https://github.com/osquery/osquery logo
Powered by
Title
k

Kathy Satterlee

08/11/2022, 4:15 PM
Here are the Workshop notes: https://docs.google.com/document/d/1AQtsxt6PKykaspivzcPGW05eX6q5lsDwEeTZNKahThQ/edit
g

Guillaume

08/11/2022, 4:18 PM
git clone -b defcon <https://github.com/ksatter/fleet-docker.git>
k

Kathy Satterlee

08/11/2022, 4:30 PM
Link to Google Drive: https://drive.google.com/drive/u/0/folders/1yg2ijwcSWRwDVvA0Byy8oAPTKhRAImqa
g

Guillaume

08/11/2022, 4:46 PM
The password for the Workshop instance is : 
DEFCON2022workshop!
- your usernames are on the card I gave you - if you don’t have one yet pick it up by the projector!
k

Kathy Satterlee

08/11/2022, 5:14 PM
osquery.io/schema
g

Guillaume

08/11/2022, 6:32 PM
If you want to set up your VULN automations, use this webhook -> https://rustling-snow-6608.tines.com/webhook/0fe6acf0c2b62cdf527eeffdbcefb7a3/1ebd48b0aa19e1954791e30eda28eb69
POLICY automations : https://rustling-snow-6608.tines.com/webhook/941ed53790a7aee18ed548cd5548dbb3/d721f52270deb139f9c2a1068f3c3141
YARA example query: 
sql
SELECT * FROM yara WHERE path like ‘/root/%%’ AND sigrule IN (
    ‘rule eicar {
    strings:
    $s1 = “X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*” fullword ascii
    condition:
    all of them
}’
) AND matches=‘eicar’;
12 Views
#fleetJoin Slack
Powered by