Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
alessandrogario
03/16/2020, 9:49 PM@sundsta for process_file_events on Windows, take a look at this article: https://twitter.com/trailofbits/status/1239509917196865537
😛artyparrot: 2
❤️ 1
s
sundsta
03/16/2020, 9:50 PMJust posted today! Thanks a bunch
This looks similar to file_events though, which does not include the context of the process
a
alessandrogario
03/16/2020, 9:51 PMThat is true, it is not possible to retrieve it from the NTFS journal
The only ways (that I know of) to get it is to either use a kernel driver (which is a little frowned upon in osquery) or attempt to use the Audit ACL (but that would mean changing system state)
s
sundsta
03/16/2020, 9:54 PMI’m not super familiar with Windows internals. Is the Audit ACL similar to the audit system on Linux?
a
alessandrogario
03/16/2020, 9:56 PM(random article) https://www.varonis.com/blog/windows-file-system-auditing/
Audit is a system call tracing facility, and that is why it was possible to implement those tables (on Linux)
s
sundsta
03/16/2020, 10:40 PMThanks. It seems like I can get most of what I want through that and then having osquery send back the data from windows_events