Skip to content

[Osquery_manager] LNK artifacts saved query #16059

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tomsonpl wants to merge 11 commits into
base: temporary-osquery-artifacts-branch
Choose a base branch
from
Open

[Osquery_manager] LNK artifacts saved query #16059

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
e79165c
lnk artifact
tomsonpl Nov 20, 2025
4bf83d1
fix
tomsonpl Nov 20, 2025
222f53f
feat(osquery_manager): expand LNK forensics query with cross-reference
tomsonpl Nov 28, 2025
aa103f4
feat(osquery_manager): add YARA-based LNK detection query
tomsonpl Nov 28, 2025
b39c0ed
docs(osquery_manager): update artifacts matrix with LNK queries
tomsonpl Nov 28, 2025
091229a
Update LNK forensics query with osquery #8727 workaround and enhanced…
tomsonpl Dec 9, 2025
f9d9e66
Remove YARA-based LNK detection query
tomsonpl Dec 9, 2025
7f18def
Remove file.type ECS mapping from LNK forensics query
tomsonpl Dec 9, 2025
bcb7fc5
Simplify LNK forensics query by removing MITRE ATT&CK enrichment
tomsonpl Dec 29, 2025
011eb84
Enhance LNK forensics query with VirusTotal links and remove exclusions
tomsonpl Jan 2, 2026
d72e13c
Fix command_line
tomsonpl Jan 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 9 additions & 8 deletions packages/osquery_manager/artifacts_matrix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Last Updated**: 2025-11-20
**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
**Total Queries**: 31 (4 core forensic variants + 27 additional)
**Completion Rate**: 4.3% (2/46 core artifacts fully supported)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 2 | 4.3% |
| ⚠️ In Progress (Needs Validation) | 38 | 82.6% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
Expand All @@ -36,7 +36,7 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 6a | Installed Services | ⚠️ | Linux | - | - | systemd table |
| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table |
| 7 | Jumplists | ❌ | Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity |
| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) |
| 8 | LNK files | | Win | lnk_forensics_windows_elastic | [a1b2c3d4-lnk1](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json) | Uses file table's native Windows shortcut parsing with hash and shellbags enrichment. Detects suspicious patterns: risky executables (cmd, powershell, wscript, etc.), malicious arguments (encoded commands, download cradles, temp paths, UNC paths), large files (>20KB), HTTP/HTTPS strings, and persistence locations (Startup folders). Correlates LNK targets with Windows Explorer directory access patterns from shellbags registry data to identify user interaction. Includes suspicious indicator flags and intelligent result prioritization. |
| 9 | ARP Cache | ⚠️ | Win | - | - | arp_cache table |
| 9a | ARP Cache | ⚠️ | Linux | - | - | arp_cache table |
| 9b | ARP Cache | ⚠️ | Mac | - | - | arp_cache table |
Expand Down Expand Up @@ -105,6 +105,7 @@ These queries existed in the original repository and provide additional coverage
| 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
| 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
| 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
| 27 | lnk_forensics | ✅ | Win | [a1b2](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json) | LNK shortcut file forensics with suspicious pattern detection and shellbags enrichment (risky executables, malicious arguments, large files, persistence locations, directory access correlation) |

**Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.

Expand Down Expand Up @@ -167,7 +168,7 @@ While some artifacts are not directly available, the existing queries provide st
- ⚠️ BITS Jobs Database (Windows: via windows_eventlog)

### User Activity
- ⚠️ LNK files (Windows: shortcut_files, file, recent_files tables)
- LNK files (Windows: file table with native shortcut parsing + hash enrichment + shellbags correlation + suspicious pattern detection)
- ⚠️ Shell History (Linux/Mac: shell_history table)
- ⚠️ Shellbags (Windows: shellbags table)
- ⚠️ User Assist (Windows: userassist table)
Expand Down
170 changes: 170 additions & 0 deletions ...ager/kibana/osquery_saved_query/osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
{
"attributes": {
"created_at": "2025-11-20T00:00:00.000Z",
"created_by": "elastic",
"description": "Collect Windows LNK shortcut files from critical persistence and public locations with suspicious indicators enriched with shellbags data. Focuses on Startup folders and Public Desktop locations. Detects risky executables (cmd.exe, powershell.exe, etc.), suspicious command-line arguments (encoded commands, download cradles, UNC paths), and large LNK files. Correlates LNK targets with Windows Explorer directory access patterns from shellbags registry data. Note: Scoped to system-wide and public locations only to satisfy osquery path constraints. Best used in combination with timeline analysis and manual investigation of flagged items.",
"ecs_mapping": [
{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "file.name",
"value": {
"field": "filename"
}
},
{
"key": "file.directory",
"value": {
"field": "directory"
}
},
{
"key": "file.size",
"value": {
"field": "size"
}
},
{
"key": "file.created",
"value": {
"field": "btime"
Copy link
Contributor

@ferullo ferullo Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this be converted to a datetime string for usability/readability and because file.created is mapped as a datestring.

}
},
{
"key": "file.mtime",
"value": {
"field": "mtime"
Copy link
Contributor

@ferullo ferullo Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as btime

}
},
{
"key": "file.accessed",
"value": {
"field": "atime"
Copy link
Contributor

@ferullo ferullo Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as btime

}
},
{
"key": "file.ctime",
"value": {
"field": "ctime"
Copy link
Contributor

@ferullo ferullo Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as btime

}
},
{
"key": "file.type",
"value": {
"field": "type"
Copy link
Contributor

@ferullo ferullo Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't what file.type is defined as. I only see regular in results from my results. What else are valid values? Maybe just don't map it?

}
},
{
"key": "file.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "file.hash.sha1",
"value": {
"field": "sha1"
}
},
Comment on lines +74 to +84
Copy link
Contributor

@ferullo ferullo Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In other queries sha1 is not returned. What do you think about standardizing which hashes are returned across all these queries. Perhaps just sha256?

Copy link
Contributor Author

@tomsonpl tomsonpl Dec 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After refactoring, all 3 hash fields should be available when possible. Do you think it's too much?

{
"key": "file.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "file.extension",
"value": {
"field": "extension"
}
},
{
"key": "process.executable",
"value": {
"field": "shortcut_target_path"
}
},
{
"key": "process.command_line",
"value": {
"field": "combined_command"
Copy link
Contributor

@ferullo ferullo Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I saw some values like Displays the files and folders on your computer. for this field. Are you ok putting it in process.command_line? FWIW, I can't find a better field.

Copy link
Contributor Author

@tomsonpl tomsonpl Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, if there was no path, then comment was used (alone). I haven't faced it, thanks for finding it!

Copy link
Contributor

@ferullo ferullo Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 the times I saw this behavior it seemed like the link was a special behavior rather than a link to a path so I get why it would "overlap" with the command line. Again, I don't see an SQL or ECS issue with this, I just wanted to make sure you didn't either.

}
},
{
"key": "user.id",
"value": {
"field": "shellbags_sid"
}
},
{
"key": "registry.path",
"value": {
"field": "shellbags_source"
}
}
],
"id": "lnk_forensics_windows_elastic",
"interval": "3600",
"platform": "windows",
"query": "-- Windows LNK Shortcut File Forensics with Suspicious Pattern Detection + Shellbags Enrichment\n-- Source: file table with native Windows shortcut parsing + shellbags registry data\n-- Focus: Risky executables, malicious arguments, large files, persistence mechanisms\n-- Scope: System-wide Startup folder and Public Desktop only (osquery constraint requirement)\n\nWITH lnk_files AS (\n SELECT \n f.path,\n f.filename,\n f.directory,\n f.size,\n f.btime,\n f.mtime,\n f.atime,\n f.ctime,\n f.type,\n f.shortcut_target_path,\n f.shortcut_target_type,\n f.shortcut_target_location,\n f.shortcut_start_in,\n f.shortcut_run,\n f.shortcut_comment,\n 'lnk' AS extension,\n CASE \n WHEN f.shortcut_target_path IS NOT NULL AND f.shortcut_comment IS NOT NULL \n THEN f.shortcut_target_path || ' ' || f.shortcut_comment\n WHEN f.shortcut_target_path IS NOT NULL \n THEN f.shortcut_target_path\n ELSE f.shortcut_comment\n END AS combined_command\n FROM file f\n WHERE (\n f.directory = 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n OR f.directory = 'C:\\Users\\Public\\Desktop'\n )\n AND f.filename LIKE '%.lnk'\n)\nSELECT \n lnk.path,\n lnk.filename,\n lnk.directory,\n lnk.size,\n lnk.btime,\n lnk.mtime,\n lnk.atime,\n lnk.ctime,\n lnk.type,\n lnk.shortcut_target_path,\n lnk.shortcut_target_type,\n lnk.shortcut_target_location,\n lnk.shortcut_start_in,\n lnk.shortcut_run,\n lnk.shortcut_comment,\n lnk.combined_command,\n lnk.extension,\n h.md5,\n h.sha1,\n h.sha256,\n sb.sid AS shellbags_sid,\n sb.source AS shellbags_source,\n sb.modified_time AS shellbags_modified_time,\n sb.created_time AS shellbags_created_time,\n sb.accessed_time AS shellbags_accessed_time,\n sb.mft_entry AS shellbags_mft_entry,\n CASE WHEN lnk.size > 20000 THEN 1 ELSE 0 END AS large_size_flag,\n CASE WHEN lnk.directory LIKE '%\\Startup%' THEN 1 ELSE 0 END AS startup_persistence_flag,\n CASE \n WHEN lnk.shortcut_target_path LIKE '%\\cmd.exe' \n OR lnk.shortcut_target_path LIKE '%\\powershell.exe'\n OR lnk.shortcut_target_path LIKE '%\\cscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\wscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\rundll32.exe'\n OR lnk.shortcut_target_path LIKE '%\\regsvr32.exe'\n OR lnk.shortcut_target_path LIKE '%\\mshta.exe'\n OR lnk.shortcut_target_path LIKE '%\\wmic.exe'\n OR lnk.shortcut_target_path LIKE '%\\conhost.exe'\n THEN 1 ELSE 0 \n END AS risky_executable_flag,\n CASE \n WHEN lnk.combined_command LIKE '%\\AppData\\%'\n OR lnk.combined_command LIKE '%\\Users\\Public\\%'\n OR lnk.combined_command LIKE '%\\Temp\\%'\n OR lnk.combined_command LIKE '%comspec%'\n OR lnk.combined_command LIKE '%&cd&echo%'\n OR lnk.combined_command LIKE '% -NoP %'\n OR lnk.combined_command LIKE '% -W Hidden %'\n OR lnk.combined_command LIKE '% -decode %'\n OR lnk.combined_command LIKE '% /decode %'\n OR lnk.combined_command LIKE '% -e %JAB%'\n OR lnk.combined_command LIKE '% -e %SUVYI%'\n OR lnk.combined_command LIKE '% -e %SQBFAFgA%'\n OR lnk.combined_command LIKE '% -e %aWV4I%'\n OR lnk.combined_command LIKE '% -e %aQBlAHgA%'\n OR lnk.combined_command LIKE '%start /b%'\n OR lnk.combined_command LIKE '%start \\b%'\n OR lnk.combined_command LIKE '%.downloadstring(%'\n OR lnk.combined_command LIKE '%.downloadfile(%'\n OR lnk.combined_command LIKE '%iex %'\n THEN 1 ELSE 0\n END AS suspicious_arguments_flag,\n CASE \n WHEN lnk.combined_command LIKE '%http://%'\n OR lnk.combined_command LIKE '%https://%'\n OR lnk.combined_command LIKE '%ftp://%'\n OR lnk.combined_command LIKE '%ftps://%'\n THEN 1 ELSE 0\n END AS http_download_flag,\n CASE \n WHEN lnk.combined_command LIKE '% \\\\\\\\%'\n OR lnk.shortcut_start_in LIKE '\\\\\\\\%'\n THEN 1 ELSE 0\n END AS unc_path_flag,\n CASE \n WHEN LENGTH(lnk.shortcut_comment) > 250 \n THEN 1 ELSE 0\n END AS large_arguments_flag\nFROM lnk_files lnk\nLEFT JOIN hash h ON lnk.path = h.path\nLEFT JOIN shellbags sb ON sb.path = lnk.shortcut_start_in\nWHERE (\n lnk.size > 20000\n OR lnk.directory LIKE '%\\Startup%'\n OR lnk.shortcut_target_path LIKE '%\\cmd.exe'\n OR lnk.shortcut_target_path LIKE '%\\powershell.exe'\n OR lnk.shortcut_target_path LIKE '%\\cscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\wscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\rundll32.exe'\n OR lnk.shortcut_target_path LIKE '%\\regsvr32.exe'\n OR lnk.shortcut_target_path LIKE '%\\mshta.exe'\n OR lnk.shortcut_target_path LIKE '%\\wmic.exe'\n OR lnk.shortcut_target_path LIKE '%\\conhost.exe'\n OR lnk.combined_command LIKE '%\\AppData\\%'\n OR lnk.combined_command LIKE '%\\Users\\Public\\%'\n OR lnk.combined_command LIKE '%\\Temp\\%'\n OR lnk.combined_command LIKE '%comspec%'\n OR lnk.combined_command LIKE '%&cd&echo%'\n OR lnk.combined_command LIKE '% -NoP %'\n OR lnk.combined_command LIKE '% -W Hidden %'\n OR lnk.combined_command LIKE '% -decode %'\n OR lnk.combined_command LIKE '% /decode %'\n OR lnk.combined_command LIKE '% -e %JAB%'\n OR lnk.combined_command LIKE '% -e %SUVYI%'\n OR lnk.combined_command LIKE '% -e %SQBFAFgA%'\n OR lnk.combined_command LIKE '% -e %aWV4I%'\n OR lnk.combined_command LIKE '% -e %aQBlAHgA%'\n OR lnk.combined_command LIKE '%start /b%'\n OR lnk.combined_command LIKE '%start \\b%'\n OR lnk.combined_command LIKE '%.downloadstring(%'\n OR lnk.combined_command LIKE '%.downloadfile(%'\n OR lnk.combined_command LIKE '%iex %'\n OR lnk.combined_command LIKE '%http://%'\n OR lnk.combined_command LIKE '%https://%'\n OR lnk.combined_command LIKE '%ftp://%'\n OR lnk.combined_command LIKE '%ftps://%'\n OR lnk.combined_command LIKE '% \\\\\\\\%'\n OR lnk.shortcut_start_in LIKE '\\\\\\\\%'\n OR LENGTH(lnk.shortcut_comment) > 250\n)\nAND (\n lnk.directory LIKE '%\\Startup%'\n OR (\n lnk.filename NOT LIKE 'Excel.lnk'\n AND lnk.filename NOT LIKE 'Word.lnk'\n AND lnk.filename NOT LIKE 'PowerPoint.lnk'\n AND lnk.filename NOT LIKE 'Outlook.lnk'\n AND lnk.filename NOT LIKE 'OneNote.lnk'\n AND lnk.filename NOT LIKE 'Windows Media Player.lnk'\n AND lnk.filename NOT LIKE 'Windows Explorer.lnk'\n AND lnk.filename NOT LIKE 'Internet Explorer.lnk'\n )\n)\nORDER BY \n CASE WHEN lnk.directory LIKE '%\\Startup%' THEN 1 ELSE 2 END,\n CASE \n WHEN lnk.shortcut_target_path LIKE '%\\cmd.exe' \n OR lnk.shortcut_target_path LIKE '%\\powershell.exe'\n OR lnk.shortcut_target_path LIKE '%\\cscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\wscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\rundll32.exe'\n OR lnk.shortcut_target_path LIKE '%\\regsvr32.exe'\n OR lnk.shortcut_target_path LIKE '%\\mshta.exe'\n OR lnk.shortcut_target_path LIKE '%\\wmic.exe'\n OR lnk.shortcut_target_path LIKE '%\\conhost.exe'\n THEN 1 ELSE 2 \n END,\n lnk.mtime DESC;",
"updated_at": "2025-11-20T00:00:00.000Z",
"updated_by": "elastic",
"tags": [
"forensics",
"persistence",
"lateral-movement",
"user-activity",
"file-analysis",
"malware-detection",
"command-and-control"
],
"mitre_attack": [
{
"id": "T1547.001",
"tactic": "Persistence",
"technique": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
"reference": "https://attack.mitre.org/techniques/T1547/001/"
},
{
"id": "T1204.002",
"tactic": "Execution",
"technique": "User Execution: Malicious File",
"reference": "https://attack.mitre.org/techniques/T1204/002/"
},
{
"id": "T1021",
"tactic": "Lateral Movement",
"technique": "Remote Services",
"reference": "https://attack.mitre.org/techniques/T1021/"
},
{
"id": "T1059.001",
"tactic": "Execution",
"technique": "Command and Scripting Interpreter: PowerShell",
"reference": "https://attack.mitre.org/techniques/T1059/001/"
},
{
"id": "T1059.003",
"tactic": "Execution",
"technique": "Command and Scripting Interpreter: Windows Command Shell",
"reference": "https://attack.mitre.org/techniques/T1059/003/"
},
{
"id": "T1105",
"tactic": "Command and Control",
"technique": "Ingress Tool Transfer",
"reference": "https://attack.mitre.org/techniques/T1105/"
}
]
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-11-20T00:00:00.000Z",
"version": "WzEsMV0="
}