@qwxlea @dhrystone @EpiphanicSynchronicity
i use 1blocker on safari but i also have a whole-house dns server that consults adguard home and it's been great. my biggest concern there is the scareware shit that is usually a variation of OMG TAP HERE FOR MY EXPLOIT BEFORE SOME OTHER SCUMBAG ROOTS YOU!1 attacks.
but i also have UTM in-line, and iot on its own vlans, a honeynet, so, if someone wants to james bond me with a 0day, i'm honored, but i will write and publish an #ioc for #osquery
Hello friends! If you are curious about open source contributions, go see my amazing coworker @cc_codes at Nebraska.code() in July. Her keynote, The Power of Open-Source: How To Contribute To and Manage Communities, will be super interesting!
Played with OSQuery today for the 1st time. I had no idea this was created by Facebook (now Meta). Prior to messing with it on TryHackMe, I've never heard of it.
Is this tool used widely in the infosec community?
osquery-defense-kit v1.8.0 is out & is our biggest release ever, containing 60+ new #osquery queries and proper CI! https://github.com/chainguard-dev/osquery-defense-kit
This is the first release that's tuned to work well on VM-based #Linux environments and the first with generalized #rootkit detection.
osqtool v1.2.0 is out & stable: if you've ever had to work with #osquery pack files, it probably has something for you! https://github.com/chainguard-dev/osqtool
New is a simple "run" command for osquery pack files or directories of queries.
Some of our brilliant #ThreatIntel team members, Amit Malik and Pratik Jeware from Uptycs, talking about #macOS #malware and the ways to leverage #osquery for detection at Nullcon.
#threatintel #macos #malware #osquery #threatdetection #dfir
I'm pretty proud of this query, as it's the culmination of #osquery tricks I've learned over the last 6 months: https://github.com/chainguard-dev/osquery-defense-kit/blob/main/detection/initial_access/sketchy-mounted-diskimage.sql
In particular, the multiple unnatural joins using synthetically concatenated data, used to find the download URL for a likely matching DMG + finding paths to apps located within the mounts.
The downside is that if a mounted disk image has a symlink to "/" or "/Applications", the query will follow it due to #osquery limitations, which causes a performance hit.
Wow. Super impressed with Fleet once I figured out to use the --insecure option to not fight with cert errors on my home network. The most amazing thing was how fleetctl downloaded Docker images on a Linux box to create the MSI installer for my Windows 10 hosts 👏 #osquery -- next on to see if it works on ARM Linux
Introducing #osqtool v1.0: https://github.com/chainguard-dev/osqtool
It's a swiss-army tool for testing, creating, and manipulating #osquery query packs.
Got a directory full of SQL files and want to archive it into a query pack?
`osqtool pack <directory>`
Want to ensure that none of the queries in it will consume more than 15 minutes across a day of querying by multiplying the interval vs runtime duration?
`osqtool -max-query-daily-duration=15m verify <pack|directory>`
Go forth and enjoy!
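The daily-budget arithmetic behind that verify step (runs per day times runtime per run, compared against 15 minutes), worked through here as an added example that is not part of the post or of osqtool itself. The pack JSON and the per-query runtimes are constructed for the example; a real check would measure each query's runtime by executing it.

```python
import json

SECONDS_PER_DAY = 86400
DEFAULT_BUDGET_S = 15 * 60  # the post's 15-minute daily budget, in seconds

# Constructed osquery pack in the standard pack-file layout (made up for this example).
PACK_JSON = """
{
  "queries": {
    "listening_ports": {"query": "SELECT * FROM listening_ports;", "interval": 60},
    "process_events":  {"query": "SELECT * FROM process_events;",  "interval": 300},
    "all_files":       {"query": "SELECT * FROM file WHERE path LIKE '/%%';", "interval": 3600}
  }
}
"""

# Constructed per-query runtimes in seconds; stands in for a real measured run of each query.
MEASURED_RUNTIME_S = {"listening_ports": 0.05, "process_events": 4.0, "all_files": 20.0}


def daily_duration_s(interval_s: int, runtime_s: float) -> float:
    """Seconds a query spends running per day: (runs per day) x (runtime per run)."""
    if interval_s <= 0:
        raise ValueError("interval must be a positive number of seconds")
    runs_per_day = SECONDS_PER_DAY / interval_s
    return runs_per_day * runtime_s


def verify_pack(pack_json: str, runtimes: dict, max_daily_s: float = DEFAULT_BUDGET_S) -> dict:
    """Return {query_name: daily_seconds} for every query that exceeds the daily budget."""
    pack = json.loads(pack_json)
    over_budget = {}
    for name, spec in pack["queries"].items():
        if name not in runtimes:
            raise KeyError(f"no runtime measured for query {name!r}")
        total = daily_duration_s(int(spec["interval"]), runtimes[name])
        if total > max_daily_s:
            over_budget[name] = total
    return over_budget


if __name__ == "__main__":
    for name, total in verify_pack(PACK_JSON, MEASURED_RUNTIME_S).items():
        print(f"{name}: {total / 60:.1f} min/day exceeds the {DEFAULT_BUDGET_S // 60} min budget")
```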
Security folks, does osquery have a role in your security life? In what way?
I’d been aware of it and it seemed impressive. Finally, yesterday I gave it a go on my desktop and I really dig it. But I’m not sure what I ultimately could or should do with it at an enterprise scale with a distributed workforce. I talked to someone who forked it and used it as EDR which was cool. Telemetry plus inventory querying in the same agent. I can get behind that. Any other fancy use cases out there? #osquery
#osquery defense kit v1.6.0 just dropped with some new #blueteam queries:
- unencrypted #GCP service account keys
- unexpected #sysctl calls
- unexpected #xattr calls
- unexpected file made #executable
- unexpected Security.Framework program
If nothing else, I hope the queries are useful ideas for others! Have a great weekend. 🌴
#executable #xattr #sysctl #gcp #blueteam #osquery
I wrote my first CFP since the pandemic, for #CackalackyCon - a local InfoSec conference.
Working title: "Uncovering nation-state actors with #osquery"
New blog post outlining some of the #detection techniques we use with #osquery
https://unfinished.bike/behavioral-detection-of-macos-malware-using-osquery
@bea We had a lot of good speakers talking about how they're using #osquery at places like Netflix, Hashicorp, and Stripe. Videos should be released in the next few weeks. You could also ask on the osquery Slack channel.
https://www.osqueryatscale.com/
https://join.slack.com/t/osquery/shared_invite/zt-1m0qfip1y-~Z3GcOhp0E89EQBdco1lLA
Happy to see awesome tools like MISP (17th), Wireshark, Atomic Red Team, OSQUERY and wazuh on this list: https://opensourcesecurityindex.io/
#misp #Atomicredteam #wazuh #wireshark #sigma #osquery