oneiroi (09/02/2022, 2:38 PM):
`~/Library/Logs/DiagnosticReports`), then an augeas lens to parse the JSON values to catch these reports?
I've currently been solution engineering something similar; appreciate it may not be something you wish to comment on, however 😅

terracatta:
The `xprotect_reports` table worked correctly on macOS 12 when I wrote that article.
I tested it by running a malware test sample and saw that it created the diagnostic report as expected and that osquery parsed it correctly.

oneiroi (09/05/2022, 3:36 PM):
`xprotect_reports` running theory is the test might be a skipped pattern, but I do not presently have any evidence of this; happy to hear anything you may be able to offer on this. Thanks!

terracatta:
oneiroi (09/09/2022, 4:22 PM):

terracatta:

oneiroi (09/09/2022, 4:24 PM):

terracatta:

oneiroi (09/09/2022, 4:27 PM):
➜ /tmp curl https://www.eicar.com/download/eicar-com-2/\?wpdmdl\=8842\&refresh\=631b68bd773ad1662740669 -L -so eicar-test
➜ /tmp chmod +x eicar-test
➜ /tmp ./eicar-test
./eicar-test: line 1: syntax error near unexpected token `P^'
./eicar-test: line 1: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
Throws string errors; I'm presuming your test was different?

terracatta:
oneiroi (09/09/2022, 4:33 PM):

terracatta:

oneiroi (09/09/2022, 4:44 PM):

terracatta:

oneiroi (09/09/2022, 4:52 PM):
default 17:50:07.911772+0100 kernel AMFI: '/Users/aegishjalmur/Documents/samples/a.out' has no CMS blob?
default 17:50:07.911782+0100 kernel AMFI: '/Users/aegishjalmur/Documents/samples/a.out': Unrecoverable CT signature issue, bailing out.
default 17:50:08.669773+0100 syspolicyd GK evaluateScanResult: 2, PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE), 0, 0, 1, 0, 0, 0, 11
default 17:50:08.670181+0100 syspolicyd Prompt shown (2, 0), waiting for response: PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE)
default 17:50:12.176692+0100 kernel ASP: Security policy would not allow process: 45006, /Users/aegishjalmur/Documents/samples/a.out
`team` is null; suspecting this is not creating the entry.

terracatta:
oneiroi (09/09/2022, 4:58 PM):
`team` holds the malware signature; in this case that would be the mapping needed for eicar. Question would be why this test is triggering xprotect, as it seems evident there's no signature (current theory).

terracatta:
oneiroi (09/12/2022, 6:26 PM):
`team` set that is not 'null', an xprotect_report is generated; where xprotect triggers but `team` is 'null', a report is not generated, e.g.:
{
  "message": {
    "Count": 3,
    "allowed": false,
    "authority": "none",
    "blockType": 2,
    "cdhash": "7a190612b115d9d243c309100df0acce7531c3b3",
    "class": 0,
    "evaluationPath": 2,
    "filename": "a.out",
    "matchedRuleName": "MACOS.b17a97e",
    "result": 11,
    "signingID": "a.out",
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
Though ^ was pulled from the /Library/Logs/DiagnosticReports/ folder 🤔
{
  "message": {
    "Count": 1,
    "allowed": false,
    "authority": "no usable signature",
    "blockType": 2,
    "cdhash": null,
    "class": 0,
    "evaluationPath": 1,
    "filename": "eicar.com 2",
    "matchedRuleName": "OSX.eicar.com.i",
    "result": 11,
    "signingID": null,
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
(which has an xprotect_reports entry)

terracatta:
oneiroi (09/12/2022, 7:02 PM):
grep -i 'a\.out' /Library/Logs/DiagnosticReports/*
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-07-010545.0003.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"01ed682b45eb68e5556a4db398d706fa0b0f1671","fileIdentifier":"gh","fileSize":36404706,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b15fdb648373983d4ef8d31265abf12c2f9cb04b5afebdc44d66b2d9d7be478a","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1661418460,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"df10de17e78f17c3ccbf2a827fab9e7154f0629a","fileIdentifier":"gh","fileSize":36114658,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b9612ab3d0f2e56fd8f20597bca81c18ffed327149bcdac1319872163f7f12e2","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1657819043,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":3,"allowed":false,"authority":"none","blockType":2,"cdhash":"7a190612b115d9d243c309100df0acce7531c3b3","class":0,"evaluationPath":2,"filename":"a.out","matchedRuleName":"MACOS.b17a97e","result":11,"signingID":"a.out","teamID":null},"name":"XProtectAssessmentResultData3","sampling":100,"uuid":"47718d33-c81e-4953-8931-3d0b6631f538_2"}