# kolide
t
Dude, this is user browser history... I'm sorry, I'm just not morally ok with helping you achieve that goal. What is your end goal? Perhaps there is a better way than enumerating websites people have visited in their browser.
k
Without a better source of logs at my disposal, this is how I was hoping to get a source of downloads for malicious files in the environment. Do you think there is a better way to achieve this with the tool?
t
Yes, check out the ntfs_journal_events table and file integrity monitoring. You can monitor user default download folders for any downloads that way... and you can cross reference any hashes of those files later on if you need to.
https://blog.kolide.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide-d5ac09db046b That is how to do it in our SaaS app but the basic premise is still there....
this is likely a better way to accomplish the end goal of looking for malicious downloads
k
Awesome, I will check this out and give it a shot. Thanks for getting back with me
t
macOS also has a FIM but the associated table is file_events if you need to do the same for Macs
this is likely better as well because it will capture all downloads no matter what browser they are coming from
you are welcome