Hi,
Can you let us know if the Checkmk Windows agent will execute this?
Command Line Arguments: wmic qfe get HotfixID,Description,InstalledOn /format:csv
Tactics: Execution
Techniques: Windows Management Instrumentation
Write a small wrapper script that calls your wanted wmic query and then formats the output in a way that it can be processed by CMK.
Maybe yeah, although the script for check updates does some curious COM object stuff that may or may not do WMI behind the scenes. Hard to tell.
Can’t put exceptions for the checkmk agent into what I presume is your hair-trigger security monitoring tool?
@andreas-doehler I think they’re wanting it to NOT do it. The Tactics/Techniques thing sounds like security event classifications to me (that is, some security company thinks this WMI query is suspicious).
@bmst Then it would be better to ask the question this way.
I wrote a small plugin that shows the hotfix status, and it works nearly the same way as the wmic query there, only in PowerShell. If such things are a problem for your security, then it would be good to ask how you can restrict the agent itself.
We can say, I think, that the agent can execute everything you can do as local system on this machine.
Aye, I’m reading the intent between the lines a bit. We could use more context about how big a deal it is. Like, if they’re trying to establish the legitimacy of a flagged incident, maybe we do need a very concrete answer. If they’re just scoping out Checkmk as a potential product, well maybe it doesn’t matter so much.
They are seeing that this is utilizing more CPU, so they want to understand if it is caused by the check_mk agent or anything else.
They can attribute CPU usage to a particular process but not trace its parent processes? Can they put a timestamp on it and correlate it with the running of the agent?
This is the command it is executing: wmic qfe get. So does the Checkmk agent use this?
Dear @nvnbs
I believe that the Checkmk agent does not do that per default, but the developers of the agent may prove me wrong…
I think what @bmst was trying to tell you above is that the Checkmk agent may be using something similar if - whoever configured this machine - has installed the Windows Updates check plugin. You could check whether this plugin exists, and how it is executed (because one is supposed to execute this “cached”): If it’s executed too frequently, it may indeed result in higher than normal CPU utilization.
HTH,
Thomas
Thanks a lot, we figured it was not the Checkmk agent which is executing it; there are other agents responsible for this. Thanks all for the help.
@bmst : thank you so much for the inputs
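The parent-process and timestamp correlation suggested earlier in the thread can be done from the Windows Security log, shown here as an added example (not code from any poster or from Checkmk). It assumes "Audit Process Creation" (event 4688) and command-line logging are enabled, that the host runs Windows 10 / Server 2016 or later so `ParentProcessName` is recorded, and that it is run from an elevated prompt; the 24-hour window is an arbitrary choice.

```powershell
# Added example: attribute "wmic qfe" launches to their parent process.
# Assumption: event 4688 auditing with command-line logging is enabled.
$since = (Get-Date).AddHours(-24)   # look-back window (arbitrary)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

$wmicRuns = foreach ($ev in $events) {
    # Turn the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['NewProcessName'] -notlike '*\wmic.exe') { continue }
    if ($data['CommandLine']    -notlike '*qfe*')      { continue }

    [pscustomobject]@{
        TimeCreated = $ev.TimeCreated
        Parent      = $data['ParentProcessName']
        # In 4688 the "ProcessId" field is the creator's PID, in hex.
        ParentPid   = [Convert]::ToInt32($data['ProcessId'], 16)
        Account     = $data['SubjectUserName']
        CommandLine = $data['CommandLine']
    }
}

# Per parent: how many launches, and how far apart on average.
$wmicRuns | Group-Object Parent | ForEach-Object {
    $t = @($_.Group.TimeCreated | Sort-Object)
    $avgGap = if ($t.Count -gt 1) {
        [math]::Round(($t[-1] - $t[0]).TotalSeconds / ($t.Count - 1))
    } else { $null }
    [pscustomobject]@{
        Parent    = $_.Name
        Runs      = $t.Count
        First     = $t[0]
        Last      = $t[-1]
        AvgGapSec = $avgGap
    }
} | Sort-Object Runs -Descending | Format-Table -AutoSize
```

The `Parent` column names the executable that launched each query, and `AvgGapSec` can be compared with the check interval of whichever agent that turns out to be.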