1/18/2023 0 Comments Osquery regexpSo, let's look at the query they were trying to use (we chose to focus on the SysWOW64 directory because there are fewer files and directories than System32): select * FROM file Where regex_match(name,"carbon\S?black",0) is not null When you use it in a WHERE clause then it will return a non-NULL value on a hit, so you have to tell the WHERE clause that is what you are looking for: osquery> select name from processes Here is an example with grouping (Note that I changed the index as well): osquery> select regex_match('foo bar',"(\w )\ \w ",1) Here is an example without grouping: osquery> select regex_match('foo bar',"\w \ \w ",0) If you use regex_match() in a SELECT clause, then it will return what is matched. (The 0 index is the full match subsequent numbers are the groups). Regex_match(COLUMN, PATTERN, INDEX): Runs regex match across the column, and returns matched subgroups. rRegex_match() as defined in the osquery documentation is: In osquery we have a function called regex_match() that we can use, but there are some caveats. osquery uses the Java variant of REGEX, so please see this site for information on creating your own REGEX. This post is not a discussion of how to write a REGEX, but how to use them in osquery. I initially thought of using a query to look at the file creation times in order to identify outliers, but the person asking wanted to try to use regular expressions (REGEX) to try to find the files, so for the purpose of this blog post, we will explore that route. The actual file paths look like: C:\WINDOWS\System32\Kefcbfwztlxk\ppfiimnvbwkgw.nvgĬ:\windows\syswow64\txrsryjkrhlvwvve\sgnzjys.dyw The artifacts in question looked like: C:\WINDOWS\System32\Random Folder Name\Random File Name.Random File TypeĬ:\windows\syswow64\Random Folder Name\Random File Name.Random File Type I was recently asked about a use case regarding finding Emotet malware artifacts using Live Query. Using regular expressions (REGEX) in queries VMware Carbon Black Query Exchange (*Requires you sign up for a free account in the VMware Carbon Black User Community unless you are a customer) (Refer to the Best Practices guide to determine the version currently installed) ResourcesĪudit and Remediation Best Practices Guide If neither of these things is true for you, please take a moment to read the Audit and Remediation Best Practices Guide before reading the rest of the blog. This blog series is intended for readers that have a basic understanding of SQLite and have an osquery test environment. All queries are available in the VMware Carbon Black Cloud console, or in the VMware Carbon Black User Exchange. In this blog series, we’ll be laying out relevant queries for VMware Carbon Black Cloud Workload customers to use to achieve a variety of use cases. VMware Carbon Black Cloud Workload customers have access to the full Audit and Remediation capabilities. osquery can help teams with gathering information at scale across environments for IT and help desk operations, compliance and M
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |