Last month’s osquery release brought with it some exciting additions. Let’s jump in and have a quick look at some of the new features and table changes that were introduced.
For the full list of changes, check out the osquery changelog.
If concatenating strings in osquery has ever left you wanting, tying columns together has never felt better, thanks to the introduction of the concat and concat_ws functions.
Constructing simple, unique keys based on columns can now be achieved more cleanly. For example, let’s compare:
Using the usual concatenation operator || returns NULL as soon as any operand is NULL:
osquery> SELECT 'hello' || NULL || 'world'; 'hello'…
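To make the difference concrete without an osquery build handy, here is an added example (not code from the osquery project or from this post) that emulates concat and concat_ws on top of Python's sqlite3, which is the same SQL engine osquery embeds. The emulation assumes both functions skip NULL arguments, as osquery's SQL documentation describes; the users rows are constructed, not real host data.

```python
import sqlite3

# Emulations of osquery's concat() and concat_ws() for plain sqlite3.
# Assumption: NULL arguments are skipped (osquery's documented behaviour);
# empty strings are kept, since they are not NULL.
def osquery_concat(*args):
    return "".join(str(a) for a in args if a is not None)

def osquery_concat_ws(sep, *args):
    if sep is None:
        return None
    return sep.join(str(a) for a in args if a is not None)

def open_db():
    db = sqlite3.connect(":memory:")
    # narg=-1 lets the functions accept any number of arguments, like osquery's.
    db.create_function("concat", -1, osquery_concat)
    db.create_function("concat_ws", -1, osquery_concat_ws)
    # Constructed stand-in for a few rows of osquery's users table.
    db.execute("CREATE TABLE users (uid INTEGER, username TEXT, description TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (0, "root", "System Administrator"),
        (501, "alice", None),        # description is NULL for this account
        (502, "svc-backup", ""),     # empty, but not NULL
    ])
    return db

def pipe_vs_concat_on_literal(db):
    # Same expression as the post's example, side by side with concat().
    return db.execute(
        "SELECT 'hello' || NULL || 'world', concat('hello', NULL, 'world')"
    ).fetchone()

def keys_with_pipe_operator(db):
    # || propagates NULL: one NULL column silently turns the whole key into NULL,
    # which is how "unique" keys quietly collapse into duplicates in results.
    return [r[0] for r in db.execute("SELECT username || ':' || description FROM users")]

def keys_with_concat_ws(db):
    # concat_ws skips NULL arguments, so every row still gets a usable key.
    return [r[0] for r in db.execute(
        "SELECT concat_ws(':', uid, username, description) FROM users"
    )]

if __name__ == "__main__":
    db = open_db()
    print(pipe_vs_concat_on_literal(db))
    print(keys_with_pipe_operator(db))
    print(keys_with_concat_ws(db))
```

The row for alice is the one to watch: with || its key is NULL, while concat_ws still yields 501:alice. In osquery itself the two functions are built in, so only the queries carry over; the create_function calls exist purely to run the comparison offline.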
By now, you’ve no doubt already heard of Microsoft’s big email hack.
While attackers initially flew largely under the radar via a previously unknown vulnerability in the email software, the folks at Volexity observed a handful of post-exploitation activities and tools that operators used to gain a foothold — one such tool being ProcDump, which attackers were observed using to dump LSASS process memory.
As a possible detection method using osquery and Fleet, check out this query from Recon InfoSec that looks for systems that accepted the ProcDump EULA. …
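To show the shape of such a check, here is an added example that is not the Recon InfoSec query and not osquery project code. It relies on a documented Sysinternals behaviour: when a tool's EULA is accepted (interactively or with the -accepteula switch), the tool writes EulaAccepted = 1 under the user's Software\Sysinternals\<ToolName> key. The query targets osquery's registry table columns (key, path, name, type, data, mtime); the rows, SIDs and timestamps below are constructed so the query can run offline against sqlite3.

```python
import sqlite3

# Constructed sample rows shaped like osquery's registry table
# (key, path, name, type, data, mtime). SIDs and timestamps are made up.
SAMPLE_REGISTRY_ROWS = [
    (r"HKEY_USERS\S-1-5-21-100-200-300-1001\SOFTWARE\Sysinternals\ProcDump",
     r"HKEY_USERS\S-1-5-21-100-200-300-1001\SOFTWARE\Sysinternals\ProcDump\EulaAccepted",
     "EulaAccepted", "REG_DWORD", "1", 1615000000),
    (r"HKEY_USERS\S-1-5-21-100-200-300-1001\SOFTWARE\Sysinternals\PsExec",
     r"HKEY_USERS\S-1-5-21-100-200-300-1001\SOFTWARE\Sysinternals\PsExec\EulaAccepted",
     "EulaAccepted", "REG_DWORD", "1", 1615003600),
    # Unrelated per-user value that must not match.
    (r"HKEY_USERS\S-1-5-21-100-200-300-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     r"HKEY_USERS\S-1-5-21-100-200-300-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "OneDrive", "REG_SZ", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe", 1614000000),
]

# The osquery-style detection query. It casts a net over every Sysinternals
# tool, not only ProcDump, because the same EULA marker is written for all of
# them; narrow the LIKE pattern to '...\Sysinternals\ProcDump' for a single tool.
# Note: in osquery the registry table needs a constraint on key or path, which
# this LIKE supplies; '%' matches the per-user SID component.
EULA_QUERY = r"""
SELECT key, data, mtime
FROM registry
WHERE key LIKE 'HKEY_USERS\%\SOFTWARE\Sysinternals\%'
  AND name = 'EulaAccepted'
  AND data = '1'
ORDER BY mtime
"""

def load_sample_registry():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registry "
               "(key TEXT, path TEXT, name TEXT, type TEXT, data TEXT, mtime INTEGER)")
    db.executemany("INSERT INTO registry VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_REGISTRY_ROWS)
    return db

def accepted_sysinternals_eulas(db):
    # Returns one record per accepted EULA: which user (SID), which tool,
    # and when the value was last modified (useful for building a timeline).
    hits = []
    for key, data, mtime in db.execute(EULA_QUERY):
        parts = key.split("\\")
        hits.append({"sid": parts[1], "tool": parts[-1], "mtime": mtime})
    return hits

if __name__ == "__main__":
    for hit in accepted_sysinternals_eulas(load_sample_registry()):
        print(hit)
```

Treat a hit as a lead rather than a verdict: administrators legitimately run ProcDump and PsExec, so the value of this query comes from scheduling it in Fleet and reviewing new rows against the host's expected tooling and the mtime, which tells you when the acceptance was recorded.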