#general

sonal k

10/12/2021, 12:10 PM
@Stefano Bonicatti @Mike Myers In file_events logs we are not able to identify who has done it. Could you suggest which logs would help identify the IP of the person doing the changes in the file?
Mike Myers

10/12/2021, 4:59 PM
I haven't thought about this, so I don't have an immediate answer. Actually, I don't see how the host IP address is related to file_events. If you want more information about the cause of the file change you could use process_file_events maybe.
sonal k

10/12/2021, 7:42 PM
@Mike Myers In general I was looking for use cases of osquery in file monitoring, like in case of any kernel changes: info regarding the IP of the person who has done the changes, or information about intrusion. Can these things be achieved through osquery? If so, how? Any links you can share?
Mike Myers

10/12/2021, 11:31 PM
It sounds like you're assuming that the scenario you want to monitor for is when a file is changed by a remote attacker in an interactive shell of some kind. In that case, you'd need to check the process responsible for the file change event you see in process_file_events and then determine if that process (or its parent process) had a socket connection open (process_open_sockets). Even then, a process could have multiple connections open. There is no direct line of cause from file change back to remote IP address. Every packet would have to be traced from ingress to the process receiving it, and then traced through that process's execution to perform an analysis of actions it might have caused.
11:32 PM
You might be interested in this https://clo.ng/blog/osquery_reverse_shell/
puffycid

10/12/2021, 11:46 PM
Is the system you're trying to monitor an external webserver? As others mentioned, tracing file changes to an IP will likely require multiple data sources. file_events could be one, but you will probably need another to associate it with an IP. For example, on Windows, by combining the data/timestamps from file_events with IIS logs you may be able to associate it with an IP.