Unsupervised Anomaly Detection Using BigQueryML and Capsule8
January 16, 2020
In a sea of data that contains a tiny speck of evidence of maliciousness somewhere, where do we start? What is the best way to swim through the inconsequential information to get to that small cluster of anomalous spikes? Big data in information security is a complicated problem due to the sheer volume of […]
What is the Linux Auditing System (aka AuditD)?
January 7, 2020
The Linux Auditing System is a native feature of the Linux kernel that collects certain types of system activity to facilitate incident investigation. In this post, we will cover what it is as well as how people deploy and manage it. We will also discuss its strengths — namely it being offered for the delicious […]
OOMyPod: Nothin’ To CRI-O-bout
December 4, 2019
Gather around the fire for a story about the unlikely partnership of bugs that led to a partial container escape. While this is a fairly technical post covering some container and Kubernetes components, we included links throughout if you want to learn about them or need a refresher while reading. TL;DR Three issues in […]
Don’t Get Kicked Out! A Tale of Rootkits and Other Backdoors
November 14, 2019
Introduction When it comes to rootkits and other backdoors, everything is on the table. There exists a vulnerability that can be exploited in a system binary to gain root access? There’s a rootkit¹ for that. You allow kernel modules? A plethora of nefarious goodies can be part of your system! Your new chip is made […]
The Curious Case of a Kibana Compromise
October 31, 2019
The sun rose, coffee was guzzled, and fingers clicked away at keys, making it a typical day at Capsule8 HQ – until it wasn’t. As the Capsule8 team deployed one of our toy target instances (one with exploitable software on it for demo purposes), we noticed alerts firing from components which weren’t part of our […]
Major Key Alert: Data Discovery for Red Teams with an ML Tool for Keylogging
September 18, 2019
With the glut of security vendors who promise to secure to the moon and back on the star-glazed spaceship of Machine Learning (ML) technology, where is the equivalent for red teams? Imagine a scene: an earnest red teamer hunched at their desk, hand under chin, eyes hazy with fatigue as their finger presses the down […]
How Capsule8 Approaches Linux Monitoring
September 18, 2019
We at Capsule8 have put a lot of thought into our product by thinking about what would make us most mad as hackers if we encountered it while attacking an organization. One difference between Capsule8 and other Linux detection solutions is that our detection happens locally. It’s far less expensive for everyone to do computations […]
A Guide to Linux Monitoring
April 3, 2019
Different Approaches to Linux Host Monitoring In case you hadn’t heard, Linux is a big deal. Linux servers are used in the vast majority of production systems, the ones running the apps and services everyone uses. But, as said by the great infosec #thoughtleader and uncle to Spiderman, “with great power comes great responsibility.” These […]
An Exercise in Practical Container Escapology
March 6, 2019
What seemed lost in this (runc) hype is that the ability to escape containers is not confined to a one-off vulnerability in container management programs or orchestrators.
Kernel Configuration Glossary
February 28, 2019
In our post “Millions of Binaries Later: a Look Into Linux Hardening in the Wild”, we examined the security properties of different distributions. In the following, we provide a glossary for the security-relevant kernel configuration options discussed in that post (scraped from the Linux Kernel Driver Database). Option Description Significance CONFIG_X86_SMAP Supervisor Mode Access Prevention […]
Linux Hardening in the Wild
February 28, 2019
TL;DR: Millions of Binaries Later In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, […]
Exploiting systemd-journald Part 2
February 6, 2019
Introduction This is the second part in a multipart series on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9th. In the first post, we covered how to communicate with journald, and built a simple proof-of-concept to exploit the vulnerability, using predefined constants for fixed addresses (with ASLR disabled). In this […]