Are there ways to know if a user is trying to spoo...
# kolidet
Travis
12/15/2020, 8:12 PMAre there ways to know if a user is trying to spoof OS Query data? What certainties do we have that data collected has not been tampered with. I would guess File integrity monitoring helps here
f
fritz
12/15/2020, 8:15 PMVery interesting question @Travis, to better answer, could you give me an example of what data might be spoofed?
t
Travis
12/15/2020, 8:17 PMmore of just a general thought about if it could be done. I mean you could always place OS query in a VM and set up whatever you want but I was curious if could catch if folks were trying to adjust the OS query config
f
fritz
12/15/2020, 8:21 PMI guess I am still trying to understand the proposed attack pattern. Let's break this down into a smaller question and make some basic assumptions to help us narrow the scope.
For example:
On a macOS device, can the SIP configuration attestation be subverted/spoofed?
How is this data collected by osquery today?
Copy code
SELECT * FROM sip_config;
+----------------------------+---------+---------------+
| config_flag | enabled | enabled_nvram |
+----------------------------+---------+---------------+
| sip | 1 | 1 |
| allow_apple_internal | 0 | 0 |
| allow_device_configuration | 0 | 0 |
| allow_kernel_debugger | 0 | 0 |
| allow_task_for_pid | 0 | 0 |
| allow_unrestricted_dtrace | 0 | 0 |
| allow_unrestricted_fs | 0 | 0 |
| allow_unrestricted_nvram | 0 | 0 |
| allow_untrusted_kexts | 0 | 0 |
+----------------------------+---------+---------------+t
Travis
12/15/2020, 8:23 PMSure, I'll get some specifics from a dev on our team that felt they could send false data
f
fritz
12/15/2020, 8:23 PMSo @seph probably has some interesting proposed hypotheticals for how this could be spoofed or subverted.
The first way I see would be building your own osquery binary from source wherein you modified the underlying table code to hardcode the values, instead of dynamically retrieving them via the normal API calls that the table would make.
fritz
12/15/2020, 8:24 PMThe other variable we would want to control for would be whether the device was running a vanilla osquery agent vs Kolide's prepackaged osquery via launcher.
fritz
12/15/2020, 8:26 PMIs your question in reference to our SaaS offering K2 or just plain-old vanilla osquery?
t
Travis
12/15/2020, 8:33 PMSaaS Kolide
t
terracatta
12/15/2020, 9:03 PM
Hi Travis,
We did not design our system to be robust against a motivated user who wants to intentionally spoof responses.
With that said, am confident that if you were suspicious about tampering by an end-user we could likely work with you to prove the responses were spoofed after the fact.
terracatta
12/15/2020, 9:05 PM
If the engineer wants to explain what their plan was to spoof data, I'd love to hear about it though so we can understand their thought process.
t
Travis
12/15/2020, 9:08 PMThanks, I'll be sure to pass the details along when I get them. Personally I'm not so worried because if an attacker is coming in I really doubt they will have OS Query installed and be able to property spoof device details well enough to evade our SIEM flagging the actor as suspicious.
t
terracatta
12/15/2020, 9:10 PM
yeah if they have that level of access, i'd imagine they would be doing much more interesting things than that
➕ 1
4 Views