Hi! Probably you might have already heard about the rec...
# general
j
Hi! Probably you might have already heard about the recent thunderspy.io and the attacks on Thunderbolt ports. I was wondering if anyone has explored the use of osquery to detect potentially vulnerable devices? (I can think of two sources of information: Thunderbolt ports and Boot Camp usage.) Looking for hardware-related tables, it seems to be possible to list Thunderbolt ports through pci_devices, but there's no such table for Windows.
m
It looks like the only protection that exists is in-hardware: this KDMAP (Kernel DMA Protection), https://thunderspy.io/#protections-against-thunderspy. Coming up with a check for this with osquery would require someone with a system new enough to have support for this (let alone have it enabled).
Maybe you'd want to check for the presence of enabled Thunderbolt ports