ATT&CK +osquery = Love


I had the ability to live-stream MITRE’s ATT&CKcon, a two-day event where organizations came together as a community to share their best practices for leveraging the ATT&CK framework. At this conference, Scott Lundgren, Chief Architect at Carbon Black, presented “ATT&CK + osquery = Love,” where he proposed a challenge to the cybersecurity community: if we could find a way to use osquery to look for specific techniques from ATT&CK, we could begin a new way of detecting those techniques.

Good news, Scott noted, there are people out there already working on this!

First Step: I navigated out to https://github.com/teoseller/osquery-attck (via @teoseller) to check out the query packs. The one that really caught my eye was windows-incorrect_path_process.conf, but see below for the full list he has created at this point:

At this point, I am going to pull svchost for an example, but once you build one, you can really replace it with any filepath/process. I translated this query into one that would work with Carbon Black’s Cb LiveOps in the Predictive Security Cloud. The cool thing to note about Cb LiveOps is that there are two ways you can build queries: Query Builder or SQL Query. For those just starting out with SQL queries, our Query Builder is the bee’s knees. Start there, learn the patterns, and then move into building your own. I used the query builder and submitted:

SELECT *
FROM processes
WHERE name = 'svchost.exe'
  -- LOWER() because SQLite string comparison is case-sensitive and Windows hosts
  -- report mixed-case paths (C:\Windows\System32\...), which would otherwise
  -- make every legitimate svchost.exe look like it runs from the wrong place
  AND LOWER(path) != 'c:\windows\system32\svchost.exe'
  AND LOWER(path) != 'c:\windows\syswow64\svchost.exe'
  -- skip processes whose image path could not be read
  AND path != '';

In Cb LiveOps, it looks like this:

Last, decide which policies this query runs against and if you want an email when completed. I just completed a query that can look for this technique (T1306 – Masquerading). This is a repeatable query I can now use, export the results and manipulate the data any way I want. One small step for osquery, one giant leap for mankind!
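As an added example (not code from this post, from Carbon Black, or from teoseller’s pack), the following Python generalizes the svchost query above to any process/path pair, which is the natural next step the post describes. It uses Python’s sqlite3 module to stand in for osquery’s SQLite engine and a constructed list of process rows; the allow-list of expected paths is an assumption for illustration.

```python
import sqlite3

# Constructed allow-list (assumption: illustrative, not from the post or from
# teoseller's pack) of where each system binary is expected to live, lower-cased.
EXPECTED_PATHS = {
    "svchost.exe": [r"c:\windows\system32\svchost.exe",
                    r"c:\windows\syswow64\svchost.exe"],
    "lsass.exe": [r"c:\windows\system32\lsass.exe"],
}

# Constructed rows shaped like osquery's `processes` table: (pid, name, path).
SAMPLE_PROCESSES = [
    (4,    "svchost.exe", r"C:\Windows\System32\svchost.exe"),   # legitimate
    (612,  "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),   # legitimate (32-bit host)
    (800,  "lsass.exe",   r"C:\Windows\System32\lsass.exe"),     # legitimate
    (1337, "svchost.exe", r"C:\Users\Public\svchost.exe"),       # wrong directory
    (2001, "lsass.exe",   r"C:\Windows\Temp\lsass.exe"),         # wrong directory
    (3000, "svchost.exe", ""),                                   # path unreadable, ignored
]


def render_osquery_sql() -> str:
    """Build one osquery/LiveOps statement covering every binary in EXPECTED_PATHS.

    LOWER() matters: SQLite compares strings case-sensitively and Windows reports
    paths like C:\\Windows\\System32\\svchost.exe, so a bare != against a
    lower-case literal would flag every legitimate svchost.exe.
    """
    clauses = []
    for name, paths in EXPECTED_PATHS.items():
        literals = ", ".join(f"'{p}'" for p in paths)
        clauses.append(f"(LOWER(name) = '{name}' AND LOWER(path) NOT IN ({literals}))")
    return ("SELECT pid, name, path FROM processes\n"
            "WHERE path != ''\n  AND (" + "\n    OR ".join(clauses) + ");")


def find_masquerading(rows=SAMPLE_PROCESSES):
    """Run the rendered query against an in-memory SQLite table standing in for osquery."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT)")
    con.executemany("INSERT INTO processes VALUES (?, ?, ?)", rows)
    return con.execute(render_osquery_sql()).fetchall()


if __name__ == "__main__":
    print(render_osquery_sql())
    for pid, name, path in find_masquerading():
        print(f"suspect pid={pid} {name} running from {path}")
```

The string returned by render_osquery_sql() can be pasted as-is into an osquery shell or the Cb LiveOps SQL Query box.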

The post ATT&CK +osquery = Love appeared first on Carbon Black.
