< Mystery Incorporated> If you guys are using Launcher I wil osquery #general

<@U01DFNXHY92> If you guys are using Launcher, I w...

fritz

10/29/2020, 1:49 PM

@Mystery Incorporated If you guys are using Launcher, I will just throw out another 💯 for @seph’s awesome WMI passthrough table (

kolide_wmi

) which allows you to get things like USB devices on Windows. For example I just wrote a PoC query to do exactly that:

Copy code

WITH pnp_raw AS (
  SELECT * FROM kolide_wmi WHERE class = 'Win32_PnPEntity' AND properties = 'Availability,Caption,ClassGuid,CompatibleID,ConfigManagerErrorCode,ConfigManagerUserConfig,CreationClassName,Description,DeviceID,ErrorCleared,ErrorDescription,HardwareID,InstallDate,LastErrorCode,Manufacturer,Name,PNPClass,PNPDeviceID,PowerManagementCapabilities,PowerManagementSupported,Present,Service,Status,StatusInfo,SystemCreationClassName,SystemName'),
pivot_wmi AS (
  SELECT 
    MAX(CASE WHEN key = 'Availability' THEN value END) AS availability,
    MAX(CASE WHEN key = 'Caption' THEN value END) AS caption,
    MAX(CASE WHEN key = 'ClassGuid' THEN value END) AS class_guid,
    MAX(CASE WHEN key = 'CompatibleID' THEN value END) AS compatible_id,
    MAX(CASE WHEN key = 'ConfigManagerErrorCode' THEN value END) AS config_mgr_err_code,
    MAX(CASE WHEN key = 'ConfigManagerUserConfig' THEN value END) AS config_mgr_user_config,
    MAX(CASE WHEN key = 'CreationClassName' THEN value END) AS creation_class_name,
    MAX(CASE WHEN key = 'Description' THEN value END) AS description,
    MAX(CASE WHEN key = 'DeviceID' THEN value END) AS device_id,
    MAX(CASE WHEN key = 'ErrorCleared' THEN value END) AS error_cleared,
    MAX(CASE WHEN key = 'ErrorDescription' THEN value END) AS error_description,
    MAX(CASE WHEN key = 'HardwareID' THEN value END) AS hardware_id,
    MAX(CASE WHEN key = 'InstallDate' THEN value END) AS install_date,
    MAX(CASE WHEN key = 'LastErrorCode' THEN value END) AS last_error_code,
    MAX(CASE WHEN key = 'Manufacturer' THEN value END) AS manufacturer,
    MAX(CASE WHEN key = 'Name' THEN value END) AS name,
    MAX(CASE WHEN key = 'PNPClass' THEN value END) AS pnp_class,
    MAX(CASE WHEN key = 'PNPDeviceID' THEN value END) AS pnp_device_id,
    MAX(CASE WHEN key = 'PowerManagementCapabilities' THEN value END) AS pwr_mgmt_capabilities,
    MAX(CASE WHEN key = 'PowerManagementSupported' THEN value END) AS pwr_mgmt_supported,
    MAX(CASE WHEN key = 'Present' THEN value END) AS present,
    MAX(CASE WHEN key = 'Service' THEN value END) AS service,
    MAX(CASE WHEN key = 'Status' THEN value END) AS status,
    MAX(CASE WHEN key = 'StatusInfo' THEN value END) AS status_info,
    MAX(CASE WHEN key = 'SystemCreationClassName' THEN value END) AS system_creation_class_name,
    MAX(CASE WHEN key = 'SystemName ' THEN value END) AS system_name
  FROM pnp_raw
  GROUP BY parent)
SELECT * FROM pivot_wmi WHERE pnp_class = 'USBDevice'

Arden Shackelford

10/29/2020, 6:04 PM

And if we wanted to get this same kind of data without using Launcher, would that just mean we'd have to manually add a pack or something similar?

fritz

10/29/2020, 6:23 PM

You could try to cobble something together using

registry

queries

seph

10/29/2020, 6:32 PM

Kolide Launcher is a big osquery extension. In this case, it’s providing a custom table to access WMI. I do not think osquery has table that presents that information. So either you find another source (as Fritz says, maybe the registry); patch osquery to add a table; or find an extension that can expose it

fritz

10/29/2020, 7:39 PM

@Arden Shackelford The pattern of existing Windows tables in core osquery leaves a pretty straightforward path to adding WMI based data if you are motivated to open a PR: https://github.com/osquery/osquery/blob/master/osquery/tables/system/windows/cpu_info.cpp

fritz

10/30/2020, 1:13 AM

@Arden Shackelford an example of pursuing the

registry

table route is here:

Copy code

WITH usb_registry_raw AS (
    SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\%\%\%')
SELECT
MAX(CASE WHEN name = 'DeviceDesc' THEN data END) AS device_description,
MAX(CASE WHEN name = 'LocationInformation' THEN data END) AS usb_location,
MAX(CASE WHEN name = 'Capabilities' THEN data END) AS capabilities,
MAX(CASE WHEN name = 'Address' THEN data END) AS address,
MAX(CASE WHEN name = 'ContainerID' THEN data END) AS container_id,
MAX(CASE WHEN name = 'HardwareID' THEN data END) AS hardware_id,
MAX(CASE WHEN name = 'CompatibleIDs' THEN data END) AS compatible_ids,
MAX(CASE WHEN name = 'ClassGUID' THEN data END) AS class_guid,
MAX(CASE WHEN name = 'FriendlyName' THEN data END) AS friendly_name,
MAX(CASE WHEN name = 'Service' THEN data END) AS service,
MAX(CASE WHEN name = 'Driver' THEN data END) AS driver,
MAX(CASE WHEN name = 'Mfg' THEN data END) AS manufacturer,
MAX(CASE WHEN name = 'ConfigFlags' THEN data END) AS config_flags
FROM usb_registry_raw
GROUP BY key

Mystery Incorporated

08/07/2021, 12:37 PM

@seph does Kolide launcher still exist but I guess only for k2 now?

seph

08/07/2021, 12:38 PM

Launcher exists, and is open source. It talks grpc and jsonrpc and can be used with any server that supports those.

👍 1

2 Views

Open in Slack

Previous Next