Michael
03/16/2021, 3:16 PM
osquery.flags for Plgx cpt deploy tool? I need to change some Watchdog settings
Michael
03/23/2021, 12:35 PM
Michael
03/23/2021, 3:13 PM
Eugene
03/24/2021, 9:32 AM
pg_dump -U polylogyx polylogyx > 03_24_dump.dmp
and restore:
psql -U polylogyx polylogyx < 03_24_dump.dmp
As a result we can observe many errors:
Michael
03/30/2021, 9:43 AM
Michael
04/19/2021, 3:27 PM
Dervon
04/20/2021, 9:14 AM
Fred Koch
07/29/2021, 7:48 PM
lvferdi
10/21/2021, 8:09 PM
No event_filter found
and CreateFileW failure Error
and none of the event tables have any data. The "No event_filter found" error repeats over and over. I see the queries being scheduled and run with osqueryd in the foreground, but no data ever populates the tables.
Thoughts please?
lvferdi
11/02/2021, 2:25 PM
lvferdi
11/03/2021, 7:23 PM
OpenPlgx
11/09/2021, 5:21 AM
lvferdi
11/15/2021, 7:08 PM
No event control (blocking) filter found in config
when the plgx_event_filters are set in the osquery.conf file
OpenPlgx
11/16/2021, 4:08 AM
lvferdi
11/24/2021, 4:32 PM
win_file_event polylogyx filter apply to the win_pefile_event query as well as the win_file_event query. As in, if I have filters set in my osquery conf file for win_file_events, will those filters apply when I run a select * from win_pefile_events;
lvferdi
11/29/2021, 9:00 PM
# Save the current start type of the Windows Update service so it can be restored afterwards
$start = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" | Select-Object -ExpandProperty "Start"
# Attack successful if zero exit
# Start = 4 is SERVICE_DISABLED
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value 4 -Force
# Attack successful if zero exit
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" | Select-Object -ExpandProperty "Start"
# Attack successful if output matches /4/
# Restore the original start type
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv" -Name "Start" -Value $start -Force
When I execute this with "target_name": { "include": { "values": [ "*" ] } }, I get the results I would expect, but if I add
"target_name": {
  "include": {
    "values": [
      "*\\Start"
    ]
  }
}
I get no results.
Expected outcome is that since the resulting registry entry ends with \Start, the include filter for *\\Start would be enough to capture the information.
OpenPlgx
12/01/2021, 3:52 PM
Shane Sanborn
01/28/2022, 7:45 PM
2022-01-28_15.38.41 INFO plgx_win_extension.ext.cpp:601: ##### EclecticIQ Osquery Extension v3.0.0.0 #####
2022-01-28_15.38.44 INFO plgx_win_extension.ext.cpp:699: distributed_tls_plugin is tls
2022-01-28_15.38.44 ERROR plgx_win_extension.ext.cpp:739: Failed retrieving Kernel state from osqueryd config. Error: 2 (The system cannot find the file specified.)
2022-01-28_15.38.44 INFO plgx_extension_watcher.cpp:41: Watcher Thread starting..
2022-01-28_15.38.44 ERROR plgx_load_unload_vast_driver.cpp:34: Driver-Init Failed: 1056
2022-01-28_15.38.44 ERROR plgx_load_unload_vast_driver.cpp:34: Driver-Init Failed: 1056
2022-01-28_15.38.44 ERROR plgx_win_extension.ext.cpp:761: Driver Load Failed Again
2022-01-28_15.38.44 INFO plgx_win_extension.ext.cpp:780: Polylogyx plugin not found. Creating Config thread to refresh config
2022-01-28_15.38.44 INFO plgx_win_extension.ext.cpp:784: config_tls_plugin is filesystem
Any help would be appreciated, thanks!
Shane Sanborn
03/01/2022, 7:31 PM
OpenPlgx
04/13/2022, 4:48 PM
OpenPlgx
05/05/2022, 3:31 PM
OpenPlgx
05/13/2022, 12:19 PM
OpenPlgx
05/13/2022, 12:19 PM
lvferdi
05/17/2022, 12:03 PM
lvferdi
05/17/2022, 3:19 PM
lvferdi
05/20/2022, 3:53 PM
plgx-win-extension. I have been getting what appears to be resource exhaustion. I start the extension and it collects logs for about 1 minute, then stops collecting. Tailing the extension log, I can see it reapplying the event filters and re-reading the config, then eventually showing the error below. Is there a place I can find more logs on this issue so I can try to fix it?
OpenPlgx
05/24/2022, 1:03 PM
OpenPlgx
07/05/2022, 8:57 AM
lvferdi
07/05/2022, 12:30 PM
lvferdi
07/05/2022, 12:30 PM