Less than a year after its release, osquery provides more than 100 different tables that inform intrusion detection, incident response, vulnerability management, and compliance efforts. The first step in taking advantage of the tool is to identify the queries for these tables that will bring the most value to your organization. This can be a difficult challenge, so we’re making it easier.
Starting today you can use query packs in osquery v1.4.5 and later. Query packs help you group queries by function or problem domain into files that are easy to download, distribute, and update. Network security monitoring has had this concept for ages (e.g., Emerging Threats), and now we’re bringing it to a free, performant host instrumentation platform.
Query packs utilize osqueryd’s existing query scheduler. As queries within the pack are executed on a defined, configurable interval, so you’ll receive data differentials and alerts for changes that matter to you.
In addition to making this feature available, we are publicly releasing many of the query packs we use internally at Facebook. We are maintaining and storing these query packs directly in osquery’s source tree on GitHub, and all of the query packs come with prebuilt osquery packages as of version 1.5.0. We encourage community members to submit queries to existing packs and to create new packs by contributing them directly to the project! The osquery team will evaluate submitted queries for quality, performance testing, and community review. We’re actively building guidelines and processes that make the query submission process as easy and transparent as possible.
Without further ado, here are a few query packs we run inside Facebook that can aid your efforts in intrusion detection, incident response, IT, compliance, vulnerability management, and more.
Queries in the incident-response pack help you detect and respond to breaches. Instead of relying on signatures, these queries holistically collect data relevant to the phases of a typical attack, including areas like exploitation, installation, command and control, and lateral movement. If the attacker persists via a plist and launchd entry, installs a kernel extension, disables the client firewall or grants an explicit exception, establishes C&C/C2 communications, or runs a tool like keychaindump, this query pack will collect data that can help alert you to these actions.
Dealing with yet another 0day announcement? Maybe one with a logo and a lot of press? The vuln-management pack helps you collect and quickly identify outdated and vulnerable software. Whether you’re interested or responsible for the operating system, browsers, browser plugins, particular applications, or packages, you can audit for vulnerable hosts and validate whether an upgrade was successful.
OS X attacks
Attackers continue to develop and deploy Mac OS X backdoors. We’ve seen this with Flashback, IceFog, Careto, Adwind/Unrecom, and most recently, HackingTeam. The OS X-attacks pack has queries that identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, it means a host in your Mac fleet is compromised with malware. This pack is high signal and should result in close to zero false positives. For the recent HackingTeam OS X backdoor, here are some queries we include that can help identify its presence in your infrastructure:
select * from file where path = '/dev/ptmx0';
select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';
select * from launchd where label = 'com.ht.RCSMac' or label like 'com.yourcompany.%' or name = 'com.apple.loginStoreagent.plist' or name = 'com.apple.mdworker.plist' or name = 'com.apple.UIServerLogin.plist';
As a community, we’ll continue to iterate on this feature, adding queries and packs as we discover attacks and attack patterns. We encourage everyone — companies, vendors, and individuals — to participate and send us a pull request. Apply your threat intelligence and research in a way that benefits every osquery user!
For more information about available query packs, see the following page: https://osquery.io/docs/packs
If you’d like to learn how to configure osquery to take advantage of these packs, check out the configuration wiki: https://osquery.readthedocs.org/en/stable/deployment/configuration/#query-packs
Have questions or need help with a deployment? Let us know! Create an issue or email us.
Javier Marcos (@javutin) is a security engineer at Facebook.