Last month’s osquery release brought with it some exciting additions. Let’s jump in and have a quick look at some of the new features and table changes that were introduced.
For the full list of changes, check out the osquery changelog.
If you’ve ever found yourself wanting while concatenating strings in osquery, tying columns together has never felt better, thanks to the introduction of
Constructing simple, unique keys based on columns can now be achieved more cleanly. For example, let’s compare:
Using the usual concat operator
osquery> SELECT 'hello' || NULL || 'world'; 'hello'…
By now, you’ve no doubt already heard of Microsoft’s big email hack.
While attackers initially flew largely under the radar via an unknown vulnerability in the email software, the folks at Volexity observed a handful of post exploitation activities and tools that operators used to gain a foothold — one such tool being ProcDump, which attackers were observed using to dump LSASS process memory.
As a possible detection method using osquery and Fleet, check out this query from Recon InfoSec that looks for systems that accepted the ProcDump EULA. …