While this might seem complex, the Elastic Osquery Manager integration makes deployment across many endpoints straightforward and simplifies both the collection and the aggregation of the resulting data.
It’s never been easier to implement osquery at scale
The Osquery Manager integration simplifies the deployment shown in Figure 1 by adding it to the policy assigned to the agents running on your endpoints. Once deployed, it lets you run live queries and schedule recurring queries for those agents to gather data from hundreds of tables across your entire enterprise — all within a dedicated page in Kibana. The extensive schema provided by osquery helps with a variety of use cases, including security vulnerability detection, compliance monitoring, incident investigations, and more.
Let’s see now how to use this integration for threat hunting.
Windows advanced persistence techniques
Persistence is a tactic adversaries use to maintain their access to a compromised machine. Many techniques exist to achieve it; an exhaustive list is described in the MITRE ATT&CK matrix.
Some of the most common techniques used by attackers are:
1. Scheduled Task technique (MITRE T1053.005): Adversaries may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code. Attackers often give their scheduled tasks convincing names that mimic legitimate software, so they can pass unnoticed by a less careful eye.
2. Service Creation technique (MITRE T1543.003): Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots, it starts programs called services that perform background system functions. Services whose executable lives in an unusual folder deserve investigation; AppData and its subfolders are a notorious example.
3. Startup Items technique (MITRE T1547.001): Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry Run key. In both cases the referenced program is executed when a user logs in.
The most common Run keys created by default on Windows systems are:
But Run keys can exist under multiple registry hives; for a comprehensive treatment of the subject, see the official Microsoft documentation.
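To make the three techniques concrete, here is an added example (not from the original post and not Elastic's or osquery's own code) of the hunt queries you would run against the osquery tables scheduled_tasks, services and registry, looking for entries that execute from user-writable locations such as AppData, Temp or Users\Public. The column names follow the osquery schema, but the rows are constructed sample data; because osquery's SQL engine is SQLite, the example loads those rows into an in-memory SQLite database so the very same SQL text can be pasted into an Osquery Manager live query.

```python
import sqlite3

# Constructed sample rows, not real telemetry. Column names are a subset of the
# osquery tables scheduled_tasks, services and registry so the queries below
# can be pasted as-is into an Osquery Manager live query.
SCHEDULED_TASKS = [  # (name, action, enabled, hidden)
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "%windir%\\system32\\defrag.exe -c -h -k -g", 1, 0),
    ("\\Adobe Acrobat Update Task",
     "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe", 1, 0),
    ("\\OneDrive Update",
     "C:\\Users\\bob\\AppData\\Roaming\\OneDrive\\update.exe", 1, 0),
    ("\\SystemHealthCheck", "C:\\Windows\\Temp\\health.exe", 1, 1),
    ("\\OldInstaller", "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe", 0, 0),
]
SERVICES = [  # (name, display_name, path, start_type, user_account)
    ("Dhcp", "DHCP Client",
     "C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p",
     "AUTO_START", "NT AUTHORITY\\LocalService"),
    ("Spooler", "Print Spooler", "C:\\Windows\\System32\\spoolsv.exe",
     "AUTO_START", "LocalSystem"),
    ("WinSyncSvc", "Windows Sync Host",
     "C:\\Users\\bob\\AppData\\Local\\Temp\\winsync.exe",
     "AUTO_START", "LocalSystem"),
]
SID = "S-1-5-21-1234567890-1234567890-1234567890-1001"  # constructed user SID
HKLM_RUN = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKU_RUN = f"HKEY_USERS\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
REGISTRY = [  # (key, name, type, data)
    (HKLM_RUN, "SecurityHealth", "REG_EXPAND_SZ",
     "%windir%\\system32\\SecurityHealthSystray.exe"),
    (HKU_RUN, "OneDrive", "REG_SZ",
     "\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    (HKU_RUN, "Updater", "REG_SZ", "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Foo",
     "InstallLocation", "REG_SZ", "C:\\Users\\bob\\AppData\\Roaming\\Foo"),
]

# Hunt queries, keyed by MITRE ATT&CK technique ID. Windows paths contain
# backslashes; SQLite LIKE has no escape character unless ESCAPE is given, so a
# literal backslash inside the pattern needs no special treatment.
HUNT_QUERIES = {
    # T1053.005: enabled tasks that are hidden or run from a user-writable path.
    "T1053.005": r"""
        SELECT name, action, hidden FROM scheduled_tasks
        WHERE enabled = 1
          AND (hidden = 1
               OR action LIKE '%\AppData\%'
               OR action LIKE '%\Temp\%'
               OR action LIKE '%\Users\Public\%')
        ORDER BY name""",
    # T1543.003: services whose binary lives in a user-writable path.
    "T1543.003": r"""
        SELECT name, display_name, path, user_account FROM services
        WHERE path LIKE '%\AppData\%'
           OR path LIKE '%\Temp\%'
           OR path LIKE '%\Users\Public\%'
        ORDER BY name""",
    # T1547.001: Run/RunOnce values pointing at a user-writable path.
    # osquery requires a constraint on key (or path) for the registry table,
    # and because it runs as SYSTEM the per-user hives are reached through
    # HKEY_USERS\<SID> rather than HKEY_CURRENT_USER; % stands in for the SID.
    "T1547.001": r"""
        SELECT name, key, data FROM registry
        WHERE (key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
               OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run%')
          AND (data LIKE '%\AppData\%'
               OR data LIKE '%\Temp\%'
               OR data LIKE '%\Users\Public\%')
        ORDER BY name""",
}


def build_db():
    """Load the constructed rows into an in-memory SQLite DB (osquery's SQL is SQLite)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE scheduled_tasks (name TEXT, action TEXT, enabled INTEGER, hidden INTEGER);
        CREATE TABLE services (name TEXT, display_name TEXT, path TEXT,
                               start_type TEXT, user_account TEXT);
        CREATE TABLE registry (key TEXT, name TEXT, type TEXT, data TEXT);
    """)
    con.executemany("INSERT INTO scheduled_tasks VALUES (?, ?, ?, ?)", SCHEDULED_TASKS)
    con.executemany("INSERT INTO services VALUES (?, ?, ?, ?, ?)", SERVICES)
    con.executemany("INSERT INTO registry VALUES (?, ?, ?, ?)", REGISTRY)
    return con


def hunt(con):
    """Run every hunt query; return {technique_id: [names of matching entries]}."""
    return {tid: [row[0] for row in con.execute(sql)] for tid, sql in HUNT_QUERIES.items()}


if __name__ == "__main__":
    con = build_db()
    for tid, sql in HUNT_QUERIES.items():
        print(f"== {tid} ==")
        for row in con.execute(sql):
            print("  ", row)
```

These queries produce leads, not verdicts: the OneDrive Run value above is exactly how Microsoft's own client registers itself under AppData, and the disabled task in Temp is filtered out only because of the enabled = 1 clause, so tune the path list and the enabled filter to your environment and triage hits against known-good software before escalating.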
With this brief introduction to some known persistence techniques, let’s focus on the configuration of the Elastic Agent with the Osquery Manager integration.
Elastic Agent: A quick refresher
The Elastic Agent provides a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, and more. A single agent makes it easier and faster to deploy monitoring across your infrastructure. Each agent has a single policy that you can update to add integrations for new data sources, security protections, and more.
Elastic Agent can be deployed in Fleet or standalone mode. With the former, you install Elastic Agent on each host you want to monitor and use Fleet in Kibana to define, configure, and manage your agents in a central location. It makes the management and upgrade of your agents considerably easier. Standalone mode lets you install Elastic Agent on each host you want to monitor and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is recommended for advanced users only.
Every Agent policy may contain multiple integrations depending on the type of data you want to collect from the endpoint where it is deployed.
Configuring Osquery Manager with Elastic Agent
Let’s see the full configuration cycle of the Elastic Agent, from deployment to installation, focusing on the Osquery Manager integration.
Once your deployment is up and running, open the Kibana menu and browse to Fleet: