
Threat hunting with Kolide and osquery

Introduction

In this article, we’ll discuss how Kolide Fleet can be used for threat hunting. This is not an introductory piece, but a write-up showing the capabilities of Kolide Fleet for threat-hunting work. We will therefore not cover basic installation, but rather the main features and capabilities of Kolide Fleet.

Overview

Kolide Fleet is a flexible control server that can be used to manage fleets of osquery hosts. Using Fleet, we can query multiple hosts on demand. We can also create query packs and build schedules.

With Kolide, you can manage your fleet of osquery hosts more easily through a web interface. The following are some of the things that you can query:

  • Running processes
  • Kernel modules loaded
  • Active user accounts
  • Active network connections

The web interface makes Kolide very easy to use if you already understand SQL syntax and have interacted with osquery. How far you can take your queries depends on how conversant and comfortable you are with SQL. For instance, just like in SQL, osquery allows you to perform joins, limits and aggregates within your queries.
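As an added example (not from the original article), the following osquery SQL illustrates the joins, limits and aggregates mentioned above over the standard osquery tables `processes`, `process_open_sockets`, `users` and `kernel_modules`; the threshold of 5 remote endpoints and the `LIMIT` values are constructed for illustration and would be tuned to the environment. These can be run in `osqueryi` or saved as Fleet queries.

```sql
-- Constructed osquery hunting queries (example code, not from the article or the Kolide project).

-- 1. Join: processes holding established remote connections, attributed to a user.
--    Loopback, unspecified and link-local addresses are excluded as noise;
--    LIMIT bounds the result on busy hosts.
SELECT p.pid, p.name, p.path, u.username,
       s.local_port, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p ON s.pid = p.pid
LEFT JOIN users AS u ON p.uid = u.uid
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1', '0.0.0.0', '::')
  AND s.remote_address NOT LIKE '127.%'
  AND s.remote_address NOT LIKE 'fe80:%'
ORDER BY p.pid
LIMIT 50;

-- 2. Aggregate: distinct remote endpoints per executable. A binary that is not
--    expected to talk to many peers but does is a candidate for closer review.
--    The threshold of 5 is a constructed value for this example.
SELECT p.name, p.path,
       COUNT(DISTINCT s.remote_address || ':' || s.remote_port) AS remote_endpoints
FROM process_open_sockets AS s
JOIN processes AS p ON s.pid = p.pid
WHERE s.remote_port != 0
GROUP BY p.name, p.path
HAVING remote_endpoints > 5
ORDER BY remote_endpoints DESC;

-- 3. Running processes whose executable is no longer on disk (on_disk = 0),
--    i.e. the binary was removed after launch. Legitimate package upgrades can
--    cause this too, so correlate with the parent process and cmdline.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;

-- 4. Loaded Linux kernel modules (the kernel_modules table is Linux-only),
--    largest first, for comparison against an approved-module baseline.
SELECT name, size, used_by, status
FROM kernel_modules
ORDER BY size DESC
LIMIT 20;
```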

Running the Fleet

Before you can run Kolide, you need to ensure that you have prepared the database. This is done with the command “fleet prepare db”, as shown below:

Figure 1. Preparing the database

Once complete, you should see a message reading “Migrations Completed.” Next, we need to generate a self-signed certificate by following the three steps given below.

These steps involve the:

  • Creation of the server.key private key file
  • Creation of the server.csr certificate signing request file
  • Creation of the server.cert certificate file

Step 1

In this step, we generate the private key for the certificate. The command used and its output are shown below:

(Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/tNoCFpCzxOk/
