Implement yara_events table for Windows by zwass · Pull Request #8580

Implement yara_events table for Windows by zwass · Pull Request #8580 · osquery/osquery

I used the following for manual testing of this:

osquery command

 .\osquery\RelWithDebInfo\osqueryd.exe --disable_events=false --pidfile osquery.pid --allow_unsafe --database_path .\osquery.db --logger_path .\logs --enable_ntfs_event_publisher=true --config_path=config.json -S --verbose

config.json

{
    "schedule": {
      "file_events": {
        "query": "SELECT * FROM ntfs_file_events;",
        "removed": false,
        "interval": 10
      }
    },
    "file_paths": {
      "osquery": [
        "C:\\osquery\\"
      ],
      "test":[
        "C:\\osquery\\test\\"
      ]
    },
    "yara": {
      "signatures": {
        "test": ["C:\\osquery\\.github\\true.yara", "C:\\osquery\\.github\\false.yara", "C:\\osquery\\.github\\foo.yara"]
      },
      "file_paths": {
        "osquery": ["test"],
        "test": ["test"]
      }
    }
}

true.yara

rule match_any_file {
    condition:
        true
}

false.yara

rule match_no_file {
    condition:
        false
}

foo.yara

rule TextExample : Foo Bar Baz
{
    strings:
        $text_string = "foobar"

    condition:
        $text_string
}