osquery and yara rules
init
In the previous post 1 we installed osquery and saw how it works. In this writeup we will match a yara rule against a file we create ourselves, to understand how the whole chain works end to end.
First, make a directory called yara-rules in the home directory.
That directory needs two files, whose contents are given below:
$ cat ~/yara-rules/example1.yar
rule OfExample1
{
strings:
$a = "dummy1"
$b = "dummy2"
$c = "dummy3"
condition:
2 of ($a,$b,$c)
}
$ cat ~/yara-rules/osq-yara.conf
{
"schedule": {
"yara_events": {
"query": "select * from yara where sig_group = 'sig_group_1' and path LIKE '/tmp/%';",
"removed" : false,
"interval": 30
}
},
"yara": {
"signatures": {
"sig_group_1": [ "/home/user1/yara-rules/example1.yar" ]
},
"file_paths": {
"tmp": [ "sig_group_1"]
}
},
"file_paths": {
"tmp": [ "/tmp/%" ]
}
}
Here osq-yara.conf is the file we will use to load the configuration. Almost all of the lines in it are self explanatory: the yara section registers example1.yar under the signature group sig_group_1 and binds that group to the tmp file-path category, and the top-level file_paths section resolves that category to /tmp/%. The scheduled query, named yara_events, then asks the yara table for files under /tmp every 30 seconds. The yara rule itself was taken from 2 and is only a simple example to show how the pieces fit together. Note the condition: the rule is considered matched when at least two of the three strings dummy1, dummy2 and dummy3 are found in a file, not only when all three are present. We will create such a file in the /tmp folder, which osquery is monitoring, so the rule should fire when there is a match.
Now let's run osquery from one terminal in interactive mode.
$ sudo osqueryi --config_path=./osq-yara.conf --verbose --disable_events=false --enable_file_events=true
In another terminal, append the following text to a file under /tmp:
$ echo "dummy1" >> /tmp/file1.mal && echo "dummy2" >> /tmp/file1.mal && echo "dummy3" >> /tmp/file1.mal
At the osquery prompt we can execute the following query to check whether the file was detected by yara or not.
osquery> select * from yara where sig_group = 'sig_group_1' and path LIKE '/tmp/%';
+----------------+------------+-------+-------------+---------+----------------+------+
| path | matches | count | sig_group | sigfile | strings | tags |
+----------------+------------+-------+-------------+---------+----------------+------+
| /tmp/file1.mal | OfExample1 | 1 | sig_group_1 | | $a:0,$b:7,$c:e | |
+----------------+------------+-------+-------------+---------+----------------+------+
As we can see, the file is detected: the matches column names the rule and the strings column gives the offset of each matched string in hex ($c:e is offset 14, where dummy3 starts after the two 7-byte lines before it). We can now remove the file /tmp/file1.mal and exit interactive mode by typing the .exit command.
Now let's automate the process by running the daemon with the same configuration and flags:
$ sudo osqueryd --config_path=./osq-yara.conf --verbose --disable_events=false --enable_file_events=true
Now if we recreate the /tmp/file1.mal file, the scheduled query should log the match within its 30-second interval to /var/log/osquery/osqueryd.results.log, which we can follow with tail -f /var/log/osquery/osqueryd.results.log, as already set up per link 3.
If you want to push this information to the Elastic Stack, follow link 4.
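As an added example (this is not code from the original post or from the osquery project), the Python below does two things with the output we have seen. First, for a given file's bytes it reproduces the matches, count and strings values the yara table reported above, which makes the 2-of-3 condition and the hex offsets concrete (the third string shows as $c:e because it starts at byte 14). Second, it filters real hits out of osqueryd.results.log lines before they are forwarded anywhere. The log lines embedded in it are constructed for the example in the per-result JSON shape osqueryd writes (name, columns, action); the function names are my own, and the assumption that the yara table emits a count-0 row for scanned files that did not match is marked in the code.

```python
import json
import re

# Strings and threshold taken from ~/yara-rules/example1.yar (rule OfExample1).
RULE_NAME = "OfExample1"
RULE_STRINGS = {"$a": b"dummy1", "$b": b"dummy2", "$c": b"dummy3"}
RULE_THRESHOLD = 2  # condition: 2 of ($a,$b,$c)


def string_offsets(data: bytes) -> dict:
    """Map each rule string identifier to the byte offsets where it occurs."""
    hits = {}
    for ident, needle in RULE_STRINGS.items():
        offs = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offs:
            hits[ident] = offs
    return hits


def evaluate_rule(data: bytes):
    """Apply the 2-of-3 condition to file contents.

    Returns (matches, count, strings) shaped like the osquery yara table
    columns of the same name: matches is the rule name or '', count is the
    number of rules that matched, and strings is '$id:offset' pairs with the
    offsets in hex, e.g. '$a:0,$b:7,$c:e' as in the query output above.
    """
    hits = string_offsets(data)
    if len(hits) < RULE_THRESHOLD:
        return "", 0, ""
    strings = ",".join(f"{ident}:{off:x}"
                       for ident, offs in hits.items() for off in offs)
    return RULE_NAME, 1, strings


def yara_hits(result_lines, query_name="yara_events"):
    """Pull (path, matches, strings) out of osqueryd.results.log lines.

    Only 'added' rows of the named scheduled query are considered. Rows with
    count 0 are skipped: the assumption here is that the yara table returns a
    row for every scanned file under /tmp, matched or not, with count telling
    them apart.
    """
    hits = []
    for line in result_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("name") != query_name or rec.get("action") != "added":
            continue
        cols = rec.get("columns", {})
        if int(cols.get("count", "0")) == 0:
            continue
        hits.append((cols["path"], cols["matches"], cols["strings"]))
    return hits


# Constructed sample of three results-log lines (not captured from a real
# host): the matching file, a non-matching file under /tmp, and an unrelated
# scheduled query that happens to mention the same path.
SAMPLE_RESULTS_LOG = [
    json.dumps({"name": "yara_events", "hostIdentifier": "lab", "unixTime": 0,
                "columns": {"path": "/tmp/file1.mal", "matches": "OfExample1",
                            "count": "1", "sig_group": "sig_group_1",
                            "sigfile": "", "strings": "$a:0,$b:7,$c:e",
                            "tags": ""},
                "action": "added"}),
    json.dumps({"name": "yara_events", "hostIdentifier": "lab", "unixTime": 0,
                "columns": {"path": "/tmp/notes.txt", "matches": "",
                            "count": "0", "sig_group": "sig_group_1",
                            "sigfile": "", "strings": "", "tags": ""},
                "action": "added"}),
    json.dumps({"name": "other_query",
                "columns": {"path": "/tmp/file1.mal"}, "action": "added"}),
]


if __name__ == "__main__":
    contents = b"dummy1\ndummy2\ndummy3\n"   # what the three echo commands produce
    print(evaluate_rule(contents))           # ('OfExample1', 1, '$a:0,$b:7,$c:e')
    print(evaluate_rule(b"dummy1\n"))        # ('', 0, '') - one string is below the threshold
    print(yara_hits(SAMPLE_RESULTS_LOG))     # only the /tmp/file1.mal row survives
```

Running it shows why the strings column in the interactive output reads $a:0,$b:7,$c:e, and why a file containing only dummy1 will never show up as a match even though it sits under the monitored path. The yara_hits filter is the piece worth keeping if you later ship the results log to Elastic: it drops the non-matching rows and any other scheduled query's output, so only genuine rule hits go forward.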