https://github.com/osquery/osquery logo
Powered by
a

alessandrogario

05/03/2020, 11:07 AM
but I'm not sure how it would look like to fetch data from a file
s

SK

05/03/2020, 11:18 AM
Hey @alessandrogario thanks for your response. With this commit will there be a possibility to input a file? To run the queries on?
And just saw https://github.com/osquery/osquery/commit/b8a1c68afd2678988fc311c7a4e692f90d111bec, will this mean that the windows_events table will parse the data returned correctly and make it possible to like make smarter queries based on the data in the event?
a

alessandrogario

05/03/2020, 1:25 PM
There is no support for receiving data from files, but this PR can make it possible if a good interface is found
I don't know how this interface would look like, but it's something like 
osqueryi --publisher_data=something
This is just a silly example, I think that in order to get this kind of usage approved, the interface should be generic enough so that it can be applied to all publishers
Does it make sense to implement it, given that it would only work for event-based tables and everything else (such a 
processes
, 
users
, etc...) is instead taken from the live system? What kind of use case there is here?
A design, documented in a blueprint issue, should be proposed so that people can discuss about it
s

SK

05/03/2020, 1:52 PM
The use case would be to be able to replay attacks to improve detection based on Windows events. But you are right the use case is not that generic. Maybe I need to find a way to re-ingest the data in the Windows Events logs.
a

alessandrogario

05/03/2020, 1:57 PM
The proper way to make this work is to have osquery work on a memory dump, so that non-evented tables will take data from there
while evented tables replay pre-recorded data
this is not easy to implement though
s

SK

05/03/2020, 2:42 PM
Yes might be an interesting approach, but will try to get a way to replay evtx files in a VM see what can be done that way.
4 Views
Powered by