Select count(pid) as total, name from processes group by name order by total desc limit 10 We can be able to identify our malicious process, “ Web Content.” The following was the query used: In the following query, we decided to query the process count, process name and determine the top 10 most active processes. We wanted to determine the most active processes and their count in order to understand the behavior of malware. Listing of largest processes based on memory size The following is the screenshot showing the malicious process on our infected Linux system:įigure 13. The screenshot below highlights the command we used:įigure 12. We built the query as shown in the screenshot below, then ran it. Select pid, name, uid, resident_size from processes order by resident_size desc limit 10 We decided to limit our query to 10 responses. We used osquery to query for the process ID, process name and the process size in memory. This process takes a significant amount of RAM, competing with more relevant processes, and ends up freezing the system.
The malicious process, named “ Web Content,” can be seen below with the ID 2658. By way of example, we infected our system with a resource-intensive malware. Sometimes, malware may consume heavy system resources. Scenario 1: Querying the largest processes based on memory size In the following sections, we’ll discuss possible scenarios that Kolide and osquery can be used to make advanced queries for your threat-hunting needs. The following screenshot shows the list of queries that we created.įigure 11. We built a list of queries that we will be discussing in the sections below. Next, we’ll discuss how we can manage our osquery instances using Kolide Fleet to perform certain queries to inform our threat-hunting exercise. Kolide hosts manager dashboard with list-view online host The screenshot above shows a grid view of the online host, and the one below shows a list view of the online host.įigure 10. There are two main ways that we can list or have an overview of the available hosts. Kolide hosts manager dashboard with grid-view online host This is shown in the screenshot below:įigure 9. Any asset in green means it has reached Kolide and is live. Once the application is served and the instance in which osquery has been installed has reached Kolide, it should appear online within the dashboard. Running osquery for the instance to come online We launched our osquery instance as shown below:įigure 8.
#Kolide osquery install#
See below:ĭo not forget to run your osquery, or else once inside the Fleet management console, your osquery install will appear offline. You should then be able to navigate to your fleet server either on localhost or using the server IP address if you have managed to set it up within your network of osquery hosts. This is a unique, randomly generated key that you will need to provide before the application can be served. Notice that for every instance that you serve the application, you will be required to provide a unique –auth_jwt_key. Traffic streaming from served application The output below shows traffic as the application is being run.įigure 6. Once the server is running, you should be able to see the following on your terminal where you started the server from. Generating the server.cert fileĪfter you are done with the above steps, you can now serve the application using the command shown below: The command and output are shown below:įigure 4. In this step we are generating the signed certificate. The command and output are shown below:įigure 3. In the step below, we generate a certificate signing request file.
The command used and output is shown below:įigure 2. In this step, we are generating the private key to the certificate. Once complete, you should get a message reading “Migrations Completed.” We, however, need to generate some self-signed certificates by following the three steps given below: This can be done using the command “fleet prepare db” as shown below: Running the Fleetīefore you can run Kolide, you need to ensure that you have prepared the database. For instance, just like in SQL, osquery allows you to perform joins, limits and aggregates within your queries. The extensiveness of the queries that you can use depend on how conversant and comfortable you are using SQL. The web interface makes it very easy to use Kolide if you already understand SQL syntax and have interacted with osquery. The following are some of the things that you can be able to query: With Kolide, you can manage your fleet of osquery hosts more easily through a web interface. We can also create query packs and build schedules. Using Fleet, we can be able to query multiple hosts on-demand. Kolide Fleet is a flexible control server that can be used to manage osquery fleets.