bashoneliner
05/28/2020, 1:02 PM
process_events table. I.e., I cannot see Microsoft Word/Excel or Pages being launched; I do, however, see some "helper" process events from things like Slack, Chrome, everything run from the command line, etc. I don't use any filters and just used `select * from process_events;`.
However, if I'm cross-checking execve events via Crescendo (https://github.com/SuprHackerSteve/Crescendo), which uses the Endpoint Security Framework, I see GUI app launches in the logs, i.e.:
```
Event Type: process::exec
Process: /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
Pid: 7897 (Parent) -> 1
User: xxxxxxxxx
Timestamp: 1590670734433
Platform Binary: false
Signing ID: com.microsoft.Word
Props:
{
    action = "ES_AUTH_RESULT_ALLOW";
    argc = 1;
    argv = "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word ";
    isplatformbin = false;
    ppid = 1;
    signingid = "com.microsoft.Word";
    size = 39892064;
    teamid = UBF8T346G9;
}
```
I'm on osquery 4.3.0 and macOS 10.15.4 if that helps.
sharvil
05/29/2020, 6:27 AM
```
osquery> select pid, path, cmdline from process_events where path LIKE '/Applications/%';
pid = 56813
path = /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
cmdline = /Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word

pid = 56814
path = /Applications/Microsoft Word.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2
cmdline = /Applications/Microsoft Word.app/Contents/SharedSupport/Office365ServiceV2.app/Contents/MacOS/Office365ServiceV2

pid = 56821
path = /Applications/Pages.app/Contents/MacOS/Pages
cmdline = /Applications/Pages.app/Contents/MacOS/Pages

osquery>
```
The only difference is that I am on 10.5.3.
bashoneliner
05/29/2020, 7:42 AM
```
sudo osqueryi --disable_audit=false --events_expiry=1 --events_max=50000 --disable_events=false
Using a virtual database. Need help, type '.help'
osquery> select pid, path, cmdline from process_events where path LIKE '/Applications/%';
osquery>
```
audit_control settings are the same as documented here: https://github.com/osquery/osquery/blob/a8469d63f102d9cd4e50ce3377fbb7ffc216ea64/docs/wiki/deployment/process-auditing.md#macos-process--socket-auditing