OSQuery: Malware I

Shivam Bathla
Pentester Academy Blog
5 min read · Aug 5, 2020


Every effective Incident Response team needs the ability to “ask a question” of a single host or of many hosts in the fleet and receive timely and accurate answers.
Incident detection and response across thousands of hosts with different operating systems and configurations would be a tedious process. While endpoint detection and protection tools provide some lift out of the box, deep insight into and analysis of security-relevant events are crucial to detecting advanced threats.

OSQuery to the rescue!! It can be used to answer these questions for the hosts irrespective of the operating system they run.

It makes use of simple SQL-like queries to extract information from the hosts in a unified manner!

Lab Scenario

We have set up the below scenario in our Attack-Defense labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab: Malware I

This lab comprises a malware sample running on the target machine. You will get access to the OSQuery shell to analyze the malware.

Challenge Statement

Malware is running on the machine. You will be provided with an osquery shell on the same machine. You have to run appropriate queries and answer the provided questions.

Solution

Q1. A service on the system is trying to resolve a TOR service domain. Provide the domain name.

Answer: dewrszxasdaf.onion

Solution:

Run the following query repeatedly to retrieve the command line arguments used to create the processes:

Query: select cmdline from processes;

Viewing the commands used to create the processes
Viewing the commands used to create the processes again — Repeat this to observe the activity of the malicious process!!

Repeating the same query multiple times reveals that the malware issues DNS requests for several different domains; each lookup process is short-lived, so a single snapshot catches only some of them.

Repeat the same query till the TOR service domain is revealed.

The “.onion” domain is revealed in the commands

Note: It may take a while to observe the domain name.

Q2. NSLookup is being invoked on the system to resolve multiple domain names. How many different domains are there?

Answer: 5

Solution:

Run the following query repeatedly to retrieve the command line arguments used to create the processes:

Query: select cmdline from processes;

Repeatedly viewing the commands used to create the processes to observe the different domains being resolved using the nslookup utility (series of screenshots)

Run the above query multiple times to get all the domain names.
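Rather than eyeballing repeated query output, the polling in Q1 and Q2 can be automated. The following is an added example (not code from the original post or the lab): it takes a few constructed snapshots of `select cmdline from processes;`, pulls the name out of each nslookup command line, unions the names across snapshots and flags any `.onion` name. The snapshot contents and the `SNAPSHOTS`, `lookup_target`, `collect_domains` and `tor_domains` names are assumptions.

```python
import re
import shlex

# Constructed snapshots of `select cmdline from processes;` taken a few
# seconds apart (sample data, not output from the lab machine). The nslookup
# children are short-lived, so each snapshot catches only some of them.
SNAPSHOTS = [
    ["/sbin/init", "/bin/sh /opt/beacon.sh", "nslookup abc.example.test"],
    ["/sbin/init", "/bin/sh /opt/beacon.sh", "nslookup dewrszxasdaf.onion"],
    ["/sbin/init", "/bin/sh /opt/beacon.sh", "nslookup abc.example.test",
     "nslookup def.example.test"],
    ["/sbin/init", "/bin/sh /opt/beacon.sh"],
]

# Loose hostname check: labels of letters, digits and hyphens joined by dots.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def lookup_target(cmdline):
    """Return the name an `nslookup` command line resolves, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in cmdline
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "nslookup":
        return None
    # nslookup [-opt ...] <name> [server]: the first non-option arg is the name.
    for arg in argv[1:]:
        if not arg.startswith("-"):
            return arg if DOMAIN_RE.match(arg) else None
    return None


def collect_domains(snapshots):
    """Union of resolved names across repeated process-table snapshots."""
    seen = set()
    for snapshot in snapshots:
        for cmdline in snapshot:
            target = lookup_target(cmdline)
            if target:
                seen.add(target.lower())
    return seen


def tor_domains(domains):
    """Names under the .onion TLD, which resolve only through Tor."""
    return {d for d in domains if d.endswith(".onion")}


if __name__ == "__main__":
    found = collect_domains(SNAPSHOTS)
    print(f"{len(found)} distinct names resolved: {sorted(found)}")
    print("Tor hidden services:", sorted(tor_domains(found)))
```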

Q3. A new user account has been created by a suspected malware. What is the name of that user?

Answer: mallory

Solution:

Run the following query to retrieve all the information from the users table (in osquery):

Query: select * from users;

The last entry has uid and gid set to 0 (root), which is really suspicious!!

User ‘mallory’ has uid=0 and gid=0, which indicates that this account is a backdoor on the system.

Q4. What is the domain name with which the system has established a TCP connection over the remote port 4444?

Answer: qzcdxvbqokp.dev.local

Solution:

Run the following query to retrieve the local and remote IP addresses and ports from the process_open_sockets table, restricted to connections in the ESTABLISHED state whose remote port is 4444:

Query: select local_address, local_port, remote_address, remote_port from process_open_sockets where state='ESTABLISHED' and remote_port=4444;

Retrieving the local and remote IP-port pair where the connection state is “ESTABLISHED” and the remote port is 4444

Note: It may take a while to observe the connection.

To get the hostname, query the etc_hosts table.

Query: select * from etc_hosts;

Retrieving all the entries of /etc/hosts file

Notice the last IP address. It is the IP address of the remote machine to which a connection was established on port 4444. Its domain name is “qzcdxvbqokp.dev.local”.

Q5. A file was downloaded to the machine from a remote server using a well-known utility. What is the name of that file?

Answer: details

Solution:

Run the following query to retrieve the process command line together with the local address, remote address and remote port of the corresponding socket, by joining the processes and process_open_sockets tables on pid where the connection state is ESTABLISHED:

Query: select p.cmdline, pos.local_address, pos.remote_address, pos.remote_port from process_open_sockets as pos JOIN processes as p ON pos.pid=p.pid where pos.state='ESTABLISHED';

Retrieving all the processes where the connection state was “ESTABLISHED”

To download a file, a connection first has to be established to the remote server hosting it, so the downloader shows up in this join while the transfer is in progress.

Notice that only one entry makes use of the wget command.

Note: It may take a while to observe the process.
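As an added example (not code from the post or the lab), the joins behind Q4 and Q5 can be run against an in-memory SQLite copy of a subset of the osquery tables, since osquery itself is built on SQLite; the rows, the column subset, and the `build_db`, `established_to_port` and `downloaded_files` names are constructed assumptions.

```python
import sqlite3
from posixpath import basename
from urllib.parse import urlparse

# Constructed rows shaped like a subset of the osquery tables used above
# (sample data, not output captured from the lab machine).
SCHEMA = """
CREATE TABLE processes (pid INTEGER, cmdline TEXT);
CREATE TABLE process_open_sockets (pid INTEGER, remote_address TEXT,
    remote_port INTEGER, state TEXT);
CREATE TABLE etc_hosts (address TEXT, hostnames TEXT);
"""
ROWS = {
    "processes": [(1, "/sbin/init"), (4242, "/opt/svc/agent 192.0.2.10 4444"),
                  (4300, "wget http://192.0.2.20/details")],
    "process_open_sockets": [(4242, "192.0.2.10", 4444, "ESTABLISHED"),
                             (4300, "192.0.2.20", 80, "ESTABLISHED"),
                             (1, "0.0.0.0", 0, "LISTEN")],
    "etc_hosts": [("127.0.0.1", "localhost"),
                  ("192.0.2.10", "qzcdxvbqokp.dev.local c2")],
}

def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def established_to_port(conn, port):
    """(cmdline, remote_address, hostname) for ESTABLISHED sockets to `port`;
    the hostname is the first name on the matching etc_hosts line (Q4)."""
    sql = """SELECT p.cmdline, s.remote_address, h.hostnames
             FROM process_open_sockets AS s JOIN processes AS p ON s.pid = p.pid
             LEFT JOIN etc_hosts AS h ON h.address = s.remote_address
             WHERE s.state = 'ESTABLISHED' AND s.remote_port = ?"""
    return [(c, a, h.split()[0] if h else None) for c, a, h in conn.execute(sql, (port,))]

def downloaded_files(conn):
    """Basenames of URLs fetched by wget processes holding an ESTABLISHED socket (Q5)."""
    sql = """SELECT p.cmdline FROM process_open_sockets AS s
             JOIN processes AS p ON s.pid = p.pid
             WHERE s.state = 'ESTABLISHED' AND p.cmdline LIKE 'wget %'"""
    urls = [a for (c,) in conn.execute(sql) for a in c.split() if "://" in a]
    return [basename(urlparse(u).path) for u in urls]
```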

Well, that was it!! I hope you got a new and valuable tool added to your belt today :)

Stay Safe and Happy Hacking!

