Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
MaxosxOsquery
07/22/2020, 6:40 PMHi all.. Can someone share good Macos osquery use cases?
j
Jams
07/22/2020, 6:54 PMUptycs has an on-demand webinar specifically on focused MacOS … https://www.uptycs.com/register-for-our-webinar-osquery-and-macos-security-best-practices
s
seph
07/22/2020, 7:00 PMThat question is a bit broad to answer simple. What kind of thing are you looking for?
I think most of this slack has macOS by default. So there’s a good chance anything you see here is macOS
Kolide (my employer) tends to publish some pretty indepth blog posts about things. https://blog.kolide.com/
m
MaxosxOsquery
07/22/2020, 7:02 PMIm looking for somd osquery use cases specifically to macosx.. For example select * FROM signature s JOIN launchd d ON d.program_arguments = s.path where d.name like 'com.apple.%' AND signed=0 AND d.run_at_load=1
The above look for com.apple name app without signed
f
fritz
07/22/2020, 8:09 PM@MaxosxOsquery It appears based on your question that you are looking for DFIR style macOS queries? Osquery is a relatively unopinionated tool that gives you broad visibility into various endpoint state and metadata. You could look for:
• unencrypted hard disks
• misconfigured firewalls
• unsigned kernel extensions
• etc. etc.
You need to ask yourself what goals you are trying to accomplish and then we can better answer if osquery can satisfy your needs, rather than someone trying to enumerate every potential capability.
Here you can find a collection of queries recommended by Palantir several years ago: https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/MacOS/osquery.conf
👍 2
m
MaxosxOsquery
07/22/2020, 8:22 PMYes, you're correct.. Im looking for the use cases that cannot be covered by the latest EDR tools and more of threat hunting perspective .. Let me have a look at the plantir
s
seph
07/23/2020, 11:02 AMSeveral EDR tools use osquery under the hood.
m
MaxosxOsquery
07/23/2020, 11:23 AMYes, but is there any set of query for performing threat hunting on Macos..
j
Jams
07/23/2020, 4:30 PMPreviously, the project came with a set of queries as part of the osquery package. However, the community & maintainers felt that providing a baseline of queries provides a false-sense of security. The power of osquery, among many, is the community has continuously extended its features by tailoring for its company use-cases, and a proven record by thread hunters to manually find malware.
I don’t recall but QueryCon and Osquery@Scale conferences might have presentations focused on MacOS
s
seph
07/23/2020, 5:13 PMYou’re thinking of https://github.com/osquery/osquery/tree/master/packs ?
j
Jams
07/23/2020, 6:11 PMI assumed they were removed based on conversations during office hours.
s
seph
07/23/2020, 6:14 PMThere’s an issue somewhere… There’s general interest in removing them, or moving them to their own repo. But still shipping them in a release.
c
Carl
07/24/2020, 12:06 AM@MaxosxOsquery we've written close to 200 of them at work, many are bespoke to us but in general OSX works by operating a series of interlocking frameworks that all leave cmdline histories
my advice to you is to setup a VM and do shady stuff, pull osx malware from virustotal, etc, and look at osquery output
for example, there are queries that can use mdfind which is stoplight, so you get the equivalent of system wide "grep". Or like, we have a query that checks if gatekeeper / SIP are enabled
m
MaxosxOsquery
08/23/2020, 4:36 AMI found some macosx osquery in carbon lack community forum. https://community.carbonblack.com/t5/Query-Exchange/idb-p/query_exchange/label-name/Mac