So maybe for my entire fleet I can save to C:/ProgramData/JimBob and I can name my service bobjimmyd and then the bad process will have to actually parse each service or each folder path looking for osquery instead of one quick filesystem or service exists check.

Because if they know that literally everyone who uses osqueryd has the service name osqueryd, then they only need to look for that. We make it far too easy for them why?

I notice Bitdefender enterprise is good in that it lets you remotely deploy to different paths even at a policy level. I think they realise that being in the one path consistently is insane. It's like standing on top of a hill with no trees with artillery zeroing in on you, why do that to yourself on purpose?

So if a process starts hashing binaries AV should see that behaviour and neuter it

There are many legitimate reasons to terminate a process. how many legitimate reasons are there to start sha1 every bin file? not too many I'd think

Look to the kayesa ransomware, it was using known paths to kill AV and do damage.

we're not saying the system is more secure, we are simply hardening our tools from attack

Like setting kernel settings in sysctl.conf to harden the kernel from attack

ASLR in RAM is another example, randomising the layout of process memory in RAM so that an attacker cannot predict the memory address of our processes. That's not security by obscurity despite it actually obscuring something, that's hardening.

"it just adds some extra steps" and extra steps means what?....... a greater chance of detection!!! Thus achieving a desirable outcome for us. As I said there only appears to be positives and no negatives from doing it, so why are we not doing it? The security by obscurity card does not fly here.

like if youre logging in as root with the password of toor with a weak cipher and a vulnerable version it doesnt matter what port it runs on

just like here, you can change the osquery install location or service name but if the system itself isnt secure it doesnt matter

look at the differences between cryptography and encoding

And @Mike Myers does raise an interesting point of the threat model osquery operates too

In saying that, I still think if it's not hard for the devs to enable (I tried to do it manually and the service just refused to start) I think there is a bit to be gained by allowing us to not plaster osqueryd everywhere as osqueryd. I think we can install to a different file path at the moment anyway right? At least on windows which is the bulk of my focus with this topic. I think it would be good to be able to run our service as a different name combined with different file path just to make the evil drops job harder and hopefully we can catch it first. I don't feel like this is trying to add a security assertion, merely a frustrater for the baddies. Given that I can see no disadvantages for us to do it, again the question comes back to why aren't we doing it?

I think for windows it'd just be the service name