Skip to content
/ ThirdEye Public

Monitors your Kolide instance for un-authorized use

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

d4rk-d4nph3/ThirdEye

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
third_eye.py
third_eye.py
 
 

Repository files navigation

ThirdEye

osquery osquery


image

Description

This project is to audit Kolide instances by exploiting the API provided by Kolide.

If you don't know about Kolide then, it's never too late to learn about this awesome product based on osquery.

In short, osquery is an OS instrumentation framework for that exposes an OS as a high-performance relational database. This allows you to write SQL queries to explore operating system data.

And, Kolide is a front-end for efficiently deploying osquery across multiple endpoints. Also, that UI is love.

Motivation

Motivation for this project is to monitor your Kolide instance by looking at any tamperings or un-authorized use like adding of a new unknown device, or running of queries by new actors.

Compromise of your Kolide means, now the adversary has a high performance framework available for reconnaisance.

Requirements

pip3 install requests

Usage

Testing

This project requires three values to be set before running:

  • Add your Kolide Access Token
  • Add a list of valid users
  • Add a list of valid locations (like United States, Sweden, etc)
python3 third_eye.py

Normal Use

For normal use, clone this repository and create a scheduled task to run this project for say, every 2 days.

Output

Enrolled Devices Summary

Generated at: 03:57 PM, Wed Aug 05, 2020

Total number of devices enrolled: 1

Device ID: 1102
Device Name: Win07
Platform: windows
OS: Microsoft Windows 10 Pro Version: 10.0.19041 | UBR: 388
Enrolled At: 2020-08-01T12:43:55.016Z
Last Seen At: 2020-08-05T07:57:43.000Z
Primary User: sam
Remote IP: 8.8.8.8
Location: China

Live Query by New Author Detected Alert

alert_id=200 timestamp=04:49 PM, Wed Aug 05, 2020 log_ts=2020-08-02T07:21:19.503Z author=John query=SELECT pid, name, path, cmdline, parent FROM processes WHERE name = 'svchost.exe' AND cmdline not LIKE '% -k %'; message=Live query by new author detected

New Device Location Detected Alert

alert_id=100 timestamp=04:11 PM, Wed Aug 05, 2020 location=Russia device=Win10 remote_ip=100.44.116.43 message=New device location detected

New Actor Detected in Audit Log Alert

alert_id=200 timestamp=04:19 PM, Wed Aug 05, 2020 log_ts=2020-08-05T07:55:05.428Z actor=Kira message=New Actor detected in Audit Log

TODO

  • Audit enrolled devices
  • Audit live queries
  • Fetch Audit logs
  • Detect queries by new authors
  • Detect abonormality in location
  • Visualize live query and API usage statistics

About

Monitors your Kolide instance for un-authorized use

Topics

api osquery kolide

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Languages