Sebastiaan
07/20/2021, 12:13 PM
Stefano Bonicatti
07/20/2021, 4:34 PM
ntfs_acl_permissions
as @puffycid was saying
fritz
07/20/2021, 7:58 PM
kolide_wmi table, if you have only vanilla osquery you can get a little more brittle and cobble something together using the registry table like so:
Shane Sanborn
07/21/2021, 4:41 PM
Jason NG
07/22/2021, 2:45 AM
Stefano Bonicatti
07/22/2021, 12:01 PM
--pidfile=<path>
Anoop K V
07/22/2021, 1:55 PM
Pensamento Profundo
07/26/2021, 1:24 AM
Jason NG
07/26/2021, 8:10 AM
Jams
07/26/2021, 6:07 PM
Jacob
07/26/2021, 9:51 PM
clong
07/28/2021, 5:50 PM
snapshot: true
under description
Madhur Jodhwani
07/28/2021, 6:17 PM
Sebastiaan
07/28/2021, 6:38 PM
James Rowley
07/28/2021, 7:34 PM
Madhur Jodhwani
07/30/2021, 6:58 AM
Mystery Incorporated
07/30/2021, 8:09 AM
nickcoll
07/30/2021, 10:51 AM
Mystery Incorporated
07/31/2021, 4:18 PM
Yash Boura
08/02/2021, 5:13 AM
Yash Boura
08/02/2021, 5:38 AM
Madhur Jodhwani
08/03/2021, 4:03 AM
Mystery Incorporated
08/03/2021, 9:50 AM
Bacarus
08/03/2021, 2:55 PM
interval: 10
What I would like to achieve:
• A first query to store initial results for the new scheduled query (some rows with action: "added")
• if the query detects some changes every 10 seconds (the field counter is increased each time a query is executed in this epoch)
• After 600 seconds (10 minutes) the epoch changes, counter is reset to 0 and a new “first” query to store initial results (the rows with action: "added" mentioned before) is executed
Jason NG
08/04/2021, 3:20 AM
# Server
--tls_hostname=osquery-demo.com:8080
--tls_server_certs=/etc/osquery/fleet.pem
# Enrollment
--host_identifier=instance
--enroll_secret_path=/etc/osquery/secret.txt
--enroll_tls_endpoint=/api/v1/osquery/enroll
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
# Logging
--logger_plugin=kafka_producer
--logger_kafka_brokers=<name>.kafka.ap-southeast-1.amazonaws.com:9094,<name>.kafka.ap-southeast-1.amazonaws.com:9094
--logger_kafka_topic=AWSKafkaTutorialTopic
--logger_kafka_acks=0
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000
Grigory Emelianov
08/04/2021, 9:35 AM
ravigupta230290
08/04/2021, 11:53 AM
[2:12 AM] osqueryd --flagfile=/Users/ragupta/Downloads/flagfile.txt --verbose ─╯
I0803 02:07:28.218417 114695680 init.cpp:357] osquery initialized [version=4.9.0]
E0803 02:07:28.243902 114695680 init.cpp:398] osqueryd initialize failed: osqueryd (356) is already running
ravigupta230290
08/04/2021, 11:57 AM
ravigupta230290
08/04/2021, 12:41 PM
Mike Myers
08/04/2021, 4:07 PM