Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
n
namali
10/27/2022, 6:39 PMHello! While running osquery on windows (osquery ATC) has anyone come across this: "Will not autoload extension with unsafe directory permissions: C:\Program Files\osquery\extensions/macadmins.exe"?
I ran it with a --allow_unsafe flag and it initialized osquery, but then I got a popup "the image file macadmins.exe is valid, but is for machine type other than the current machine". Not sure I understand what is going on here. Can someone help on this please?
I am trying to retrieve browser files using osquery_atc on Windows
s
sharvil
10/27/2022, 6:50 PMmacadmins.exe on windows sounds weird..are you trying to load a mac extension on windows?
n
namali
10/27/2022, 6:54 PMI am trying to use this ATC conf here:
"auto_table_construction": {
"chrome_history": {
"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls",
"path":"C:\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\%\\History",
"columns":["last_visited","url","title","visit_count"]
}
}
}s
sharvil
10/27/2022, 7:00 PMIt would see that something in your config is loading that extension, which is why you are seeing
"Will not autoload extension with unsafe directory permissions: C:\Program Files\osquery\extensions/macadmins.exe"?n
namali
10/27/2022, 7:08 PMThat makes sense!
I need to check if there is an extension or ATC that exists for windows browser history.
By any chance have you come across one? @sharvil?
s
sharvil
10/27/2022, 7:12 PMATC is not dependent on any extension and should work on windows too
n
namali
10/27/2022, 7:17 PMOkay. Nothing in my .conf points to the macadmins extensions. Also I checked the extensions folder in osquery - the only file within that is 'macadmins.exe'
s
sharvil
10/27/2022, 7:17 PManything in the flagfile?
n
namali
10/27/2022, 7:21 PMWhere can I find the flagfile?
I mean the way I am running this is osqueryi --config_path path\name_atc_history.conf --allow_unsafe
s
sharvil
10/27/2022, 7:26 PMcan you add
--verbosen
namali
10/27/2022, 7:30 PMThis is my conf file:
"auto_table_construction": {
"chrome_history": {
"query":"SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls",
"path":"C:\\Users\\%\\AppData\\Local\\Google\\Chrome\\User Data\\%\\History",
"columns":["last_visited","url","title","visit_count"]
}
}
}verbose output:
I1027 12:29:44.617239 3388 init.cpp:357] osquery initialized [version=5.2.2]
I1027 12:29:44.620157 3388 extensions.cpp:438] Found autoloadable extension: C:\Program Files\osquery\extensions/macadmins.exe
I1027 12:29:44.621152 3388 dispatcher.cpp:78] Adding new service: WatcherRunner (000001FEC25738A0) to thread: 3560 (000001FEC25999A0) in process 12556
I1027 12:29:44.625387 3388 dispatcher.cpp:78] Adding new service: ExtensionWatcher (000001FEC250E670) to thread: 11268 (000001FEC2599A80) in process 12556
I1027 12:29:44.625387 3388 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (000001FEC4419200) to thread: 6224 (000001FEC2599B80) in process 12556
I1027 12:29:44.626385 3388 auto_constructed_tables.cpp:99] Removing stale ATC entries
I1027 12:29:44.626385 6224 interface.cpp:299] Extension manager service starting: \\.\pipe\shell.em
Using a [1mvirtual database[0m. Need help, type '.help'
osquery> E1027 12:29:49.703593 3560 watcher.cpp:702] Cannot create extension process: C:\Program Files\osquery\extensions/macadmins.exe