Channels
# apple-silicon
# arm-architecture
# auditing-warroom
# aws
# code-review
# community-feeds
# core
# darkbytes
# doorman
# ebpf
# eclecticiq-polylogyx-extension
# extensions
# file-carving
# fim
# fleet
# foundation
# fuzzing
# general
# golang
# goquery
# infrastructure
# kolide
# linux
# macos
# officehours
# osctrl
# plugins
# process-auditing
# querycon
# queryhub
# sql
# tls
# uptycs
# website
# windows
# zeek
# zercurity
- s
seph
2 years agoIf that script isn’t working, I’d probably look at setting the permissions manually. What are they set to now? - e
Eva
2 years agoHello Seph, Yes, I do it. But I can't modify permissions for ALL APPLICATIONS PACKAGES, it have special permissions. - s
seph
2 years agoI am by no means a windows expert. - But I’d start by looking at the permissions, and trying to manually correct them.
- What are the permissions there?
- e
Eva
2 years agoI try to remove write and delete permisions but it doesn't work. They are:+ Show folder/read data. + Read extended attributes. + Write extended attributes. + Delete. + Read permissions. - s
seph
2 years agoCould you please show what you’re doing? I can’t be a second set of eyes, if I can’t see the commands you’re running - e
Eva
2 years agoThese's the groups which have permisions in
directory:osqueryd - s
seph
2 years agoCan you manually remove the ALL APPLICATIONS PACKAGES grant there? - e
Eva
2 years agoAnd ALL PACKAGES APPLICATION have the following special permisions are: - Windows doesn't allow
- s
seph
2 years agoFrom a powershell window, can you run
with the directory osquery is in?icacls.exe - e
Eva
2 years agomessage has been deleted - s
seph
2 years agoCan you runn that against the directory, not the binary? - from there
should workicacls.exe . - I’m trying to read docs about what this is, and whether or not it’s possible to remove that permission grant
- What version of windows is this?
- e
Eva
2 years agoWindows Server 2019 - It doesn't work. I think this group is used to can execute the programs. And the permissions could be correct. But I don't know why it fails.
- s
seph
2 years agoThat group has write access. osquery doesn’t like that. - You can either remove the write access, or run osquery with
flag. I’m less sure whether this represents an osquery bug.--allow_unsafe - e
Eva
2 years agoI removed it and it does't work - s
seph
2 years agoRemoved what? The permissions? What do you mean didn’t work? Windows doesn’t support removing it? - e
Eva
2 years agoI removed write permissions and osquery report the same error - s
seph
2 years agodoes icacls.exe show the permissions as gone? - I’ve copied this information into https://github.com/osquery/osquery/issues/5965 Hopefully more windows oriented people can take a look
- e
Eva
2 years agookay, Thanks! And yes, without write permission also doesn't work - s
seph
2 years agoCan you show that with icacls? - e
Eva
2 years agomessage has been deleted - s
seph
2 years agoCan you run that on the enclosing folder, not the binary? - e
Eva
2 years agomessage has been deleted - s
seph
2 years agocan you also
in that directory?get-acl - e
Eva
2 years agomessage has been deleted - s
seph
2 years agoAnd the directory please. - e
Eva
2 years agoThis is the directory - s
seph
2 years agoThgat looks like
which is the binary. Can you alsoget-acl osquerydget-acl . - e
Eva
2 years agomessage has been deleted - s
seph
2 years agoThank you. Those permissions seem to match the docs - I don’t know if I’m going to be able to dig into it. but https://github.com/osquery/osquery/issues/5965 exists at least
Join thread in Slack
View count: 2