
BSidesNcl 2021: Yeet the leet with Osquery - Sebastiaan Provost

BSides Newcastle | 37:20 | 25 views | Published 2021-10
About this talk
EDR/MDR/XDR is touted as the panacea, a one-stop shop for security. However, there is no certainty about how well those solutions protect us. Companies throw money at them because they are promised complete protection. EDR solutions, no matter how expensive, still miss common techniques and payloads. This talk will show the audience how they can use the power of osquery to add additional monitoring to their systems while keeping their EDR solutions honest. The talk will focus on detection of common command and control (C2) frameworks using osquery in addition to EDR, and will show how osquery can complement the functionality of EDR/MDR/XDR systems to improve overall security on endpoints. After introducing the audience to osquery, what it is and what it can be used for, I'll introduce two C2 frameworks that can be found on GitHub, among others. Payloads generated by those frameworks will be used throughout the talk as examples to show the power of osquery and how it can be used to detect those payloads and their actions. Combined with an intro to reverse shells and how to detect them, you should have an idea of how you can start using osquery in your own environment. By the end of the talk, I'll give you a quick introduction on how you can set up alerting pipelines to empower yourself and/or your Security Operations team. I'll show some examples using Splunk and Elasticsearch.
Transcript

Well, welcome everyone, and let's say welcome to Sebastiaan here, who's going to take it away.

Okay, hello everyone and welcome to Yeet the leet with osquery: effective defending without breaking the bank. First I'd like to introduce myself. Who am I? My name is Sebastiaan Provost and I'm currently the lead security engineer for a company called Beacon. In my past life I have experience with building security branches for a fintech company in London as well. I love to travel and I love to go to the gym as well, both of which only recently were possible again. So first I would like to talk about the motivation for this talk. So what's my motivation? So at present,

nowadays EDR, MDR and XDR are seen as the answer, the one-stop-shop solution for security, for companies to protect themselves. However, because they're seen as the answer, lots of companies try to earn some money in that area of the security industry. There are multiple solutions; some of the more known ones are Falcon from CrowdStrike, Singularity from SentinelOne, Carbon Black from VMware, you have Trend Micro XDR, you have Cybereason, you have Cortex, and so on and so on. But because they're portrayed as the one-stop-shop solution or the answer for security issues, they're also quite expensive, they're quite pricey sometimes. But price doesn't mean anything, because

if a solution isn't as good as they say it is, then it's basically a waste of money. So sometimes these solutions still miss common techniques and payloads that can be caught by using open source tools. I want to express that this talk is not to complain about how bad they are; they're actually quite good systems. I just want to show how we can help those solutions stay honest and complement them by using open source tools, in this case osquery. I want to show how you can combine osquery and one of these security solutions to give even better protection to your environments. So what can you expect today? First I'll go over osquery: what it is, who

created it and what it can be used for. After that I'll go over two C2 frameworks and their payloads, and examples of how they can be caught by using osquery. When that's done I'll quickly go over how we can set up alerting, by using two examples as well, to empower our security operations teams. And as last, I'll give a quick sitrep to explain what you've seen today. So first, osquery. What is osquery? osquery is basically an operating system instrumentation framework. It supports multiple operating systems; some of the more commonly known ones are Windows, macOS, Linux, FreeBSD, but because it's built in Golang it's actually quite easy to

compile for lesser known operating systems; I think some people even tried to compile it for Android, for example. Now originally it was built by Facebook to allow them to get a better view on the state of the entire infrastructure across the company, but because it was useful to the open source community, Facebook decided to get it managed by the Linux Foundation. So right now it's managed by the Linux Foundation and supported by multiple people in their free time. It's used by a lot of big companies like Netflix, Uber, Airbnb, also to give them a better view of the state of the infrastructure across the globe.

Now how does osquery work? osquery basically exposes the operating system as a relational database. You can use SQL queries to explore the operating system, with multiple tables that represent the state of different parts, like processes, kernel modules, files. Some examples: you can use a SQL query to see which Chrome extensions are installed, or which users are logged in. Almost anything you can imagine from an operating system you can query with osquery. Although I'm saying we can look at the different states of the operating system by SQL queries, there are two kinds of tables. You have tables that show a current state in time, a snapshot so to speak,

like for example which files are currently in a certain directory or which kernel modules are loaded, but you also have event-driven tables, like file events, for example if a file gets moved away, or a process that gets executed. Those are event-driven tables. On Windows, if you combine osquery with Sysmon, it is even more powerful because it can also tie into some functionality of Sysmon. We'll explore this later on as well to show how you can accomplish this. Now the first example I will show you from osquery is how you can get file information. So since osquery runs on multiple different operating systems, you would expect that the output is almost

the same. So in this example I'm selecting a file in a certain directory where the filename contains certain words. As we can see the output is almost exactly the same: you have a path, directory, filename, you name it. The only difference between Windows and Linux is the uid field in the table, because on Linux the uid field basically shows the user id of the account who owns the file, but on Windows it's different: Windows doesn't do that, so on Windows the uid is just zero. Another example I would like to show is that you can also look at listening ports. Like for example if you want to know which

ports some processes are listening on, it's perfectly possible in osquery. So basically, like normal SQL queries, you can use inner joins in osquery to combine different tables, and this query we're seeing basically gives us address, port and some more information from the table listening_ports and joins the table processes based on a field called pid, which stands for process id. The tables processes and listening_ports have the same field, and based on that field we can lay out a relation and show more information. And basically the output on Linux and Windows is again almost exactly the same. We are looking for a process where the name contains splunk,

and we can see for example Splunk is on both operating systems listening on port 8089 on all addresses, and then on Linux we see osquery is running and it's using a socket instead of a listening port. Another example I would like to show is named pipes. Named pipes are commonly used, if you look at malicious actors, to pass information between processes; for example you have a beacon and a sacrificial process, then you can use named pipes to exchange data between the two. So this is a big difference between Windows and Linux. For example, in Windows, if we say okay, I want all pipes with for example my first name in the

name, you can show those pipes, the type of pipe, the flags, the names and everything you can imagine. However, in Linux you don't see the name of the pipe, you only see the type of the pipe, the file descriptor and the process id that the pipe belongs to, nothing else. So there's a bit of a difference. Now we've seen these examples of what osquery can potentially do, but we only scratched the surface of the possibilities of osquery; you can do so much more. But given the time I have, I can't show you everything. This should give you an initial idea of what you can do with osquery, and maybe

potentially you can start using it to get information to protect your systems even better than you are already doing right now. Now I would like to go a little bit more into command and control frameworks and payloads. So what's a command and control framework, or C2 framework? It's basically a post-exploitation framework. So initially, for example, you're the target of a phishing attempt. You don't know what phishing looks like, so you see an email where someone asks you to open this document; it contains information related to a case or some product, whatsoever. By opening the document, by accident, you don't know that it downloaded an initial payload that potentially

downloads extra information or executes code, and that code can be from a C2 framework that allows the hacker or the malicious person, whatever, gives them more functionality to do escalation on your system, or command execution, or some lateral movement. Basically C2 frameworks and their payloads allow you, from a distance, to get more information or attack more systems from an initial point of access, so to speak. C2 frameworks work on multiple operating systems like Linux, macOS, Windows, you name it. Some of the more known ones, examples that I'll use in my talk, are for example Empire, which originally was a Windows-only, pure PowerShell

C2 framework, but it got extended so it would also work for example on macOS and Linux. You have Mythic, which is a very plug-and-play, very modular framework. And Cobalt Strike, one of the most known ones, which originally was used a lot by red teamers in their engagements, but nowadays is also used a lot by malicious actors because it's so user-friendly and so easy to use. Now let's first look at Empire. Empire is a C2 framework that has a Metasploit-like command line interface. The advantage of this is that if you're used to using Metasploit in any capacity whatsoever, the interface after you've installed Empire will feel a bit familiar, so it

will be much easier for you to start using it and to do certain actions in it. Originally, like I said before, it was just a pure PowerShell C2 framework for Windows; along the way they started to expand or extend the functionality, and it's now compatible with Python 3, for example for Linux and macOS. The Empire C2 framework can be deployed in multiple ways, for example with Docker, with Kali Linux, or if you just clone the GitHub repository you can deploy it however you see fit. This is a quick example of the most simple way to install Empire: so first you do a docker pull to get the latest image, you create some

persistent storage, and then you basically run the Docker container that you pulled in the first step, and you use the persistent storage that you defined before, and you map the ports in the container to ports on your host system. And as a result, as you can see in the screenshot, you get a command line interface like with Metasploit. It's actually quite straightforward; if you have some familiarity with Metasploit itself it's quite easy to use and quite easy to extend as well. So Empire works with stagers. They have different kinds of stagers, different types, for example shellcode, DLL files, pkg files (pkg files are like package files for macOS, for

example), or you can use macros, a macro stager that you can include in for example an Office document, and so on. The screenshot shows the different kinds of stagers that Empire basically supports. It even supports simple batch stagers, for example, or a Python installer, whatever, you name it, it is probably in there. And as you can see it supports Linux, macOS and Windows. Another C2 framework I would like to go over, because I'll also use it as an example later on down the line, is the Mythic framework. As I said before, Mythic is quite modern, it's quite a modular framework, it's cross-platform, it works on all platforms, it's a plug-and-play

architecture, it's quite easily deployed. So the back end is deployed in a Docker container and the front end is a web interface, so you just run the container from the command line and then you can open the web interface in your browser, and from there you can do all sorts of shenanigans. So how to deploy Mythic: first you just clone the repository and you just run a bash script that basically installs all the Docker containers, and then you just use the command line 'mythic start' and that's it. And as a result you get a nice interface that looks, it's not similar, but it looks a little bit like the Cobalt Strike interface. But most of the command and control frameworks have

interfaces that have some features that are the same across all frameworks. But it's quite a user-friendly interface, and also quite extensive, with quite a lot of features. So how does Mythic actually work? So instead of Empire's stagers, Mythic uses agents. You have agents made in different languages, like JXA, which is like a version of JavaScript for macOS for example, Golang, Python, C#/.NET, and they're quite easy to install. Now how easy to install? For example, you can use the command line to install an agent, the apfell agent, which is an agent for macOS, or C2 profiles: the HTTP profile, DNS, and whatsoever and so on. And all these agents and profiles, all of these

functionality built in. But why do I say 'install'? Because basically you install for example the apfell agent, like shown on the screen, and it installs a Docker container that plugs into the Mythic framework. So basically all agents are different containers that run on their own but are still tied into the framework, which allows for the plug-and-play architecture and the modularity in the entire framework, which makes it actually quite easy to use. Now that we've seen the two different C2 frameworks that I would like to use as examples, let's start with yeeting the leet. So there are different ways that you can catch malicious actors or malicious processes on the

system with osquery. Some of them I will go over are YARA rules, file integrity monitoring, process events, or osquery combined with Sysmon, which is actually quite powerful, which I explained before a little bit. So let's first start with YARA rules. YARA rules are a way of identifying malware, or files or processes, by using rules. YARA rules, most of the time, in osquery work in combination with some sort of file integrity monitoring. Basically you can monitor a directory with certain YARA rules, and if a file event happens in a directory, osquery will scan the file that is related to the event with all the YARA rules defined in osquery,

and then see if it matched any of the rules. Now during my research for this talk, I understood that YARA rules and the file integrity monitoring related to it triggered on two file events: create and modify. However, it wasn't triggering on MOVED_TO. MOVED_TO is a file event if you move a file into a directory that you're monitoring, not out but into. But because it was not triggering on that file action, of course it's possible for malicious actors or bad guys to move malware into a directory that you're monitoring and then just execute it, but because it didn't trigger on that file event, the bad actor could just stay under the radar. So because of that I created a PR in the

official repository of osquery, and osquery version 5.0 will also include the file action MOVED_TO, so this has been taken care of, and the commits you can see as well on screen. Now what does a YARA rule actually look like? This is simply a rule I've written to detect the shellcode for the Windows stager for Empire that I explained. So it contains a description, author, it doesn't matter, and then I define two strings that it will trigger on. So if any file in a directory that I'm monitoring contains those two strings, we can say with a certain certainty that it's the Windows shellcode from the Empire C2 framework. So what does that look like when you monitor a directory? For example,

you monitor a home directory, for example, and I move the file into the directory. This will trigger osquery to scan the file with all YARA rules, and because we created a YARA rule to detect that specific file, we will get a YARA event. The yara_events table is an event-driven table which records all events where YARA was triggered, and in this screenshot we can see that osquery saw the file and it triggered the YARA rule called empire win shellcode, and it also shows which strings triggered. Another way of potentially detecting malicious actions on a system is by just using the very common file integrity monitoring.

That functionality in osquery allows you to monitor directories for file changes. You can use it on one directory, and you can also use it recursively: so for example you monitor the home directory on Linux and say recursively, so everything beneath it as well. This can be quite powerful actually; this can be used to for example monitor extensive directories like the /usr/bin directory on Linux. This one does trigger on the MOVED_TO file event as well. This basically tells us that the file integrity monitoring in the YARA rules functionality is created differently than this file integrity monitoring, which is the main functionality of osquery. Now what does this look like in configuration? So

in this part of the configuration defined for osquery, you can see that for example I want to monitor the temp directory, my own workspace, and on macOS all LaunchAgents directories, because they are sometimes used to hide malicious launch agents that might launch upon boot on macOS. And by using the two percentage signs (%%) I tell it to monitor recursively, so also the directories under the directory I'm monitoring. Now what does this look like when it gets triggered? So for example, as in the configuration you saw, I was monitoring all LaunchAgents directories on macOS, so when someone potentially saves a malicious launch agent in one of the directories,

the file integrity monitoring functionality of osquery will trigger and this will show events, again in an event-driven table, called file_events. On the screen you can see that I created a malicious launch agent with the name com.defcon.software.agent.plist, and because it triggered the file integrity monitoring, this event is saved by osquery, and later on we can potentially put alerting on that and say hey, this is a malicious file, do something with it. Another way of potentially detecting bad actions with osquery is by using process events. Again this will be with an event-driven table. So what's process events, what's the functionality in osquery that allows this? osquery can monitor process execution

based on queries you define yourself. It can look for both parent and child processes. Two examples from the past: there are two malware families called Hidden Lotus and EmPyre that on macOS both use for example osascript to execute certain actions. osascript is kind of like the PowerShell equivalent for macOS, and both families use JavaScript in the command line to execute their actions. So if you monitor process events, or process executions of osascript, you potentially catch both of those malware families. What does this look like in the configuration? This, for example, is a query that will run every 60 seconds that looks in the

process_events table for a command line with the letters 'osa'. This might potentially indicate that someone is using osascript to execute certain actions; normally this is almost never done anymore, so we can say with certain certainty that if someone uses osascript they have potential malicious intent. As an example, as I said before, we defined a query to run every 60 seconds to look for potential process events for osascript execution, so when the malicious actor executes osascript this will trigger events, and the screenshot shows what this event in the process_events table will look like. Here we can see the process id, the path, the mode and the command line. This command line basically tells us

that I myself used osascript to download the payload from the Mythic apfell agent on my system. Now if you had some alerting you would be able to alert on this and say, well, there's a problem, someone executed osascript, potentially malicious, we need to act on this. Now the last example I want to show is osquery combined with Sysmon; this can be quite powerful. Sysmon allows you to monitor your Windows devices for certain events based on a configuration you define yourself; these can be very custom configurations. One of the advantages of Sysmon is it stays active across reboots, and it logs a lot of the system activity. Some examples that it monitors for are

process injection, CreatePipe. However, I found out it doesn't monitor injection using APC calls. So process injection can be done by for example using the function CreateRemoteThread in Windows, which basically creates another thread for a certain process, which can be detected by Sysmon. However, with user APC calls you can basically attach yourself to an already existing thread of an already existing process without creating a new thread; this basically allows you to fly under the radar and it won't be detected by Sysmon. Now all these events that Sysmon detects are being saved in the Windows event log under the channel called Microsoft-Windows-Sysmon/Operational. Now how is this powerful combined with

osquery? osquery can basically tap into the Windows events channel that you define, for example the Sysmon one, and it can receive every single event saved in that channel, again in an event-driven table.

Now what would something like this look like? Basically you find a good configuration for Sysmon somewhere online; the one I've shown here on the screen, the link, is a good default config. And then you launch osquery with a very specific flag that tells it to monitor the Microsoft-Windows-Sysmon/Operational channel, for example. And then in your query you would basically say: show me all Windows events where the event id is not null, every 60 seconds for example, and it will basically write the result of this query to a log file, which you can then use, for example, down the line for alerting.

Now an example, as I mentioned before, is CreatePipe. So as I said earlier in this talk, sometimes bad actors use named pipes to exchange information between two processes. For example Cobalt Strike uses named pipes; it uses this for communication between its main beacon and sacrificial processes, for example it has a named pipe to load the shellcode. Now, if Sysmon is monitoring for system activity, or for events where pipes are created or closed, and we have osquery tapping into the events channel and saying okay, gather information, and then we for example have a query saying okay, select everything from windows_events where the eventid is 17, which is the event id for CreatePipe,

this is what you would get. You would get information like what's the source, what's the provider name, what's the device name where this happened, what's the event id, and for example what's the pipe name, and also what's the image. The image you see on the screen is basically the binary that created the pipe. This allows you to alert on the CreatePipe functionality and so on, to detect pipes created for example by Cobalt Strike, or all the processes that are used to communicate between different items on the computer. Another example I want to show is process injection. For this, as an example, I'll use the Apollo agent from the Mythic

framework, because it basically uses process injection to execute certain tasks. As an example, I ran the Mythic framework and the agent myself, and I told my agent: look, use the toolbox.exe binary, so inject yourself into that process, and then take a screenshot of my screen. The toolbox.exe binary is the binary from JetBrains for all their IDEs. And as a result, of course, Sysmon detected that, and what you see on the screen is basically the result that you see with osquery. So basically it shows us the technique id for the MITRE ATT&CK framework, which is T1055, and the technique name is process injection. It also tells us in which binary this has been injected

and by which process. So basically this is again quite powerful if you want to detect process injection, which is common, and then use osquery to gather all the information and set up some alerting or anything you can imagine. Now the last bit. So we've seen how we can detect bad actions using osquery; as an example I used some command and control frameworks. We've seen file integrity monitoring, we've seen process injection, we've seen named pipes, how to detect them, or with YARA rules. But just detecting them is not enough, we also need to do something with them, so then we come to the next step: alerting. So the next step of course in the process

is alerting, because detection is only a small part, and we want to empower our security teams to be able to do something with the information gathered by osquery and Sysmon. I will show two small examples, using Splunk and Elasticsearch. Now this is what a very simple pipeline could look like with osquery, Splunk, and for example Slack or PagerDuty, where the alerts end up. So you have your endpoints that contain for example the osquery binary and a Splunk forwarder. osquery saves its results in a log file, and the Splunk forwarder basically monitors this log file and sends the data from the log file to a Splunk instance, and then the Splunk instance,

based on certain queries that it runs scheduled every so many minutes or hours, can then send alerts to systems like PagerDuty or Slack. So the first screenshot shows an event again, like you've seen before, from osquery. Then in Splunk we have a defined query that basically runs in real time, so the moment an event comes in, it runs the query, and if the query has results it sends an alert to Slack. And on the right screenshot you basically see what an alert on Slack potentially might look like. And if your security team sees this alert, they know we need to act on this because something pretty malicious is happening. Another example I would like to show you

is an alerting pipeline with Elasticsearch and Kibana instead of Splunk. So basically this pipeline consists of four elements: you have your endpoint where you have osquery and Filebeat, then Elasticsearch and Kibana, and then as an end result, again for example Slack or PagerDuty where the alerts end up. So instead of having an endpoint with osquery and a Splunk forwarder, you now have osquery and Filebeat. Again osquery saves its results in a log file, which is monitored by Filebeat; Filebeat sends the information to Elasticsearch, and then Kibana can alert on received events to Slack or PagerDuty. What does this look like? So in this screenshot we see an event

from osquery again, which is basically an event from a trigger on a YARA rule. Now because of Filebeat this will be sent to Elasticsearch, and in the middle screenshot you'll see how we can define alerting in Kibana. And then this rule, if it receives an event, sends it in this example straight to PagerDuty, as you can see in the right screenshot, where an alert was triggered based on received events. Now you've seen two very simple pipelines that you can use to alert and to empower your security teams. Of course there are many more ways to do this; these are just two simple

examples I wanted to show you of how you can do it, to start empowering your security teams. So what would the next step be? Today we've seen detecting certain events and alerting, but sometimes you can create alert fatigue by passing too many alerts to your security teams. So the next potential step could be SOAR. SOAR stands for security orchestration, automation and response. We have different solutions like Phantom, Cortex XSOAR, and so on. It basically allows you to automate actions that are otherwise executed by your security teams. For example, if you have an event on a Windows device with severity high or critical, then the SOAR platform can automatically isolate the device until you are there, to mitigate potential

risks. The capabilities are much bigger; you can do almost anything in a SOAR platform, and this basically improves the quality of life for your security operations teams so they can focus on other items of their work and all the things they need to do, instead of constantly looking at alerts. This also prevents alert fatigue from happening too much to your teams, and this will also make them happier. So what have we seen today? We have seen what osquery is, and after that we've dived a little bit into C2 frameworks and payloads and how we can potentially detect them using osquery and Sysmon. After that you've seen a

short example of alerting pipelines, how they can be used to send the events we've detected to security teams, and I've given a very, very quick intro to SOAR platforms. I would like to thank you all for listening in to this talk. If you have any questions you can always contact me on one of these channels, and thanks for listening, all, and I hope you enjoyed today.

Fantastic, well, thank you very much. I am not seeing any questions directly in the chat, so

technically we are on break for the next 10 minutes.

Perfect. Are we still streaming? Yes we are. If you do have any direct questions, I'm just going to throw you a follow on Twitter. Yeah, so people are saying that it was a lot to take in, so that means that there was some content, and that that content was

Yeah, I understand it's quite a lot to take in, because it's a lot of content basically for one talk. I think that's what we're here for, right?

There we go, it's easier if you can just tune the screen. Yeah, awesome, definitely.

Right, on that note, someone else has entered, and I have not seen any questions.

No problem. Well, thanks for listening.
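The four detections the talk walks through (osascript in process_events, Sysmon event id 17 CreatePipe arriving through windows_events, yara_events hits, and file_events on LaunchAgents directories) as one triage pass over osqueryd result-log lines, the log file that the Splunk forwarder or Filebeat in the talk's pipelines would be shipping. This is an added example, not code from the talk, from osquery or from any of the tools it mentions; the scheduled-query names, the severity heuristics, the sample log lines and the shape of the windows_events data column are all constructed assumptions.

```python
"""Triage osqueryd results.log lines for the detections covered in the talk.

osqueryd writes one JSON object per line; event-driven rows sit under "columns"
with "action":"added". The query names are assumptions for an osquery schedule:
  osascript_exec   SELECT pid, path, cmdline FROM process_events WHERE cmdline LIKE '%osa%'
  sysmon_pipes     SELECT * FROM windows_events WHERE eventid = 17
  yara_hits        SELECT * FROM yara_events
  launchagent_fim  SELECT * FROM file_events WHERE target_path LIKE '%LaunchAgents%'
"""
import json

SYSMON_CREATE_PIPE = "17"  # Sysmon event id for CreatePipe, as stated in the talk

# Assumed heuristic: a pipe created by an image running from a user-writable
# location is more interesting than one created from a system directory.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")

def triage_osascript(cols):
    """Any osascript execution is flagged; inline JavaScript gets a higher severity."""
    cmd = cols.get("cmdline", "")
    inline_js = "-l javascript" in cmd.lower() or " -e " in f" {cmd} "
    return {"severity": "high" if inline_js else "medium",
            "summary": f"osascript executed (pid {cols.get('pid')}): {cmd[:80]}"}

def triage_sysmon_pipe(cols):
    """Sysmon event 17 rows: surface PipeName and the Image that created the pipe."""
    if str(cols.get("eventid")) != SYSMON_CREATE_PIPE:
        return None
    # Assumed shape of the windows_events "data" column: a JSON string whose
    # EventData object carries Sysmon's PipeName and Image fields.
    try:
        event = json.loads(cols.get("data") or "{}").get("EventData", {})
    except (json.JSONDecodeError, AttributeError):
        event = {}
    image = event.get("Image", "")
    suspicious_path = any(h in image.lower() for h in USER_WRITABLE_HINTS)
    return {"severity": "high" if suspicious_path else "medium",
            "summary": f"named pipe {event.get('PipeName')} created by {image}"}

def triage_yara(cols):
    """A yara_events row with a non-zero match count is treated as critical."""
    if int(cols.get("count") or 0) == 0:
        return None
    return {"severity": "critical",
            "summary": (f"YARA {cols.get('matches')} matched {cols.get('target_path')} "
                        f"on {cols.get('action')} (strings: {cols.get('strings')})")}

def triage_launchagent(cols):
    """New or changed launch agents. MOVED_TO is included on purpose: a file moved
    into LaunchAgents is still a new agent (the gap the talk's osquery PR closed)."""
    if cols.get("action") not in ("CREATED", "UPDATED", "MOVED_TO"):
        return None
    return {"severity": "high",
            "summary": f"launch agent {cols.get('action')}: {cols.get('target_path')}"}

HANDLERS = {
    "osascript_exec": triage_osascript,
    "sysmon_pipes": triage_sysmon_pipe,
    "yara_hits": triage_yara,
    "launchagent_fim": triage_launchagent,
}

def triage_log(text):
    """Return one alert dict per matching result-log line, in file order."""
    alerts = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial write or non-JSON line: skip rather than stall the pipeline
        handler = HANDLERS.get(rec.get("name"))
        if handler is None or rec.get("action") == "removed":
            continue
        alert = handler(rec.get("columns") or {})
        if alert:
            alert.update(query=rec["name"], host=rec.get("hostIdentifier", "?"))
            alerts.append(alert)
    return alerts

# Constructed sample results.log lines (not real telemetry), one per detection
# plus a benign file_events row (ACCESSED) that must not alert.
SAMPLE_LOG = r'''
{"name":"osascript_exec","hostIdentifier":"mac01","action":"added","columns":{"pid":"4412","path":"/usr/bin/osascript","cmdline":"osascript -l JavaScript -e [inline payload elided]"}}
{"name":"sysmon_pipes","hostIdentifier":"win01","action":"added","columns":{"eventid":"17","source":"Microsoft-Windows-Sysmon/Operational","data":"{\"EventData\":{\"PipeName\":\"\\\\example_pipe\",\"Image\":\"C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\update.exe\"}}"}}
{"name":"yara_hits","hostIdentifier":"lin01","action":"added","columns":{"target_path":"/home/bob/empire_win.bin","action":"MOVED_TO","matches":"empire_win_shellcode","count":"1","strings":"$s1:0,$s2:12"}}
{"name":"launchagent_fim","hostIdentifier":"mac01","action":"added","columns":{"target_path":"/Users/bob/Library/LaunchAgents/com.defcon.software.agent.plist","action":"CREATED"}}
{"name":"launchagent_fim","hostIdentifier":"mac01","action":"added","columns":{"target_path":"/Users/bob/Library/LaunchAgents/com.defcon.software.agent.plist","action":"ACCESSED"}}
'''

if __name__ == "__main__":
    for a in triage_log(SAMPLE_LOG):
        print(f"[{a['severity']:8}] {a['host']} {a['query']}: {a['summary']}")
```

Running it over SAMPLE_LOG yields four alerts (the ACCESSED row is dropped), which is the stream a Splunk or Kibana rule in the talk's pipelines would forward to Slack or PagerDuty.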