10000 Don't check logged in users in session 0 or non-active sessions by Breakwell · Pull Request #6375 · osquery/osquery · GitHub
Don't check logged in users in session 0 or non-active sessions #6375

Conversation

Breakwell
Contributor
@Breakwell Breakwell commented Apr 7, 2020

Description

On Windows the logged_in_users table accesses non-interactive sessions and returns them as logged on users. We can see from the Windows documentation: https://docs.microsoft.com/en-gb/windows/win32/api/wtsapi32/ne-wtsapi32-wts_connectstate_class that a user is only logged on if the state is WTSActive.

Fix

If the session is non-interactive or is session 0 it can't be a logged on user and should be ignored.

Testing

On Windows run:

select * from logged_in_users;

Without change:

C:\osquery_test\original>osquery.exe --verbose
I0408 11:40:21.701100 27116 init.cpp:340] osquery initialized [version=4.2.0]
I0408 11:40:21.701100 27116 extensions.cpp:349] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
I0408 11:40:21.701100 19312 interface.cpp:268] Extension manager service starting: \\.\pipe\shell.em
I0408 11:40:21.717139 27116 auto_constructed_tables.cpp:93] Removing stale ATC entries
Using a virtual database. Need help, type '.help'
osquery> select * from logged_in_users;
I0408 11:40:27.788151 27116 process_ops.cpp:99] No account name provided
I0408 11:40:27.788151 27116 logged_in_users.cpp:129] Error converting username to SID
I0408 11:40:27.788151 27116 process_ops.cpp:99] No account name provided
I0408 11:40:27.788151 27116 logged_in_users.cpp:129] Error converting username to SID
+--------------+---------------+-------------------------+----------------+------------+-----+----------------------------------------------+---------------------------------------------------------+
| type         | user          | tty                     | host           | time       | pid | sid                                          | registry_hive                                           |
+--------------+---------------+-------------------------+----------------+------------+-----+----------------------------------------------+---------------------------------------------------------+
| disconnected |               | Services                |                | 0          | -1  |                                              |                                                         |
| active       | Administrator | 31C5CE94259D4006A9E4#19 | 10.100.110.185 | 1586342396 | -1  | S-1-5-21-1860232918-163864199-3232310675-500 | HKEY_USERS\S-1-5-21-1860232918-163864199-3232310675-500 |
| connected    |               | Console                 |                | 1584972478 | -1  |                                              |                                                         |
+--------------+---------------+-------------------------+----------------+------------+-----+----------------------------------------------+---------------------------------------------------------+

You can see rows that are clearly not logged in users such as services.

With change:

C:\osquery_test\modified>osquery.exe --verbose
I0408 11:42:45.499208 23996 init.cpp:345] osquery initialized [version=4.2.0]
I0408 11:42:45.499208 23996 extensions.cpp:376] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
I0408 11:42:45.514966 23996 dispatcher.cpp:78] Adding new service: ExtensionWatcher (00000275453E6D60) to thread: 32688 (00000275453C6C90) in process 19060
I0408 11:42:45.514966 23996 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (00000275453EF910) to thread: 21324 (00000275453C6770) in process 19060
I0408 11:42:45.514966 21324 interface.cpp:268] Extension manager service starting: \\.\pipe\shell.em
I0408 11:42:45.514966 23996 auto_constructed_tables.cpp:93] Removing stale ATC entries
Using a virtual database. Need help, type '.help'
osquery> select * from logged_in_users;
+--------+---------------+-------------------------+------+------------+-----+----------------------------------------------+---------------------------------------------------------+
| type   | user          | tty                     | host | time       | pid | sid                                          | registry_hive                                           |
+--------+---------------+-------------------------+------+------------+-----+----------------------------------------------+---------------------------------------------------------+
| active | Administrator | 31C5CE94259D4006A9E4#19 |      | 1586342396 | -1  | S-1-5-21-1860232918-163864199-3232310675-500 | HKEY_USERS\S-1-5-21-1860232918-163864199-3232310675-500 |
+--------+---------------+-------------------------+------+------------+-----+----------------------------------------------+---------------------------------------------------------+
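The filtering rule described in the PR, as an added example that is not the PR's diff or osquery's own table code. On a real Windows host the session list comes from WTSEnumerateSessionsW and the user name from WTSQuerySessionInformationW with the WTSUserName class; here a constructed sample mirrors the three rows of the "without change" output above, and the session ids 19 (for the RDP WinStation) and 1 (for Console) are assumptions since the page only shows the station names. The WTS_CONNECTSTATE_CLASS values are copied from the Windows SDK; the lower-case names for states other than active, connected and disconnected are my own. One caveat worth keeping in mind: a WTSDisconnected session that still carries a user name is a logged-on user whose RDP client has detached and whose processes keep running, so this rule drops those on purpose.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Mirror of WTS_CONNECTSTATE_CLASS from wtsapi32.h, with the SDK's values,
// so the example builds without the Windows headers.
enum WtsConnectState : int {
  WTSActive = 0,
  WTSConnected = 1,
  WTSConnectQuery = 2,
  WTSShadow = 3,
  WTSDisconnected = 4,
  WTSIdle = 5,
  WTSListen = 6,
  WTSReset = 7,
  WTSDown = 8,
  WTSInit = 9,
};

// One enumerated session: the WTS_SESSION_INFO fields plus the user name
// that WTSQuerySessionInformation(WTSUserName) would report for it.
struct SessionInfo {
  uint32_t sessionId;
  std::string winStationName;  // shown in the table's "tty" column
  WtsConnectState state;
  std::string userName;        // empty when no account is attached
};

// Lower-case state name for the table's "type" column (names other than
// active/connected/disconnected are this example's own choice).
const char* stateName(WtsConnectState st) {
  switch (st) {
    case WTSActive:       return "active";
    case WTSConnected:    return "connected";
    case WTSConnectQuery: return "connect_query";
    case WTSShadow:       return "shadow";
    case WTSDisconnected: return "disconnected";
    case WTSIdle:         return "idle";
    case WTSListen:       return "listen";
    case WTSReset:        return "reset";
    case WTSDown:         return "down";
    case WTSInit:         return "init";
  }
  return "unknown";
}

// The rule the PR applies: session 0 hosts services and never an interactive
// logon, and only WTSActive means a user is logged on to the WinStation.
bool isLoggedInUserSession(const SessionInfo& s) {
  if (s.sessionId == 0) {
    return false;
  }
  return s.state == WTSActive;
}

// Rows the table would emit once the filter is in place.
std::vector<SessionInfo> loggedInUsers(const std::vector<SessionInfo>& all) {
  std::vector<SessionInfo> rows;
  for (const auto& s : all) {
    if (isLoggedInUserSession(s)) {
      rows.push_back(s);
    }
  }
  return rows;
}

// Constructed sample matching the three rows of the "without change" output
// above. Session ids 19 and 1 are assumed; the page only shows the names.
std::vector<SessionInfo> sampleSessions() {
  return {
      {0, "Services", WTSDisconnected, ""},
      {19, "31C5CE94259D4006A9E4#19", WTSActive, "Administrator"},
      {1, "Console", WTSConnected, ""},
  };
}

int main() {
  // Print every enumerated session and whether the table would report it.
  for (const auto& s : sampleSessions()) {
    std::cout << s.sessionId << '\t' << stateName(s.state) << '\t'
              << s.winStationName << '\t' << s.userName
              << (isLoggedInUserSession(s) ? "\t<- reported" : "\t<- skipped")
              << '\n';
  }
  return 0;
}
```

Run against the sample, only the Administrator row on session 19 survives, which is exactly the "with change" output; the Services row is dropped by the session-0 check and the Console row by the state check, since WTSConnected means a client is attached but nobody has logged on yet.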

@Breakwell Breakwell force-pushed the only-check-active-sessions-in-logged-in-users branch from a9295f1 to cbfc369 on April 8, 2020 15:15
@Breakwell Breakwell force-pushed the only-check-active-sessions-in-logged-in-users branch from cbfc369 to a79f48b on April 14, 2020 08:08
@theopolis theopolis merged commit bae089e into osquery:master Apr 17, 2020