Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Martin Langhoff
12/17/2020, 5:54 PMHow are rules like “*Plain-text Github 2FA Recovery Codes Detected”* implemented?
• it’s misfiring for my laptop, I have encrypted the file, but it still complains
• we might want to add custom rules of our own, is there a workflow for that?
t
terracatta
12/17/2020, 5:57 PMHi Martin, can you tell me how you encrypted the file?
m
Martin Langhoff
12/17/2020, 6:01 PMI used sshenc, which uses ssh keys to do something similar to what gpg would do.
the result is an ASCII file with contents like:
-- encrypted with <https://sshenc.sh/>
-- keys
-- key
Base64 encoded datat
terracatta
12/17/2020, 6:13 PMWe detect the github codes based on extended file attributes that are likely not impacted by your encryption process.
m
Martin Langhoff
12/17/2020, 6:15 PMI def made a new file… the process is a bit like
openssl --flags flags < file > file.encryptedt
terracatta
12/17/2020, 6:15 PMit's likely it copied the file and its extended attributes
let me see if I can find the command line for showing that
and show you how to remove those attributes
so that the file no longer alerts
xattr -l <filename>in your case you want to remove any extended attributes named
com.apple.metadata:kMDItemWhereFromswhich can be done with
xattr -d metadata:kMDItemWhereFroms <file>m
Martin Langhoff
12/17/2020, 6:33 PMthe file has no xattrs
t
terracatta
12/17/2020, 6:37 PMhmmm
ok well I would rename it slightly, the recheck will pass, and then it shouldn't be redetected
or you can just ignore the failure as well
m
Martin Langhoff
12/17/2020, 7:12 PMyeah, I can ignore it. but I’m also learning about the system 🙂
are the actual rules visible by admin? editable by admin?
t
terracatta
12/17/2020, 8:03 PMHi Martin, the rules are not all visible but you can kind of infer them from look at a device's osquery config by clicking into a device, choosing actions, and then choosing "View Osquery Config..." you can sometimes reference a check ID
🙌 1
m
Martin Langhoff
12/17/2020, 8:06 PMthank you