detecting processes running without a binary on di...

bill99 · ‎02-01-2020

Hello Forum

I heard that Splunk together with OSquery can detect processes running without a binary on disk.

Can this OSquery be installed on the Splunkt-server in order to be able to query the clients to be monitored or is a local installation on every client required?
Can it be customized to alarm automatically when this case happend (processes running without a binary on disk)?

Thank you!

Bill

nickhills · ‎02-04-2020

Hi @bill99

1.) From the looks of it, you will have to install OSquery components on each endpoint, you can't "just" run it centrally from Splunk
2.) With it running on each endpoint, you can easily create a scripted input which will execute on each UF to query OSquery for binaries as you state. Your script will then produce an output which can be indexed into Splunk via the UF, and configure alerts when the results meet your criteria.

It looks like you can also install an OSquery server and run your queries from there (rather than each endpoint), but you still need osquery components on each target workstation/server

If my comment helps, please give it a thumbs up!

detecting processes running without a binary on disk with OSquery

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

detecting processes running without a binary on disk with OSquery

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem