[Osquery_Manager] Add new prebuilt queries

[tomsonpl]

Core Forensic Artifacts Coverage

#	Artifact	✓	OS	Query	File	Description
1	Services	✅	Win	suspicious_services	003	Detect suspicious services running from user-writable directories or with generic names commonly used by malware
1a	Services	✅	Mac	suspicious_launchd_macos	043	Detect suspicious launch daemons and agents on macOS, excluding system paths but flagging user-writable directories
1b	Services	✅	Linux	suspicious_systemd_linux	044	Detect suspicious systemd units on Linux, excluding system paths but flagging user-writable directories and unusual locations
2	Scheduled Tasks	✅	Win	scheduled_tasks_persistence	004	Identify enabled scheduled tasks executing from suspicious locations or using LOLBins
2a	Scheduled Tasks	✅	Mac+Linux	crontab_persistence	045	Detect suspicious crontab entries used for persistence (unified query for both platforms)
3	Startup Items	✅	Win	startup_items_persistence	005	Track startup items from registry and startup folders, focusing on non-Microsoft entries
4	Process Listing	✅	All	suspicious_processes	006	Detect suspicious running processes including fileless malware and processes from temp folders
5	File Hashes	✅	All	file_hashes_threat_intel	008	Enumerate recently modified executables with file hashes from suspicious locations
6	ARP Cache	✅	All	arp_cache_lateral_movement	009	Monitor ARP cache for lateral movement indicators
7	Network Connections	✅	All	network_connections_c2	010	Identify active network connections to external IPs on common C2 and lateral movement ports
8	Registry	✅	Win	registry_persistence	012	Monitor Windows registry Run keys and startup locations for persistence mechanisms
8a	Startup / Persistence	✅	Mac	startup_items_persistence_macos	046	Monitor macOS startup items for persistence mechanisms (equivalent to registry persistence)
8b	Autostart / Persistence	✅	Linux	autostart_persistence_linux	047	Monitor Linux autostart mechanisms via user systemd units (equivalent to registry persistence)
9	LNK Files	✅	Win	lnk_files_recent_activity	017	Analyze LNK shortcut files showing recently accessed documents and programs
10	BITS Jobs	✅	Win	bits_jobs_database	041	Detect suspicious BITS transfers by filtering out known-good domains (Microsoft, Google, Adobe, etc.) and internal networks - Windows-only (no macOS/Linux equivalent)
11	Network Interfaces	✅	All	network_interfaces_baseline	019	Document network configuration and identify anomalies like VPN or tunnel interfaces
12	Disk Info	✅	Win	disk_drives_removable_windows	030	Enumerate logical drives on Windows systems focusing on removable media and unusual volumes (uses logical_drives table)
12a	Disk Info	✅	Mac+Linux	mounts_removable	048	Enumerate mounted volumes focusing on removable media and external drives (unified query for both platforms)
13	AmCache	⚠️	Win	-	-	Not Available - Alternative: Use Prefetch + File Hashes + Registry uninstall keys
14	Jumplists	⚠️	Win	-	-	Not Available - Alternative: File enumeration + Shellbags + Office MRU
15	Browser History	⚠️	All	-	-	Not Available - Alternative: Downloads folder + cache analysis + ATC extension
16	MFT	⚠️	Win	-	-	Not Available - Alternative: Trail of Bits extension + USN Journal + targeted queries
17	File Handles	⚠️	All	-	-	Not Available - Alternative: process_open_sockets + file table + eclecticiq extension

Results:

(there is one windows machine, one ubuntu machine, and 'test-edr' is a macos machine)

[tomsonpl]

@raqueltabuyo FYI, could you take a look at these from your forensics expert perspective? :)

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: b38d554

History

• 💚 Build #33713 succeeded edeaf95
• 💔 Build #33710 failed a6a5f68
• 💔 Build #33701 failed ec20890
• 💚 Build #33695 succeeded 5e7d267
• 💚 Build #33691 succeeded b44cc5a

cc @tomsonpl

[tomsonpl]

Do not review, I'll move these to smaller chunks PR