Title
#general
Mystery Incorporated

Mystery Incorporated

04/02/2021, 11:00 AM
Hello, is it possible to rename the windows service/linux daemon so that a malicious script that gains elevated privileges doesn't just search for osqueryd running and kill it? Of course not saving in C:\Program Files\osquery would be a requirement of this.
theopolis

theopolis

04/02/2021, 1:38 PM
There is no native support for this renaming.
Mystery Incorporated

Mystery Incorporated

04/03/2021, 4:55 AM
It might be something to consider, because a malicious executable the gains elevated privilege could simply hunt for osqueryd and kill it before it can generate a log.
David J Davis

David J Davis

04/04/2021, 12:07 AM
You can install it in any folder you want, you can also have the service named anything you want. I have not tried renaming the binary.
Mystery Incorporated

Mystery Incorporated

04/05/2021, 5:16 AM
@David J Davis yea renaming the binary I feel is the issue, I tried and it wouldn't start