#general
MaxosxOsquery

07/22/2020, 6:40 PM
Hi all. Can someone share good macOS osquery use cases?
Jams

07/22/2020, 6:54 PM
Uptycs has an on-demand webinar specifically focused on macOS … https://www.uptycs.com/register-for-our-webinar-osquery-and-macos-security-best-practices
seph

07/22/2020, 7:00 PM
That question is a bit broad to answer simply. What kind of thing are you looking for?
7:00 PM
I think most of this Slack has macOS by default. So there’s a good chance anything you see here is macOS.
7:01 PM
Kolide (my employer) tends to publish some pretty in-depth blog posts about things. https://blog.kolide.com/
MaxosxOsquery

07/22/2020, 7:02 PM
I’m looking for some osquery use cases specific to macOS. For example: SELECT * FROM launchd d JOIN signature s ON s.path = d.program_arguments WHERE d.name LIKE 'com.apple.%' AND s.signed = 0 AND d.run_at_load = 1
7:02 PM
The above looks for com.apple-named apps that aren’t signed.
fritz

07/22/2020, 8:09 PM
@MaxosxOsquery It appears based on your question that you are looking for DFIR-style macOS queries? osquery is a relatively unopinionated tool that gives you broad visibility into various endpoint state and metadata. You could look for:
• unencrypted hard disks
• misconfigured firewalls
• unsigned kernel extensions
• etc. etc.
You need to ask yourself what goals you are trying to accomplish, and then we can better answer whether osquery can satisfy your needs, rather than someone trying to enumerate every potential capability.
8:11 PM
Here you can find a collection of queries recommended by Palantir several years ago: https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/MacOS/osquery.conf
MaxosxOsquery

07/22/2020, 8:22 PM
Yes, you're correct. I’m looking for the use cases that cannot be covered by the latest EDR tools, more from a threat hunting perspective. Let me have a look at the Palantir one.
seph

07/23/2020, 11:02 AM
Several EDR tools use osquery under the hood.
MaxosxOsquery

07/23/2020, 11:23 AM
Yes, but is there any set of queries for performing threat hunting on macOS?
Jams

07/23/2020, 4:30 PM
Previously, the project came with a set of queries as part of the osquery package. However, the community & maintainers felt that providing a baseline of queries provides a false sense of security. The power of osquery, among many things, is that the community has continuously extended its features by tailoring it for their company use cases, and it has a proven record of threat hunters using it to manually find malware.
4:31 PM
I don’t recall, but the QueryCon and Osquery@Scale conferences might have presentations focused on macOS.
seph

07/23/2020, 5:13 PM
Jams

07/23/2020, 6:11 PM
I assumed they were removed based on conversations during office hours.
seph

07/23/2020, 6:14 PM
There’s an issue somewhere… There’s general interest in removing them, or moving them to their own repo. But still shipping them in a release.
Carl

07/24/2020, 12:06 AM
@MaxosxOsquery we've written close to 200 of them at work; many are bespoke to us, but in general OSX works by operating a series of interlocking frameworks that all leave cmdline histories.
12:06 AM
my advice to you is to set up a VM and do shady stuff, pull OSX malware from VirusTotal, etc., and look at the osquery output
12:07 AM
for example, there are queries that can use mdfind, which is Spotlight, so you get the equivalent of a system-wide "grep". Or, like, we have a query that checks if Gatekeeper / SIP are enabled
MaxosxOsquery

08/23/2020, 4:36 AM
I found some macOS osquery queries in the Carbon Black community forum. https://community.carbonblack.com/t5/Query-Exchange/idb-p/query_exchange/label-name/Mac