
Example osquery config





Changelog:
September 24th 2021 – Added Vagrant to spin up Fleet on Ubuntu 20.04 and updated the Ansible playbook to use TARs.
August 29th 2021 – Added instructions to install/set up Osquery on macOS Big Sur.
August 29th 2021 – Updated Docker from Fleet v4.0.1 to v4.2.3.
July 15th 2021 – Updated Docker from Fleet v3.7.1 to v4.0.1.

Covered in this post:
Create a query pack on Fleet with the UI and the FleetCTL CLI tool.
Create a saved query on Fleet with the UI and the FleetCTL CLI tool.
Create a live query on Fleet with the UI and the FleetCTL CLI tool.

The purpose of this blog post is to provide multiple methods to install/set up FleetDM, to deploy Osquery, and to demonstrate how to use the features of FleetDM and FleetCTL. Writing it produced an Ansible playbook, Docker Compose files for Swarm and non-Swarm deployments, a Vagrantfile to create a VM, and manual instructions for installing FleetDM on Ubuntu 20.04. Additionally, there are Ansible playbooks for deploying the Osquery agent on Windows and Ubuntu, with manual instructions as well. Lastly, I will end by demonstrating how to use the FleetDM web GUI and the FleetCTL tool to manage FleetDM and interact with your Osquery agents.

Querying the Windows registry with osquery

The Windows registry is full of information and, with the proper tools, can be a gold mine for attackers and defenders alike. Microsoft's own definition reads: "A central, hierarchical database used in Windows 98, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more users, applications, and hardware devices." The registry can be used by the kernel, device drivers, services, the Security Accounts Manager, and user interfaces. As the registry is a database that stores low-level settings for the operating system and for applications that opt to use it, it functions as a repository of information that Windows continually references during operation.

Attackers look for specific configurations, credentials, or any other information that can help them attack systems further, while defenders can use the registry to verify that settings are configured as expected. That is not always easy to do with the standard Windows tools, or with the right level of performance. Fortunately, osquery solves that for us.

Let's consider GPOs, which most organizations with a Windows domain use. GPOs are usually just a way to get a set of specific values configured in the registry, and osquery lets us query the registry for those values very easily. For example, this query returns the settings related to Microsoft LAPS (the column list of the original query did not survive in this copy; SELECT * against the registry table is used in its place):

SELECT * FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd'

The same approach returns the Sticky Keys configuration values found for every user: the Flags value under Control Panel\Accessibility\StickyKeys in each user's hive. Unless a user needs Sticky Keys, that value should actually be set to 506, which is the value written when Sticky Keys are disabled completely, to prevent the feature from being abused to elevate privileges.

The results are there, but, for someone trying to understand which user is affected by which setting, they are not very readable. Fortunately, using SQL, we can easily join tables together, and the users table contains the data we are looking for. To join two tables, we need a column with common data. The registry table contains: key, path, name, type, data, mtime. The users table contains none of these, but it does contain uuid, which, on Windows, holds the SID (Security Identifier).

If you are not familiar with SIDs, they are unique identifiers for users, groups and logon sessions. Well-known accounts and groups have the same SID on every Windows installation, but each account that is created gets a SID unique to that machine or domain. The SID is exactly what is used to separate users in the registry: so while the registry table doesn't have a column with the SID, the path column does contain it.

Osquery supports SQL additions, including split. Split lets us specify that a column be separated on a delimiter, and creates a new column with only that part of the value. The registry, like many things in Windows, is separated by backslashes, and in this case we want the first value after the hive name (HKEY_USERS) to be its own column. Therefore, we use split(path, '\', 1) to obtain the value located between the first and second backslashes in path. We'll call the column we are creating sid. Then we map it to the users table on the uuid field.
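The per-user Sticky Keys query with the split() join described above, written out in full. This is an added example and not a query from the original post. It assumes osquery's Windows registry and users tables as documented (key, path, name, type, data, mtime; uuid carrying the SID), that Sticky Keys is controlled by the Flags value under Control Panel\Accessibility\StickyKeys in each user hive, and that 506 is the expected value, as the post states. The 'review' status for anything else, including the Windows default of 510, is a policy choice made here, not something the post prescribes.

```sql
-- Added example: Sticky Keys 'Flags' per user, with the owning account
-- resolved from the SID that osquery exposes in the registry path.
-- Assumptions: osquery Windows 'registry' and 'users' tables; Flags under
-- Control Panel\Accessibility\StickyKeys; 506 = Sticky Keys disabled.
SELECT
  split(r.path, '\', 1)                                    AS sid,       -- token after HKEY_USERS
  COALESCE(u.username, '(hive not mapped to a user)')      AS username,
  r.data                                                   AS flags,
  CASE
    WHEN r.data = '506' THEN 'ok'
    ELSE 'review'                                          -- 510 is the Windows default
  END                                                      AS status,
  datetime(r.mtime, 'unixepoch')                           AS last_modified
FROM registry AS r
LEFT JOIN users AS u
  ON u.uuid = split(r.path, '\', 1)
WHERE r.key LIKE 'HKEY_USERS\%\Control Panel\Accessibility\StickyKeys'
  AND r.name = 'Flags'
ORDER BY status DESC, username;
```

Two caveats when reading the output. HKEY_USERS only contains the hives that are currently loaded (logged-on users, service accounts and .DEFAULT), so a user who is not logged on at query time will not appear at all; run the query on a schedule rather than once. The LEFT JOIN keeps rows whose SID does not match a local users entry (for example a domain account that is logged on but not enumerated by the users table), so those are not silently dropped.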


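The LAPS query in the post lists whatever values exist under the AdmPwd policy key, which means a host where the policy was never applied returns no rows and looks the same as a host with nothing wrong. The query below is an added example (not from the original post) that turns that listing into a drift check, flagging an absent policy as well as weak values. The value names AdmPwdEnabled, PasswordLength and PasswordAgeDays are the legacy Microsoft LAPS policy values; the thresholds (length at least 14, age at most 30 days) are assumptions standing in for your own baseline.

```sql
-- Added example: LAPS policy drift check against an assumed baseline
-- (AdmPwdEnabled = 1, PasswordLength >= 14, PasswordAgeDays <= 30).
-- Returns one row per finding; no rows means the host matches the baseline.
WITH laps AS (
  SELECT name, data
  FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd'
)
SELECT 'LAPS policy key absent or AdmPwdEnabled not set' AS finding,
       NULL AS value
WHERE NOT EXISTS (SELECT 1 FROM laps WHERE name = 'AdmPwdEnabled')
UNION ALL
SELECT 'LAPS disabled by policy', data
FROM laps
WHERE name = 'AdmPwdEnabled' AND data != '1'
UNION ALL
SELECT 'PasswordLength below baseline', data
FROM laps
WHERE name = 'PasswordLength' AND CAST(data AS INTEGER) < 14
UNION ALL
SELECT 'PasswordAgeDays above baseline', data
FROM laps
WHERE name = 'PasswordAgeDays' AND CAST(data AS INTEGER) > 30;
```

Values that the GPO does not set are simply absent from the key, and LAPS then applies its built-in defaults; if your baseline is stricter than those defaults, add an "absent" finding for each value in the same style as the AdmPwdEnabled check rather than assuming silence means compliance.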



