seph (07/02/2021):
where _signature = xxxx
for example. But that can get heavy.
How does this stuff get managed? Do we compile a list of sensitive vs not? Or is this a giant runtime configuration?
Who would actually use this?

seph:
> I think the problem is that a query can be easily edited by whoever has access to it; a query could have a number of required access as metadata, sure
Oh, the auth tokens would have to have signed the query. Obviously 😛

seph:
> otherwise a file that osquery can’t touch and that the user can open to verify what’s allowed and what’s banned
I think you’re asking for things not really possible in current OS design

mikermcneil (07/03/2021, 1:12 AM):
> like for example ATC could refuse to open Chrome databases (or censor parts of its content)
this is a cool idea and something that hadn't occurred to me. sounds like it could be a lot of work?

alessandrogario (07/03/2021):
> But once osquery is deployed the only way to add an extension then is through an upgrade or redeploying the whole agent again
This is not true, and using an extension actually provides more upgrade options. If it is in core, you have to redeploy everything. If it is an extension, you have a chance to just upgrade that instead of the whole agent

puffycid (07/08/2021, 2:06 AM):
Browser history - From a forensic/incident response perspective, browser history is a valuable artifact/data that can help an analyst investigating a system for malicious activity. It's an artifact that may be able to help answer the question "what happened on this system, what did the attacker do?". From the office hours/chat it was mentioned that there was concern for abuse.
Would adding a flag similar to the carver table partially address this issue? Also wouldn't the remote management software be responsible for maintaining table access and monitoring for abuse? Osquery is just an agent, and would it be best if osquery had the capability to grab data that is relevant but leave it to the management software/organization/company to handle which table is sensitive?
For example, a management tool could allow the table to be used or enabled if an "incident" has been declared or malware is detected on a system; the tool could allow the osquery analyst to collect the data. But if malware or an "incident" is not active, then that tool could disable the table or not allow it to be queried.
Though this idea would be tool/organization specific?
I've always considered osquery to be a "neutral" agent/security software; it lets other companies decide how it is used, whether for forensics, device management/visibility, vulnerability management, etc., and lets companies decide their own policies on its features.
email - While email could be forensically valuable, it doesn't really provide answers on "what happened on this system, what did the attacker do?", with the exception of maybe phishing evidence. IMO any sort of email parsing would be best as an extension. For example, Outlook files (PST/OST) are often huge (I've seen 6GB - 20+GB file sizes). Parsing those files would be difficult, would likely require a third-party library like libpff, and would return huge amounts of data.
message caches - Again, while it could be forensically valuable, it's also very application specific. There are probably 100+ messaging applications, and creating tables for each application is unreasonable IMO. I think the carver table would be best to handle message caches. Just carve the file and view it in another tool.
contact information - I don't think there is real forensic value in contact info, so I'm OK with not including the table/feature, or at least I don't really see a need for it if there are privacy concerns. I think the carver could handle getting this type of info.
Private Key Data - Again, I think the carver table would handle this type of data; a dedicated table is probably not needed.

fritz (07/08/2021, 1:47 PM):
History sqlite DB is that it does not just contain browser history but things like Download History

fritz (07/08/2021, 1:55 PM):
file table and reading the names of directories/files.