https://github.com/osquery/osquery

fritz

01/24/2019, 7:21 PM
@R0n I wonder if you could create an augeas lens to parse:
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

R0n

01/24/2019, 7:40 PM
is there something to pull what is in the file?
like the etc_hosts

8p8c

01/25/2019, 2:10 AM
What do you mean by pull, R0n?

R0n

01/25/2019, 2:42 PM
i meant get the content from the file

8p8c

01/25/2019, 3:02 PM
The only two ways I know to pull content from a file like this are either a custom extension (probably simple to write, allows safely dropping privileges) OR an augeas lens and a query. In my opinion writing an extension is simpler - at least I haven’t yet grokked how the language behind augeas works, and I don’t know how it handles untrusted input from a file like this.

R0n

01/25/2019, 3:25 PM
something like this?

8p8c

01/25/2019, 3:35 PM
Yea, sort of - depends on if your aim is to include it in the core or as an extension. I’m not the gatekeeper but my understanding is that one-off files like this make more sense as an extension, but if this is very useful for a wide userbase then it can be included in the core.

R0n

01/25/2019, 3:52 PM
yes, it would make more sense as an extension/plugin. I'll try to find information about extensions and how to implement them

R0n

01/25/2019, 4:26 PM
👍 thank you