According to the schema for this table, we can get which user created it, when the file was created, modified, and last accessed. We can use the osquery table file to monitor for files under this folder. This is a very unusual folder that is not expected to exist on a normal Linux install. If we look at the report, we can see that all of the files are created under a folder named “ /.Library”. Since osquery abstracts the differences between all the operating systems into SQL, the queries we produce for Linux can easily be translated to the other operating systems.
Osquery for windows free#
Since the Windows version is well detected by antivirus engines and Patrick Wardle released a great blog post on how his free macOS security tools can detect the macOS variant, we will put most focus on the Linux variant. We can use these to write hunting or detection queries. The report highlights files and folders created by the SysJoker malware. The queries will be added to a query-pack to make it easier to manage. The interactive binary allows for ad-hoc queries and we will use it in this tutorial to construct queries that can be added to the daemon’s configuration. Data is continuously collected by the daemon and the difference since the last execution is logged to a result log. The daemon takes a configuration file where the queries are defined and executes them at a given interval. There are two ways of running osquery, as a daemon via osqueryd or interactively via osqueryi. The data is collected by the agent and exposed via SQL queries.
Osquery runs as an agent on machines and is designed to provide endpoint visibility in a performant way. It allows us to potentially find other samples of the same malware that has a different file hash but it can also turn up matches that are not malware.īefore you read any further, you can read our original blog post (if you haven’t already) to familiarize yourself with SysJoker. There are pros and cons to this approach over just using file hashes. As we are focusing on the indication and not a definite determination, the information we are collecting could be due to a false positive.
The goal of this tutorial is to show you how we gather information that can serve as an indication of compromise.
The reason for choosing osquery is that it is supported for all the affected operating systems that SysJoker targets and it is open source allowing essentially anyone to follow along in this tutorial. We decided to use osquery in this blog post. There are many tools available to gather system information and to perform threat hunting within an organization. As a consequence to this, we decided to release a followup blog posting showing how the information we released can be used to investigate whether you have been affected. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. SysJoker is a malware targeting Windows, macOS, and Linux. On January 11, 2022, we released a blog post on a new malware called SysJoker.
0 kommentar(er)
