#general
thor

09/25/2019, 4:15 AM
@Mario De Tore you might try asking in the #windows channel. I'd be curious what scheduled queries, and more importantly decorators, you have configured. Osquery has a table for enumerating the users on the system, as well as domain user profiles that have logged on to the box, so it could be that that's what you're seeing if you decorate your logs with the logged-in user
Mario De Tore

09/25/2019, 4:19 AM
nothing fancy with decorators:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
      - SELECT version AS osquery_version FROM osquery_info;
4:20 AM
able to recreate the windows event generation with my VM (based on our golden image) by running the processes query:
select * from processes;
4:21 AM
same windows eventing behavior regardless if query was scheduled or ad-hoc/distributed
alessandrogario

09/25/2019, 9:25 AM
This is happening with events enabled right?
Mario De Tore

09/25/2019, 9:44 AM
Nope, events are disabled now.
9:45 AM
I'm guessing it's something unique to our environment vice an osquery/launcher issue.
9:46 AM
Our relationship with IT isn't exactly the greatest, so they often push system changes without giving us a heads-up.
9:46 AM
we retain configuration control for our agents though
9:46 AM
but if IT tweaks something in GPO or audit policy we usually find out about it later
alessandrogario

09/25/2019, 10:07 AM
Interesting, we should try to reproduce this
Mario De Tore

09/25/2019, 11:30 AM
Ok, if I can RCA it I'll let you know. Our Windows deployment is a bit non-standard, so likely is going to be some odd edge case.
seph

09/25/2019, 1:06 PM
you've isolated the query, that's a great start. next up, we should look at the code to see what it's doing.
1:18 PM
This is an optional part of the Windows threat detection stuff. It's an audit log on some API, to try to catch threat actors enumerating accounts. The Microsoft recommendation seems to be to adjust your rules to whitelist things. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798 If I had to guess, I think it's probably being triggered by getGidFromSid or getUidFromSid in https://github.com/osquery/osquery/blob/master/osquery/process/windows/process_ops.cpp
packetzero

09/25/2019, 5:51 PM
Seeing osquery cause a 4798 event is normal. The only thing you can do is to configure your event monitoring to treat it as such.
seph

09/25/2019, 6:10 PM
So you think there isn’t a different API we could use?
7:57 PM
Dumped into https://github.com/osquery/osquery/issues/5840 for posterity and future searches
packetzero

09/25/2019, 11:17 PM
The users table for example, I tried to enumerate the users without causing events like 4798 or 4799, and didn't have any luck. I ended up caching users for 30 seconds to cut down a bit.