![kolide osquery kolide osquery](https://miro.medium.com/max/13304/1*eUaV8wZs1ognsUTEPpW8bQ.png)
![kolide osquery kolide osquery](https://1.bp.blogspot.com/-wW6PiNa9eCU/XNyYJhCP8vI/AAAAAAAABUw/aBYVwJuDsyMSXDAJ1s2Ba28T0JPoGnp6wCLcBGAs/s1600/run_query_from_kolide.jpg)
It’s importante to note that these temporary credentials can typically be used fom anywhere that can reach the AWS API, which are open to the entire Internet. Below we show a non-exhaustive list of commands the attacker could execute: Having obtained these credentials, an attacker could for example create a new AWS CLI profile and use them to map which privileges they contain, and also search for interesting ways to obtain persistence or valuable data to exfiltrate. See below a proof of concept we performed on a test environment: This is clearly a useful technique for pivoting from the osquery access to attacking the AWS control plane. This in turn allows the attacker to obtain valid temporary credentials to access the AWS APIs with the instance-assigned privileges in a convenient and scalable fashion. So, any attacker that obtains query access to an osquery fleet can query the AWS metadata service using the curl table. When privileges were assigned to an instance, this service can be used to obtain temporary credentials ( Access Key, Secret Key and Session Token) which can be used to perform AWS API calls using said privileges. By default any process inside an instance can access the metadata service at. One of the most critical ways in which the metadata service is used is to allow AWS IAM privileges to be granted to EC2 instances. Instance metadata is divided into categories, for example, host name, events, and security groups.” This is how the AWS documentation describes the EC2 instance metadata service: “ Instance metadata is data about your instance that you can use to configure or manage the running instance. So the angle of accessing the EC2 instance metadata service was the one that immediately grabbed our attention. To put this finding in perspective, here at Tenchi Security are really focused on cloud security. What if we used the curl table to exploit HTTP-accessible services on an organization’s internal network? Or what if we used it to query an Elasticsearch cluster? Or to access the EC2 instance metadata service? And the answer is that yes, this will allow us to gain access to potentially sensitive data in a typical environment.
![kolide osquery kolide osquery](https://defensivedepth.files.wordpress.com/2018/10/osquery-dashboard.jpg)
So essentially this is a vehicle for remotely executing a limited analog of the versatile command-line curl utility.ĭuring preparations for an upcoming osquery and Kolide course we’ll offer in Brazilian Portuguese (with all revenue being diverted to charities helping those affected by COVID-19), we had an idea. Querying this table allows you to perform a variety of HTTP requests from the host running osquery and obtain the response returned from the server. This is when we need to bring up the existence of the curl table in osquery. It is also important to note that, since it’s open source, osquery is widely used in an explicit or hidden way in several management and security offerings such as those in the MDR, MSSP and EDR categories. For example, great care was taken to not allow reading arbitrary files by default through osquery. One big underlying assumption, though, is that osquery takes great care to not allow anyone to obtain potentially confidential data from the hosts or environment they run on. The combination of tables and the queries allows IT and security professionals to answer a variety of questions which can then be continuously monitored (through scheduled queries), with optional alerts if particular values are found or if changes in certain values are detected. There are currently 257 tables that can be queried, which are listed at. The information offered through this simple model would otherwise require complex and varied methods for collection and normalization, so this is a huge win. The way osquery works is by offering relational tables (some of which are general and others which are OS-specific) which can be queried using SQL and allow you to inspect live information from hosts in your fleet. In order to solve this problem using an easy to use interface, Facebook created osquery in 2014, and published it as open source software.
#KOLIDE OSQUERY SOFTWARE#
Needs would include performance management, software inventories, or even threat hunting and incident response. Listening ON process.pid = listening.IT professionals often need to answer questions about what is happening in the operating systems of the fleet they manage or secure. Process.pid FROM processes AS process JOIN listening_ports AS SELECT DISTINCT process.name, listening.port, listening.address,
![kolide osquery kolide osquery](https://miro.medium.com/max/1632/1*I7ZdZ6EwUNrdBXNUXSLAqQ@2x.png)
Demystifying osquery for fun and profit asim jaweesh - null dubai dec 2019