Channels
#general
Title
d
Dschm2055
03/01/2019, 9:18 PMIs there anyone that can shed some light on why when I execute SELECT * FROM processes WHERE LOWER(name)='conhost.exe' AND LOWER(path)!='c:\\windows\\system32\\conhost.exe' AND path!=''; on a host using osqueryi or through Kolide, I only get results for processes named conhost.exe and are located in C:\Windows\System32\conhost.exe even though I would be expecting it to be doing the opposite? This query came right from the osquery packs directory on a Windows install of 3.3.2. It seems to be doing the exact opposite of what I want it to do, but I can't seem to figure out why.
z
zwass
03/01/2019, 9:19 PM
LOWER(name)='conhost.exe'conhost.exeBut it does seem like the second clause should filter out the ones you don't want
d
Dschm2055
03/01/2019, 9:21 PMThat was what I was thinking.. this came from the osquery packs that are installed via the msi and are supposed to be for finding incorrect paths of conhost.exe processes
z
zwass
03/01/2019, 9:22 PM
I suspect your double backslashes are causing problems
d
Dschm2055
03/01/2019, 9:22 PMisnt that how you need to escape windows paths?
z
zwass
03/01/2019, 9:22 PM
double
try single backslashes
unless it's in JSON when (iirc) you need a \\ to get a \ after escaping
d
Dschm2055
03/01/2019, 9:25 PMit looks like that was the issue. im a little confused as to why though. were you saying you only need the \\ in JSON and not when executing directly in osquery?
interesting
i guess that would be the difference from where I was pulling from in the packs.
Thanks for the work through!
z
zwass
03/01/2019, 9:27 PM
Yes, exactly. The packs are parsed from JSON.
It's an unfortunate side effect of the packs being in JSON that the queries don't directly translate.
d
Dschm2055
03/01/2019, 9:28 PMim seeing that now. makes a lot more sense.
BTW. Kolide is awesome. Nice work with it!
z
zwass
03/01/2019, 9:31 PM
Glad you are enjoying. Thanks 🙂
3 Views