diff --git a/packages/osquery_manager/artifacts_matrix.md b/packages/osquery_manager/artifacts_matrix.md index fb90f03f8b0..f99d609d6d9 100644 --- a/packages/osquery_manager/artifacts_matrix.md +++ b/packages/osquery_manager/artifacts_matrix.md @@ -2,10 +2,10 @@ This document tracks the coverage of forensic artifacts in Osquery. -**Last Updated**: 2025-11-07 -**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants -**Total Queries**: 30 (3 core forensic variants + 27 additional) -**Completion Rate**: 2.2% (1/46 core artifacts fully supported) +**Last Updated**: 2025-11-21 +**Total Core Artifacts**: 3 available + 37 in progress + 6 not available = 46 total +**Total Queries**: 30 (3 core forensic + 27 additional) +**Completion Rate**: 6.5% (3/46 core artifacts) --- @@ -13,8 +13,8 @@ This document tracks the coverage of forensic artifacts in Osquery. | Status | Count | Percentage | |--------|-------|------------| -| ✅ Available (Fully Supported) | 0 | 0% | -| ⚠️ In Progress (Needs Validation) | 39 | 87.0% | +| ✅ Available (Fully Supported) | 3 | 6.5% | +| ⚠️ In Progress (Needs Validation) | 37 | 80.4% | | ❌ Not Available (Requires Extensions) | 6 | 13.0% | --- 
@@ -50,9 +50,9 @@ This document tracks the coverage of forensic artifacts in Osquery. | 13 | Open Handles | ❌ | Win | - | - | PR #7835 open; external extension available: EclecticIQ ext | | 13a | Open Handles | ❌ | Linux | - | - | PR #7835 open; external extension available: EclecticIQ ext | | 13b | Open Handles | ❌ | Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext | -| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | -| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | -| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | +| 14 | Startup Items | ✅ | Win | startup_items_windows_elastic | [d4e5](kibana/osquery_saved_query/osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567.json) | Dual-detection approach: (1) Non-whitelisted binaries, (2) LotL indicators (PowerShell -e, certutil, wscript abuse). Filters known-good tasks while flagging suspicious patterns. MITRE ATT&CK T1547.001, T1059.001, T1105 | +| 14a | Startup Items | ✅ | Linux | startup_items_linux_elastic | [e5f6](kibana/osquery_saved_query/osquery_manager-e5f6a7b8-c9d0-23ef-4567-890123456789.json) | Dual-detection approach: (1) User-created systemd/cron/XDG autostart, (2) LotL patterns (bash -c, curl pipe bash, base64 -d). Location-based filtering for cross-distro compatibility. MITRE ATT&CK T1543.002, T1053.003, T1547.013, T1059.004, T1105 | +| 14b | Startup Items | ✅ | Mac | startup_items_darwin_elastic | [f6a7](kibana/osquery_saved_query/osquery_manager-f6a7b8c9-d0e1-34f0-5678-901234567890.json) | Dual-detection approach: (1) Non-Apple signed LaunchAgents/Daemons, (2) LotL patterns (bash -c, curl pipe bash, osascript -e). Signature-based filtering with comprehensive LotL coverage. 
MITRE ATT&CK T1543.001, T1547.015, T1059.004, T1105 | | 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table | | 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table | | 17 | Process Listing | ⚠️ | Win | - | - | processes table | @@ -158,8 +158,10 @@ While some artifacts are not directly available, the existing queries provide st - ❌ AmCache (Not Available - Use AppCompatCache + Prefetch as alternatives) ### Persistence Mechanisms +- ✅ Startup Items - Windows (Dual-detection: Non-whitelisted binaries + LotL indicators - T1547.001, T1059.001, T1105) +- ✅ Startup Items - Linux (Dual-detection: User-created systemd/cron/XDG + LotL patterns - T1543.002, T1053.003, T1547.013, T1059.004, T1105) +- ✅ Startup Items - macOS (Dual-detection: Non-Apple signed LaunchAgents/Daemons + LotL patterns - T1543.001, T1547.015, T1059.004, T1105) - ⚠️ Installed Services (All platforms: services table) -- ⚠️ Persistence (All platforms: multiple tables) - ⚠️ Registry (Windows: registry table) - ⚠️ Tasks (All platforms: scheduled_tasks table) - ⚠️ WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers) diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567.json new file mode 100644 index 00000000000..19e7a7ad926 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567.json 
@@ -0,0 +1,159 @@ +{ + "attributes": { + "created_at": "2025-11-21T00:00:00.000Z", + "created_by": "elastic", + "description": "Detects Windows persistence via startup items using dual-detection approach: (1) Non-whitelisted legitimate binaries and (2) Living off the Land (LotL) attack indicators. Identifies both unsigned/unknown binaries AND abuse of legitimate Windows tools (powershell -e, certutil, wscript, etc.) for malicious persistence. Filters out high-volume known-good tasks while flagging suspicious patterns regardless of code signature. Maps to MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1059.001 (PowerShell), T1105 (Ingress Tool Transfer).", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["configuration"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "event.action", + "value": { + "value": "osquery.startup_items" + } + }, + { + "key": "process.executable", + "value": { + "field": "path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "args" + } + }, + { + "key": "file.path", + "value": { + "field": "path" + } + }, + { + "key": "file.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "file.hash.sha1", + "value": { + "field": "sha1" + } + }, + { + "key": "file.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "file.size", + "value": { + "field": "size" + } + }, + { + "key": "file.mtime", + "value": { + "field": "modified_time" + } + }, + { + "key": "file.ctime", + "value": { + "field": "changed_time" + } + }, + { + "key": "file.accessed", + "value": { + "field": "accessed_time" + } + }, + { + "key": "file.created", + "value": { + "field": "created_time" + } + }, + { + "key": "file.directory", + "value": { + "field": "directory" + } + }, + { + "key": "user.name", + "value": { + "field": "username" + } + }, + { + "key": "rule.category", + "value": { + "field": "type" + } + }, + { + 
"key": "service.state", + "value": { + "field": "status" + } + }, + { + "key": "file.code_signature.subject_name", + "value": { + "field": "signature_signer" + } + }, + { + "key": "file.code_signature.status", + "value": { + "field": "signature_status" + } + }, + { + "key": "rule.description", + "value": { + "field": "detection_reason" + } + }, + { + "key": "rule.name", + "value": { + "field": "detection_method" + } + }, + { + "key": "tags", + "value": { + "value": ["osquery", "persistence", "startup_items", "windows"] + } + } + ], + "id": "startup_items_windows_elastic", + "interval": "3600", + "platform": "windows", + "query": "-- Dual-detection Windows startup items query:\n-- 1. NON_WHITELISTED: Filters out known-good high-volume tasks, flags everything else\n-- 2. LOTL_INDICATOR: Detects Living off the Land attack patterns (powershell -e, certutil, etc.)\n-- Uses TRIM() on paths and extracts .exe path for proper hash lookups\n-- MITRE ATT&CK: T1547.001, T1059.001, T1105\n\nWITH non_whitelisted AS (\n SELECT \n si.name,\n TRIM(si.path) AS path,\n si.type,\n si.status,\n si.source,\n si.args,\n si.username,\n 'NON_WHITELISTED' AS detection_method,\n 'Startup item not in known-good allowlist' AS detection_reason\n FROM startup_items AS si\n WHERE si.type IN ('Startup Item', 'Run Group Policy', 'RunOnce')\n AND TRIM(si.path) IS NOT NULL\n AND TRIM(si.path) != ''\n -- Filter out RunNotification numeric values (0, 1, 4, etc.)\n AND LENGTH(TRIM(si.path)) > 2\n AND (TRIM(si.path) LIKE '%\\\\%' OR TRIM(si.path) LIKE '_:%' OR TRIM(si.path) LIKE '\"%')\n -- Filter 1a: Exclude Microsoft system tasks in System32 (unless LotL indicators present)\n AND NOT (\n si.source LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\%'\n AND TRIM(si.path) LIKE 'C:\\Windows\\System32\\%'\n AND si.args NOT LIKE '%powershell% -e%'\n AND si.args NOT LIKE '% -enc %'\n AND si.args NOT LIKE '% -EncodedCommand %'\n AND si.args NOT LIKE '%Invoke-WebRequest%'\n AND si.args NOT LIKE '%IWR %'\n 
AND si.args NOT LIKE '%certutil% -urlcache%'\n AND si.args NOT LIKE '%bitsadmin%'\n )\n -- Filter 1b: Exclude specific known-good third-party updaters (name + path match required)\n AND NOT (\n si.name = 'GoogleUpdateTaskMachineUA'\n AND TRIM(si.path) LIKE '%GoogleUpdate.exe%'\n )\n AND NOT (\n si.name LIKE 'Adobe Acrobat Update Task%'\n AND TRIM(si.path) LIKE '%Adobe%'\n )\n AND NOT (\n si.source LIKE '%Microsoft\\Office%'\n AND TRIM(si.path) LIKE 'C:\\Program Files\\Microsoft Office\\%'\n )\n),\nlotl_indicators AS (\n SELECT \n si.name,\n TRIM(si.path) AS path,\n si.type,\n si.status,\n si.source,\n si.args,\n si.username,\n 'LOTL_INDICATOR' AS detection_method,\n CASE\n WHEN si.args LIKE '%powershell% -e%' OR si.args LIKE '% -enc %' OR si.args LIKE '% -EncodedCommand %' THEN 'PowerShell base64 encoded command'\n WHEN si.args LIKE '%Invoke-WebRequest%' OR si.args LIKE '%IWR %' OR si.args LIKE '%curl %' OR si.args LIKE '%wget %' THEN 'Download command detected'\n WHEN si.args LIKE '%certutil% -urlcache%' OR si.args LIKE '%certutil% -f%' THEN 'CertUtil download abuse'\n WHEN si.args LIKE '%bitsadmin% /transfer%' THEN 'BITSAdmin download abuse'\n WHEN TRIM(si.path) LIKE '%C:\\Users\\Public\\%' OR TRIM(si.path) LIKE '%C:\\ProgramData\\%' THEN 'Suspicious file path (writable by low-priv users)'\n WHEN TRIM(si.path) LIKE '%\\Temp\\%' OR TRIM(si.path) LIKE '%\\AppData\\Local\\Temp\\%' THEN 'Execution from Temp directory'\n WHEN si.args LIKE '%wscript.exe%' OR si.args LIKE '%cscript.exe%' THEN 'Windows Script Host abuse'\n WHEN si.args LIKE '%mshta.exe%' THEN 'MSHTA.exe abuse'\n WHEN si.args LIKE '%regsvr32%' OR si.args LIKE '%rundll32%' THEN 'Proxy execution via regsvr32/rundll32'\n WHEN si.args LIKE '%.hta%' OR si.args LIKE '%.vbs%' OR si.args LIKE '%.js%' THEN 'Script file execution'\n ELSE 'Unknown LotL pattern'\n END AS detection_reason\n FROM startup_items AS si\n WHERE si.type IN ('Startup Item', 'Run Group Policy', 'RunOnce')\n AND TRIM(si.path) IS NOT NULL\n AND 
TRIM(si.path) != ''\n -- Filter out RunNotification numeric values (0, 1, 4, etc.)\n AND LENGTH(TRIM(si.path)) > 2\n AND (TRIM(si.path) LIKE '%\\\\%' OR TRIM(si.path) LIKE '_:%' OR TRIM(si.path) LIKE '\"%')\n AND (\n -- PowerShell encoded commands (highest priority)\n si.args LIKE '%powershell% -e%'\n OR si.args LIKE '% -enc %'\n OR si.args LIKE '% -EncodedCommand %'\n -- Download utilities abuse\n OR si.args LIKE '%Invoke-WebRequest%'\n OR si.args LIKE '%IWR %'\n OR si.args LIKE '%curl %'\n OR si.args LIKE '%wget %'\n OR si.args LIKE '%certutil% -urlcache%'\n OR si.args LIKE '%certutil% -f%'\n OR si.args LIKE '%bitsadmin% /transfer%'\n -- Suspicious file paths\n OR TRIM(si.path) LIKE '%C:\\Users\\Public\\%'\n OR TRIM(si.path) LIKE '%C:\\ProgramData\\%'\n OR TRIM(si.path) LIKE '%\\Temp\\%'\n OR TRIM(si.path) LIKE '%\\AppData\\Local\\Temp\\%'\n -- Script execution abuse\n OR si.args LIKE '%wscript.exe%'\n OR si.args LIKE '%cscript.exe%'\n OR si.args LIKE '%mshta.exe%'\n OR si.args LIKE '%regsvr32%'\n OR si.args LIKE '%rundll32%'\n OR si.args LIKE '%.hta%'\n OR si.args LIKE '%.vbs%'\n OR si.args LIKE '%.js%'\n )\n),\ncombined AS (\n SELECT * FROM non_whitelisted\n UNION\n SELECT * FROM lotl_indicators\n)\nSELECT \n c.name,\n c.path,\n -- Extract .exe path from command line for proper hash/signature lookups\n CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\n END AS exe_path,\n c.type,\n c.status,\n c.source,\n c.args,\n c.username,\n c.detection_method,\n c.detection_reason,\n a.subject_name AS signature_signer,\n a.result AS signature_status,\n h.sha256,\n h.sha1,\n h.md5,\n f.size,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.btime, 'unixepoch') AS 
created_time,\n f.directory\nFROM combined AS c\nLEFT JOIN authenticode AS a ON a.path = CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\nEND\nLEFT JOIN hash AS h ON h.path = CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\nEND\nLEFT JOIN file AS f ON f.path = CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\nEND\nORDER BY \n CASE WHEN c.detection_method = 'LOTL_INDICATOR' THEN 0 ELSE 1 END,\n c.detection_reason,\n c.name", + "updated_at": "2025-11-21T00:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "9.2.0", + "id": "osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-11-21T00:00:00.000Z", + "version": "WzEwNTUzLDJd" +} diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-e5f6a7b8-c9d0-23ef-4567-890123456789.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-e5f6a7b8-c9d0-23ef-4567-890123456789.json new file mode 100644 index 00000000000..b82d36fa2a3 --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-e5f6a7b8-c9d0-23ef-4567-890123456789.json 
@@ -0,0 +1,159 @@ +{ + "attributes": { + "created_at": "2025-11-21T00:00:00.000Z", + "created_by": "elastic", + "description": "Detects Linux persistence via dual-detection approach: (1) User-created persistence mechanisms (systemd, cron, XDG autostart, startup_items) and (2) Living off the Land (LotL) attack indicators using legitimate Linux tools. Combines startup_items table with fine-grained systemd_units/crontab queries for comprehensive coverage. Identifies both custom persistence AND abuse of bash, curl/wget, base64 decoding, /dev/shm execution, etc. Maintains cross-distro compatibility with location-based filtering and expanded known-good allowlist. Maps to MITRE ATT&CK T1543.002 (Systemd Service), T1053.003 (Cron), T1547.013 (XDG Autostart), T1059.004 (Unix Shell), T1105 (Ingress Tool Transfer).", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["configuration"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "event.action", + "value": { + "value": "osquery.startup_items" + } + }, + { + "key": "process.command_line", + "value": { + "field": "args" + } + }, + { + "key": "file.path", + "value": { + "field": "path" + } + }, + { + "key": "file.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "file.hash.sha1", + "value": { + "field": "sha1" + } + }, + { + "key": "file.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "file.size", + "value": { + "field": "size" + } + }, + { + "key": "file.mtime", + "value": { + "field": "modified_time" + } + }, + { + "key": "file.ctime", + "value": { + "field": "changed_time" + } + }, + { + "key": "file.accessed", + "value": { + "field": "accessed_time" + } + }, + { + "key": "file.created", + "value": { + "field": "created_time" + } + }, + { + "key": "file.uid", + "value": { + "field": "uid" + } + }, + { + "key": "file.gid", + "value": { + "field": "gid" + } + }, + { + "key": "file.mode", + "value": { + "field": "mode" + } + }, 
+ { + "key": "user.name", + "value": { + "field": "username" + } + }, + { + "key": "service.id", + "value": { + "field": "service_id" + } + }, + { + "key": "service.state", + "value": { + "field": "status" + } + }, + { + "key": "rule.category", + "value": { + "field": "type" + } + }, + { + "key": "rule.description", + "value": { + "field": "detection_reason" + } + }, + { + "key": "rule.name", + "value": { + "field": "detection_method" + } + }, + { + "key": "tags", + "value": { + "value": ["osquery", "persistence", "startup_items", "linux"] + } + } + ], + "id": "startup_items_linux_elastic", + "interval": "3600", + "platform": "linux", + "query": "-- Dual-detection Linux persistence query:\n-- 1. NON_WHITELISTED: User-created systemd/cron/XDG autostart/startup_items (location-based filtering)\n-- 2. LOTL_INDICATOR: Living off the Land patterns (bash -c, curl | bash, base64 -d, etc.)\n-- Uses TRIM() on paths for proper matching\n-- MITRE ATT&CK: T1543.002, T1053.003, T1547.013, T1059.004, T1105\n\nWITH non_whitelisted_systemd AS (\n SELECT\n su.id AS name,\n su.id AS service_id,\n TRIM(su.fragment_path) AS path,\n TRIM(su.fragment_path) AS source,\n su.description AS args,\n su.user AS username,\n CASE\n WHEN su.unit_file_state = 'enabled' THEN 'enabled'\n WHEN su.unit_file_state = 'disabled' THEN 'disabled'\n ELSE su.unit_file_state\n END AS status,\n 'Systemd Service (Custom)' AS type,\n 'NON_WHITELISTED' AS detection_method,\n 'User-created systemd service' AS detection_reason\n FROM systemd_units AS su\n WHERE TRIM(su.fragment_path) LIKE '/etc/systemd/system/%'\n AND su.id LIKE '%.service'\n AND su.unit_file_state IN ('enabled', 'static', 'linked')\n AND su.id NOT IN (\n 'ssh.service', 'sshd.service', 'cron.service', 'crond.service',\n 'rsyslog.service', 'syslog.service', 'systemd-timesyncd.service',\n 'chronyd.service', 'ntpd.service', 'NetworkManager.service',\n 'systemd-networkd.service', 'networking.service', 'docker.service',\n 'containerd.service', 
'podman.service', 'snapd.service',\n 'flatpak-system-helper.service', 'ufw.service', 'firewalld.service',\n 'iptables.service', 'nftables.service', 'auditd.service',\n 'journald.service', 'systemd-journald.service', 'polkit.service',\n 'dbus.service', 'dbus-broker.service', 'gdm.service', 'lightdm.service',\n 'sddm.service', 'cups.service', 'cups-browsed.service',\n 'avahi-daemon.service', 'bluetooth.service', 'ModemManager.service',\n 'accounts-daemon.service', 'udisks2.service', 'upower.service',\n 'thermald.service', 'fwupd.service', 'packagekit.service',\n 'unattended-upgrades.service', 'apt-daily.service',\n 'apt-daily-upgrade.service', 'dnf-makecache.service',\n 'elastic-agent.service', 'filebeat.service', 'metricbeat.service',\n 'auditbeat.service', 'osqueryd.service'\n )\n AND su.id NOT LIKE 'getty@%'\n AND su.id NOT LIKE 'dbus-%'\n AND su.id NOT LIKE 'systemd-%'\n AND su.id NOT LIKE 'user@%'\n AND su.id NOT LIKE 'session-%'\n),\nnon_whitelisted_cron AS (\n SELECT\n SUBSTR(c.command, 1, 100) AS name,\n '' AS service_id,\n TRIM(c.path) AS path,\n TRIM(c.path) AS source,\n c.command AS args,\n CASE\n WHEN TRIM(c.path) LIKE '/var/spool/cron/crontabs/%' THEN REPLACE(TRIM(c.path), '/var/spool/cron/crontabs/', '')\n WHEN TRIM(c.path) LIKE '/var/spool/cron/%' THEN REPLACE(REPLACE(TRIM(c.path), '/var/spool/cron/', ''), 'crontabs/', '')\n ELSE 'root'\n END AS username,\n 'enabled' AS status,\n 'Cron @reboot' AS type,\n 'NON_WHITELISTED' AS detection_method,\n 'Cron @reboot job' AS detection_reason\n FROM crontab AS c\n WHERE c.event = '@reboot'\n AND c.command NOT LIKE '%/usr/lib/apt/%'\n AND c.command NOT LIKE '%unattended-upgrade%'\n AND c.command NOT LIKE '%/usr/sbin/anacron%'\n AND c.command NOT LIKE '%run-parts%/etc/cron%'\n),\nnon_whitelisted_xdg AS (\n SELECT\n REPLACE(f.filename, '.desktop', '') AS name,\n '' AS service_id,\n f.path,\n f.directory AS source,\n '' AS args,\n SUBSTR(SUBSTR(f.path, 7), 1, INSTR(SUBSTR(f.path, 7), '/') - 1) AS username,\n 
'enabled' AS status,\n 'XDG Autostart (User)' AS type,\n 'NON_WHITELISTED' AS detection_method,\n 'User-specific XDG autostart entry' AS detection_reason\n FROM file AS f\n WHERE f.path LIKE '/home/%/.config/autostart/%.desktop'\n),\nnon_whitelisted_startup AS (\n SELECT\n si.name,\n '' AS service_id,\n TRIM(si.path) AS path,\n si.source,\n si.args,\n si.username,\n si.status,\n 'Startup Item (Generic)' AS type,\n 'NON_WHITELISTED' AS detection_method,\n 'Startup item from startup_items table' AS detection_reason\n FROM startup_items AS si\n WHERE TRIM(si.path) IS NOT NULL\n AND TRIM(si.path) != ''\n AND TRIM(si.path) NOT LIKE '/usr/lib/systemd/%'\n AND TRIM(si.path) NOT LIKE '/lib/systemd/%'\n AND TRIM(si.path) NOT LIKE '/usr/share/dbus-1/%'\n AND TRIM(si.path) NOT LIKE '/etc/init.d/%'\n AND TRIM(si.path) NOT LIKE '/run/systemd/generator/%'\n AND TRIM(si.path) NOT LIKE '/run/systemd/generator.late/%'\n AND TRIM(si.path) NOT LIKE '/run/systemd/transient/%'\n AND TRIM(si.path) NOT LIKE '/run/systemd/system/%'\n AND TRIM(si.path) NOT LIKE '/etc/systemd/system/%'\n AND si.source NOT LIKE '/etc/xdg/autostart/%'\n AND si.source NOT LIKE '/usr/share/gnome/autostart/%'\n AND si.source NOT LIKE '/usr/share/autostart/%'\n AND si.source NOT LIKE '/usr/share/gdm/autostart/%'\n AND si.source NOT LIKE '/usr/share/applications/%'\n AND si.name NOT LIKE 'snap-%.mount'\n AND si.name NOT LIKE 'snap%.mount'\n AND si.name NOT LIKE 'session-%.scope'\n AND si.name NOT LIKE 'user-%.slice'\n AND si.name NOT LIKE 'user@%.service'\n AND si.name NOT LIKE '%.mount'\n AND si.name NOT LIKE '%.automount'\n AND si.name NOT LIKE '%.socket'\n AND si.name NOT LIKE '%.timer'\n AND si.name NOT LIKE '%.path'\n AND si.name NOT LIKE '%.target'\n AND si.name NOT LIKE '%.slice'\n AND si.name NOT LIKE '%.swap'\n AND si.name NOT LIKE '%.device'\n AND si.name NOT LIKE 'systemd-%'\n AND si.name NOT LIKE 'dbus-%'\n AND si.name NOT LIKE 'getty@%'\n AND si.name NOT LIKE 'GNOME %'\n AND si.name NOT LIKE 'gsd-%'\n 
AND si.name NOT IN (\n 'sshd', 'ssh.service', 'sshd.service', 'cron', 'cron.service',\n 'crond', 'crond.service', 'rsyslogd', 'rsyslog.service',\n 'chronyd', 'chronyd.service', 'ntpd', 'ntpd.service',\n 'NetworkManager', 'NetworkManager.service', 'dockerd', 'docker.service',\n 'containerd', 'containerd.service', 'snapd', 'snapd.service',\n 'polkitd', 'polkit.service', 'gdm', 'gdm.service', 'gdm3',\n 'lightdm', 'lightdm.service', 'sddm', 'sddm.service',\n 'cupsd', 'cups.service', 'cups-browsed', 'cups-browsed.service',\n 'avahi-daemon', 'avahi-daemon.service', 'bluetoothd', 'bluetooth',\n 'bluetooth.service', 'ModemManager', 'ModemManager.service',\n 'udisksd', 'udisks2.service', 'upowerd', 'upower.service',\n 'thermald', 'thermald.service', 'fwupd', 'fwupd.service',\n 'packagekitd', 'packagekit.service', 'elastic-agent', 'elastic-agent.service',\n 'filebeat', 'filebeat.service', 'metricbeat', 'metricbeat.service',\n 'auditbeat', 'auditbeat.service', 'osqueryd', 'osqueryd.service',\n 'dbus', 'dbus.service', 'accounts-daemon.service', 'apport.service',\n 'apparmor.service', 'ufw.service', 'firewalld.service'\n )\n),\nlotl_systemd AS (\n SELECT\n su.id AS name,\n su.id AS service_id,\n TRIM(su.fragment_path) AS path,\n TRIM(su.fragment_path) AS source,\n su.description AS args,\n su.user AS username,\n CASE\n WHEN su.unit_file_state = 'enabled' THEN 'enabled'\n WHEN su.unit_file_state = 'disabled' THEN 'disabled'\n ELSE su.unit_file_state\n END AS status,\n 'Systemd Service (LotL)' AS type,\n 'LOTL_INDICATOR' AS detection_method,\n CASE\n WHEN su.description LIKE '%bash -c%' OR su.description LIKE '%sh -c%' THEN 'Shell command execution via -c flag'\n WHEN su.description LIKE '%curl%|%bash%' OR su.description LIKE '%wget%|%sh%' THEN 'Download and pipe to shell'\n WHEN su.description LIKE '%curl%http%' OR su.description LIKE '%wget%http%' THEN 'Download utility abuse'\n WHEN su.description LIKE '%base64 -d%' OR su.description LIKE '%base64 --decode%' THEN 'Base64 
decode for obfuscation'\n WHEN su.description LIKE '%/dev/shm/%' OR su.description LIKE '%/tmp/%' THEN 'Execution from world-writable directory'\n WHEN su.description LIKE '% nc %' OR su.description LIKE '%/nc %' OR su.description LIKE 'nc %' OR su.description LIKE '%netcat%' OR su.description LIKE '%ncat %' THEN 'Netcat reverse shell'\n WHEN su.description LIKE '%/dev/tcp/%' THEN 'Bash TCP socket redirection'\n WHEN su.description LIKE '%nohup%&%' OR su.description LIKE '%disown%' THEN 'Background process persistence'\n WHEN su.description LIKE '%.sh%' AND TRIM(su.fragment_path) LIKE '/tmp/%' THEN 'Shell script from temp directory'\n WHEN su.description LIKE '%python% -c%' OR su.description LIKE '%perl% -e%' THEN 'Scripting language one-liner'\n WHEN su.description LIKE '%chmod +x%' AND su.description LIKE '%http%' THEN 'Download and execute pattern'\n ELSE 'Unknown LotL pattern in systemd'\n END AS detection_reason\n FROM systemd_units AS su\n WHERE TRIM(su.fragment_path) IS NOT NULL\n AND su.id LIKE '%.service'\n AND su.unit_file_state IN ('enabled', 'static', 'linked')\n AND (\n su.description LIKE '%bash -c%'\n OR su.description LIKE '%sh -c%'\n OR su.description LIKE '%curl%|%bash%'\n OR su.description LIKE '%wget%|%sh%'\n OR su.description LIKE '%curl%http%'\n OR su.description LIKE '%wget%http%'\n OR su.description LIKE '%base64 -d%'\n OR su.description LIKE '%base64 --decode%'\n OR su.description LIKE '%/dev/shm/%'\n OR su.description LIKE '%/tmp/%'\n OR (su.description LIKE '% nc %' OR su.description LIKE '%/nc %' OR su.description LIKE 'nc %')\n OR su.description LIKE '%netcat%'\n OR su.description LIKE '%ncat %'\n OR su.description LIKE '%/dev/tcp/%'\n OR su.description LIKE '%nohup%&%'\n OR su.description LIKE '%disown%'\n OR (su.description LIKE '%.sh%' AND TRIM(su.fragment_path) LIKE '/tmp/%')\n OR su.description LIKE '%python% -c%'\n OR su.description LIKE '%perl% -e%'\n OR (su.description LIKE '%chmod +x%' AND su.description LIKE '%http%')\n 
)\n),\nlotl_cron AS (\n SELECT\n SUBSTR(c.command, 1, 100) AS name,\n '' AS service_id,\n TRIM(c.path) AS path,\n TRIM(c.path) AS source,\n c.command AS args,\n CASE\n WHEN TRIM(c.path) LIKE '/var/spool/cron/crontabs/%' THEN REPLACE(TRIM(c.path), '/var/spool/cron/crontabs/', '')\n WHEN TRIM(c.path) LIKE '/var/spool/cron/%' THEN REPLACE(REPLACE(TRIM(c.path), '/var/spool/cron/', ''), 'crontabs/', '')\n ELSE 'root'\n END AS username,\n 'enabled' AS status,\n 'Cron (LotL)' AS type,\n 'LOTL_INDICATOR' AS detection_method,\n CASE\n WHEN c.command LIKE '%bash -c%' OR c.command LIKE '%sh -c%' THEN 'Shell command execution via -c flag'\n WHEN c.command LIKE '%curl%|%bash%' OR c.command LIKE '%wget%|%sh%' THEN 'Download and pipe to shell'\n WHEN c.command LIKE '%curl%http%' OR c.command LIKE '%wget%http%' THEN 'Download utility abuse'\n WHEN c.command LIKE '%base64 -d%' OR c.command LIKE '%base64 --decode%' THEN 'Base64 decode for obfuscation'\n WHEN c.command LIKE '%/dev/shm/%' OR c.command LIKE '%/tmp/%' THEN 'Execution from world-writable directory'\n WHEN c.command LIKE '% nc %' OR c.command LIKE '%/nc %' OR c.command LIKE 'nc %' OR c.command LIKE '%netcat%' OR c.command LIKE '%ncat %' THEN 'Netcat reverse shell'\n WHEN c.command LIKE '%/dev/tcp/%' THEN 'Bash TCP socket redirection'\n WHEN c.command LIKE '%nohup%&%' OR c.command LIKE '%disown%' THEN 'Background process persistence'\n WHEN c.command LIKE '%python% -c%' OR c.command LIKE '%perl% -e%' THEN 'Scripting language one-liner'\n WHEN c.command LIKE '%chmod +x%' AND c.command LIKE '%http%' THEN 'Download and execute pattern'\n ELSE 'Unknown LotL pattern in cron'\n END AS detection_reason\n FROM crontab AS c\n WHERE c.command IS NOT NULL\n AND (\n c.command LIKE '%bash -c%'\n OR c.command LIKE '%sh -c%'\n OR c.command LIKE '%curl%|%bash%'\n OR c.command LIKE '%wget%|%sh%'\n OR c.command LIKE '%curl%http%'\n OR c.command LIKE '%wget%http%'\n OR c.command LIKE '%base64 -d%'\n OR c.command LIKE '%base64 --decode%'\n OR 
c.command LIKE '%/dev/shm/%'\n OR c.command LIKE '%/tmp/%'\n OR (c.command LIKE '% nc %' OR c.command LIKE '%/nc %' OR c.command LIKE 'nc %')\n OR c.command LIKE '%netcat%'\n OR c.command LIKE '%ncat %'\n OR c.command LIKE '%/dev/tcp/%'\n OR c.command LIKE '%nohup%&%'\n OR c.command LIKE '%disown%'\n OR c.command LIKE '%python% -c%'\n OR c.command LIKE '%perl% -e%'\n OR (c.command LIKE '%chmod +x%' AND c.command LIKE '%http%')\n )\n),\nlotl_startup AS (\n SELECT\n si.name,\n '' AS service_id,\n TRIM(si.path) AS path,\n si.source,\n si.args,\n si.username,\n si.status,\n 'Startup Item (LotL)' AS type,\n 'LOTL_INDICATOR' AS detection_method,\n CASE\n WHEN si.args LIKE '%bash -c%' OR si.args LIKE '%sh -c%' THEN 'Shell command execution via -c flag'\n WHEN si.args LIKE '%curl%|%bash%' OR si.args LIKE '%wget%|%sh%' THEN 'Download and pipe to shell'\n WHEN si.args LIKE '%curl%http%' OR si.args LIKE '%wget%http%' THEN 'Download utility abuse'\n WHEN si.args LIKE '%base64 -d%' OR si.args LIKE '%base64 --decode%' THEN 'Base64 decode for obfuscation'\n WHEN TRIM(si.path) LIKE '%/dev/shm/%' OR TRIM(si.path) LIKE '%/tmp/%' THEN 'Execution from world-writable directory'\n WHEN si.args LIKE '% nc %' OR si.args LIKE '%/nc %' OR si.args LIKE 'nc %' OR si.args LIKE '%netcat%' OR si.args LIKE '%ncat %' THEN 'Netcat reverse shell'\n WHEN si.args LIKE '%/dev/tcp/%' THEN 'Bash TCP socket redirection'\n WHEN si.args LIKE '%nohup%&%' OR si.args LIKE '%disown%' THEN 'Background process persistence'\n WHEN si.args LIKE '%python% -c%' OR si.args LIKE '%perl% -e%' THEN 'Scripting language one-liner'\n WHEN si.args LIKE '%chmod +x%' AND si.args LIKE '%http%' THEN 'Download and execute pattern'\n ELSE 'Unknown LotL pattern in startup_items'\n END AS detection_reason\n FROM startup_items AS si\n WHERE TRIM(si.path) IS NOT NULL\n AND TRIM(si.path) != ''\n AND (\n si.args LIKE '%bash -c%'\n OR si.args LIKE '%sh -c%'\n OR si.args LIKE '%curl%|%bash%'\n OR si.args LIKE '%wget%|%sh%'\n OR si.args 
LIKE '%curl%http%'\n OR si.args LIKE '%wget%http%'\n OR si.args LIKE '%base64 -d%'\n OR si.args LIKE '%base64 --decode%'\n OR TRIM(si.path) LIKE '%/dev/shm/%'\n OR TRIM(si.path) LIKE '%/tmp/%'\n OR (si.args LIKE '% nc %' OR si.args LIKE '%/nc %' OR si.args LIKE 'nc %')\n OR si.args LIKE '%netcat%'\n OR si.args LIKE '%ncat %'\n OR si.args LIKE '%/dev/tcp/%'\n OR si.args LIKE '%nohup%&%'\n OR si.args LIKE '%disown%'\n OR si.args LIKE '%python% -c%'\n OR si.args LIKE '%perl% -e%'\n OR (si.args LIKE '%chmod +x%' AND si.args LIKE '%http%')\n )\n),\ncombined AS (\n SELECT * FROM non_whitelisted_systemd\n UNION ALL\n SELECT * FROM non_whitelisted_cron\n UNION ALL\n SELECT * FROM non_whitelisted_xdg\n UNION ALL\n SELECT * FROM non_whitelisted_startup\n UNION ALL\n SELECT * FROM lotl_systemd\n UNION ALL\n SELECT * FROM lotl_cron\n UNION ALL\n SELECT * FROM lotl_startup\n)\nSELECT\n c.name,\n c.service_id,\n c.path,\n c.type,\n c.status,\n c.source,\n c.args,\n c.username,\n c.detection_method,\n c.detection_reason,\n h.sha256,\n h.sha1,\n h.md5,\n f.size,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.btime, 'unixepoch') AS created_time,\n f.uid,\n f.gid,\n f.mode\nFROM combined AS c\nLEFT JOIN hash AS h ON h.path = c.path\nLEFT JOIN file AS f ON f.path = c.path\nORDER BY\n CASE WHEN c.detection_method = 'LOTL_INDICATOR' THEN 0 ELSE 1 END,\n c.detection_reason,\n c.type,\n c.name", + "updated_at": "2025-11-21T00:00:00.000Z", + "updated_by": "elastic" + }, + "coreMigrationVersion": "9.2.0", + "id": "osquery_manager-e5f6a7b8-c9d0-23ef-4567-890123456789", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-11-21T00:00:00.000Z", + "version": "WzEwNTUzLDJd" +} 
diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-f6a7b8c9-d0e1-34f0-5678-901234567890.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-f6a7b8c9-d0e1-34f0-5678-901234567890.json new file mode 100644 index 00000000000..0234ac5e08b --- /dev/null +++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-f6a7b8c9-d0e1-34f0-5678-901234567890.json 
@@ -0,0 +1,171 @@ +{ + "attributes": { + "created_at": "2025-11-21T00:00:00.000Z", + "created_by": "elastic", + "description": "Detects macOS persistence via dual-detection approach: (1) Non-Apple signed LaunchAgents/Daemons and (2) Living off the Land (LotL) attack indicators using legitimate macOS tools. Identifies both unsigned persistence AND abuse of bash, curl/osascript, base64, etc. Filters out Apple system paths while detecting suspicious patterns regardless of code signature. Note: macOS 10.13+ login items may not be fully captured due to Apple's backgrounditems.btm format. Maps to MITRE ATT&CK T1543.001 (Launch Agent/Daemon), T1547.015 (Login Items), T1059.004 (Unix Shell), T1105 (Ingress Tool Transfer).", + "ecs_mapping": [ + { + "key": "event.category", + "value": { + "value": ["configuration"] + } + }, + { + "key": "event.type", + "value": { + "value": ["info"] + } + }, + { + "key": "event.action", + "value": { + "value": "osquery.startup_items" + } + }, + { + "key": "process.executable", + "value": { + "field": "exe_path" + } + }, + { + "key": "process.command_line", + "value": { + "field": "args" + } + }, + { + "key": "file.path", + "value": { + "field": "path" + } + }, + { + "key": "file.hash.sha256", + "value": { + "field": "sha256" + } + }, + { + "key": "file.hash.sha1", + "value": { + "field": "sha1" + } + }, + { + "key": "file.hash.md5", + "value": { + "field": "md5" + } + }, + { + "key": "file.size", + "value": { + "field": "size" + } + }, + { + "key": "file.mtime", + "value": { + "field": "modified_time" + } + }, + { + "key": "file.ctime", + "value": { + "field": "changed_time" + } + }, + { + "key": "file.accessed", + "value": { + "field": "accessed_time" + } + }, + { + "key": "file.created", + "value": { + "field": "created_time" + } + }, + { + "key": "file.uid", + "value": { + "field": "uid" + } + }, + { + "key": "file.gid", + "value": { + "field": "gid" + } + }, + { + "key": "file.mode", + "value": { + "field": "mode" + } + }, + { + "key": 
"user.name", + "value": { + "field": "username" + } + }, + { + "key": "service.state", + "value": { + "field": "status" + } + }, + { + "key": "rule.category", + "value": { + "field": "type" + } + }, + { + "key": "file.code_signature.status", + "value": { + "field": "signature_status" + } + }, + { + "key": "file.code_signature.subject_name", + "value": { + "field": "signature_signer" + } + }, + { + "key": "rule.description", + "value": { + "field": "detection_reason" + } + }, + { + "key": "rule.name", + "value": { + "field": "detection_method" + } + }, + { + "key": "tags", + "value": { + "value": ["osquery", "persistence", "startup_items", "macos"] + } + } + ], + "id": "startup_items_darwin_elastic", + "interval": "3600", + "platform": "darwin", + "query": "-- Dual-detection macOS persistence query:\n-- 1. NON_WHITELISTED: Non-Apple signed LaunchAgents/Daemons (signature-based filtering)\n-- 2. LOTL_INDICATOR: Living off the Land patterns (bash -c, curl | bash, osascript, etc.)\n-- Uses TRIM() on paths and extracts executable path from program_arguments\n-- MITRE ATT&CK: T1543.001, T1547.015, T1059.004, T1105\n\nWITH non_whitelisted_launchd AS (\n SELECT\n l.label AS name,\n TRIM(COALESCE(NULLIF(l.program, ''), l.program_arguments)) AS path,\n l.path AS source,\n l.program_arguments AS args,\n l.username,\n CASE\n WHEN l.disabled = '1' OR l.disabled = 1 THEN 'disabled'\n WHEN l.run_at_load = 'true' OR l.run_at_load = '1' OR l.run_at_load = 1 THEN 'enabled'\n ELSE 'unknown'\n END AS status,\n 'Launch Agent/Daemon' AS type,\n 'NON_WHITELISTED' AS detection_method,\n 'Non-Apple signed LaunchAgent/Daemon' AS detection_reason\n FROM launchd AS l\n WHERE (\n (l.program IS NOT NULL AND TRIM(l.program) != '')\n OR (l.program_arguments IS NOT NULL AND TRIM(l.program_arguments) != '')\n )\n AND l.path NOT LIKE '/System/Library/%'\n AND l.path NOT LIKE '/Library/Apple/%'\n AND (l.run_at_load = 'true' OR l.run_at_load = '1' OR l.run_at_load = 1)\n),\nnon_whitelisted_startup AS 
(\n SELECT\n si.name,\n TRIM(si.path) AS path,\n si.source,\n si.args,\n si.username,\n si.status,\n CASE\n WHEN si.type = 'Startup Item' THEN 'Legacy Startup Item'\n WHEN si.type = 'Login Item' THEN 'Login Item'\n ELSE si.type\n END AS type,\n 'NON_WHITELISTED' AS detection_method,\n 'Legacy startup/login item' AS detection_reason\n FROM startup_items AS si\n WHERE TRIM(si.path) IS NOT NULL\n AND TRIM(si.path) != ''\n AND TRIM(si.path) NOT LIKE '/System/Library/%'\n AND TRIM(si.path) NOT LIKE '/Library/Apple/%'\n),\nlotl_launchd AS (\n SELECT\n l.label AS name,\n TRIM(COALESCE(NULLIF(l.program, ''), l.program_arguments)) AS path,\n l.path AS source,\n l.program_arguments AS args,\n l.username,\n CASE\n WHEN l.disabled = '1' OR l.disabled = 1 THEN 'disabled'\n WHEN l.run_at_load = 'true' OR l.run_at_load = '1' OR l.run_at_load = 1 THEN 'enabled'\n ELSE 'unknown'\n END AS status,\n 'Launch Agent/Daemon (LotL)' AS type,\n 'LOTL_INDICATOR' AS detection_method,\n CASE\n WHEN l.program_arguments LIKE '%bash -c%' OR l.program_arguments LIKE '%sh -c%' THEN 'Shell command execution via -c flag'\n WHEN l.program_arguments LIKE '%curl%|%bash%' OR l.program_arguments LIKE '%curl%|%sh%' THEN 'Download and pipe to shell'\n WHEN l.program_arguments LIKE '%curl%http%' OR l.program_arguments LIKE '%wget%http%' THEN 'Download utility abuse'\n WHEN l.program_arguments LIKE '%base64 -D%' OR l.program_arguments LIKE '%base64 --decode%' THEN 'Base64 decode for obfuscation'\n WHEN l.program_arguments LIKE '%osascript%' AND l.program_arguments LIKE '%-e%' THEN 'AppleScript execution abuse'\n WHEN l.program_arguments LIKE '%python%-%c%' OR l.program_arguments LIKE '%perl%-%e%' THEN 'Scripting language one-liner'\n WHEN (l.program_arguments LIKE '%/tmp/%' AND l.program_arguments NOT LIKE '%/var/tmp/%') OR l.program_arguments LIKE '%/private/tmp/%' THEN 'Execution from temp directory'\n WHEN l.program_arguments LIKE '%/dev/tcp/%' THEN 'Bash TCP socket redirection'\n WHEN l.program_arguments 
LIKE '% nc %' OR l.program_arguments LIKE '%/nc %' OR l.program_arguments LIKE 'nc %' OR l.program_arguments LIKE '%netcat%' OR l.program_arguments LIKE '%ncat %' THEN 'Netcat reverse shell'\n WHEN l.program_arguments LIKE '%nohup%&%' OR l.program_arguments LIKE '%disown%' THEN 'Background process persistence'\n WHEN l.program_arguments LIKE '%.sh%' AND (TRIM(COALESCE(NULLIF(l.program, ''), l.program_arguments)) LIKE '/tmp/%' OR TRIM(COALESCE(NULLIF(l.program, ''), l.program_arguments)) LIKE '/private/tmp/%') THEN 'Shell script from temp directory'\n ELSE 'Unknown LotL pattern in LaunchAgent'\n END AS detection_reason\n FROM launchd AS l\n WHERE (\n (l.program IS NOT NULL AND TRIM(l.program) != '')\n OR (l.program_arguments IS NOT NULL AND TRIM(l.program_arguments) != '')\n )\n AND (l.run_at_load = 'true' OR l.run_at_load = '1' OR l.run_at_load = 1)\n AND (\n l.program_arguments LIKE '%bash -c%'\n OR l.program_arguments LIKE '%sh -c%'\n OR l.program_arguments LIKE '%curl%|%bash%'\n OR l.program_arguments LIKE '%curl%|%sh%'\n OR l.program_arguments LIKE '%curl%http%'\n OR l.program_arguments LIKE '%wget%http%'\n OR l.program_arguments LIKE '%base64 -D%'\n OR l.program_arguments LIKE '%base64 --decode%'\n OR (l.program_arguments LIKE '%osascript%' AND l.program_arguments LIKE '%-e%')\n OR l.program_arguments LIKE '%python%-%c%'\n OR l.program_arguments LIKE '%perl%-%e%'\n OR (l.program_arguments LIKE '%/tmp/%' AND l.program_arguments NOT LIKE '%/var/tmp/%')\n OR l.program_arguments LIKE '%/private/tmp/%'\n OR l.program_arguments LIKE '%/dev/tcp/%'\n OR (l.program_arguments LIKE '% nc %' OR l.program_arguments LIKE '%/nc %' OR l.program_arguments LIKE 'nc %')\n OR l.program_arguments LIKE '%netcat%'\n OR l.program_arguments LIKE '%ncat %'\n OR l.program_arguments LIKE '%nohup%&%'\n OR l.program_arguments LIKE '%disown%'\n OR (l.program_arguments LIKE '%.sh%' AND (TRIM(COALESCE(NULLIF(l.program, ''), l.program_arguments)) LIKE '/tmp/%' OR 
TRIM(COALESCE(NULLIF(l.program, ''), l.program_arguments)) LIKE '/private/tmp/%'))\n )\n),\ncombined AS (\n SELECT * FROM non_whitelisted_launchd\n UNION ALL\n SELECT * FROM non_whitelisted_startup\n UNION ALL\n SELECT * FROM lotl_launchd\n)\nSELECT\n c.name,\n c.path,\n -- Extract executable path (first space-separated token if path contains arguments)\n CASE\n WHEN INSTR(c.path, ' ') > 0 AND SUBSTR(c.path, 1, 1) != '-'\n THEN SUBSTR(c.path, 1, INSTR(c.path, ' ') - 1)\n ELSE c.path\n END AS exe_path,\n c.type,\n c.status,\n c.source,\n c.args,\n c.username,\n c.detection_method,\n c.detection_reason,\n CASE WHEN s.signed = 1 THEN 'signed' ELSE 'unsigned' END AS signature_status,\n s.identifier AS signature_signer,\n h.sha256,\n h.sha1,\n h.md5,\n f.size,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.btime, 'unixepoch') AS created_time,\n f.uid,\n f.gid,\n f.mode\nFROM combined AS c\nLEFT JOIN signature AS s ON s.path = CASE\n WHEN INSTR(c.path, ' ') > 0 AND SUBSTR(c.path, 1, 1) != '-'\n THEN SUBSTR(c.path, 1, INSTR(c.path, ' ') - 1)\n ELSE c.path\nEND\nLEFT JOIN hash AS h ON h.path = CASE\n WHEN INSTR(c.path, ' ') > 0 AND SUBSTR(c.path, 1, 1) != '-'\n THEN SUBSTR(c.path, 1, INSTR(c.path, ' ') - 1)\n ELSE c.path\nEND\nLEFT JOIN file AS f ON f.path = CASE\n WHEN INSTR(c.path, ' ') > 0 AND SUBSTR(c.path, 1, 1) != '-'\n THEN SUBSTR(c.path, 1, INSTR(c.path, ' ') - 1)\n ELSE c.path\nEND\nWHERE (\n c.detection_method = 'LOTL_INDICATOR'\n OR s.signed IS NULL\n OR s.signed = 0\n OR (\n s.identifier IS NOT NULL\n AND s.identifier NOT LIKE 'com.apple.%'\n AND s.identifier NOT LIKE 'Apple Inc.%'\n )\n)\nORDER BY\n CASE WHEN c.detection_method = 'LOTL_INDICATOR' THEN 0 ELSE 1 END,\n CASE WHEN s.signed = 0 OR s.signed IS NULL THEN 0 ELSE 1 END,\n c.detection_reason,\n c.name", + "updated_at": "2025-11-21T00:00:00.000Z", + "updated_by": "elastic" + }, + 
"coreMigrationVersion": "9.2.0", + "id": "osquery_manager-f6a7b8c9-d0e1-34f0-5678-901234567890", + "references": [], + "type": "osquery-saved-query", + "updated_at": "2025-11-21T00:00:00.000Z", + "version": "WzEwNTUzLDJd" +}
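Review bot: the Apple allow-list in the final `WHERE` of the darwin query keys on `s.identifier NOT LIKE 'com.apple.%'`, but `identifier` is the self-declared code-signing identifier embedded by whoever signed the binary, not the certificate that signed it, so an ad-hoc or third-party signed item can carry a `com.apple.*` identifier and drop out of the results; the `signature` table's `authority` and `team_identifier` columns reflect the certificate chain and are the right basis for the "Apple-signed" decision (the companion pattern `'Apple Inc.%'` can never match a reverse-DNS identifier string). For the same reason, `file.code_signature.subject_name` should map from `authority` rather than `identifier`. Second, the first-token split `SUBSTR(c.path, 1, INSTR(c.path, ' ') - 1)` truncates executable paths that contain spaces (common under `/Applications`), the `signature`/`hash`/`file` joins then miss, and `CASE WHEN s.signed = 1 THEN 'signed' ELSE 'unsigned' END` reports a lookup that never happened as `unsigned`; add a `WHEN s.path IS NULL THEN 'unknown'` branch and hoist the CASE into `combined` as an `exe_path` column so it is written once instead of four times. Third, `non_whitelisted_launchd` requires `run_at_load`, which excludes jobs that persist through `keep_alive`, `start_interval` or `watch_paths` from the `launchd` table, and `'%python%-%c%'` / `'%perl%-%e%'` match any argument string with a hyphen followed later by a `c`/`e`, so the tighter `'%python% -c%'` form used in the Linux query is preferable.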