Facebook has released a new tool that allows administrators and security teams to search for malicious processes, browser extensions, or other problematic issues on their Windows networks.
The tool, called osquery, has been available for a couple of years for Linux and OS X environments, but now Facebook engineers have published a Windows version. It’s powered by SQL and is designed to help teams hunt down security threats on their networks before they become active problems.
“For example, osquery allows our Facebook security team to fetch data about all browser extensions running on our corporate network. We then compare that information to threat intelligence data to quickly identify malicious extensions and remove them. This proactive technique, known as ‘threat hunting,’ is an important enhancement to traditional detection-based security, but not yet offered by many commercial agents,” Nick Anderson, a security engineer at Facebook, said in a post on the release of the osquery tool.
“As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security. We saw the long-held misconception of “security by obscurity” fall away as people started sharing tooling and experiences with other members of the community. Our initial release of osquery was supported for Linux and OS X, but the community was also excited for a Windows version — so we set out to build it,” Anderson said.
Facebook’s engineers worked with the team at Trail of Bits, a high-end security consultancy, to port osquery to Windows. The Trail of Bits team faced a number of challenges during the project, but said the work was worth the effort.
“The osquery tables – the code that retrieves information from the local machine – present their own unique challenges. For instance, the processes table needed to be re-implemented on Windows. This table retrieves information about processes currently running on the system. It is a requirement for the osquery daemon to function. To implement this table, we created a generic abstraction to the Windows Management Instrumentation (WMI), and used existing WMI functionality to retrieve the list of running processes. We hope that this approach will support the creation of many more tables to tap into the vast wealth of system instrumentation data that WMI offers,” Trail of Bits said in a post.