osquery #windows

himanshu

02/09/2021, 3:28 PM

hi, i am trying to use

character_frequencies

map specified here (https://github.com/osquery/osquery/blob/4.6.0/tools/deployment/osquery.example.conf) with osquery 4.5.0. but osquery reports error while parsing the config

"The character_frequencies configuration entity array is not valid. Entry #0 is not a double"

.. while looking at osquery code, it seems the value 0.0 in character_frequencies map json is stored as just 0 in character_frequencies_array for which

character_frequencies_array[i].IsDouble()

check is not working. while other values in character_frequencies map such as

0.00045

are stored and parsed correctly. please suggest / confirm in this regard. thanks in advance.

Valentín

02/16/2021, 5:19 PM

Does anybody know to connect to a Windows named pipe through Apache Thrift in Java?

George

02/18/2021, 8:55 AM

I'm using the kolide launcher for osquery and whenever I install the package onto a Windows host, the application log gets spammed with Event log 1,

caller=level.go:63 level=info caller=log.go:69 component=osquery level=stderr msg="...

messages, has anyone else seen this issue?

defensivedepth

03/23/2021, 1:34 PM

In your poc, is sysmon still outputting events to the eventlog? Your poc just allows us to more easily manipulate the sysmon data without having to use the

windows_events

table to ship the sysmon logs?

03/23/2021, 5:15 PM

so, sysmon is running on the host and osquery consumes the data

Mike Myers

03/23/2021, 5:40 PM

is it necessary to enable the appropriate ETW providers first? If so, is that a persistent change to the system state? This is where osquery has trouble trying to adhere to its principles of "don't change system state", but I think it's worth a discussion (other auditing sources can be enabled with registry changes)

Stefano Bonicatti

03/26/2021, 12:16 PM

If desired we can put

INCREMENTAL

under a CMake option for the project, but

/MP

varies a lot depending on the target being built and the amount of targets/projects that are building at the same time.

metalgearsolid

03/30/2021, 10:20 AM

Hello, does anyone have experience with the

windows_eventlog

table and figuring out what command to run to check what channels are available from the endpoint? I did a simple

select channel from windows_eventlog where channel like '%'

and seems like that does not work, wondering if anyone has a workaround to share? Thanks!

manu

04/03/2021, 2:56 AM

Copy code

osquery> select * from osquery_events;
+-------------------------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| name                                      | publisher                | type       | subscriptions | events | refreshes | active |
+-------------------------------------------+--------------------------+------------+---------------+--------+-----------+--------+
| SysmonEtwEventPublisher                   | SysmonEtwEventPublisher  | publisher  | 23            | 0      | 0         | 1      |
| WindowsEventLogPublisher                  | WindowsEventLogPublisher | publisher  | 2             | 0      | 0         | 1      |
| ntfs_event_publisher                      | ntfs_event_publisher     | publisher  | 0             | 0      | 0         | 0      |
| ntfs_journal_events                       | ntfs_event_publisher     | subscriber | 0             | 0      | 0         | 1      |
| powershell_events                         | WindowsEventLogPublisher | subscriber | 1             | 0      | 0         | 1      |
| sysmon_clipboard_events                   | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_dnsquery_events                    | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_driver_loaded_events               | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_file_created_events                | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_file_delete_events                 | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_filestream_created_events          | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_image_load_events                  | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_network_connection_events          | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_pipe_connected_events              | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_pipe_created_events                | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_accessed_events            | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_create_events              | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_tampering_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_process_terminate_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_raw_access_read_events             | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_registry_added_deleted_events      | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_registry_renamed_events            | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_registry_valueset_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_remote_thread_events               | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_service_state_events               | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_wmievent_consumer_events           | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_wmievent_consumer_to_filter_events | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| sysmon_wmievent_filtering_events          | SysmonEtwEventPublisher  | subscriber | 1             | 0      | 0         | 1      |
| windows_events                            | WindowsEventLogPublisher | subscriber | 1             | 0      | 0         | 1      |
+-------------------------------------------+--------------------------+------------+---------------+--------+-----------+--------+

🦜 1

🎉 1

🔥 1

🥇 2

theopolis

04/03/2021, 8:03 PM

The config supports

Copy code

{
  "events": {
    "disable_subscribers": [
      "sysmon_wmievent_filtering_events"
    ]
  }
}

👑 1

Hello_There

04/07/2021, 2:38 PM

good morning, I have a question and problem, I made a query to bring powershell events through the powershell_events table: I created a pack with this query select * from powershell events But when I did it started to get a flood of events and the traffic went up from 150MB to 1GB I realized after 5 min later .... When I realized I stopped the pack, even excludes it but still this event keeps coming is there anything to be done so that the hosts stop sending or just wait to normalize?

✅ 1

terracatta

04/19/2021, 4:14 PM

@MarkMurdock we built all of our launcher tables on https://github.com/osquery/osquery-go (which we recently transferred over to the Osquery community) I would read through that for more info as well.

MarkMurdock

04/27/2021, 8:32 PM

I've got Launcher and OSQuery built and working on Windows (connected to FleetDM). Do I need to do anything special to query kolide_wmi from FleetDM? I have tried a couple of basic queries but am just getting errors. For example, a query I tried was: SELECT parent,key,value,class FROM kolide_wmi WHERE class = 'Win32_OptionalFeature'

grahamgilbert

04/29/2021, 3:45 PM

Hi folks, is there any chance of a 4.8 nuget being published soon?

Nithin Sade

05/11/2021, 3:18 AM

Hi Folks, tl;dr I am new here and I am wondering if the current master branch is expected to fail tests. I am currently working on adding a few tables but before doing anything, I thought I'd run unit tests on the master branch. I believe only 1% of the tests are passing. Am I doing something wrong here?

Chad Priest

05/14/2021, 4:09 PM

Hello - We are looking to run Yara rules on windows machines from FleetDM and came across the Polylogyx osq-ext-bin repo (found here: https://github.com/polylogyx/osq-ext-bin) for our SASS offering but it seems like we won't be able to use this due to the license agreement for our commercial product. I was wondering if anyone might know of an alternative to this?

zwass

05/18/2021, 4:45 PM

This seems like a great opportunity for Uptycs to contribute to osquery.

🙏 1

➕ 1

Hello_There

05/18/2021, 7:18 PM

Hi all, I have a doubt that can be a little stupid. Is there a table to monitor new devices on windows or to monitor new devices plugged into the USB? I know that for linux there is a table, but for Windows I didn't notice the most suitable one.

ananta

06/04/2021, 5:01 PM

can anyone point me to resources where i can learn more about event based tables in windows.

Aman Kumar Chagti

06/11/2021, 8:41 AM

@Stefano Bonicatti Hi, I am New there. Can you plz help. Is there any way that we can access group policies from osquery in windows 10??

Aman Kumar Chagti

06/12/2021, 7:26 AM

How can i install osqueryi (shell version) on windows 10??

Mystery Incorporated

06/13/2021, 5:52 AM

Hi guys, how do I utilise the log rolling functionality in windows that was coded in the latest build? or is it just happening automagically out of the box with some defaults?

zwass

06/22/2021, 10:00 PM

Is anyone aware of something in osquery (4.5.0) that could be making this WMI call?

SELECT * FROM Win32_Process WHERE ProcessId=2500

I can't find anything that refers to

Win32_Process

except within one of the WMI tests.

Sebastiaan

07/03/2021, 6:15 PM

Hi! I have a quick question, on windows I keep getting: "FRN pathname lookup failed, trying parent: Failed to open file in volume C:\. Error: The specified path is invalid." after I enabled ntfs_event_publisher does anyone know how to fix this issue?

Aman Kumar Chagti

07/05/2021, 10:38 AM

Hii, if there is any way to retrieve aall installed packages on my windows server using osquery

fritz

07/06/2021, 8:30 PM

@Utsav Shah if you are running osquery as sudo/root it should be able to pull from any SID in HKEY_USERS

MoodyMudit

07/14/2021, 7:33 AM

Hi, is there a way to get process events in windows using osqueryd? I know that we can use process_events table for Linux, but is there something similar for windows too?

Julia Cox

08/12/2021, 2:33 PM

thanks, I didn't know about that target! Will give it a try

Julia Cox

08/12/2021, 2:33 PM

should I also turn of the auto configure option in visual studio for cmake projects?

Julia Cox

08/12/2021, 5:32 PM

for the record running that

prepare_for_ide

target and disabling automatic cmake configuration in visual studio fixed my problems! Thank you!

🎉 2

😮 1