I am trying to build a PoC of osquery on Windows boxes and I just cannot get osqueryd.exe (or osqueryi.exe) to use the flagfile. I think there must be something I have missed in the documentation or whatever. Steps I tried:

  1. Validated the actual flags. When I pass them as command line arguments, it works.
  2. Tried both formats I've found on the net: osqueryd.exe --flagfile=C:\ProgramData\osquery\osquery.flags and osqueryd.exe --flagfile C:\ProgramData\osquery\osquery.flags.
  3. Relaxed the permissions to the point that all files had Everyone with full permissions (I had to add --allow_unsafe).
  4. Created the flagfile under the SYSTEM account.
  5. Ran osquery as user, admin and SYSTEM.
  6. Installed the osquery service with the manage-osqueryd.ps1 script. When I pass all parameters with -startupArgs, the service does work. When I pass only the flagfile, it does not.

Is there anything obvious I am missing?

Thank you

Tom

Tom Frost

1 Answer

Can you shoot us the output of sc.exe qc osqueryd? I'm curious to see what the service details look like. The short of it is that the system service should contain the full path to the osqueryd binary, as well as the --flagfile=C:\ProgramData\osquery\osquery.flags, or whatever you'd like, as the invocations you have are also fine :)

For example, here's the output of my system's service:

PS C:\WINDOWS\system32> sc.exe qc osqueryd
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: osqueryd
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile=\ProgramData\osquery\osquery.flags
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : osqueryd
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

As an additional note, there is a section on installing manually under Windows here. It's not super great, but it does give more context to the permissions and service behavior I think. Hope that helps! Also feel free to ping me in Slack, I'm Thor.

Muffins
  • Of course, here it is:

        PS C:\ProgramData\osquery\osqueryd> sc.exe qc osqueryd
        [SC] QueryServiceConfig SUCCESS

        SERVICE_NAME: osqueryd
                TYPE               : 10  WIN32_OWN_PROCESS
                START_TYPE         : 2   AUTO_START
                ERROR_CONTROL      : 1   NORMAL
                BINARY_PATH_NAME   : C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile=C:\ProgramData\osquery\osquery.flags
                LOAD_ORDER_GROUP   :
                TAG                : 0
                DISPLAY_NAME       : osqueryd
                DEPENDENCIES       :
                SERVICE_START_NAME : LocalSystem

    – Tom Frost Jun 13 '18 at 07:48
  • For posterity - This issue ended up being that we were writing a UTF-16 file to disk as the default flagfile, which osquery won't parse as it doesn't currently support UTF-16 strings (we have an issue to sort this out, but it's complicated and difficult for reasons :)). Relevant issue: https://github.com/facebook/osquery/issues/4548 – Muffins Jun 15 '18 at 14:55
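The root cause in the comments above is the file encoding, not permissions or the service definition: a flagfile written as UTF-16 is silently not parsed. The following is an added PowerShell example, not code from the original post or from the osquery project, that checks what encoding an existing flagfile has, rewrites it as UTF-8 without a BOM, and then verifies the service definition and a one-off osqueryi run. The paths, the flag values and the osqueryi.exe location are assumptions for illustration.

```powershell
# Added example; not from the original post or the osquery project.
# Assumed paths: flagfile at C:\ProgramData\osquery\osquery.flags,
# osqueryi.exe at C:\ProgramData\osquery\osqueryi.exe.
$FlagFile  = 'C:\ProgramData\osquery\osquery.flags'
$OsqueryI  = 'C:\ProgramData\osquery\osqueryi.exe'

# Classify a file's encoding from its leading bytes. In Windows PowerShell 5.1,
# `Out-File` and the `>` redirection default to UTF-16 LE ("Unicode"), which is
# exactly the case osquery fails to parse (see issue 4548 above).
function Get-FileEncodingHint {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xFE) { return 'UTF-16 LE (BOM)' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFE -and $b[1] -eq 0xFF) { return 'UTF-16 BE (BOM)' }
    if ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF) { return 'UTF-8 (BOM)' }
    # ASCII flag text encoded as UTF-16 has a NUL after every character,
    # so NUL bytes without a BOM are still a strong UTF-16 signal.
    if ([array]::IndexOf($b, [byte]0) -ge 0) { return 'contains NUL bytes (likely UTF-16 without BOM)' }
    return 'ASCII/UTF-8 (no BOM)'
}

# Write the flagfile as UTF-8 with no BOM. Using a UTF8Encoding($false) instance
# avoids both the UTF-16 default and the BOM that `Out-File -Encoding UTF8`
# prepends in Windows PowerShell 5.1.
function Write-OsqueryFlagFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Flags
    )
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllLines($Path, $Flags, $utf8NoBom)
}

# Illustrative flags; substitute the ones you already validated on the command line.
$flags = @(
    '--config_path=C:\ProgramData\osquery\osquery.conf',
    '--logger_path=C:\ProgramData\osquery\log',
    '--disable_events=true'
)

if (Test-Path $FlagFile) {
    "Existing flagfile: $(Get-FileEncodingHint -Path $FlagFile)"
}
Write-OsqueryFlagFile -Path $FlagFile -Flags $flags
"Rewritten flagfile: $(Get-FileEncodingHint -Path $FlagFile)"

# Confirm the service's BINARY_PATH_NAME actually carries --flagfile=<full path>,
# as the answer suggests, before restarting it.
sc.exe qc osqueryd

# Independent check that osquery now reads the flagfile: osqueryi honours
# --flagfile too, so a one-off query proves the flags parse without touching the service.
& $OsqueryI --flagfile=$FlagFile --json 'SELECT version FROM osquery_info;'
```

If the first encoding line reports UTF-16, that alone explains the symptom described in the question. Note that the default differs between shells: Windows PowerShell 5.1 writes UTF-16 LE from `Out-File` and ANSI from `Set-Content`, while PowerShell 7 writes UTF-8 without BOM from both, so a flagfile generator that works on one host can silently produce an unreadable file on another.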