Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
thor
09/25/2019, 4:15 AM@Mario De Tore you might try askin in the #windows channel. I'd be curious what scheduled queries, and more importantly decorators, you have configured. Osquery has a table for enumerating the users on the system, as well as domain user profiles that have logged on to the box, so it could be that that you're seeing if you decorate your logs with the logged in user
m
Mario De Tore
09/25/2019, 4:19 AMnothing fancy with decorators:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
- SELECT version AS osquery_version FROM osquery_info;able to recreate the windows event generation with my VM (based on our golden image) by running the processes query:
select * from processes;same windows eventing behavior regardless if query was scheduled or ad-hoc/distributed
a
alessandrogario
09/25/2019, 9:25 AMThis is happening with events enabled right?
m
Mario De Tore
09/25/2019, 9:44 AMNope, events are disabled now.
I'm guessing its something unique to our environment vice an osquery/launcher issue.
Our relationship with IT isn't exactly the greatest, so they often push system changes without giving us a heads-up.
we retain configuration control for our agents though
but if IT tweaks something in GPO or audit policy we usually find out about it later
a
alessandrogario
09/25/2019, 10:07 AMInteresting, we should try to reproduce this
✔️ 1
m
Mario De Tore
09/25/2019, 11:30 AMOk, if I can RCA it I'll let you know. Our Windows deployment is a bit non-standard, so likely is going to be some odd edge case.
s
seph
09/25/2019, 1:06 PMyou've isolated the query, that's a great start. next up, we should look at the code to see what it's doing.
This is an optional part of the windows threat detection stuff. It’s an audit log on some API, to try to catch threat actors enumerating accounts. The microsoft recommendation seems to be adjust your rules to whitelist things. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798
If I had to guess, I think it’s probably being triggered by
getGidFromSidgetUidFromSidp
packetzero
09/25/2019, 5:51 PMSeeing osquery cause an 4798 event is normal. The only thing you can do is to configure your event monitoring to treat it as such.
s
seph
09/25/2019, 6:10 PMSo you think there isn’t a different API we could use?
Dumped into https://github.com/osquery/osquery/issues/5840 for posterity and future searches
👍 1
p
packetzero
09/25/2019, 11:17 PMThe users table for example, I tried to enumerate the users without causing events like 4798 or 4799, and didn't have any luck. I ended up caching users for 30 seconds to cut down a bit.