# general
t
@Mario De Tore you might try asking in the #windows channel. I'd be curious what scheduled queries, and more importantly decorators, you have configured. Osquery has a table for enumerating the users on the system, as well as domain user profiles that have logged on to the box, so it could be what you're seeing if you decorate your logs with the logged-in user.
m
nothing fancy with decorators:
```yaml
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
- SELECT version AS osquery_version FROM osquery_info;
```
able to recreate the windows event generation with my VM (based on our golden image) by running the processes query:
```sql
select * from processes;
```
same windows eventing behavior regardless of whether the query was scheduled or ad-hoc/distributed
a
This is happening with events enabled right?
m
Nope, events are disabled now.
I'm guessing it's something unique to our environment vice an osquery/launcher issue.
Our relationship with IT isn't exactly the greatest, so they often push system changes without giving us a heads-up.
we retain configuration control for our agents though
but if IT tweaks something in GPO or audit policy we usually find out about it later
a
Interesting, we should try to reproduce this
✔️ 1
m
Ok, if I can RCA it I'll let you know. Our Windows deployment is a bit non-standard, so it's likely going to be some odd edge case.
s
you've isolated the query, that's a great start. next up, we should look at the code to see what it's doing.
This is an optional part of the windows threat detection stuff. It’s an audit log on some API, to try to catch threat actors enumerating accounts. The Microsoft recommendation seems to be to adjust your rules to whitelist things. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798 If I had to guess, I think it’s probably being triggered by `getGidFromSid` or `getUidFromSid` in https://github.com/osquery/osquery/blob/master/osquery/process/windows/process_ops.cpp
p
Seeing osquery cause a 4798 event is normal. The only thing you can do is to configure your event monitoring to treat it as such.
s
So you think there isn’t a different API we could use?
Dumped into https://github.com/osquery/osquery/issues/5840 for posterity and future searches
👍 1
p
The users table for example, I tried to enumerate the users without causing events like 4798 or 4799, and didn't have any luck. I ended up caching users for 30 seconds to cut down a bit.