Title
#general
j

Jaylen

07/08/2021, 5:02 AM
Hi all , I am new to os query. I have a question and this is based on my understanding. can os query alert on short live process such a malware activity ( opening cmd.exe from winword) and if that process is terminated with in a very short time can we monitor those. because a query on os query will return results only when we run the search. what if we were not running the search at the time of malware activity. It would a potential miss right.
puffycid

puffycid

07/08/2021, 10:32 AM
I just checked osquery schema for 4.9.0 and I don't think osquery has any process monitoring event tables for windows? The proc events table is Linux and Mac only?🙁 If process auditing is enabled on windows U could try parsing the windows event logs (4688) and reconstruct process trees to see if if winword spawned cmd But those logs typically roll fast Other tables/ideas that could provide insight on historical winword spawning cmd could be: Shimcache-the table shows files that were executed in the order they were executed from bottom to top. So if u see cmd following winword it may be an indicator that winword spawned it (but it could also be the user opening winword and then manually opening cmd) Prefetch-if winword.exe accessed cmd.exe within the first 10 seconds of execution it could be an indicator of winword launching cmd.exe Office_mru- it won't show cmd.exe but usually malicious docs/phishes launch cmd. Office_mru shows recently opened office files. Which could be helpful None of the tables above will show process args (except the event logs if u have any) Also I don't think osquery does any alerting, a management tool is required to generate the alert. Osquery would just provide the data Hope that helps a bit
10:42 AM
Others may have additional ideas
s

seph

07/08/2021, 10:55 AM
As you noticed, osquery generally returns data based on time of query. To handle the case you describe, there is also an event model. The evented tables use event based apis and store data until its queried. Though there may not be an appropriate evented table for your needs. (As puffycid describes)
j

Jaylen

07/08/2021, 12:00 PM
Yeah guys thanks for your suggestions
s

seph

07/08/2021, 12:30 PM
Hrm... this should be in the windows events. And there is an evented table for that
j

Jaylen

07/08/2021, 2:00 PM
Yeah event id 4688.
s

seph

07/08/2021, 2:03 PM
https://osquery.io/schema/4.9.0#windows_events is an evented table. It can also be very high volume if you configure all the sources. I don’t have a handy doc for it, but you’ll need to work through the command line options to enable events, and enable this kind of event. https://osquery.readthedocs.io/en/stable/installation/cli-flags/#daemon-runtime-control-flags
2:04 PM
Look for
Windows-only events control
in that doc
j

Jaylen

07/08/2021, 4:52 PM
Thanks seph