after we had already scoured our internal network. Using Rubab’s table we were able to very quickly check our whole production and corporate environment for these packages.
  114. * Ways to get in touch with the osquery team and community