Do you have some sort of roadmap on when this code will be added and a release will be generated?
11/29/2018, 1:50 PM
Rough estimate based on current code freeze/reworking of build system. January 2019.
But cc @thor who’s working on the PR. Looks like some really nice changes indeed :)
11/29/2018, 2:01 PM
Thanks, yeah, I initially found some issues where some processes did not show the Image or directory,
and then I was pointed to that PR.
So hopefully those enhancements allow us to do deeper hunting 🙂
11/29/2018, 3:23 PM
Yeah that PR is pretty high pri for us also, once the PR freeze ends it’ll get landed :)
We are still working on the windows build with buck I believe, so holding off on Windows changes for a bit?
11/29/2018, 3:31 PM
Sure thing, @thor. Since I'm working on threat hunting, we are building some queries that allow us to determine if legit processes are running outside of their directory (aka process impersonation), but we can also check if more than one instance is running, so that should cover our use cases.
11/29/2018, 4:11 PM
Ah cool! That sounds pretty neat! Any chance you’ll be able to open source those queries?
12/02/2018, 3:15 AM
We also use osquery for incident response and intrusion detection, so I am paying attention to osquery's development. Maybe we can communicate with each other @seek3r
12/03/2018, 5:55 PM
Sure thing, we can open source some of them. At the moment, the idea is to map them to MITRE ATT&CK so we can have a standard way to exchange information.