Threat hunting with Kolide and osquery
Introduction
In this article, we’ll discuss how Kolide Fleet can be used for threat hunting. This is not an introductory piece but a write-up of what Fleet can do in a threat-hunting role, so we will not cover basic installation; instead, we focus on the main features and capabilities of Kolide Fleet.
Overview
Kolide Fleet is a flexible control server for managing fleets of osquery hosts. With Fleet, we can run a query against many hosts on demand, and we can also build query packs and schedule them to run at intervals.
With Kolide, you manage your fleet of osquery hosts through a web interface. The following are some of the things you can query:
- Running processes
- Kernel modules loaded
- Active user accounts
- Active network connections
The web interface makes Kolide easy to use if you already understand SQL syntax and have interacted with osquery. How far you can push your queries depends on how comfortable you are with SQL: osquery exposes its tables through SQLite’s SQL dialect, so joins, limits and aggregates all work inside your queries exactly as they would in SQL.
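As an added example (not code from the article or from the Fleet project), here are three hunting queries of the kind you would save in Fleet, each exercising a join, an aggregate or a LIMIT, wrapped in a small POSIX shell script so they can be tried locally with osqueryi before being rolled out fleet-wide. The table and column names are osquery’s own; the loopback-address filter, the 10-connection threshold and the function names are assumptions to tune for your environment.

```shell
#!/bin/sh
# Added example, not from the article: osquery hunting queries that use
# joins, aggregates and LIMIT, run locally through osqueryi before being
# saved as Fleet queries. Thresholds and filters are assumptions.

# Join: every process with a live non-loopback connection, plus the owning
# user and the SHA-256 of the binary on disk (hash table joined on path).
hunt_outbound_sql() {
    cat <<'SQL'
SELECT p.pid, p.name, p.path, p.cmdline, u.username,
       s.remote_address, s.remote_port, s.protocol, h.sha256
FROM processes AS p
JOIN process_open_sockets AS s ON s.pid = p.pid
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN hash AS h ON h.path = p.path
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
ORDER BY p.name
LIMIT 50;
SQL
}

# Aggregate: processes holding many connections at once (beaconing,
# scanning, proxies). The threshold of 10 is an assumption.
hunt_chatty_sql() {
    cat <<'SQL'
SELECT p.pid, p.name, p.path, COUNT(*) AS connections
FROM processes AS p
JOIN process_open_sockets AS s ON s.pid = p.pid
WHERE s.remote_port != 0
GROUP BY p.pid
HAVING connections > 10
ORDER BY connections DESC;
SQL
}

# Join with a filter: listening services whose executable has been deleted
# from disk (processes.on_disk = 0), a classic sign of a dropped-and-removed
# implant.
hunt_deleted_binary_sql() {
    cat <<'SQL'
SELECT l.pid, p.name, p.path, p.cmdline, l.port, l.protocol, l.address
FROM listening_ports AS l
JOIN processes AS p ON p.pid = l.pid
WHERE l.port != 0
  AND p.on_disk = 0;
SQL
}

# Run one hunt through the local osqueryi shell and emit JSON rows, the same
# shape Fleet returns, so results can be piped to jq or a SIEM.
# Usage: run_hunt outbound | run_hunt chatty | run_hunt deleted_binary
run_hunt() {
    name="$1"
    osqueryi --json "$("hunt_${name}_sql")"
}
```

Developing the query locally first is worth the habit: a query that is slow or wrong on one host is slow or wrong on every host once Fleet schedules it, and tables such as hash and process_open_sockets are comparatively expensive, so keep the LIMIT and the WHERE filters tight before saving the query in the web interface.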
Running the Fleet
Before you can run Kolide Fleet, you need to prepare its database. This is done with the command “fleet prepare db”, as shown below:
Figure 1. Preparing the database
Once complete, you should see the message “Migrations Completed.” Fleet serves osquery agents over TLS, so before it can start we also need a server certificate. For this write-up we generate a self-signed one in three steps:
- Create the private key file, server.key
- Create the certificate signing request file, server.csr
- Create the certificate file, server.cert
Step 1
In this step, we generate the private key for the certificate. The command and its output are shown below:
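As an added example (these are not the article’s own commands or output), the three steps can be scripted as one POSIX shell function that produces server.key, server.csr and server.cert. The hostname fleet.example.com, the 4096-bit key, the 365-day lifetime and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: generate the self-signed
# server.key / server.csr / server.cert files Fleet is started with.
# Hostname, key size and lifetime below are assumptions.
set -eu

gen_fleet_certs() {
    dir="$1"   # output directory
    cn="$2"    # DNS name the osquery agents will use to reach Fleet
    mkdir -p "$dir"

    # Step 1: the private key
    openssl genrsa -out "$dir/server.key" 4096

    # Step 2: a certificate signing request bound to the Fleet hostname
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn"

    # Step 3: self-sign the CSR with the same key. The subjectAltName is
    # added explicitly because TLS clients, osquery's included, match the
    # hostname against the SAN rather than the CN.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 365 -extfile "$dir/san.ext" -out "$dir/server.cert"
    rm -f "$dir/san.ext"

    # Check what was actually issued before handing it to Fleet
    openssl x509 -in "$dir/server.cert" -noout -subject -dates
    openssl x509 -in "$dir/server.cert" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: gen_fleet_certs ./certs fleet.example.com
```

Because the certificate is self-signed, nothing trusts it by default: Fleet is started with the pair (the server_cert and server_key settings of fleet serve), and every osquery agent must be pointed at the same file with --tls_server_certs alongside --tls_hostname, or enrollment fails the TLS handshake. A hostname mismatch between the SAN and --tls_hostname fails in the same way, which is why the script prints the SAN back out.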
This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/tNoCFpCzxOk/