Hello! I'm running osquery on Windows. The service...
# generalr
Ronald Ratzlaff
06/03/2024, 10:53 PMHello! I'm running osquery on Windows. The service is starting and running without issues, and the logger_plugin is set to 'filesystem'. Howerver I get zero results in the osqueryd.results.log file. What am I missing?
s
seph
06/04/2024, 2:15 AM
Do you have any scheduled queried to produce results?
r
Ronald Ratzlaff
06/04/2024, 6:08 PMI have multiple. I've been using a config file and flags file for windows I found on github.
Here's the flags file:
--allow_unsafe--config_path="c:\Program Files\osquery\osquery.conf"--disable_events=true--disable_tables=windows_events--host_identifier=hostname--logger_min_status=1--logger_plugin=filesystem--verbose=true{"options": {"logger_snapshot_event_type": "true","schedule_splay_percent": 10},"platform": "windows","schedule": {"appcompat_shims": {"query": "SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe');","interval": 60,"description": "Appcompat shims (.sdb files) installed on Windows hosts."},"bitlocker_info_snapshot": {"query": "SELECT * FROM bitlocker_info;","interval": 60,"description": "Disk encryption status and information snapshot query."},"certificates": {"query": "SELECT * FROM certificates WHERE path!='Other People';","interval": 60,"description": "List all certificates in the trust store","removed": false},"certificates_snapshot": {"query": "SELECT * FROM certificates WHERE path!='Other People';","interval": 60,"description": "List all certificates in the trust store (snapshot query)","snapshot": true},"chocolatey_packages": {"query": "SELECT * FROM chocolatey_packages;","interval": 3600,"description": "List installed Chocolatey packages"},"chrome_extensions": {"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);","interval": 3600,"description": "List installed Chrome Extensions for all users"},"chrome_extensions_snapshot": {"query": "SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);","interval": 28800,"description": "Snapshot query for Chrome extensions"},"drivers": {"query": "SELECT * FROM drivers;","interval": 3600,"description": "List in-use Windows drivers"},"drivers_snapshot": {"query": "SELECT * FROM drivers;","interval": 28800,"description": "Drivers snapshot query","snapshot": true},"etc_hosts": {"query": "SELECT * FROM etc_hosts;","interval": 3600,"description": "List the contents of the Windows hosts file"},"ie_extensions": {"query": "SELECT * FROM ie_extensions;","interval": 3600,"description": "List installed Internet Explorer extensions"},"kernel_info": {"query": "SELECT * FROM kernel_info;","interval": 3600,"description": "List the kernel path, version, etc."},"network_interfaces_snapshot": {"query": "SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details d USING (interface);","interval": 600,"description": "Retrieve the interface name, IP address, and MAC address for all interfaces on the host.","snapshot": true},"os_version": {"query": "SELECT * FROM os_version;","interval": 60,"description": "List the version of the resident operating system"},"os_version_snapshot": {"query": "SELECT * FROM os_version;","interval": 28800,"description": "Operating system version snapshot query","snapshot": true},"osquery_info": {"query": "SELECT * FROM osquery_info;","interval": 28800,"description": "Information about the resident osquery process","snapshot": true},"patches": {"query": "SELECT * FROM patches;","interval": 3600,"description": "Lists all the patches applied","removed": false},"patches_snapshot": {"query": "SELECT * FROM patches;","interval": 28800,"description": "Patches snapshot query","snapshot": true},"pipes": {"query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);","interval": 3600,"description": "Named and Anonymous pipes.","removed": false},"pipes_snapshot": {"query": "SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, pipes.name, pid FROM pipes JOIN processes USING (pid);","interval": 28800,"description": "Pipes snapshot query","snapshot": true},"programs": {"query": "SELECT * FROM programs;","interval": 3600,"description": "Lists installed programs"},"programs_snapshot": {"query": "SELECT * FROM programs;","interval": 28800,"description": "Programs snapshot query","snapshot": true},"scheduled_tasks": {"query": "SELECT * FROM scheduled_tasks;","interval": 3600,"description": "Lists all of the tasks in the Windows task scheduler"},"scheduled_tasks_snapshot": {"query": "SELECT * FROM scheduled_tasks;","interval": 28800,"description": "Scheduled Tasks snapshot query","snapshot": true},"services": {"query": "SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';","interval": 3600,"description": "Lists all installed services configured to start automatically at boot"},"services_snapshot": {"query": "SELECT * FROM services;","interval": 28800,"description": "Services snapshot query","snapshot": true},"shared_resources": {"query": "SELECT * FROM shared_resources;","interval": 3600,"description": "Displays shared resources on a computer system running Windows. This may be a disk drive, printer, interprocess communication, or other sharable device."},"shared_resources_snapshot": {"query": "SELECT * FROM shared_resources;","interval": 28800,"description": "Shared resources snapshot query","snapshot": true},"system_info": {"query": "SELECT * FROM system_info;","interval": 3600,"description": "System information for identification."},"system_info_snapshot": {"query": "SELECT * FROM system_info;","interval": 28800,"description": "System info snapshot query","snapshot": true},"uptime": {"query": "SELECT * FROM uptime;","interval": 3600,"description": "System uptime","snapshot": true},"users": {"query": "SELECT * FROM users;","interval": 3600,"description": "Local system users."},"users_snapshot": {"query": "SELECT * FROM users;","interval": 28800,"description": "Users snapshot query","snapshot": true},"windows_crashes": {"query": "SELECT * FROM windows_crashes;","interval": 3600,"description": "Extracted information from Windows crash logs (Minidumps).","removed": false},"wmi_cli_event_consumers": {"query": "SELECT * FROM wmi_cli_event_consumers;","interval": 3600,"description": "WMI CommandLineEventConsumer, which can be used for persistence on Windows. See <https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf> for more details."},"wmi_cli_event_consumers_snapshot": {"query": "SELECT * FROM wmi_cli_event_consumers;","interval": 28800,"description": "Snapshot query for WMI event consumers.","snapshot": true},"wmi_event_filters": {"query": "SELECT * FROM wmi_event_filters;","interval": 3600,"description": "Lists WMI event filters."},"wmi_event_filters_snapshot": {"query": "SELECT * FROM wmi_event_filters;","interval": 28800,"description": "Snapshot query for WMI event filters.","snapshot": true},"wmi_filter_consumer_binding": {"query": "SELECT * FROM wmi_filter_consumer_binding;","interval": 3600,"description": "Lists the relationship between event consumers and filters."},"wmi_filter_consumer_binding_snapshot": {"query": "SELECT * FROM wmi_filter_consumer_binding;","interval": 28800,"description": "Snapshot query for WMI filter consumer bindings.","snapshot": true},"wmi_script_event_consumers": {"query": "SELECT * FROM wmi_script_event_consumers;","interval": 3600,"description": "WMI ActiveScriptEventConsumer, which can be used for persistence on Windows. See <https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf> for more details."},"wmi_script_event_consumers": {"query": "SELECT * FROM wmi_script_event_consumers;","interval": 28800,"description": "Snapshot query for WMI script event consumers.","snapshot": true}},"packs": {"performance-metrics": "packs/performance-metrics.conf","security-tooling-checks": "packs/security-tooling-checks.conf","unwanted-chrome-extensions": "packs/unwanted-chrome-extensions.conf","windows-application-security": "packs/windows-application-security.conf","windows-compliance": "packs/windows-compliance.conf","windows-registry-monitoring": "packs/windows-registry-monitoring.conf","windows-attacks": "packs/windows-attacks.conf"}}76 Views