Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Shan
06/17/2020, 4:13 AMDoes Windows version of OSquery support Socket_events and Process_events tables? From my understanding it does not...
From Linux :
"platform": "linux",
"schedule": { "process_events":{
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events ;",
"interval": 10, "description": "Process events collected from the audit framework" },
"socket_events":{ "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE remote_address NOT IN ('127.0.0.1', "interval": 10, "description": "Socket events collected from the audit framework" },
-- I am trying to figure out windows equivalent of these queries
z
zwass
06/17/2020, 4:17 AMosquery.io/schema is your friend here
Those tables are not supported on windows.
s
Shan
06/17/2020, 1:08 PMthats what my understanding was - thanks @zwass
While at it Zach, (@zwass) I would like to contribute for these tables for Windows. I have started reading on this topic. If there is already some known work, or windows equivalent of auditD etc, please share it - will come in handy
m
Mike Myers
06/17/2020, 4:32 PMWindows equivalent of AuditD would be ETW, but the last time I looked, there was no ETW publisher you could turn on that would correlate process events and socket events. You had to attempt to do it yourself, but that approach is prone to race conditions.
We did it anyway and it became this https://github.com/DigitalOperatives/PAINT
The reliable way to do it is with a kernel-mode driver, but that violates osquery design principles
Windows also has process auditing, but osquery would have to enable that as a policy change on the host, and that's also against osquery design principles (changes to host configs)
z
zwass
06/17/2020, 4:47 PMThere are a handful of osquery tables that require users to change host configs for deployment. Could that be solution here?
o
OpenPlgx
06/17/2020, 4:48 PM@Shan, at PolyLogyx we have built these tables thru an extension (not the core) as they leverage kernel components. If it interests you, feel welcome to pick the extension from: https://github.com/polylogyx/osq-ext-bin
For more, you can check on polylogyx-extension channel
s
Shan
06/18/2020, 2:09 PMWill do. thanks for the info guys. appreciate it.