Avatar

As the son of a retired automotive mechanic, the lessons my father taught me are still just as important today. As I mentioned in my previous post about Orbital Advanced Search, “Pops” was always teaching me something. This time it was to always clean the tools after every job, maintain the tools that need oil, etc., and to always keep your tools organized neatly in the toolbox. These efforts allowed the tools to last longer, made them easier to identify and find in the drawer, and ultimately lead to increased efficiency. Not only did he become more productive, but these simple acts also worked as a mental inventory for the tools he owned. He always knew what tools he had and what drawer they were in.

The same is true today with IT Operation tools. IT Operators are responsible for defining the way an organization manages software and hardware, and to help keeping the business running. They provide other IT supports such as network administration, device management, and help desk. Ultimately, they are charged with advancing and improving business requirements while maintaining the operational stability of the organization.

IT Operations teams are being held back by the lack of access to the devices in their care. Something as simple as on-boarding and confirming the configuration of a new employee’s device is difficult without the ability to physically inspect the machine. They are challenged in the execution of their job with respect to seeing and controlling what is happening with devices in near real-time. Lastly, they are faced with the results of their efforts and trying to save time on recurring activities which allows their team to be more proactive.

As a feature in Cisco’s AMP for Endpoints AdvantageOrbital Advanced Search can be the organizational tool for your IT Operations. Orbital Advanced Search has an entire category dedicated to Posture Assessments which contains queries to check CPU data, network host connections, operating system information, installed programs, and more.

Whether you are hardening your environment through network & hardware hygiene audits or ensuring a new employee’s devices are configured properly without having to physically inspect the endpoint, Orbital Advanced Search will get you the answers you need to complete these tasks faster.

Let’s start with one IT Operations Catalog query that you can run daily.

YOU WANT TO: Check to see if there are any Chrome Browser Extensions that are running that can be used to perform malicious activity

 

Orbital Catalog Query to run: Chrome Browser Extensions Monitoring –This query returns data on the chrome extensions installed on the host for a particular user. The following data is retrieved:

  • username – the local user that owns the extension
  • name – display name
  • identifier
  • version
  • description
  • locale
  • update_url – extension-supplied update URI
  • persistent – 1 If extension is persistent across all tabs else 0
  • path – path to extension folder

WHY IS THIS IMPORTANT: This information can be used in an attempt to detect an extension performing malicious activity since it is a common practice for malware to disguise itself as a legitimate and well-known browser extension.

STEPS:

  1. Select the endpoints you wish to query
  2. Search the Catalog for “Chrome Browser Extensions Monitoring”
  3. Click the “+” to copy into your SQL query window
  4. Close the Query Catalog Window
  5. Click the Query button

QUERY RESULT: The query results deliver a table of data to be reviewed. First, look at the name of the extension that is running, be sure that it is a known name. Next, the identifier value can be used to obtain details from the Google Chrome webstore, for any extension found in your query results. As an example, if the identifier field is ghbmnnjooekpmoecnnnilnnbdlolhkhi, then details from the webstore can be seen at:

https://chrome.google.com/webstore/detail/ghbmnnjooekpmoecnnnilnnbdlolhkhi

To investigate other extensions, just add the extension identifier to the base url [replacing the identifier string with one returned in query results]:

https://chrome.google.com/webstore/detail/$identifer

Most often the update URL will point to the Google Chrome store. Look for any anomalous URLs that do not point to a trusted location [such as the Google Chrome store]. In the Update-URL column, you can take direct actions on the URLs, by using the pivot menu, which facilitates searching Talos intelligence, investigating across the SecureX platform, tracing artifacts in Threat Response, or taking action – such as host isolation.

FREQUENCY TO RUN: Daily.

That’s it! It’s easy to get you started with your first IT Operations query using Cisco’s Orbital Advanced Search. Orbital Advanced Search’s Catalog has dozens of pre-built posture assessment queries to streamline your IT Operations.

If you don’t already have Cisco AMP for Endpoints and are interested in trying Orbital Advanced Search, sign up for our virtual Threat Hunting Workshop, or request a free trial.

Stay tuned, our next blog discusses Vulnerability & Compliance and how you can use Orbital Advanced Search to check firewall configurations and authorized applications and ensure your endpoints are running the most updated version of anti-virus.

Read all my blogs on Orbital Advanced Search