klionnic.blogg.se

Osquery mac

Osquery 5.5.1 release notes

Osquery 5.5.1 has some really exciting table updates! There is a much anticipated unified_log table for macOS; this table is the replacement for asl and uses the current Apple APIs. Additionally, several tables have improved their cross-platform support.

  • Add firmware_type column to platform_info table on Windows.
  • Add cgroup_path column to processes table on Linux ( #7728).
  • Add denylist mechanism to distributed queries ( #7675).

Representing commits from 14 contributors! Thank you all.

Leveraging OSQuery remotely via a macOS post exploitation tool

In this blog post I will share some fun testing I did purely out of curiosity. From a defensive perspective, OSQuery is an awesome capability that can give defenders a ton of visibility and help answer important host-based questions during an investigation. I personally am a fan of OSQuery, and I found it to be so valuable that I asked the question "Can an attacker remotely run OSQuery searches on a macOS host and obtain useful host information?". So this post shares the observations I have found with leveraging OSQuery remotely via a macOS post exploitation tool.

For anyone who may not be familiar with OSQuery, in a nutshell it is a SQL-based, cross-platform server/endpoint framework that allows organizations to query their servers/endpoints and ask all sorts of questions (ex: running processes, local users, last logged in users, etc.). OSQuery is open source and was developed by the awesome and talented security team at Facebook. I am not sure how many organizations currently leverage OSQuery, but my guess is that more organizations will utilize OSQuery as time goes on given how well it works and with it being cross platform.

I tend to focus a lot on macOS as a personal interest of mine. Given the immense value that OSQuery provides in terms of data that you can pull back from servers/endpoints, I started running some tests to see if I could do the following from a post exploitation tool on macOS:

  • remotely check and see if OSQuery is present
  • remotely run OSQuery commands and pull back host data
  • a look at how easy it is to detect this

First, after ensuring OSQuery was installed, I looked at the macOS installation docs ( ) to get info on how to run OSQuery and some default file locations. In particular, the "osqueryi" binary (by default installed at: /usr/local/bin/osqueryi) was of interest since it could be used to locally run OSQuery searches. Running "osqueryi" will drop you into an interactive OSQuery shell. From there you can run ".tables" to list out all available OSQuery tables to query against. Then from there you can simply run your SQL statements to start pulling data back.

Once I was comfortable with running the osqueryi binary and pulling host data via SQL statements, I then looked at how to run OSQuery searches remotely via a macOS post exploitation tool that can run shell commands. In essence I tested the ability to remotely run the following type of terminal command:

    $ echo "select pid,name,path,cmdline from processes" | osqueryi -json

Once I added the code above and corresponding server side code, I then tested it out to see if this would work remotely (I have added these examples above and a few more to my MacShellSwift project on github: ). I was able to successfully remotely invoke OSQuery and pull host data back to the C2 server. As this was tested on Catalina and I did not sign or notarize the MacShellSwift binary, I had to clear the quarantine attribute via the command line on the target host ($ xattr -c ), otherwise Gatekeeper would stop it from running.

I did not test remotely searching all OSQuery tables, but I was unable to remotely get data back from this OSQuery search: "select * from shell_history". This was a bit strange, since this search works fine from the command line locally by echoing it into osqueryi ($ echo "select * from shell_history" | osqueryi).

Detection

I ran Patrick Wardle's ProcessMonitor.app (can download from: ), which leverages the Apple Endpoint Security Framework (ESF) for event monitoring. Essentially I ran this in the background while remotely executing OSQuery commands through MacShellSwift and was able to find this activity in the logs as:

  • arguments: /usr/local/bin/osqueryi -json

The SQL query itself wasn't captured, so you would not know what exact data was pulled via OSQuery, but you would be able to at least see that osqueryi was invoked from a parent process belonging to a mach-o file (in this case the MacShellSwift mach-o binary). So one method for detection could be to search for osqueryi parent processes. I would guess that in most organizations with OSQuery deployed on macOS hosts few people are running osquery manually (maybe a few devs, engineers or IT staff members). So you could get a feel for what the common ways are for invoking osqueryi in your environment and look for anomalies (ex: a mach-o binary or a python script invoking osqueryi).
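The parent-process check described above, written out as an added example (this is not code from the original post or from the MacShellSwift project): a small Python detector run over constructed process-exec events of the kind an ESF-based monitor emits. It goes one step beyond the post by looking through intermediate shells, because a one-liner such as `echo "..." | osqueryi -json` executed via `sh -c` makes the shell, not the tool that spawned it, the direct parent of osqueryi. The event field names (pid, ppid, path, arguments), the shell list and the baseline launcher set are assumptions made for this example; the baseline in particular should come from your own telemetry, as the post suggests.

```python
import os
from typing import Dict, List, Optional

# Constructed process-exec events, loosely modelled on what an Endpoint
# Security based process monitor records. Field names are an assumption for
# this example, not any real tool's schema.
SAMPLE_EVENTS: List[dict] = [
    # A normal interactive session: Terminal -> zsh -> osqueryi
    {"pid": 501, "ppid": 1,
     "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "arguments": ["Terminal"]},
    {"pid": 520, "ppid": 501, "path": "/bin/zsh", "arguments": ["-zsh"]},
    {"pid": 530, "ppid": 520, "path": "/usr/local/bin/osqueryi",
     "arguments": ["osqueryi"]},
    # A Mach-O binary in /tmp running a shell one-liner: binary -> sh -c -> osqueryi
    {"pid": 600, "ppid": 1, "path": "/tmp/MacShellSwift",
     "arguments": ["/tmp/MacShellSwift"]},
    {"pid": 610, "ppid": 600, "path": "/bin/sh",
     "arguments": ["/bin/sh", "-c",
                   'echo "select pid,name,path,cmdline from processes" | osqueryi -json']},
    {"pid": 611, "ppid": 610, "path": "/usr/local/bin/osqueryi",
     "arguments": ["/usr/local/bin/osqueryi", "-json"]},
    # Unrelated noise that the detector must ignore
    {"pid": 700, "ppid": 1, "path": "/usr/bin/log", "arguments": ["log", "show"]},
]

# Shells are treated as pass-through: with `echo ... | osqueryi` the shell is
# the direct parent, so the chain is followed up to the first non-shell ancestor.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "fish"}

# Launchers expected to start osqueryi interactively (illustrative defaults;
# derive the real baseline from your own environment).
BASELINE_LAUNCHERS = {"Terminal", "iTerm2", "sshd"}


def index_by_pid(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events}


def launching_ancestor(by_pid: Dict[int, dict], event: dict) -> Optional[dict]:
    """Walk up the parent chain, skipping shells, and return the first
    non-shell ancestor. Returns None if the chain is broken (parent unseen)
    or cyclic."""
    seen = set()
    cur = event
    while True:
        ppid = cur.get("ppid")
        if ppid is None or ppid in seen:
            return None
        seen.add(ppid)
        parent = by_pid.get(ppid)
        if parent is None:
            return None
        if os.path.basename(parent["path"]) not in SHELLS:
            return parent
        cur = parent


def find_suspicious_osqueryi(events: List[dict],
                             baseline=BASELINE_LAUNCHERS) -> List[dict]:
    """Report osqueryi executions whose launching ancestor is not in the
    baseline, or whose ancestry cannot be resolved at all."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        if os.path.basename(e["path"]) != "osqueryi":
            continue
        launcher = launching_ancestor(by_pid, e)
        launched_by = launcher["path"] if launcher else "<unknown>"
        if launcher is not None and os.path.basename(launched_by) in baseline:
            continue
        findings.append({
            "pid": e["pid"],
            "arguments": " ".join(e["arguments"]),
            "launched_by": launched_by,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_osqueryi(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['arguments']}  launched by {f['launched_by']}")
```

On the sample events only pid 611 is reported, with `/tmp/MacShellSwift` as the launcher; the Terminal session is filtered out even though zsh, not Terminal, is osqueryi's direct parent. An unresolved parent chain is reported rather than silently passed, since a missing ancestor is itself worth a look.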









