We will roll up a fix for that. And while we are at it, and given you are a sysmon user as well, we observed that sysmon doesn't give events for mounted drives. How useful would you say it is, if any.

Hi, just started working with this extension on osquery, I have been getting certain error logs when I start up osquery with the extensions and not sure if the extension is working properly

2022-01-28_15.38.41 INFO  plgx_win_extension.ext.cpp:601: ##### EclecticIQ Osquery Extension v3.0.0.0 #####
2022-01-28_15.38.44 INFO  plgx_win_extension.ext.cpp:699: distributed_tls_plugin is tls
2022-01-28_15.38.44 ERROR plgx_win_extension.ext.cpp:739: Failed retrieving Kernel state from osqueryd config. Error: 2 (The system cannot find the file specified.

)
2022-01-28_15.38.44 INFO  plgx_extension_watcher.cpp:41: Watcher Thread starting..
2022-01-28_15.38.44 ERROR plgx_load_unload_vast_driver.cpp:34: Driver-Init Failed: 1056
2022-01-28_15.38.44 ERROR plgx_load_unload_vast_driver.cpp:34: Driver-Init Failed: 1056
2022-01-28_15.38.44 ERROR plgx_win_extension.ext.cpp:761:  Driver Load Failed Again
2022-01-28_15.38.44 INFO  plgx_win_extension.ext.cpp:780: Polylogyx plugin not found. Creating Config thread to refresh config
2022-01-28_15.38.44 INFO  plgx_win_extension.ext.cpp:784: config_tls_plugin is filesystem

Any help would be appreciated thanks!

Hi team, is there anyway for the extension and osquery not to use as many resources. Our osquery configuration before we added the extension with its query was lower than 5% cpu on average, but now with it its has gone up to average around 40% combined and will spike higher. We are wondering if there is any method to lower this. Any help is appreciated

Advanced memory forensics built in the extension: https://blog.eclecticiq.com/detect-and-remediate-process-hollowing-with-eclecticiq-endpoint-response

Announcing the release of new version of the extension v 3.5.1: https://github.com/eclecticiq/osq-ext-bin • Bug fixes • Additional visibility into File Delete events

Based on the above extension, a new community version of the platform is released today and available at: https://github.com/eclecticiq/eiq-er-ce

To know more about the additional visibility features in the extension: https://blog.eclecticiq.com/catch-em-deletes-increasing-visibility-not-the-cost

Good Morning. When looking in the extension log I can see references to a cert and attempted connections to a management server. Can this be disabled as we are not using that functionality of this extension.

I am also experiencing the race condition mentioned on git where filtered events get collected. Is there a way to reduce this, at times the amount of logs collected causes the extension to crash. And it seems even after allowing time for the race condition to correct I see events that should have been filtered being collected by the extension.

Is there any other logging location for the extension other than

plgx-win-extension

. I have been getting what appears to be resource exhaustion. I start the extension and it collects logs for about 1 minute then stops collecting. tailing the extension log I can see it reapplying the event filters and re-reading the config then eventually show the error below. Is there a place I can find more logs on this issue so I can try to fix it.

In case you wish to deploy osquery+agent without a manager (e.g. thru a script on local or remote systems or in a sandbox prior to detonating a malware), here is a script that will enable you to do so. https://github.com/eclecticiq/osq-ext-bin/tree/master/install

Thanks @lvferdi for your continued testing and reporting the issues. A new release of the extension has been posted with instruction on how to adjust the agent log depth (which can significantly help on query performances). https://github.com/eclecticiq/osq-ext-bin

I will install today and reply with results.

Ty

Looking forward

Hey Team, we have been load testing with osquery and this extension and it seems that using this extension makes osquery run and peak with a much higher cpu% than our normal osquery configurations. We were wondering if this normally makes osquery use a lot more cpu% or if this could just be resolved with tweaking our configs.

@Shane Sanborn, any improvements with your testing? Is there any logs you can share, if not.

Afternoon polylogyx team, just wanted to say the newly released agent has been rock solid. With the right filters to reduce overly noisy sources I have been able to get the agent to run error free for over a week with no errors from the extension. File_Events seemed to be one of the biggest offenders but I got that dialed in. Thanks for the great agent.

@lvferdi, thanks for the kind words. And a minor correction. We are now "EclecticIQ" team 🙂

Announcing the new release of our extension which has additional monitoring (e.g. named pipes) and a cool new feature that integrates the extension with 'desktop search'. This allows to use OSquery's SQL syntax to search for files on the desktop and overcomes the limitation of 'file' table. https://github.com/eclecticiq/osq-ext-bin

And also published the new version of our full Osquery management solution, Endpoint Response (ER) 4.0 Community Edition : https://github.com/eclecticiq/eiq-er-ce

We created a table in our extension that helps monitor log files. The blog describes on how the table can be used to monitor for IIS logs https://medium.com/eclecticiq/using-log-parsing-to-stop-microsoft-iis-backdoor-attacks-3bd6081dc47d

In the last release of extension, we added a feature to index the disk to make file searches easier on the disk (over and above what 'file' table provides) thru a new table. If interested on how it helps with threat hunt: https://medium.com/eclecticiq/hunting-emotet-made-easy-with-eclecticiq-endpoint-response-caef410772c8

If you were looking for some info on comparison between sysmon's filters and the filters usage in the extension, we published a bit of details on that: https://blog.eclecticiq.com/comparing-sysmon-and-eclecticiq-endpoint-response-event-filters

PolyMon is a windows desktop tool that wraps osquery and the extension to make it easier to use with a front end and some analytics. A new version of the same has been posted here: https://github.com/eclecticiq/eiq-polymon/ Invite everyone to try and share the feedback, if possible. 🙏👍

👋 Hello, team!

Hi. I am using the version v4.0.0.0 release. Regarding win_registry_events - I have been trying to get registry change detection to work. I want to monitor some additional keys. I have tried test cases monitoring/creating/deleting registry keys in areas where is is supposed to monitor and I never see the changes logged as win_registry_events. I must be missing something. I am running Windows 10 Pro, US-EN, 22H2, 19045.2486. For the sake of simplicity, I want to monitor HKEY_CURRENT_USER\Keyboard LayoutHKEY_CURRENT_USER\Keyboard Layout. I have followed the pattern but it does not show a win_registry_events in the log.

Thanks!

@Jams has left the channel