#eclecticiq-polylogyx-extension

lvferdi

05/17/2022, 12:03 PM
Good Morning. When looking in the extension log I can see references to a cert and attempted connections to a management server. Can this be disabled as we are not using that functionality of this extension.

himanshu

05/18/2022, 5:12 AM
Can you share the extension log file and point to the logs for the attempted server connection? Location:
<programfiles>\plgx_osquery\

OpenPlgx

05/18/2022, 9:15 AM
Or maybe the specific lines?

lvferdi

05/18/2022, 1:12 PM
The line is:
plgx_tls.cpp:192: tls_server_certs is: \Program Files\osquery\certs\cert.pem
When I navigate to that directory, there is a cert there which I did not install. If I monitor the socket connections (using the extension itself), I can see attempted connections to these 4 IP addresses in the past 48 hours:
208.111.179.129
72.21.81.240
8.253.38.248
104.18.20.226

himanshu

05/18/2022, 4:33 PM
When you install osquery via its MSI installer, a default PEM file is installed by osquery. This is the same file: \Program Files\osquery\certs\cert.pem. The extension just enumerates certain osquery flags, including tls_server_certs, when it is launched, but doesn't try to make any connection to any server. For osquery/extension to communicate to a server, tls_hostname has to be provided in the osquery.flags file. Since the default flags provided with the extension don't have any server-related flag, it won't attempt to connect to any server.
4:36 PM
Regarding socket connections, they may be created by any application running in the environment; it could be browser activity as well. @OpenPlgx please add if needed.

OpenPlgx

05/18/2022, 4:44 PM
@lvferdi, is your osquery managed through TLS? The extension uses osquery APIs to read osquery flags. This could force osquery's config plug-in to fetch the config. If the config is TLS, it could force a network connection. Other than that, the extension doesn't do any socket activity.

lvferdi

05/18/2022, 6:35 PM
No, it is not managed via a TLS server, and the connections are from the extension. I am running Wireshark to capture it now.
6:36 PM
Also, that cert is removed during install by our install process, which is why I was surprised to see it there.

OpenPlgx

05/19/2022, 6:32 AM
Interesting. What destination port are these connections on? Let me spin up an instance and see if we get any such activity. The best I can think of is some internal library in the osquery SDK, but well, I will get back with some debugs.
11:38 AM
We ran a test in the lab with only the following blob enabled in the config for osquery and didn't see any event:
"win_socket_events": {
  "process_name": {
    "include": {
      "values": [ "osquery", "plgx" ]
    }
  }
},
11:38 AM
Is there any other endpoint security product on the system that might be injecting code into other processes?

lvferdi

05/19/2022, 1:30 PM
There is a disabled Defender, Sysmon and osquery on this box; that is it. I will grab the ports momentarily.
1:40 PM
All port 80.
1:49 PM
Here is what I can see.

himanshu

05/20/2022, 8:58 AM
Can you confirm if it is reproducible on another vanilla VM having no other security software or tool? (Defender being installed and enabled is OK.)

OpenPlgx

05/20/2022, 9:33 AM
@lvferdi,
1. Do you have SSL events enabled?
2. I believe these lookups are going outbound for certificate validations / checking CRLs. The extension uses Windows APIs for certificate validations in image_load_events and SSL events. The IP address you mentioned is a Cloudflare IP and has been used to host https://ocsp2.globalsign.com/, as shown in the VirusTotal reputation of the URL: https://www.virustotal.com/gui/url/83102acd5700e6a7d644f55899b098261b6972ccde6ead25a4d0cfda00b7520c/details
Final URL: https://www.globalsign.com/en/
Serving IP Address: 104.18.21.226

lvferdi

05/20/2022, 3:40 PM
I do have SSL enabled; that makes sense. I will confirm with my pcap today. Thank you.

himanshu

05/20/2022, 6:54 PM
As @OpenPlgx also mentioned, image load events can also trigger these lookups.