Investigating Threat Alerts with Osquery: Understanding Threat Surface & Risk

The Uptycs Threat Intelligence team is responsible for providing a high-quality, curated, and current threat intelligence feed to the Uptycs product. To deliver that feed, the team evaluates every alert seen by our customers and investigates it as feedback into the feed curation process. Recently we observed a malicious domain alert from a customer. The out-of-the-box alert description indicated that the domain belonged to the OSX/Shlayer malware family. We were quickly able to query Uptycs threat intelligence to find that the domain first appeared in February 2019 and was reported by multiple threat intel sources. Once the threat was validated, we dove into a deeper investigation to understand the threat surface and risk. This post walks through the steps and techniques we used to analyze data that had been collected via osquery and aggregated in Uptycs.

First, some context: Uptycs provides an out-of-the-box integration with third-party threat intelligence. We have more than 6 million indicators in 8 different categories. In addition to historical scanning (which is mostly invoked manually), Uptycs also scans DNS and IP connections in real time to identify malicious connections.

Now, let’s dig in.

We received an alert on the ‘’ domain, as shown in Figure 1.

Figure 1: Threat Information in the Uptycs Platform


At the time of the alert we knew from the description that the domain belonged to OSX/Shlayer malware, and the specific number of machines that had been identified as infected with it. Uptycs captured the following events:

  1. DNS lookup events
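As an added illustration of the real-time indicator matching described above (this is example code, not Uptycs' or osquery's own; the event field names, indicator values and sample rows are constructed assumptions, not the Uptycs schema), the following matches DNS lookup and socket events against a small indicator set, normalizing query names and walking parent domains so that a lookup of a subdomain of a listed domain still alerts:

```python
"""Match endpoint DNS-lookup and socket events against a threat-intel indicator set."""
import ipaddress
import json

# Constructed indicator feed (assumed values): indicator -> category an analyst would see.
INDICATORS = {
    "malicious-domain.example": "OSX/Shlayer (constructed sample)",
    "198.51.100.23": "malicious IP (constructed sample)",
}


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot some resolvers log ("host.example.")."""
    return name.strip().lower().rstrip(".")


def match_domain(name: str):
    """Walk from the full name up through its parent labels, stopping before the bare TLD,
    so 'cdn.listed.example' matches an indicator of 'listed.example'."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate, INDICATORS[candidate]
    return None


def match_ip(addr: str):
    """Exact match on a parsed IP so '198.051.100.023'-style variants cannot dodge the list."""
    try:
        key = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return (key, INDICATORS[key]) if key in INDICATORS else None


def scan_events(lines):
    """Return one alert dict per JSON event line that touches a listed indicator."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        hit = match_domain(ev["query"]) if ev["type"] == "dns_lookup" else match_ip(ev["remote_address"])
        if hit:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "indicator": hit[0], "category": hit[1]})
    return alerts


# Constructed sample events in the shape of osquery-style lookup/socket rows (assumed field names).
SAMPLE_EVENTS = [
    '{"type":"dns_lookup","host":"mac-01","pid":512,"query":"cdn.MALICIOUS-domain.example."}',
    '{"type":"dns_lookup","host":"mac-02","pid":77,"query":"updates.apple.com"}',
    '{"type":"socket","host":"mac-03","pid":903,"remote_address":"198.51.100.23"}',
]
```

Matching on parent domains widens coverage but also widens false positives if the feed contains shared hosting or CDN apex domains, so a feed's entries need curation before this walk is enabled.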

*** This is a Security Bloggers Network syndicated blog from Uptycs Blog authored by Amit Malik. Read the original post at: