<@UJ41YH5JP> for process_file_events on Windows, t...
# corea
alessandrogario
03/16/2020, 9:49 PM
@sundsta for process_file_events on Windows, take a look at this article: https://twitter.com/trailofbits/status/1239509917196865537
🦜 2
❤️ 1
s
sundsta
03/16/2020, 9:50 PMJust posted today! Thanks a bunch
sundsta
03/16/2020, 9:51 PMThis looks similar to file_events though, which does not include the context of the process
a
alessandrogario
03/16/2020, 9:51 PM
That is true, it is not possible to retrieve it from the NTFS journal
alessandrogario
03/16/2020, 9:52 PM
The only ways (that I know of) to get it is to either use a kernel driver (which is a little frowned upon in osquery) or attempt to use the Audit ACL (but that would mean changing system state)
s
sundsta
03/16/2020, 9:54 PMI’m not super familiar with Windows internals. Is the Audit ACL similar to the audit system on Linux?
a
alessandrogario
03/16/2020, 9:56 PM
(random article) https://www.varonis.com/blog/windows-file-system-auditing/
alessandrogario
03/16/2020, 9:57 PM
Audit is a system call tracing facility, and that is why it was possible to implement those tables (on Linux)
s
sundsta
03/16/2020, 10:40 PMThanks. It seems like I can get most of what I want through that and then having osquery send back the data from windows_events
4 Views