clo.ng

Leveraging osquery to examine the XProtect Behavioral Service DB

Thu, 27 Jul 2023 00:00:00 +0000

Upon reading Mandiant’s “North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack”, one of the artifacts that stood out to me was the usage of XProtect’s Behavior Service DB. Until now, I had assumed all XProtect detections were signature based, but it sounds like Apple may be testing some behavioral-based rules to flag suspicious process executions in newer versions of MacOS.

Examining the DB locally using sqlite3

If you’d like to take a look at the DB on your own system, you can simply run sudo sqlite3 /var/protected/xprotect/XPdb:

Sunsetting DetectionLab

Sat, 31 Dec 2022 00:00:00 +0000

On Dec 11, 2017, I published the initial release of DetectionLab. I never expected the project to garner the attention that it did, and I couldn’t be more thankful for all of the positive experiences that came about from building it. However, after nearly 6 years of actively maintaining, expanding, and improving the project, I think it’s finally time to call it a day on DetectionLab development.

During the past two years, I became a father and also joined a startup – two things that are both extremely rewarding in their own ways, but are also very large time commitments. Multi-hour uninterrupted blocks of free time no longer exist for me and that is essentially a prerequisite for doing active development and testing of DetectionLab. Over the years, I’ve spent hundreds of hours testing changes and implementing new features. In that time:

Quick and Dirty Linux Forensics

Mon, 27 Sep 2021 00:00:00 +0000

Over the past few years, I’ve occasionally needed to do some quick forensics on Linux hosts. Each time I do, I find myself stitching together 5-10 different pages of content to pull together the information I need to grab the disk and memory collections.

This is a guide that attempts to pull all of that into one place and will likely serve as a future reference for me, but I hope others can derive some value from it as well.

My Take on the Decent Coffee Cart

Sat, 02 Jan 2021 00:00:00 +0000

In 2020, I decided to invest in an espresso machine since I am spending an inordinate amount of time at home and find myself regularly longing for a latte. However, I didn’t have the kitchen counter space for a machine, grinder, and all of the tools needed for a reasonable workflow.

After looking at a bunch of portable kitchen carts, I eventually came across the Decent Coffee Cart. Decent Espresso is a company that makes custom espresso products and the Decent coffee cart is sort of a DIY project where you modify an IKEA cart and convert it into an ideal coffee cart.

Installing DetectionLab on ESXi

Wed, 04 Nov 2020 00:00:00 +0000

I recently purchased an Intel NUC that I will be installing ESXi 7 on. I decided this would be a great opportunity to create a step-by-step guide on deploying DetectionLab on ESXi.

Hardware

For the hardware, I went with a Skull Canyon i7 NUC. For their size and price point, these things are hard to beat. I found a used one on eBay for $300 and got 2x1TB NVME drives and 32GB of RAM for an additional $300 bringing the total to $600. You can likely build a machine with more RAM/CPU for that price, but almost certainly not in such a quiet and compact case.

Too Big to Care

Thu, 08 Oct 2020 00:00:00 +0000

In 2020, I was excited to finally upgrade to a Macbook Pro with a physical escape key and keyboard with more travel. From a hardware perspective, the 2020 MBP13 was everything I wanted. However, upon the release of MacOS Catalina 10.15.5, I noticed that my USB devices would often stop working when I plugged it into my CalDigit TS3 dock until I rebooted the machine. While this was massively inconvenient, I chalked it up to hardware incompatibility or digital ghosts. I was extra relieved to see the release notes for 10.15.6 include the following fix:

Working Through Splunk's Boss of the SOC - Part 6

Mon, 13 Jul 2020 00:00:00 +0000

Question 51 (325)

Microsoft cloud services often have a delay or lag between “index time” and “event creation time”. For the entire day, what is the max lag, in minutes, for the sourcetype: ms:aad:signin? Answer guidance: Round to the nearest minute without the unit of measure.

This is an excellent question! Let’s start putting together a query to show the time and indextime.

You can’t just table the “_indextime” field, so we’ll use eval to create a field:

Working Through Splunk's Boss of the SOC - Part 5

Sun, 12 Jul 2020 00:00:00 +0000

Question 41 (315)

During the attack, two files are remotely streamed to the /tmp directory of the on-premises Linux server by the adversary. What are the names of these files? Answer guidance: Comma separated without spaces, in alphabetical order, include the file extension where applicable.

We know it’s likely that we’ll be able to find these files in the /tmp directory based on the question, so I’m going to start pretty broad here:

Working Through Splunk's Boss of the SOC - Part 4

Tue, 07 Jul 2020 00:00:00 +0000

Question 31 (304)

What is the name of the user that was created after the endpoint was compromised?

I have no idea what “the endpoint” is referring to here, so basically I’m stuck looking for anything user-creation related.

I wish I could tell you I had some surefire way of finding the answer, but here’s how I solved this one. I started with this query becuase it captured any event that had both “user” and “add”:

Working Through Splunk's Boss of the SOC - Part 3

Sun, 28 Jun 2020 00:00:00 +0000

Question 21 (220)

AWS access keys consist of two parts: an access key ID (e.g., AKIAIOSFODNN7EXAMPLE) and a secret access key (e.g., wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). What is the secret access key of the key that was leaked to the external code repository?

No SPL needed here. Answer this question by following the link to the Github commit mentioned in the email from Question 20.

Question 21 answer:

Bx8/gTsYC98T0oWiFhpmdROqhELPtXJSR9vFPNGk

Question 22 (221)

Using the leaked key, the adversary makes an unauthorized attempt to create a key for a specific resource. What is the name of that resource? Answer guidance: One word.

Working Through Splunk's Boss of the SOC - Part 2

Sat, 27 Jun 2020 00:00:00 +0000

I hope you enjoyed part 1 of this series and learned a few things along the way. I’m going to jump right into questions for part 2.

Question 11 (214)

What is the short hostname of the only Frothly endpoint to actually mine Monero cryptocurrency? (Example: ahamilton instead of ahamilton.mycompany.com)

NOTE: This answer writeup contains spoilers for question 9!

Wow, that’s a broad question. To me, the question implies that the attempt to mine cryptocurrency was actually successful and proof of work may have been submitted over the network. However, it’s not totally clear how the word “actually” is being used here.

Working Through Splunk's Boss of the SOC - Part 1

Fri, 26 Jun 2020 00:00:00 +0000

It occurred to me yesterday as I was updating documentation for DetectionLab that although it includes a script to install Boss of the SOC, I’ve never actually partipated in it or tried it out. I thought this could be a great place to document how I walk through the series of questions to help other people understand my methodology.

If you’d like to follow along, you can quickly spin up BOTS in DetectionLab as well: https://github.com/clong/DetectionLab/wiki/Install-the-Splunk-Boss-of-the-SOC-(BOTS)-Dataset(s)

2019 in Review

Fri, 03 Jan 2020 00:00:00 +0000

2019 in Review

From a personal standpoint, 2019 was a year filled with challenges and accomplishments. It was the first time I felt truly depressed in over a decade and some moments forced me to open up, be vulnerable, and seek help. I discovered the need to build better habits and learned that without structure, although I’m able to keep myself busy, I don’t often gravitate towards doing things that benefit me in the long term. However, 2019 also ended on a high note. I joined a new company and awesome team that has helped me to question a lot of assumptions I’ve made about enterprise security, I got to see two of my best friends get married, and I got to spend quality time with my family. My personal relationships greatly improved and I learned to really cherish some of my oldest friendships.

Setting Up Wireguard VPN with Algo

Sat, 30 Mar 2019 00:00:00 +0000

I’ve been lagging behind on keeping my VPN servers up to date, but I was delighted to see that Trail of Bits’ Algo supports Wireguard VPNs (and has for quite awhile now).

Wireguard offers a few advantages over other types of VPNs but the main feature I wanted it for was faster connection negotiations. When using on-demand VPN connections, I don’t want to be waiting more than a few seconds for my connection to be available over VPN.

Completing My Multi-Computer Desk Setup

Mon, 13 Aug 2018 00:00:00 +0000

Over the past few years, I’ve been trying to find a desk and hardware configuration that I’ve been satisfied with to control multiple computers. There are many hardware and software solutions available on the market, but I found most of them to be lacking in one way or another. My requirements for this setup were:

Supporting 3-4 different computers: 2 Laptops and 2 desktops.
Supporting full resolution and 60hz on a 34" wide screen display
No input lag or dependency on the network to share devices
Easy to add/remove peripherals to/from machines. Only the keyboard, mouse, and webcam should be shared across all devices.
I should not have to change any monitor settings or flip more than a single switch to transition between computers once they are plugged in.

A combination of hardware and software issues have plagued me until just recently, when I was finally able to get everything working the way I wanted.

Using Osquery to Detect Reverse Shells on MacOS

Sun, 21 Jan 2018 00:00:00 +0000

Reverse Shell Detection

One challenge when it comes to building defenses for MacOS are the numerous scripting languages that come pre-installed with the operating system. While it may be convenient for developers, it provides attackers with a variety of methods for establishing persistence and bootstrapping connections to command and control servers.

Once attackers gain a foothold on systems, they frequently like to gain shell access by launching reverse shells. The benefits of this are well documented here. As you might expect, there are numerous ways to initiate these connections using native utilities such as:

pwnable.kr: [mistake]

Thu, 07 Dec 2017 00:00:00 +0000

Introduction

As my first post, I thought I would do a quick writeup of the Mistake challenge found on pwnable.kr. This challenge took me a bit longer than I expected, but the mistake does turn out to have interesting side effects.

The challenge is as follows:

We all make mistakes, let’s move on.

(don’t take this too seriously, no fancy hacking skill is required at all)

This task is based on real event