puffycid (07/01/2021, 9:53 PM)
seph (07/01/2021, 11:03 PM)
theopolis (07/02/2021, 2:17 AM)
puffycid (07/02/2021, 2:28 AM)
defensivedepth (07/02/2021, 12:05 PM)
alessandrogario (07/02/2021, 5:00 PM)
seph (07/02/2021, 5:04 PM)
alessandrogario (07/02/2021, 5:04 PM)
defensivedepth (07/02/2021, 5:18 PM)
seph (07/02/2021, 5:21 PM)
alessandrogario (07/02/2021, 5:24 PM)
seph (07/02/2021, 5:25 PM)
alessandrogario (07/02/2021, 5:25 PM)
seph (07/02/2021, 5:26 PM)
defensivedepth (07/02/2021, 5:26 PM)
alessandrogario (07/02/2021, 5:27 PM)
seph (07/02/2021, 5:27 PM)
defensivedepth (07/02/2021, 5:28 PM)
alessandrogario (07/02/2021, 5:28 PM)
defensivedepth (07/02/2021, 5:30 PM)
alessandrogario (07/02/2021, 5:31 PM)
defensivedepth (07/02/2021, 5:47 PM)
alessandrogario (07/02/2021, 5:48 PM)
seph (07/02/2021, 6:37 PM)
alessandrogario (07/02/2021, 6:39 PM)
seph (07/02/2021, 6:41 PM)
alessandrogario (07/02/2021, 6:42 PM)
seph (07/02/2021, 6:42 PM)
alessandrogario (07/02/2021, 6:42 PM)
seph (07/02/2021, 6:43 PM)
alessandrogario (07/02/2021, 6:44 PM)
seph (07/02/2021, 6:47 PM)
where _signature = xxxx
for example. But that can get heavy.
How does this stuff get managed? Do we compile a list of sensitive vs not? Or is this a giant runtime configuration?
Who would actually use this?
alessandrogario (07/02/2021, 6:48 PM)
seph (07/02/2021, 6:49 PM)
alessandrogario (07/02/2021, 6:49 PM)
seph (07/02/2021, 6:50 PM)
alessandrogario (07/02/2021, 6:51 PM)
seph (07/02/2021, 6:57 PM)
> I think the problem is that a query can be easily edited by whoever has access to it; a query could have a number of required access as metadata sure
Oh, the auth tokens would have to have signed the query. Obviously 😛
> otherwise a file that osquery can't touch and that the user can open to verify what's allowed and what's banned
I think you're asking for things not really possible in current OS design
alessandrogario (07/02/2021, 6:58 PM)
seph (07/02/2021, 6:59 PM)
alessandrogario (07/02/2021, 6:59 PM)
seph (07/02/2021, 6:59 PM)
alessandrogario (07/02/2021, 7:00 PM)
seph (07/02/2021, 7:03 PM)
alessandrogario (07/02/2021, 7:04 PM)
seph (07/02/2021, 7:16 PM)
puffycid (07/02/2021, 9:13 PM)
alessandrogario (07/02/2021, 9:38 PM)
zwass (07/03/2021, 12:22 AM)
mikermcneil (07/03/2021, 1:12 AM)
> like for example ATC could refuse to open Chrome databases (or censor parts of its content)
this is a cool idea and something that hadn't occurred to me. sounds like it could be a lot of work?
puffycid (07/03/2021, 1:52 AM)
mikermcneil (07/03/2021, 2:02 AM)
puffycid (07/03/2021, 2:11 AM)
mikermcneil (07/03/2021, 2:15 AM)
puffycid (07/03/2021, 2:26 AM)
mikermcneil (07/03/2021, 2:33 AM)
puffycid (07/03/2021, 4:48 AM)
grahamgilbert (07/03/2021, 5:53 AM)
puffycid (07/03/2021, 6:07 AM)
alessandrogario (07/03/2021, 9:55 AM)
puffycid (07/03/2021, 4:01 PM)
alessandrogario (07/03/2021, 4:34 PM)
> But once osquery is deployed the only way to add an extension then is through an upgrade or redeploying the whole agent again
This is not true, and using an extension actually provides more upgrade options. If it is in core, you have to redeploy everything. If it is an extension, you have a chance to just upgrade that instead of the whole agent
puffycid (07/03/2021, 5:19 PM)
alessandrogario (07/03/2021, 5:22 PM)
puffycid (07/03/2021, 5:23 PM)
Browser history - From a forensic/incident response perspective browser history is a valuable artifact/data that can help an analyst investigating a system for malicious activity. It's an artifact that may be able to help answer the question "what happened on this system, what did the attacker do?". From the office hours/chat it was mentioned that there was concern for abuse.
Would adding a flag similar to the carver table partially address this issue? Also wouldn't the remote management software be responsible for maintaining table access and monitoring for abuse? Osquery is just an agent, and would it be best if osquery had the capability to grab data that is relevant but leave it to the management software/organization/company to handle which table is sensitive?
For example a management tool could allow the table to be used or enabled if an "incident" has been declared or malware is detected on a system; the tool could allow the osquery analyst to collect the data. But if malware or an "incident" is not active then that tool could disable the table or not allow it to be queried.
Though this idea would be tool/organization specific?
I've always considered osquery to be a "neutral" agent/security software and it lets other companies decide how it is used, whether for forensics, device management/visibility, vulnerability management, etc., and lets companies decide their own policies on its features.
email - While email could be forensically valuable, it doesn't really provide answers on "what happened on this system, what did the attacker do?", with the exception of maybe phishing evidence. IMO any sort of email parsing would be best as an extension. For example, Outlook files (PST/OST) are often huge (I've seen 6GB - 20+GB file sizes). Parsing those files would be difficult and would likely require a third party library like libpff and would return huge amounts of data.
messages caches - Again while it could be forensically valuable it's also very application specific. There are probably 100+ messaging applications and creating tables for each application is unreasonable imo. I think the carver table would be best to handle message caches. Just carve the file and view it in another tool.
contact information - I don't think there is a real forensic value for contact info so I'm ok with not including the table/feature, or at least I don't really see a need for it if there are privacy concerns. I think the carver could handle getting this type of info.
Private Key Data - Again I think the carver table would handle this type of data; a dedicated table is probably not needed.
alessandrogario (07/08/2021, 8:05 AM)
fritz (07/08/2021, 1:41 PM)
alessandrogario (07/08/2021, 1:44 PM)
fritz (07/08/2021, 1:47 PM)
alessandrogario (07/08/2021, 1:47 PM)
fritz (07/08/2021, 1:47 PM)
History sqlite DB is that it does not just contain browser history but things like Download History
alessandrogario (07/08/2021, 1:49 PM)
fritz (07/08/2021, 1:50 PM)
alessandrogario (07/08/2021, 1:50 PM)
fritz (07/08/2021, 1:51 PM)
file table and reading the names of directories/files.
alessandrogario (07/08/2021, 1:56 PM)
fritz (07/08/2021, 1:56 PM)
alessandrogario (07/08/2021, 1:57 PM)
fritz (07/08/2021, 1:57 PM)
alessandrogario (07/08/2021, 1:58 PM)
fritz (07/08/2021, 1:58 PM)
alessandrogario (07/08/2021, 2:01 PM)
fritz (07/08/2021, 2:07 PM)
alessandrogario (07/08/2021, 2:09 PM)
fritz (07/08/2021, 2:12 PM)
alessandrogario (07/08/2021, 2:15 PM)