elastic · tomsonpl · Nov 3, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025
@@ -0,0 +1,152 @@
+## Osquery Saved Queries - Forensic Artifact Coverage
+
+This document tracks the coverage of forensic artifacts from the Velociraptor to Osquery mapping analysis.
+
+**Last Updated**: 2025-11-05
+**Total Core Artifacts**: 12 available + 5 not available = 17 total
+**Total Queries**: 45 (18 core forensic variants + 27 additional)
+**Coverage Rate**: 70.6% (12/17 core artifacts available with standard osquery)
+
+---
+
+## Coverage Summary
+
+| Status | Count | Percentage |
+|--------|-------|------------|
+| ✅ Available (Standard osquery) | 12 | 70.6% |
+| ⚠️ Not Available (Requires Extensions) | 5 | 29.4% |
+
+---
+
+## Core Forensic Artifacts Coverage
+
+| # | Artifact                | ✓ | OS | Query | File | Description |
+|:-:|-------------------------|:-:|:--:|-------|:----:|-------------|
+| 1 | Services                | ✅ | Win | suspicious_services | [003](kibana/osquery_saved_query/osquery_manager-892ee425-60e7-4eb6-ba25-6e97dc3e2ea0.json) | Detect suspicious services running from user-writable directories or with generic names commonly used by malware |
+| 1a | Services                | ✅ | Mac | suspicious_launchd_macos | [043](kibana/osquery_saved_query/osquery_manager-5823a22e-5add-416d-a142-de323400edb0.json) | Detect suspicious launch daemons and agents on macOS, excluding system paths but flagging user-writable directories |
+| 1b | Services                | ✅ | Linux | suspicious_systemd_linux | [044](kibana/osquery_saved_query/osquery_manager-f8b0894b-772d-4242-8e19-dbc5d7ae2e06.json) | Detect suspicious systemd units on Linux, excluding system paths but flagging user-writable directories and unusual locations |
+| 2 | Scheduled Tasks         | ✅ | Win | scheduled_tasks_persistence | [004](kibana/osquery_saved_query/osquery_manager-bacf9b50-0f50-4c37-98d3-d6511b591826.json) | Identify enabled scheduled tasks executing from suspicious locations or using LOLBins |
+| 2a | Scheduled Tasks         | ✅ | Mac+Linux | crontab_persistence | [045](kibana/osquery_saved_query/osquery_manager-b1c9c896-5306-4002-9699-519e8eee4ef5.json) | Detect suspicious crontab entries used for persistence (unified query for both platforms) |
+| 3 | Startup Items           | ✅ | Win | startup_items_persistence | [005](kibana/osquery_saved_query/osquery_manager-749eba03-82e9-4dcc-89ea-f15074e1fb25.json) | Track startup items from registry and startup folders, focusing on non-Microsoft entries |
+| 4 | Process Listing         | ✅ | All | suspicious_processes | [006](kibana/osquery_saved_query/osquery_manager-95c92ef6-1c38-4c27-8bbe-6fd849a0d96e.json) | Detect suspicious running processes including fileless malware and processes from temp folders |
+| 5 | File Hashes             | ✅ | All | file_hashes_threat_intel | [008](kibana/osquery_saved_query/osquery_manager-017fb2f0-11e9-404e-a298-77542152a9be.json) | Enumerate recently modified executables with file hashes from suspicious locations |
+| 6 | ARP Cache               | ✅ | All | arp_cache_lateral_movement | [009](kibana/osquery_saved_query/osquery_manager-064bd1eb-2ed0-4342-a1eb-a2c8e1bc017f.json) | Monitor ARP cache for lateral movement indicators |
+| 7 | Network Connections     | ✅ | All | network_connections_c2 | [010](kibana/osquery_saved_query/osquery_manager-4846c0ca-1962-4692-830f-29451c486ff7.json) | Identify active network connections to external IPs on common C2 and lateral movement ports |
+| 8 | Registry                | ✅ | Win | registry_persistence | [012](kibana/osquery_saved_query/osquery_manager-6fdc0fa7-e318-4955-a280-8d799eccd27c.json) | Monitor Windows registry Run keys and startup locations for persistence mechanisms |
+| 8a | Startup / Persistence   | ✅ | Mac | startup_items_persistence_macos | [046](kibana/osquery_saved_query/osquery_manager-ec67184a-3a16-4b6e-bb75-5575b7b1ec83.json) | Monitor macOS startup items for persistence mechanisms (equivalent to registry persistence) |
+| 8b | Autostart / Persistence | ✅ | Linux | autostart_persistence_linux | [047](kibana/osquery_saved_query/osquery_manager-79e842cc-f15b-4316-9e44-7c99dbddb587.json) | Monitor Linux autostart mechanisms via user systemd units (equivalent to registry persistence) |
+| 9 | LNK Files               | ✅ | Win | lnk_files_recent_activity | [017](kibana/osquery_saved_query/osquery_manager-517a3d18-53c4-4d31-98e8-4e5b799c0137.json) | Analyze LNK shortcut files showing recently accessed documents and programs |
+| 10 | BITS Jobs               | ✅ | Win | bits_jobs_database | [041](kibana/osquery_saved_query/osquery_manager-8bb7af90-9eb2-4f06-8d3e-ba863804f462.json) | Detect suspicious BITS transfers by filtering out known-good domains (Microsoft, Google, Adobe, etc.) and internal networks - **Windows-only (no macOS/Linux equivalent)** |
+| 11 | Network Interfaces      | ✅ | All | network_interfaces_baseline | [019](kibana/osquery_saved_query/osquery_manager-cafd7d30-52d9-495a-ba23-020e6fa06357.json) | Document network configuration and identify anomalies like VPN or tunnel interfaces |
+| 12 | Disk Info               | ✅ | Win | disk_drives_removable_windows | [030](kibana/osquery_saved_query/osquery_manager-09d80b84-b3a6-4ac4-a85b-bf1731c00e64.json) | Enumerate logical drives on Windows systems focusing on removable media and unusual volumes (uses logical_drives table) |
+| 12a | Disk Info               | ✅ | Mac+Linux | mounts_removable | [048](kibana/osquery_saved_query/osquery_manager-334f0f0f-3d0a-40e2-b094-c844e419a968.json) | Enumerate mounted volumes focusing on removable media and external drives (unified query for both platforms) |
+| 13 | AmCache                 | ⚠️ | Win | - | - | **Not Available** - PR #7261 closed due to SQL constraint problems. Alternative: Use Prefetch + File Hashes + Registry uninstall keys |
+| 14 | Jumplists               | ⚠️ | Win | - | - | **Not Available** - PR #7260 closed due to OLE format complexity. Alternative: File enumeration + Shellbags + Office MRU |
+| 15 | Browser History         | ⚠️ | All | - | - | **Not Available** - No native table, databases locked while browser running. Alternative: Downloads folder + cache analysis + ATC extension |
+| 16 | MFT                     | ⚠️ | Win | - | - | **Not Available** - Complex NTFS structure requires specialized parsing. Alternative: Trail of Bits extension + USN Journal + targeted queries |
+| 17 | File Handles            | ⚠️ | All | - | - | **Not Available** - PR #7835 still open, not merged. Alternative: process_open_sockets + file table + eclecticiq extension |
+
+---
+
+## Additional Queries (Original Repository)
+
+These queries existed in the original repository and provide additional coverage beyond the core forensic artifacts listed above.
+
+| # | Query | ✓ | OS | File | Description |
+|:-:|-------|:-:|:--:|:----:|-------------|
+| 1 | listening_ports | ✅ | All | [0796](kibana/osquery_saved_query/osquery_manager-0796f890-b4a9-11ec-8f39-bf9c07530bbb.json) | Network listening ports enumeration |
+| 2 | processes | ✅ | All | [363d](kibana/osquery_saved_query/osquery_manager-363d6a30-b4a9-11ec-8f39-bf9c07530bbb.json) | General process listing (all processes) |
+| 3 | logged_in_users | ✅ | All | [ccd3](kibana/osquery_saved_query/osquery_manager-ccd3f850-b4a5-11ec-8f39-bf9c07530bbb.json) | Currently logged in users |
+| 4 | users | ✅ | All | [cebd](kibana/osquery_saved_query/osquery_manager-cebd7b00-b4b4-11ec-8f39-bf9c07530bbb.json) | System user accounts enumeration |
+| 5 | file_info | ✅ | All | [128b](kibana/osquery_saved_query/osquery_manager-128b90b0-b4a6-11ec-8f39-bf9c07530bbb.json) | File metadata queries by path |
+| 6 | file_info_by_type | ✅ | All | [fc4e](kibana/osquery_saved_query/osquery_manager-fc4e34b0-b4a5-11ec-8f39-bf9c07530bbb.json) | File information by extension type |
+| 7 | system_os | ✅ | All | [23af](kibana/osquery_saved_query/osquery_manager-23af51c0-d75f-11ec-879b-83915b27217e.json) | Operating system information |
+| 8 | system_info | ✅ | All | [47d9](kibana/osquery_saved_query/osquery_manager-47d96fe0-d75f-11ec-879b-83915b27217e.json) | System hardware information |
+| 9 | system_memory_linux | ✅ |Linux | [315b](kibana/osquery_saved_query/osquery_manager-315bfda0-d75f-11ec-879b-83915b27217e.json) | Memory information (Linux specific) |
+| 10 | applications_mac | ✅ | Mac | [5c14](kibana/osquery_saved_query/osquery_manager-5c144ac0-b4a5-11ec-8f39-bf9c07530bbb.json) | Installed applications enumeration |
+| 10a | applications_windows | ✅ | Win | [a887](kibana/osquery_saved_query/osquery_manager-a8870ff0-b4a5-11ec-8f39-bf9c07530bbb.json) | Installed applications enumeration |
+| 11 | usb_devices_mac_or_linux | ✅ | Mac+Linux | [7ee7](kibana/osquery_saved_query/osquery_manager-7ee71870-b4b4-11ec-8f39-bf9c07530bbb.json) | USB device enumeration (non-Windows) |
+| 12 | registry_windows | ✅ | Win | [6fc0](kibana/osquery_saved_query/osquery_manager-6fc00190-b4b4-11ec-8f39-bf9c07530bbb.json) | General registry queries |
+| 13 | persisted_apps | ✅ | Win | [2de2](kibana/osquery_saved_query/osquery_manager-2de24900-b4a9-11ec-8f39-bf9c07530bbb.json) | Persistence applications (non-executables) |
+| 14 | persisted_apps_executables_windows | ✅ | Win | [239d](kibana/osquery_saved_query/osquery_manager-239dce60-b4a9-11ec-8f39-bf9c07530bbb.json) | Persistence applications (executables) |
+| 15 | posh_logging_windows | ✅ | Win | [5595](kibana/osquery_saved_query/osquery_manager-55955db0-0c07-11ed-a49c-6b13b058b135.json) | PowerShell logging configuration status |
+| 16 | defender_exclusions_windows | ✅ | Win | [157d](kibana/osquery_saved_query/osquery_manager-157d5550-fd27-11ec-8645-83a23bc513b5.json) | Windows Defender exclusion paths |
+| 17 | firewall_rules_windows | ✅ | Win | [e640](kibana/osquery_saved_query/osquery_manager-e640e200-b4a8-11ec-8f39-bf9c07530bbb.json) | Windows Firewall rules enumeration |
+| 18 | loaded_drivers_windows | ✅ | Win | [f864](kibana/osquery_saved_query/osquery_manager-f8649710-b4a8-11ec-8f39-bf9c07530bbb.json) | Loaded kernel drivers |
+| 19 | services_running_on_user_accounts | ✅ | Win | [ee58](kibana/osquery_saved_query/osquery_manager-ee586dc0-1801-11ed-89c6-331eb0db6d01.json) | Services running under user accounts (not SYSTEM) |
+| 20 | wdigest_uselogoncredential | ✅ | Win | [a08d](kibana/osquery_saved_query/osquery_manager-a08d7320-1823-11ed-89c6-331eb0db6d01.json) | WDigest credential caching configuration |
+| 21 | winbaseobj_mutex_search | ✅ | Win | [0f61](kibana/osquery_saved_query/osquery_manager-0f61edf0-17e1-11ed-89c6-331eb0db6d01.json) | Mutex objects for malware IOC detection |
+| 22 | unsigned_processes_vt | ✅ | Win | [3e71](kibana/osquery_saved_query/osquery_manager-3e7155d0-0db5-11ed-a49c-6b13b058b135.json) | Unsigned running processes with VirusTotal integration |
+| 23 | unsigned_services_vt | ✅ | Win | [8386](kibana/osquery_saved_query/osquery_manager-83869f40-0dab-11ed-a49c-6b13b058b135.json) | Unsigned services with VirusTotal integration |
+| 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
+| 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
+| 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
+
+**Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.
+
+---
+
+## Not Available Artifacts
+
+The following artifacts cannot be queried with standard osquery and require extensions or are not yet supported:
+
+| # | Artifact | Status | Reason | Alternative Approach |
+|:-:|----------|:------:|--------|----------------------|
+| 1 | AmCache | ⚠️ | PR #7261 closed due to SQL constraint problems | Use combination of Prefetch analysis, file system queries for recent executables, and registry uninstall keys |
+| 2 | Jumplists | ⚠️ | PR #7260 closed due to OLE format complexity | File enumeration (list .automaticDestinations-ms files), manual offline analysis, or use Recent files from Shellbags/Office MRU |
+| 3 | Browser History | ⚠️ | No native table, databases locked while browser running | Downloads folder analysis, file system queries for browser cache, or ATC custom tables (if deployed) |
+| 4 | MFT | ⚠️ | Complex NTFS structure requires specialized parsing | Trail of Bits osquery extension (if deployed), USN Journal for recent activity, or targeted file system queries |
+| 5 | File Handles | ⚠️ | PR #7835 still open, not merged | Network connections via process_open_sockets, file table for static analysis, or eclecticiq-osq-ext-bin extension |
+
+### Alternative Coverage
+
+While these artifacts are not directly available, the existing queries provide strong coverage through related artifacts:
+
+**Execution Tracking**: Use Prefetch + File Hashes + Process Listing instead of AmCache
+**User Activity**: Use Shellbags + LNK Files + Office Documents instead of Jumplists/Browser History
+**File System Monitoring**: Use USN Journal + File Hashes instead of MFT
+**Resource Access**: Use Network Connections + Process Listing instead of File Handles
+
+---
+
+## Legend
+
+### Status Definitions
+
+- ✅ Available in standard osquery with production-ready queries
+- ⚠️ Not Available - Requires osquery extensions or not yet supported
+
+---
+
+## Artifacts by Category
+
+### Persistence Mechanisms
+- ✅ Services
+- ✅ Scheduled Tasks
+- ✅ Startup Items
+- ✅ Registry
+
+### Network/C2 Indicators
+- ✅ BITS Jobs
+- ✅ ARP Cache
+- ✅ Network Interfaces
+- ✅ Network Connections
+
+### File Activity
+- ✅ File Hashes
+- ✅ LNK Files
+- ⚠️ Jumplists (Not Available)
+- ⚠️ MFT (Not Available)
+
+### System Information
+- ✅ Disk Info
+- ✅ Process Listing
+- ⚠️ File Handles (Not Available)
+
+### Execution Artifacts
+- ⚠️ AmCache (Not Available)
+
+### User Activity
+- ⚠️ Browser History (Not Available)
+
+---
@@ -0,0 +1,88 @@
+{
+  "attributes": {
+    "created_at": "2025-11-05T09:19:01.000Z",
+    "created_by": "elastic",
+    "description": "Enumerate recently modified executables with file hashes from suspicious locations for threat intelligence correlation",
+    "ecs_mapping": [
+      {
+        "key": "file.path",
+        "value": {
+          "field": "path"
+        }
+      },
+      {
+        "key": "file.name",
+        "value": {
+          "field": "filename"
+        }
+      },
+      {
+        "key": "file.size",
+        "value": {
+          "field": "size"
+        }
+      },
+      {
+        "key": "file.mtime",
+        "value": {
+          "field": "mtime"
+        }
+      },
+      {
+        "key": "file.hash.md5",
+        "value": {
+          "field": "md5"
+        }
+      },
+      {
+        "key": "file.hash.sha1",
+        "value": {
+          "field": "sha1"
+        }
+      },
+      {
+        "key": "file.hash.sha256",
+        "value": {
+          "field": "sha256"
+        }
+      },
+      {
+        "key": "event.category",
+        "value": {
+          "value": [
+            "file"
+          ]
+        }
+      },
+      {
+        "key": "event.type",
+        "value": {
+          "value": [
+            "info"
+          ]
+        }
+      },
+      {
+        "key": "tags",
+        "value": {
+          "value": [
+            "file_analysis",
+            "hashing",
+            "threat_hunting"
+          ]
+        }
+      }
+    ],
+    "id": "file_hashes_threat_intel_elastic",
+    "interval": "86400",
+    "query": "SELECT \n  f.path, \n  f.filename, \n  f.size, \n  f.mtime, \n  h.md5, \n  h.sha1, \n  h.sha256 \nFROM file f \nJOIN hash h ON f.path = h.path \nWHERE (\n    f.path LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Temp\\\\%.exe' \n    OR f.path LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\%.exe' \n    OR f.path LIKE 'C:\\\\Users\\\\%\\\\Downloads\\\\%.exe' \n    OR f.path LIKE 'C:\\\\Users\\\\Public\\\\%.exe' \n    OR f.path LIKE 'C:\\\\ProgramData\\\\%.exe' \n    OR f.path LIKE 'C:\\\\Windows\\\\Temp\\\\%.exe' \n    OR f.path LIKE '/tmp/%.sh' \n    OR f.path LIKE '/var/tmp/%'\n  ) \n  AND f.size > 0 \n  AND f.size < 10485760 \n  AND f.mtime > datetime('now', '-30 days') \nORDER BY f.mtime DESC \nLIMIT 100;",
+    "updated_at": "2025-11-05T09:19:01.000Z",
+    "updated_by": "elastic"
+  },
+  "coreMigrationVersion": "9.2.0",
+  "id": "osquery_manager-017fb2f0-11e9-404e-a298-77542152a9be",
+  "references": [],
+  "type": "osquery-saved-query",
+  "updated_at": "2025-11-05T09:19:01.000Z",
+  "version": "Wzg3LDJd"
+}
@@ -0,0 +1,64 @@
+{
+  "attributes": {
+    "created_at": "2025-11-05T09:19:01.000Z",
+    "created_by": "elastic",
+    "description": "Monitor all dynamic ARP cache entries for network activity baseline and potential lateral movement analysis",
+    "ecs_mapping": [
+      {
+        "key": "destination.ip",
+        "value": {
+          "field": "address"
+        }
+      },
+      {
+        "key": "destination.mac",
+        "value": {
+          "field": "mac"
+        }
+      },
+      {
+        "key": "network.interface",
+        "value": {
+          "field": "interface"
+        }
+      },
+      {
+        "key": "event.category",
+        "value": {
+          "value": [
+            "network"
+          ]
+        }
+      },
+      {
+        "key": "event.type",
+        "value": {
+          "value": [
+            "info"
+          ]
+        }
+      },
+      {
+        "key": "tags",
+        "value": {
+          "value": [
+            "network_activity",
+            "arp",
+            "lateral_movement"
+          ]
+        }
+      }
+    ],
+    "id": "arp_cache_lateral_movement_elastic",
+    "interval": "3600",
+    "query": "SELECT \n  address, \n  mac, \n  interface, \n  permanent \nFROM arp_cache \nWHERE permanent = '0' \nORDER BY interface, address \nLIMIT 100;",
+    "updated_at": "2025-11-05T09:19:01.000Z",
+    "updated_by": "elastic"
+  },
+  "coreMigrationVersion": "9.2.0",
+  "id": "osquery_manager-064bd1eb-2ed0-4342-a1eb-a2c8e1bc017f",
+  "references": [],
+  "type": "osquery-saved-query",
+  "updated_at": "2025-11-05T09:19:01.000Z",
+  "version": "Wzg4LDJd"
+}