Hi all , I am new to os query. I have a question and this is based on my understanding. can os query alert on short live process such a malware activity ( opening cmd.exe from winword) and if that process is terminated with in a very short time can we monitor those. because a query on os query will return results only when we run the search. what if we were not running the search at the time of malware activity. It would a potential miss right.
07/08/2021, 10:32 AM
I just checked osquery schema for 4.9.0 and I don't think osquery has any process monitoring event tables for windows? The proc events table is Linux and Mac only?
If process auditing is enabled on windows U could try parsing the windows event logs (4688) and reconstruct process trees to see if if winword spawned cmd
But those logs typically roll fast
Other tables/ideas that could provide insight on historical winword spawning cmd could be:
Shimcache-the table shows files that were executed in the order they were executed from bottom to top. So if u see cmd following winword it may be an indicator that winword spawned it (but it could also be the user opening winword and then manually opening cmd)
Prefetch-if winword.exe accessed cmd.exe within the first 10 seconds of execution it could be an indicator of winword launching cmd.exe
Office_mru- it won't show cmd.exe but usually malicious docs/phishes launch cmd. Office_mru shows recently opened office files. Which could be helpful
None of the tables above will show process args (except the event logs if u have any)
Also I don't think osquery does any alerting, a management tool is required to generate the alert. Osquery would just provide the data
Hope that helps a bit
Others may have additional ideas
07/08/2021, 10:55 AM
As you noticed, osquery generally returns data based on time of query. To handle the case you describe, there is also an event model. The evented tables use event based apis and store data until its queried.
Though there may not be an appropriate evented table for your needs. (As puffycid describes)
07/08/2021, 12:00 PM
Yeah guys thanks for your suggestions
07/08/2021, 12:30 PM
Hrm... this should be in the windows events. And there is an evented table for that