#windows
zwass
06/22/2021, 10:00 PM
Is anyone aware of something in osquery (4.5.0) that could be making this WMI call?
SELECT * FROM Win32_Process WHERE ProcessId=2500
I can't find anything that refers to Win32_Process except within one of the WMI tests.

puffycid
06/22/2021, 10:20 PM

seph
06/22/2021, 10:25 PM
That thread references a PR that merged in 2019

zwass
06/22/2021, 10:35 PM
Thank you both for the info. Wonder if we're unintentionally running a super old version of osquery?

Stefano Bonicatti
06/22/2021, 10:41 PM
That really seems like a version <= 3.3.2
10:42 PM
3.4.0 removed the use of that WMI query

seph
06/22/2021, 11:05 PM
Any extensions?

puffycid
06/22/2021, 11:17 PM
What process name is associated with PID 2500?

zwass
06/22/2021, 11:18 PM
My suspicion is that 2500 is osquery and it's the watchdog in an older version.

seph
06/22/2021, 11:21 PM
I feel like there's missing info... Where does this report come from? What's the process listing? Why is this assumed to be osquery, and is there a path associated with the report? I think your theory is solid -- I'm sure there are vendors shipping osquery from that long ago

zwass
06/22/2021, 11:24 PM
This was shared to me privately, so I can only report limited details. My understanding is that WMIMon was used to determine that the osquery process is issuing the query.

seph
06/22/2021, 11:25 PM
FWIW I've debugged a handful of things that ended up either being reporting errors, or people running multiple osquery daemons and attributing things to the wrong one.

zwass
06/22/2021, 11:29 PM
Yeah, it seems likely. Thank you everyone, this was super helpful! I'll report on what I learn.
8:27 PM
Confirmed it was osquery 3.3.2. Seems there may also be a bug in that version that causes queries to sometimes continue running even after being removed from the schedule. I've advised updating.