detecting processes running without a binary on di...

bill99 · ‎02-01-2020

Hello Forum

I heard that Splunk together with OSquery can detect processes running without a binary on disk.

Can this OSquery be installed on the Splunkt-server in order to be able to query the clients to be monitored or is a local installation on every client required?
Can it be customized to alarm automatically when this case happend (processes running without a binary on disk)?

Thank you!

Bill

nickhills · ‎02-04-2020

Hi @bill99

1.) From the looks of it, you will have to install OSquery components on each endpoint, you can't "just" run it centrally from Splunk
2.) With it running on each endpoint, you can easily create a scripted input which will execute on each UF to query OSquery for binaries as you state. Your script will then produce an output which can be indexed into Splunk via the UF, and configure alerts when the results meet your criteria.

It looks like you can also install an OSquery server and run your queries from there (rather than each endpoint), but you still need osquery components on each target workstation/server

If my comment helps, please give it a thumbs up!

detecting processes running without a binary on disk with OSquery

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation