Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
j
Jaylen
07/08/2021, 5:02 AMHi all , I am new to os query. I have a question and this is based on my understanding. can os query alert on short live process such a malware activity ( opening cmd.exe from winword) and if that process is terminated with in a very short time can we monitor those. because a query on os query will return results only when we run the search. what if we were not running the search at the time of malware activity. It would a potential miss right.
p
puffycid
07/08/2021, 10:32 AMI just checked osquery schema for 4.9.0 and I don't think osquery has any process monitoring event tables for windows? The proc events table is Linux and Mac only?
🙁
If process auditing is enabled on windows U could try parsing the windows event logs (4688) and reconstruct process trees to see if if winword spawned cmd
But those logs typically roll fast
Other tables/ideas that could provide insight on historical winword spawning cmd could be:
Shimcache-the table shows files that were executed in the order they were executed from bottom to top. So if u see cmd following winword it may be an indicator that winword spawned it (but it could also be the user opening winword and then manually opening cmd)
Prefetch-if winword.exe accessed cmd.exe within the first 10 seconds of execution it could be an indicator of winword launching cmd.exe
Office_mru- it won't show cmd.exe but usually malicious docs/phishes launch cmd. Office_mru shows recently opened office files. Which could be helpful
None of the tables above will show process args (except the event logs if u have any)
Also I don't think osquery does any alerting, a management tool is required to generate the alert. Osquery would just provide the data
Hope that helps a bit
:ty: 1
Others may have additional ideas
s
seph
07/08/2021, 10:55 AMAs you noticed, osquery generally returns data based on time of query. To handle the case you describe, there is also an event model. The evented tables use event based apis and store data until its queried.
Though there may not be an appropriate evented table for your needs. (As puffycid describes)
:ty: 1
j
Jaylen
07/08/2021, 12:00 PMYeah guys thanks for your suggestions
s
seph
07/08/2021, 12:30 PMHrm... this should be in the windows events. And there is an evented table for that
j
Jaylen
07/08/2021, 2:00 PMYeah event id 4688.
s
seph
07/08/2021, 2:03 PMhttps://osquery.io/schema/4.9.0#windows_events is an evented table. It can also be very high volume if you configure all the sources.
I don’t have a handy doc for it, but you’ll need to work through the command line options to enable events, and enable this kind of event. https://osquery.readthedocs.io/en/stable/installation/cli-flags/#daemon-runtime-control-flags
Look for
Windows-only events controlj
Jaylen
07/08/2021, 4:52 PMThanks seph