Using regular expressions (REGEX) in queries

I was recently asked about a use case regarding finding Emotet malware artifacts using Live Query. I initially thought of using a query to look at the file creation times in order to identify outliers, but the person asking wanted to use regular expressions (REGEX) to find the files, so for the purpose of this blog post we will explore that route.

The artifacts in question looked like:

C:\WINDOWS\System32\Random Folder Name\Random File Name.Random File Type
C:\windows\syswow64\Random Folder Name\Random File Name.Random File Type

The actual file paths look like:

C:\WINDOWS\System32\Kefcbfwztlxk\ppfiimnvbwkgw.nvg
C:\windows\syswow64\txrsryjkrhlvwvve\sgnzjys.dyw

This post is not a discussion of how to write a REGEX, but of how to use one in osquery. osquery uses the Java variant of REGEX, so please see this site for information on creating your own REGEX.

In osquery we have a function called regex_match() that we can use, but there are some caveats. regex_match() as defined in the osquery documentation is:

regex_match(COLUMN, PATTERN, INDEX): Runs a regex match across the column and returns the matched subgroups. (Index 0 is the full match; subsequent numbers are the groups.)

If you use regex_match() in a SELECT clause, then it will return what is matched.

Here is an example without grouping:

osquery> select regex_match('foo bar',"\w+\ \w+",0)

Here is an example with grouping (note that I changed the index as well):

osquery> select regex_match('foo bar',"(\w+)\ \w+",1)

When you use it in a WHERE clause it will return a non-NULL value on a hit, so you have to tell the WHERE clause that is what you are looking for:

osquery> select name from processes WHERE regex_match(name,"carbon\S?black",0) is not null

So, let's look at the query they were trying to use (we chose to focus on the SysWOW64 directory because there are fewer files and directories than System32):

select * FROM file WHERE path like regex_match(path,"C\:\\Windows\\SysWOW64\\",0) is not null

Run your first query

To understand these concepts better, run your first query. In the Microsoft 365 Defender portal, go to Hunting to run your first query. Use the following example:

// Finds PowerShell execution events that could involve a download
union DeviceProcessEvents, DeviceNetworkEvents
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient",
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType

Describe the query and specify the tables to search

A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.

The query itself will typically start with a table name followed by several elements that start with a pipe (|). In this example, we start by creating a union of two tables, DeviceProcessEvents and DeviceNetworkEvents, and add piped elements as needed.
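Returning to the osquery material: one way to turn the two regex_match() caveats (index 0 with IS NOT NULL in the WHERE clause, group indexes in the SELECT list) into a hunt for the "random folder, random file name, random extension" layout shown in the sample paths. This is an added example, not the post's own query or anything from osquery's documentation; it assumes the standard osquery file table columns (path, size, btime), that a path LIKE pattern with % wildcards is what tells the file table which directories to enumerate on Windows, and that the (?i) flag and \\ escaping work in osquery's regex engine. The extension allow-list is an assumed starting point, not an exhaustive one.

```sql
-- Added example (not from the original post or osquery's docs): hunt for the
-- Emotet-style artifact layout described above, using regex_match() both in
-- the SELECT list (group indexes) and in the WHERE clause (index 0, IS NOT NULL).
-- Assumptions: standard osquery `file` table columns path, size and btime;
-- a `path LIKE ... %` constraint drives directory enumeration on Windows;
-- the (?i) flag and `\\` (literal backslash) are accepted by the regex engine.
-- The extension list is an assumed allow-list, not an exhaustive one.
WITH candidates AS (
  SELECT
    path,
    size,
    btime,
    -- Group 1: folder name; group 2: base name; group 3: extension.
    -- Name lengths ({6,}) are tuned to the sample paths in the post.
    regex_match(path, '(?i)^C:\\Windows\\SysWOW64\\([A-Za-z]{6,})\\([A-Za-z]{6,})\.([A-Za-z]{3})$', 1) AS folder,
    regex_match(path, '(?i)^C:\\Windows\\SysWOW64\\([A-Za-z]{6,})\\([A-Za-z]{6,})\.([A-Za-z]{3})$', 2) AS basename,
    lower(regex_match(path, '(?i)^C:\\Windows\\SysWOW64\\([A-Za-z]{6,})\\([A-Za-z]{6,})\.([A-Za-z]{3})$', 3)) AS ext
  FROM file
  -- Exactly one subfolder level under SysWOW64, as in the sample paths.
  WHERE path LIKE 'C:\Windows\SysWOW64\%\%'
    -- Index 0 is the full match; a hit is any non-NULL result.
    AND regex_match(path, '(?i)^C:\\Windows\\SysWOW64\\([A-Za-z]{6,})\\([A-Za-z]{6,})\.([A-Za-z]{3})$', 0) IS NOT NULL
)
SELECT
  path,
  folder,
  basename,
  ext,
  size,
  datetime(btime, 'unixepoch') AS created_utc
FROM candidates
-- Drop extensions that legitimately appear in SysWOW64 subfolders; what is left
-- is "random folder, random file, unknown extension", the pattern in the post.
WHERE ext NOT IN ('dll', 'exe', 'sys', 'mui', 'cat', 'inf', 'ini', 'xml',
                  'dat', 'log', 'txt', 'ocx', 'nls', 'drv', 'cpl')
ORDER BY btime DESC;
```

Rows that survive the extension filter still need review against the file creation time and owning process before being treated as Emotet droppings, which is the outlier approach the post mentions first.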