Thank you both for the info. Wonder if we're unintentionally running a super old version of osquery?
06/22/2021, 10:41 PM
That really seems a version <= 3.3.2
3.4.0 removed the use of that WMI query
06/22/2021, 11:05 PM
06/22/2021, 11:17 PM
What process name is associated with PID 2500?
06/22/2021, 11:18 PM
My suspicion is that 2500 is osquery and it's the watchdog in an older version.
06/22/2021, 11:21 PM
I feel like there's missing info...
Where does this report come from? What's the process listing? Why is this assumed to be osquery, and is there a path associated with the report?
I think your theory is solid -- I'm sure there are vendors shopping osquery from that long ago
06/22/2021, 11:24 PM
This was shared to me privately, so I can only report limited details. My understanding is that WMIMon was used to determine that the osquery process is issuing the query.
06/22/2021, 11:25 PM
FWIW I've debugged a handful of things that ended either being reporting errors, or people running multiple osquery daemons and attributing things to the wrong one.
06/22/2021, 11:29 PM
Yeah, it seems likely. Thank you everyone, this was super helpful! I'll report on what I learn.
Confirmed it was osquery 3.3.2. Seems there may also be a bug in that version that causes queries to sometimes continue running even after being removed from the schedule. I've advised updating.