Jean M

05/24/2020, 11:25 AM
Hi! You have probably already heard about the recent thunderspy.io and the attacks on Thunderbolt ports. I was wondering if anyone has explored the use of osquery to detect potentially vulnerable devices? (I can think of two sources of information: Thunderbolt ports and Boot Camp usage.) Looking at the hardware-related tables, it seems to be possible to list Thunderbolt ports through pci_devices, but there's no such table for Windows.
Mike Myers

05/24/2020, 11:36 PM
It looks like the only protection that exists is in-hardware: this KDMAP (Kernel DMA Protection), https://thunderspy.io/#protections-against-thunderspy. Coming up with a check for this with osquery would require someone with a system new enough to have support for this (let alone have it enabled).
11:37 PM
Maybe you'd want to check for the presence of enabled Thunderbolt ports