Do you have some sort of roadmap on when this code...
# generals
seek3r
11/29/2018, 1:43 PMDo you have some sort of roadmap on when this code will be added and a release will be generated?
g
groob
11/29/2018, 1:50 PM
Rough estimate based on current code freeze/reworking of build system. January 2019.
But cc @thor who’s working on the PR. Looks like some really nice changes indeed :)
s
seek3r
11/29/2018, 2:01 PMThanks, yeah I initially found some issues on where some process did not show the Image or directory
seek3r
11/29/2018, 2:02 PMand then I was pointed to that PR
seek3r
11/29/2018, 2:02 PMSo hopefully those enhancements allow us to do deeper hunting 🙂
t
thor
11/29/2018, 3:23 PM
Yeah that PR is pretty high pri for us also, once the PR freeze ends it’ll get landed :)
thor
11/29/2018, 3:23 PM
We are still working on the windows build with buck I believe, so holding off on Windows changes for a bit?
s
seek3r
11/29/2018, 3:31 PMSure thing, @thor, since I'm working on threat hunting, we are building some queries that allow us to determine if legit process are running outside of their directory (aka process impersonation) but we can also check if more than one instance is running so that should cover our use cases
t
thor
11/29/2018, 4:11 PM
Ah cool! That sounds pretty neat! Any chance you’ll be able to open source those queries?
u
钢铁侠
12/02/2018, 3:15 AMWe also use osquery to incident response,Intrusion detection,so I am pay attention to osquery's development.Maybe we can communicate with each other @seek3r
s
seek3r
12/03/2018, 5:55 PMSure thing, we can opensource some of them. At the moment, the idea is to map them with MITRE ATT&CK so we can have a standard way to exchange information.
seek3r
12/03/2018, 5:55 PMWe also need to put an eye on performance
seek3r
12/03/2018, 5:55 PMsounds like a plan @钢铁侠
2 Views