Recently, 2.27 million computers running Windows were infected with malware signed with a stolen certificate from the creators of a popular app called CCleaner, and inserted into its software update mechanism. Fortunately, signed malware is now simple to detect with osquery thanks to a pull request submitted by our colleague Alessandro Gario that adds Windows executable code signature verification (also known as Authenticode). This post explains the importance of code signatures in incident response, and demonstrates a use case for this new osquery feature by using it to detect the recent CCleaner malware. If you are unfamiliar with osquery, take a moment to read our previous blog post in which we explain why we are osquery evangelists, and how we extended it to run on the Windows platform.

Code-signed malware

Code signing was intended to be an effective deterrent against maliciously modified executables, and to allow a user (or platform owner) to choose whether to run executables from untrusted sources. Unfortunately, on general-purpose computing platforms like Windows, third-party software vendors are individually responsible for protecting their code-signing certificates. Malicious actors realized that they only needed to steal one of these certificates in order to sign malware and make it appear to be from a legitimate software vendor. This realization (and the high-profile Stuxnet incident) began a trend of malware signed with stolen code-signing certificates. It has become a routine feature of criminal and nation-state malware attacks in the past few years, and most recently happened again with an infected software update to the popular app CCleaner.

So, defenders already know that a trust model based on an assumption that all third-party software vendors can protect their code-signing certificates is untenable, and that on platforms like Windows, code-signing is only a weak trust marker or application whitelisting mechanism. But, there’s another use for code signatures: incident response. Once a particular signing certificate is known to be stolen, it also works as a telltale indicator of compromise. As the defender you can make lemonade out of these lemons: search for other systems on your network with executables that were also signed with this stolen certificate. The malware might have successfully evaded antivirus-type protections, but any code signed with a known-stolen certificate is an easy red flag: signing can be checked with a 0% chance of any false-positives. osquery offers an ideal method for performing such a search.

Verifying Authenticode signatures with osquery

New sensors are added to osquery with the addition of “tables,” maintaining the abstraction of all system information as SQL tables. To add a table to osquery, you first define its spec, or schema.

Part of osquery’s appeal is its flexibility and open-source model – if there’s another feature you need built, let us know!
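As an added example (not code from the original post, nor from osquery itself), here is the shape of the hunt described above: the osquery query a defender would run against the `authenticode` table, and a small Python helper that takes the JSON rows `osqueryi --json` returns and flags binaries whose signing certificate matches a known-stolen (issuer, serial) pair. The column names are those of osquery's `authenticode` and `processes` tables; the certificate issuers, serial numbers and file paths are constructed placeholders, not the real CCleaner indicators.

```python
import json

# Query run on each endpoint. authenticode exposes path, original_program_name,
# serial_number, issuer_name, subject_name and result (the verification outcome).
# Joining on processes limits the check to code that is actually executing.
HUNT_QUERY = """
SELECT p.pid, p.path, a.subject_name, a.issuer_name, a.serial_number, a.result
  FROM processes p
  JOIN authenticode a ON a.path = p.path;
"""

def normalize_serial(serial):
    """Serials are reported as '00:1A:2B' or '1a2b'; compare one canonical form."""
    return serial.replace(":", "").replace(" ", "").lower().lstrip("0")

def stolen_cert_hits(rows, stolen_certs):
    """Return rows whose (issuer_name, serial_number) is a known-stolen certificate.

    Serial numbers are only unique per issuing CA, so the issuer is part of the key.
    a.result is deliberately ignored: a signature that still validates as trusted
    is exactly what a stolen certificate buys the attacker.
    """
    wanted = {(issuer, normalize_serial(serial)) for issuer, serial in stolen_certs}
    return [row for row in rows
            if (row["issuer_name"], normalize_serial(row["serial_number"])) in wanted]

# Constructed sample output in the shape `osqueryi --json` produces; every
# issuer, serial and path below is a placeholder, not a real indicator.
SAMPLE_OUTPUT = json.dumps([
    {"pid": "1204", "path": "C:\\Program Files\\ExampleApp\\app.exe",
     "subject_name": "Example Vendor Ltd", "issuer_name": "Example CA",
     "serial_number": "00:1A:2B:3C", "result": "trusted"},
    {"pid": "1388", "path": "C:\\Windows\\System32\\svchost.exe",
     "subject_name": "Microsoft Windows", "issuer_name": "Microsoft Windows PCA",
     "serial_number": "33:00:00:01", "result": "trusted"},
    {"pid": "2210", "path": "C:\\Users\\Public\\updater.exe",  # same serial, other CA
     "subject_name": "Other Vendor", "issuer_name": "Other CA",
     "serial_number": "1a2b3c", "result": "trusted"},
])

STOLEN_CERTS = [("Example CA", "1a2b3c")]  # constructed placeholder indicator

def hunt(json_output=SAMPLE_OUTPUT, stolen_certs=STOLEN_CERTS):
    """Parse osquery JSON output and return the matching rows."""
    return stolen_cert_hits(json.loads(json_output), stolen_certs)

if __name__ == "__main__":
    for hit in hunt():
        print(f"STOLEN CERT: pid={hit['pid']} path={hit['path']} "
              f"issuer={hit['issuer_name']} serial={hit['serial_number']}")
```

In a fleet deployment the same logic belongs in a scheduled query plus a log pipeline rule rather than a local script; the (issuer, serial) keying and serial normalization carry over unchanged.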