
sean.cavanaugh

10/31/2019, 5:12 PM
I’ve got an issue with the processes table returning incorrect data on 3.4.0. with the conhost.exe_incorrect_path query in the windows attack pack. The query

SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!='';

returned conhost.exe for the name field, but it returned C:\Program Files (x86)\Google\Chrome\Application\chrome.exe for the path value with a cmdline value for the chrome.exe entry listed in path.

theopolis

10/31/2019, 5:35 PM
It looks like the query and results are ok. The query is filtering based on “name” but you’re talking about values seen on “cmdline”, maybe I’m confused?

sean.cavanaugh

10/31/2019, 7:03 PM
Yes, the query is correct, but the underlying process event seems to be confused since it lists a path and cmdline for a chrome process and not conhost.