# eclecticiq-polylogyx-extension

lvferdi

05/17/2022, 12:03 PM
Good morning. When looking in the extension log I can see references to a cert and attempted connections to a management server. Can this be disabled, as we are not using that functionality of this extension?

himanshu

05/18/2022, 5:12 AM
Can you share the extension log file and point to the logs for the attempted server connection? Location: `<programfiles>\plgx_osquery\`

OpenPlgx

05/18/2022, 9:15 AM
Or maybe the specific lines?

lvferdi

05/18/2022, 1:12 PM
The line is:

```
plgx_tls.cpp:192: tls_server_certs is: \Program Files\osquery\certs\cert.pem
```

When I navigate to that directory there is a cert there which I did not install. If I monitor the socket connections (using the extension itself) I can see attempted connections with these 4 IP addresses in the past 48 hours:

```
208.111.179.129
72.21.81.240
8.253.38.248
104.18.20.226
```

himanshu

05/18/2022, 4:33 PM
When you install osquery via its MSI installer, a default pem file is installed by osquery. This is the same file: `\Program Files\osquery\certs\cert.pem`. The extension just enumerates certain osquery flags, including `tls_server_certs`, when it is launched, but doesn't try to make any connection to any server. For osquery\extension to communicate to a server, `tls_hostname` has to be provided in the osquery.flags file. Since the default flags provided with the extension don't have any server-related flag, it won't attempt to connect to any server.
Regarding socket connections, they may be created by any application running in the environment; it could be browser activity as well. @OpenPlgx please add if needed.

OpenPlgx

05/18/2022, 4:44 PM
@lvferdi, is your osquery managed through TLS? The extension uses osquery APIs to read osquery flags. This could force osquery's config plug-in to fetch the config. If the config is TLS, it could force a network connection. Other than that, the extension doesn't do any socket activity.

lvferdi

05/18/2022, 6:35 PM
No, it is not managed via a TLS server, and the connections are from the extension. I am running Wireshark to capture it now.
Also, that cert is removed during install by our install process, which is why I was surprised to see it there.

OpenPlgx

05/19/2022, 6:32 AM
Interesting. What destination port are these connections on? Let me spin up an instance and see if we get any such activity. The best I can think of is some internal library in the osquery SDK, but well, will get back with some debugs.
We ran a test in the lab with only the following blob enabled in the config for osquery and didn't see any event:

```
"win_socket_events": { "process_name": { "include": { "values": [ "*osquery*", "*plgx*" ] } } },
```

Is there any other endpoint security product on the system that might be injecting code in other processes?

lvferdi

05/19/2022, 1:30 PM
There is a disabled Defender, Sysmon and osquery on this box, that is it. I will grab the ports momentarily.
All port 80
Here is what I can see

himanshu

05/20/2022, 8:58 AM
Can you confirm if it is reproducible on another vanilla VM having no other security software or tool? (Defender being installed and enabled is OK.)

OpenPlgx

05/20/2022, 9:33 AM
@lvferdi, 1. Do you have SSL events enabled? 2. I believe these lookups are going outbound for certificate validations / checking CRLs. The extension uses Windows APIs for certificate validations in image_load_events and ssl events. The IP address you mentioned is a Cloudflare IP and has been used to host [https://ocsp2.globalsign.com/] as shown in the VirusTotal reputation of the URL: https://www.virustotal.com/gui/url/83102acd5700e6a7d644f55899b098261b6972ccde6ead25a4d0cfda00b7520c/details (Final URL: https://www.globalsign.com/en/, Serving IP Address: 104.18.21.226)

lvferdi

05/20/2022, 3:40 PM
I do have SSL enabled, that makes sense. I will confirm with my pcap today. Thank you.

himanshu

05/20/2022, 6:54 PM
As @OpenPlgx also mentioned, image load events can also trigger these lookups.