drawklion.blogg.se

16 Februari 2023 - 09:43
Osquery architecture
Allmänt
Osquery architecture









  1. Osquery architecture how to#
  2. Osquery architecture install#
  3. Osquery architecture software#
  4. Osquery architecture series#

  • auditd: the de facto auditing and logging tool for Linux.
    • Two powerful tools to monitor the different processes in the OS are:

    Osquery architecture how to#

    For instructions on how to set up auditd and auditbeats see A02 in the appendix.Īuditd and Sysmon What are sysmon and auditd?

  • Auditbeat’s File Integrity Monitoring: įor the blog posts, we will be using mainly auditd, and auditbeats jointly.
    • For example, if we are trying to detect installation of services, we might want to look for newly added service files in /etc/systemd/system and other related directories. This gives us an opportunity to catch the adversaries if we are able to lookout for file creation or modification related to special files of directories. The configuration changes needed to set up persistence usually require the attacker to touch the machine’s disk such as creating or modifying a file. Linux Logging and Auditing File Integrity Monitoring He might simply use the added account in the machine or wait for the reverse shell from an installed service. With persistence installed, the attacker no longer needs to rely on exploitation to regain access to the system.

    Osquery architecture install#

    To do this, they install backdoor access that reliably maintains access to the compromised machine even after reboots.

  • Exploiting servers with critical CVEs: The server can be patchedīecause of how difficult the exploitation can be, an attacker would want to make the most out of their initial access.
  • Using leaked credentials and keys: The passwords might be reset or the keys are revoked.
    • You’d have to send another email and hope the victim will fall for it again.
  • Sending an email with a malicious attachment: The victim wouldn’t open the same maldoc twice.
    • Redoing the exploitation might be difficult depending on the attacker vector: Remember, exploitation is just the first step for the attacker they still need to take additional steps to fulfill their primary objective.Īfter successfully gaining access to the machine, they need to pivot through the network and find a way to access and exfiltrate the crown jewels.ĭuring these post-exploitation activities, the attacker’s connection to the machine can be severed, and to regain access, the attacker might need to repeat the exploitation step. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access ¹Īttackers employ persistence techniques so that exploitation phases do not need to be repeated.
  • Hijack Execution Flow: Dynamic Linker Hijacking.
  • Boot or Logon Autostart Execution: Kernel Modules and Extensions.
  • Modify Authentication Process: Pluggable Authentication Modules.
  • (WIP) Hunting for Persistence in Linux (Part 6): Rootkits, Compromised Software, and Others.
  • 12 – Boot or Logon Initialization Scripts: systemd-generators.
  • Hunting for Persistence in Linux (Part 5): Systemd Generators.
  • 11 – Event Triggered Execution: Unix Shell Configuration Modification.
  • 10 – Boot or Logon Initialization Scripts: motd.
  • 9 – Boot or Logon Initialization Scripts: init.d.
  • 8 – Boot or Logon Initialization Scripts: RC Scripts.

    • osquery architecture

  • Hunting for Persistence in Linux (Part 4): Initialization Scripts and Shell Configuration.
  • 5 – Create or Modify System Process: Systemd Service.
  • Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron.
  • 4 – Account Manipulation: SSH Authorized Keys.
  • Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation.

    • Osquery architecture software#

    1 – Server Software Component: Web Shell.Hunting for Persistence in Linux (Part 1): Auditing, Logging and Webshells.The diagram above gives an overview of what will be discussed in this series.

    osquery architecture

    We will discuss other techniques in succeeding posts. In this blog post, we will only discuss web shells but we will be focusing more on logging and monitoring.

  • How to monitor and detect persistence techniques.
  • How to deploy the persistence techniques.
  • Show how a defender might monitor and detect these installationsīy giving concrete implementations of these persistence techniques, I hope to give defenders a better appreciation of what exactly they are trying to detect, and some clear examples of how they can test their own alerting.Įach persistence technique has two main parts:.
  • Give examples of how an attacker might deploy one of these backdoors.
    • To do this, we will take an “offense informs defense” approach by going through techniques listed in the MITRE ATT&CK Matrix for Linux.

    Osquery architecture series#

    Welcome to this blog series “Hunting for Persistence in Linux”! This is a series that explores methods attackers might use to maintain persistent access to a compromised linux system.











    Osquery architecture
    0 kommentar(er)
    Om Mig: