Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
h
Harrison
10/23/2019, 3:56 PMI saw that this question was asked before but I did not see an answer so I apologize if this is repetitive. Is there any way to use osquery to get visibility into the Group Policy configurations deployed on a system?
s
seph
10/23/2019, 6:40 PMAre they in the registry?
Anyhow, the internet suggests a couple of interesting blog posts:
https://www.uptycs.com/blog/windows-regist
https://medium.com/palantir/osquery-across-the-enterprise-3c3c9d13ec55
g
Guillaume
10/23/2019, 7:02 PMMost GPO settings are in the registry
Some are very easy to query for and obvious, others are a bit of a PITA because they aren't boolean or simple values but bitmasks
for example, the password policy if I remember correctly
that being said if you have some specific examples I can probably help you out
h
Harrison
10/23/2019, 7:05 PMThanks for the responses. I would be interested in the password information and also to ensure that screen locks after a specified time of inactivity are configured.
@Guillaume Any example of a GPO would be great!
g
Guillaume
10/24/2019, 1:39 PMOK sure, so since most GPO settings are in the registry, you can usually figure out what the keys and values are by opening ADM files
Then, osquery has a "registry" table that lets you select all of it, including wildcards
s
seph
10/24/2019, 1:41 PMThe uptycs blog post had an example of this.
g
Guillaume
10/24/2019, 1:42 PMhaha I was about to post it, I wrote it 🙂
s
seph
10/24/2019, 1:42 PMI assumed 😛
g
Guillaume
10/24/2019, 1:43 PMSo there is an example with StickyKeys in it ( https://www.uptycs.com/blog/windows-registry-osquery-the-easy-way-to-ensure-users-are-secured )
The thing that makes it a bit of a pain sometimes is you have to be careful about 2 things - some policies are per computer, easy enough, and some are per user, a bit harder (use wildcards and map back to the users table). The second thing is, the simple examples are good for understanding how it works, but in reality you should also query for the existence of a key and fail on the lack of it.
ex: you are checking registry key X for value 1 by selecting it where "=1" - well, it could be set to 0, or it could also not exist