# windows
w
so, sysmon is running on the host and osquery consumes the data
m
This behavior is already supported, one can specify the `sysmon` channel in the event log channel list for `window_events`. But that doesn't give the flexibility of consuming these events at the endpoint in table form and join on as needed.
Something like this, but event data here is just a blob of string in `data` (event data)
--windows_event_channels=Microsoft-Windows-PowerShell/Operational,Microsoft-Windows-Sysmon/Operational
osquery> select * from windows_eventlog where channel = "Microsoft-Windows-Sysmon/Operational" limit(1);
      channel = Microsoft-Windows-Sysmon/Operational
     datetime = 2021-03-24T08:17:23.361850100Z
         task = 5
        level = 4
provider_name = Microsoft-Windows-Sysmon
provider_guid = {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
computer_name = DESKTOP-Q7BJ1MD
      eventid = 5
     keywords = 0x8000000000000000
         data = {"EventData":{"RuleName":"-","UtcTime":"2021-03-24 08:17:23.359","ProcessGuid":"{39333bd0-f4d2-605a-6300-000000008c00}","ProcessId":"5028","Image":"C:\\Windows\\System32\\svchost.exe"}}
          pid = 6500
          tid = 6960
I was just trying out some stuff... This might not be the best explanation or query at all. But here is one kind of query a user can write to get some juicy information with the context available in events. Using the image loads table and then fetching details about the process using the process GUID that is available in both tables.
osquery>
osquery> select * from sysmon_image_load_events where imageloaded like '%System.Management.Automation.ni.dll%';
        RuleName = technique_id=T1086,technique_name=PowerShell Engine
            time = 1616583966
         UtcTime = 2021-03-24 11:04:48.573
     ProcessGuid = {39333bd0-1ccf-605b-df02-000000008c00}
       ProcessId = 8148
           Image = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
     ImageLoaded = C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\6b621f0fd6cc913157b16d8a0cfdc3ec\System.Management.Automation.ni.dll
     FileVersion = 10.0.18362.145
     Description = System.Management.Automation
         Product = Microsoft (R) Windows (R) Operating System
         Company = Microsoft Corporation
OriginalFileName = System.Management.Automation.dll
          Hashes = MD5=B18E1C187DAEB6C9B195BDD2EFDC20C7,SHA256=D36AD842C5E44483BDBBDF13D045AD5A64A9DDD5C1BAB89E81B12299D89DFC27,IMPHASH=00000000000000000000000000000000
          Signed = false
       Signature = -
 SignatureStatus = Unavailable
osquery>
osquery>
osquery>
osquery> select * from sysmon_process_create_events where processguid in (select processguid from sysmon_image_load_events where imageloaded like '%System.Management.Automation.ni.dll%');
         RuleName = -
             time = 1616583947
          UtcTime = 2021-03-24 11:04:47.383
      ProcessGuid = {39333bd0-1ccf-605b-df02-000000008c00}
        ProcessId = 8148
            Image = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      FileVersion = 10.0.18362.1 (WinBuild.160101.0800)
      Description = Windows PowerShell
          Product = Microsoft® Windows® Operating System
          Company = Microsoft Corporation
 OriginalFileName = PowerShell.EXE
      CommandLine = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
 CurrentDirectory = C:\Users\admin\
             User = DESKTOP-Q7BJ1MD\admin
        LogonGuid = {39333bd0-f4cf-605a-6665-020000000000}
          LogonId = 0x26566
TerminalSessionId = 1
   IntegrityLevel = Medium
           Hashes = MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481
ParentProcessGuid = {39333bd0-f4d0-605a-5f00-000000008c00}
  ParentProcessId = 4484
      ParentImage = C:\Windows\explorer.exe
ParentCommandLine = C:\Windows\Explorer.EXE
osquery>
Basically listing all the processes which tried to load the PowerShell System.Management.Automation DLL, as captured in the image load events table.
w
gotcha, didn’t know that was already supported for sysmon. 100% having tables for specific eventids is better. the data field with the current windows event logs is really not great.