defensivedepth
09/20/2021, 1:04 PM

Juan Alvarez
09/23/2021, 7:21 AM

Mike Myers
09/24/2021, 5:59 PM

defensivedepth
11/15/2021, 2:33 PM
WSC_SECURITY_PROVIDER::WSC_SECURITY_PROVIDER_ANTISPYWARE should be used only in operating systems prior to Windows 10, version 1607. As of Windows 10, version 1607, WSC continues to track the status for antivirus, but not for anti-spyware.
Ran across that note here: https://docs.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider
The antispyware column in this table relies on this: https://osquery.io/schema/5.0.1/#windows_security_center
I have confirmed that on a Win10 v20H2, osquery still returns Good for this column.
I am thinking we probably need to deprecate that column. Thoughts?

Aman Kumar Chagti
11/28/2021, 7:07 AM

defensivedepth
11/29/2021, 2:42 PM
windows_security_products (https://osquery.io/schema/5.0.1/#windows_security_products) no longer works after upgrading to v5.
Just confirmed with a fresh install of 4.9.0, works as expected. Same system, install 5.0.1 and when I try to query the table, osqueryi exits.
Faulting application name: osqueryi.exe, version: 5.0.1.0, time stamp: 0x6131a086
Faulting module name: osqueryi.exe, version: 5.0.1.0, time stamp: 0x6131a086
Exception code: 0xc0000005
Fault offset: 0x00000000008e00f6
Faulting process id: 0x24f8
Faulting application start time: 0x01d7e52e0c77561a
Faulting application path: C:\Program Files\osquery\osqueryi.exe
Faulting module path: C:\Program Files\osquery\osqueryi.exe
Report Id: 4087572f-a5c1-47e7-a1e5-496279fcf399
Faulting package full name:
Faulting package-relative application ID:
defensivedepth
11/29/2021, 7:44 PM
windows_security_center works, but windows_security_products crashes osquery. On my test system, results were returned / osquery didn't crash after about 5 min of uptime.

Julian Scala
12/01/2021, 6:49 PM
UTC","unixTime":"1638380224","severity":"2","filename":"aws_util.cpp","line":"214","message":"Exception making HTTP request to URL (https:\/\/kinesis.us-east-1.amazonaws.com): Failed to connect to kinesis.us-east-1.amazonaws.com:443: The requested name is valid, but no data of the requested type was found","version":"4.9.0"}
We are using the Kinesis logger plugin; all of our endpoints are able to publish, but a small subset is throwing this error.

Julia Cox
12/13/2021, 5:10 PM

CyberUnify
12/21/2021, 9:53 AM

zhong
12/21/2021, 8:34 PM
windows_events using SELECT * FROM windows_events WHERE keywords = "Audit Success"; but getting this output. How would I go about enabling events?

Juan Alvarez
12/22/2021, 11:48 AM
logger_tls_max_lines to the maximum (99999). Any suggested configuration or experience from somebody?

fritz
12/28/2021, 3:37 PM
kolide_windows_updates table

Adam S
12/30/2021, 3:19 AM
thor

CyberUnify
01/07/2022, 8:08 AM

Adam S
01/07/2022, 3:18 PM

Ted Dorosheff
01/22/2022, 2:40 PM
osqueryi.exe --flagfile=osquery.flags from C:\Program Files\osquery. Remote config (FleetDM) is successfully loaded, as corroborated by running --tls_dump in another separate process at another time (no conflicting PIDs).
2. Within osqueryi.exe run select * from osquery_events;. ntfs_journal_events and powershell_events are active.
3. From PowerShell (though I have also tested via UI and CMD shell) write text files to directories monitored via file_paths. ex: - 'C:\Windows\Temp\' is listed in `file_paths` and I write text files to this directory, as well as modify existing files within this directory.
4. Back in my osqueryi.exe shell, run select * from osquery_events; again and see that those test events have still not changed the events counter for ntfs_journal_events or powershell_events. Both of those tables still read 0 events.

Ted Dorosheff
01/22/2022, 2:46 PM
file_paths. Have tried all listed variants:
C:\Windows\Temp\ <- should monitor for changes to files/directories within Temp
C:\Windows\Temp\% <- same as above
C:\Windows\Temp\%% <- monitor for changes to files/directories recursively within Temp
Is my logic on the wildcards correct?

Ted Dorosheff
01/24/2022, 3:54 PM
osquery> I0124 07:36:52.546579 8828 eventfactory.cpp:352] The minimum events expiration timeout for ntfs_journal_events has been adjusted: 240
However, after performing my same test to see if i can generate some events in the ntfs_journal_events table, i'm still not getting anything. Once again my testing procedure is:
1. In an admin shell, run osqueryi.exe --flagfile=osquery.flags. The interactive shell starts without issue.
2. Run `select * from osquery_events` confirming active subscribers/publishers, including ntfs_journal_events (both the event publisher and subscriber are active).
3. Modify file C:\Windows\Temp\test.txt. Modifications include additional text as well as changed permissions.
4. Repeat step 2 in the same admin shell, observe no change to event count of ntfs_journal_events. I also confirmed this by running select * from ntfs_journal_events; which returned nothing.

defensivedepth
01/25/2022, 10:34 AM

Ted Dorosheff
02/04/2022, 2:17 PM
ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Temporary Internet Files\ while building FRN set
In the case of the file path listed above, I believe the reason that this error occurred is because that path does not actually exist. I figured that osquery was trying to add the directory because the path was listed in my file_paths within config. However it does not! So that is odd behavior.
Though "C:\\Users\\%\\AppData\\Local\\%" is listed in my config, and so logically osquery enumerates Local and monitors everything within, why would it try to add a directory that is not within Local? How does it even know about the directory "Temporary Internet Files"?
"file_paths": {
"windows": [
"C:\\Windows\\%",
"C:\\Windows\\Temp\\%",
"C:\\Windows\\System32\\drivers\\%",
"C:\\Windows\\SysWOW64\\drivers\\%",
"C:\\Windows\\System32\\Wbem\\%",
"C:\\Windows\\SysWOW64\\Wbem\\%",
"C:\\Windows\\System32\\WindowsPowerShell\\%",
"C:\\Windows\\SysWOW64\\WindowsPowerShell\\%",
"C:\\Windows\\Tasks\\%",
"C:\\Windows\\System32\\Tasks\\%",
"C:\\Windows\\AppPatch\\Custom\\%"
],
"Users": [
"C:\\Users\\%\\AppData\\Roaming\\%",
"C:\\Users\\%\\AppData\\Local\\%",
"C:\\Users\\%\\AppData\\Local\\Temp\\%",
"C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%",
"C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%",
"C:\\Users\\%\\Default\\%"
]
},
"exclude_paths": {
"windows": [
"C:\\Windows\\system32\\DriverStore\\Temp\\%",
"C:\\Windows\\system32\\wbem\\Performance\\%",
"C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%",
"C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%",
"C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%"
]
}
Ted Dorosheff
02/07/2022, 3:13 PM

Hugh (Zercurity)
02/16/2022, 8:47 PM
SELECT
COUNT(*) AS passed
FROM
registry
WHERE
key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
AND name = 'NoAutoUpdate'
AND data = '0';
Hugh (Zercurity)
02/16/2022, 8:48 PM

dram
02/18/2022, 11:30 PM

Luke Wolfenden
02/24/2022, 3:32 PM

MarkMurdock
02/25/2022, 5:50 AM

Ojas
02/25/2022, 7:27 AM

Ted Dorosheff
02/25/2022, 9:51 PM
file_paths:
Users:
- 'C:\\Users\\%\\AppData\\Roaming\\%'
- 'C:\\Users\\%\\AppData\\Local\\%'
- 'C:\\Users\\%\\AppData\\Local\\temp\\%'
- 'C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%'
- 'C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%'
- 'C:\\Users\\%\\Default\\%'
Windows:
- 'C:\\Windows\\%'
- 'C:\\Windows\\Temp\\%'
- 'C:\\Windows\\System32\\Drivers\\%'
- 'C:\\Windows\\SysWOW64\\Drivers\\%'
- 'C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\%'
- 'C:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\%'
- 'C:\\Windows\\System32\\Wbem\\%'
- 'C:\\Windows\\SysWOW64\\Wbem\\%'
- 'C:\\Windows\\System32\\WindowsPowerShell\\%'
- 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\%'
- 'C:\\Windows\\Tasks\\%'
- 'C:\\Windows\\System32\\Tasks\\%'
- 'C:\\Windows\\AppPatch\\Custom\\%'
- 'C:\\Windows\\system32\\DriverStore\\Temp\\%'
- 'C:\\Windows\\system32\\wbem\\Performance\\%'
- 'C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%'
- 'C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%'
- 'C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%'
ProgramData:
- 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%'
- 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%'
exclude_paths:
Windows:
- 'C:\\Windows\\Prefetch\\%'