Seth Hanford
10/04/2021, 6:10 PM
sharvil
10/04/2021, 6:13 PM
--verbose flag to your query and paste the logs?
Seth Hanford
10/04/2021, 6:16 PM
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<integer>1</integer>
<key>CodeRequirement</key>
<string>identifier "io.osquery.agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "3522FA9PXF"</string>
<key>Identifier</key>
<string>io.osquery.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
osquery_enterprise shanford$ sudo osqueryi --verbose
Password:
I1004 11:26:59.352649 96513472 init.cpp:357] osquery initialized [version=5.0.1]
I1004 11:26:59.353475 96513472 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /var/osquery/extensions.load
I1004 11:26:59.353616 96513472 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x7f86497044b8) to thread: 0x70000bb0a000 (0x7f86497043c0) in process 23375
I1004 11:26:59.353642 96513472 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x7f86497045c8) to thread: 0x70000bb8d000 (0x7f86497048b0) in process 23375
I1004 11:26:59.353660 96513472 auto_constructed_tables.cpp:97] Removing stale ATC entries
I1004 11:26:59.353729 196661248 interface.cpp:299] Extension manager service starting: /Users/shanford/.osquery/shell.em
I1004 11:26:59.353819 96513472 init.cpp:618] Error reading config: config file does not exist: /var/osquery/osquery.conf
Using a virtual database. Need help, type '.help'
osquery> .mode line
osquery> .connect /var/osquery/osquery.em
Connected to extension socket /var/osquery/osquery.em for debugging
[*]osquery> select * from safari_browser_history;
[*]osquery> select * from chrome_browser_history limit 1;
path = /Users/shanford/Library/Application Support/Google/Chrome/Default/History
sharvil
10/04/2021, 6:50 PM
seph
Seth Hanford
10/04/2021, 7:35 PM
puffycid
10/05/2021, 3:26 AM
osquery> select * from safari_history;
path = /Users/puffycid/Library/Safari/History.db
id = 94
url = https://www.google.com/search?client=safari&rls=en&q=safari+15+history&ie=UTF-8&oe=UTF-8
domain_expansion = google
visit_count = 2
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
osquery> select * from safari_history;
path = /Users/puffycid/Library/Safari/History.db
id = 94
url = https://www.google.com/search?client=safari&rls=en&q=safari+15+history&ie=UTF-8&oe=UTF-8
domain_expansion = google
visit_count = 2
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
path = /Users/puffycid/Library/Safari/History.db
id = 95
url = https://www.google.com/search?q=safari+15+forensics&client=safari&rls=en&ei=y8NbYfP7DZGu5NoP2N6aiAc&ved=0ahUKEwizjc_Cp7LzAhURF1kFHVivBnEQ4dUDCA0&uact=5&oq=safari+15+forensics&gs_lcp=Cgdnd3Mtd2l6EAMyBQghEKABOgcIABBHELADOgUIABCABDoJCAAQyQMQFhAeOgcIIRAKEKABSgQIQRgAUKtZWJZhYKRiaARwAngAgAFpiAHEBZIBAzguMZgBAKABAcgBCMABAQ&sclient=gws-wiz
domain_expansion = google
visit_count = 2
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
path = /Users/puffycid/Library/Safari/History.db
id = 96
url = https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
domain_expansion =
visit_count = 1
daily_visit_counts = d
weekly_visit_counts =
autocomplete_triggers =
should_recompute_derived_visit_counts = 0
visit_count_score = 100
status_code = 0
I haven't done a deep dive into the DB, but from a quick glance at Twitter/forensic/DFIR chats I don't see anything about DB changes for version 15 (doesn't mean there aren't any changes).
My device is not under MDM, so I'm not 100% sure if it's related to that or something else?
Seth Hanford
10/05/2021, 10:55 AM