In the previous post 1 we installed osquery and saw how it works. In this writeup, we will try to match a YARA rule against one of the files we create, to understand how it all works. First we make a directory in the home directory called yara-rules; in that directory you will need two files. The contents of those files are given below: $ cat ~/yara-rules/example1.
In the last writeup we were able to generate logs based on file changes. But that does not help us much, because we would still have to monitor every single machine in the environment manually, which is impossible. It is certainly better if we can centralize all the logs into a single dashboard. As ELK is one of the common tools to search and visualize data, we can ship logs with Logstash to Elasticsearch and eventually view them in a Kibana dashboard.
In this article we will look into how we can use osquery to check the integrity of the filesystem, i.e. FIM. FIM is File Integrity Monitoring, which monitors changes in the filesystem. Usually when an attacker is inside a victim's machine, the attacker will try to download some scripts/programs to the victim's machine so that they can perform privilege escalation. This is valuable if you are searching for movement of an adversary in a system.
I have always wanted to use osquery and check out its capabilities so that I can understand how it can help me identify adversaries in my environment. But to do that, first I needed to understand how it all works. In this post, I will be installing osquery and checking out its power and how it can assist me in protecting my environment. Follow the steps below to perform the installation of osqueryi in a virtual machine with the following: