# general
defensivedepth

05/14/2019, 8:06 PM
seph

05/14/2019, 8:19 PM
❤️ that you called out the 172/12 issue there
Guillaume

05/14/2019, 8:36 PM
Figured it was good enough for a quick query for most but at the same time I dislike articles that assume 172.16 to be a :16 :)
defensivedepth

05/14/2019, 8:49 PM
@Guillaume Updated for `os_version` check (<= Windows 2008 R2) https://gist.github.com/defensivedepth/7a8a4f804818ca18c8ce46f8e0a8c5fd
Guillaume

05/14/2019, 10:59 PM
@defensivedepth would looking for os_version.version < 6.2 make more sense though?
Since client versions are impacted too and won't have a name that fits 201%
defensivedepth

05/15/2019, 12:13 AM
@Guillaume Yes it would, except that `version` is a `text` datatype and `< 6.2` won't work. Alternatively, I think the following would catch everything 2008 R2 / Win 7 & below:
`WHERE major < 7 AND minor < 2`
seph

05/15/2019, 12:28 AM
Is `remote_address` the… remote_address? Is this RDP things with a remote connection, not things that are listening?
Guillaume

05/15/2019, 12:36 AM
Basically as soon as someone connects to you over the internet you'll see it @seph, considering how everything I ever put on the internet constantly receives connections over RDP I think it's sensible
seph

05/15/2019, 12:37 AM
hahahaha. Fair enough. Leveraging the constant scans as a canary mechanism
Guillaume

05/15/2019, 12:38 AM
Yep
defensivedepth

05/15/2019, 12:39 AM
@Guillaume Curious to hear how often you schedule this query in prod?
Guillaume

05/15/2019, 12:41 AM
I think it really does not have to be frequent. The idea here is that there's constant connections, and you weed them out over time. 60m?
@defensivedepth it's weird I was testing some stuff with os_version.version (ex: < 11 on a Win10 box) and it worked - but it doesn't work with >. I had not even realized it was a text
your query works, because luckily there is no minor above .2 for a major below, so that is nice 🙂
some variants of XP 64 are 5.2
defensivedepth

05/15/2019, 12:46 AM
Ya, I don't have osquery on XP in my env, so I couldn't test that 🙂
Guillaume

05/15/2019, 12:48 AM
Saved by lack of legacy support 😄
seph

05/15/2019, 1:03 AM
It’s an event table. So query frequency may not mean what you think.
Guillaume

05/15/2019, 1:04 AM
Honestly, I thought of it as a query I would run once to spot problems more than anything but yeah you're right
though the schema doesn't show it as evented... I think I need to stop staring at the 48 tabs I have open right now 🙂
seph

05/15/2019, 1:07 AM
blah. You’re right. It’s not evented. I dunno what query I saw that was.
You could use socket_events
defensivedepth

05/15/2019, 1:27 AM
socket_events is not supported on Windows 😞