Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 17:08:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 83

Add additional Windows tables to schema (#8817)

Browse source 
* Add dns_cache

* Add ntdomains

* Add userassist

* add shimcache

* Spacing
This commit is contained in:
Josh Brower 2022-11-28 10:00:23 -05:00 committed by GitHub
parent 1e96f4f0fb
commit 4c73ccb338
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 60 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
schema/tables/dns_cache.yml Normal file
View file

@ -0,0 +1,16 @@
name: dns_cache
examples: >-
An integral part of incident response is understanding all systems that may have been compromised. To help with this, a query like the following will return positive for a system that has resolved a domain that contains `baddomain`. It's important to note that a system will only cache the DNS mapping for a limited time - see Notes below for further information.
```
SELECT name, type FROM dns_cache WHERE name LIKE '%baddomain%';
```
notes: >-
This table pulls from the local system's DNS cache. By default, the local DNS cache entry for a domain will be removed once the TTL for the domain has expired. For instance, osquery.io has a TTL of 60 seconds. When this domain has been resolved on a local Windows system, the DNS mapping will expire in 60 seconds from the resolution time - so `SELECT * FROM dns_cache WHERE name = 'osquery.io'` will only return results during that 60 second window.
Windows has a maximum time that it allows a cache entry to exist- by default, it is 1 day. If the domain has a TTL of greater than 1 day, Windows will still remove the DNS entry from its cache after 1 day.

13
schema/tables/ntdomains.yml Normal file
View file

@ -0,0 +1,13 @@
name: ntdomains
examples: >-
If the system is joined to a domain, this query will return the domain name as well as all known domain controllers and their IP addresses.
```
SELECT domain_name, domain_controller_name, domain_controller_address, status FROM ntdomains WHERE domain_name != "";
```
notes: >-
This table returns a row even if the local system is not joined to a domain - in this case, the `status` column will be `Unknown` and the `name` column will contain `Domain: $Hostname of local system`.

21
schema/tables/shimcache.yml Normal file
View file

@ -0,0 +1,21 @@
name: shimcache
examples: >-
As a byproduct of its functionality, the Application Compatibility Cache (also known as the shimcache) logs some details around process execution. These logs can be useful, especially during incident response. The following query looks for a potential IoC (indicator of compromise) - evidence of process execution of a Windows binary named certutil. (Certutil is a legitimate Windows application, but is also known to be a lolbin - living off the land binary. See more details here: https://lolbas-project.github.io/lolbas/Binaries/Certutil/ ) This query joins the local system's uptime to its results because shimcache logs are kept in memory until the system is rebooted, at which point they are written to disk - so we would also want to know the last time this system was rebooted.
```
SELECT entry AS execution_order, path, DATETIME(modified_time, 'unixepoch') AS file_last_modified, uptime.days || ' days, ' || uptime.hours || ' hours' AS host_uptime FROM shimcache CROSS JOIN uptime WHERE path LIKE '%certutil%';
```
notes: >-
Some key caveats to know about this data source:
* Process execution logs are only written during a reboot, otherwise they are stored in memory. This means you may not be seeing the data you would expect if the system hasn't been rebooted recently.
* The entry column shows the order of execution - Starting from 1, which is the most-recent process execution, and then on from there.
* The modified_time column displays the last modified time for the file.
Source: https://bromiley.medium.com/windows-wednesday-shim-cache-1997ba8b13e7

10
schema/tables/userassist.yml Normal file
View file

@ -0,0 +1,10 @@
name: userassist
examples: >-
The User Assist featureset allows Windows to keep track of most recently used applications. Because of that, it is a useful datasource to pull from during investigations and incident response. The following example queries the userassist table and converts the last_execution_time into a human readable format (using UTC) and then sorts the results by this column, descending. It also joins the users table to change the user SID into a human readable username. The output from this query displays most recently used applications, sorted by most recent timestamp as well as the username of who ran it.
```
SELECT userassist.path, datetime(userassist.last_execution_time, 'unixepoch') AS timestamp_of_last_exec, userassist.count as execution_count, users.username FROM userassist join users ON users.uuid = userassist.sid ORDER BY timestamp_of_last_exec DESC;
```