#kolide
terracatta

04/01/2020, 9:37 PM
Dude, this is user browser history... I'm sorry, I'm just not morally ok with helping you achieve that goal. What is your end goal? Perhaps there is a better way than enumerating websites people have visited in their browser.
k3nd0r

04/01/2020, 9:40 PM
Without a better source of logs at my disposal, this is how I was hoping to get a source of downloads for malicious files in the environment. Do you think there is a better way to achieve this with the tool?
terracatta

04/01/2020, 9:42 PM
Yes, check out ntfs_journal_events table and file integrity monitoring. You can monitor user default download folders for any downloads that way...and you can cross reference any hashes of those files later on if you need to.
9:43 PM
https://blog.kolide.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide-d5ac09db046b That is how to do it in our SaaS app but the basic premise is still there....
9:43 PM
this is likely a better way to accomplish the end goal of looking for malicious downloads
k3nd0r

04/01/2020, 9:43 PM
Awesome, I will check this out and give it a shot. Thanks for getting back with me
terracatta

04/01/2020, 9:44 PM
macOS also has a FIM but the associated table is file_events if you need to do the same for Macs
9:44 PM
this is likely better as well because it will capture all downloads no matter what browser they are coming from
9:44 PM
you are welcome