22 changes: 12 additions & 10 deletions packages/osquery_manager/artifacts_matrix.md
Expand Up @@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Last Updated**: 2025-11-21
**Total Core Artifacts**: 3 available + 37 in progress + 6 not available = 46 total
**Total Queries**: 30 (3 core forensic + 27 additional)
**Completion Rate**: 6.5% (3/46 core artifacts)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 3 | 6.5% |
| ⚠️ In Progress (Needs Validation) | 37 | 80.4% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
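Review bot: the header now reports 3 available core artifacts while "Total Queries" stays at 30 (3 core forensic + 27 additional) even though this PR adds three new saved queries (matrix rows 14, 14a, 14b); please confirm those startup_items_*_elastic queries were already counted among the 3 core ones, otherwise the Total Queries line needs to move with the 2025-11-21 date. The Coverage Summary percentages (6.5%, 80.4%, 13.0%) do agree with 3/46, 37/46 and 6/46, and the table now matches the header, which the previous revision (1 available in the header, 0 in the table) did not.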
Expand Down Expand Up @@ -50,9 +50,9 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 13 | Open Handles | ❌ | Win | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 13a | Open Handles | ❌ | Linux | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 13b | Open Handles | ❌ | Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14 | Startup Items | ✅ | Win | startup_items_windows_elastic | [d4e5](kibana/osquery_saved_query/osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567.json) | Dual-detection approach: (1) Non-whitelisted binaries, (2) LotL indicators (PowerShell -e, certutil, wscript abuse). Filters known-good tasks while flagging suspicious patterns. MITRE ATT&CK T1547.001, T1059.001, T1105 |
| 14a | Startup Items | ✅ | Linux | startup_items_linux_elastic | [e5f6](kibana/osquery_saved_query/osquery_manager-e5f6a7b8-c9d0-23ef-4567-890123456789.json) | Dual-detection approach: (1) User-created systemd/cron/XDG autostart, (2) LotL patterns (bash -c, curl pipe bash, base64 -d). Location-based filtering for cross-distro compatibility. MITRE ATT&CK T1543.002, T1053.003, T1547.013, T1059.004, T1105 |
| 14b | Startup Items | ✅ | Mac | startup_items_darwin_elastic | [f6a7](kibana/osquery_saved_query/osquery_manager-f6a7b8c9-d0e1-34f0-5678-901234567890.json) | Dual-detection approach: (1) Non-Apple signed LaunchAgents/Daemons, (2) LotL patterns (bash -c, curl pipe bash, osascript -e). Signature-based filtering with comprehensive LotL coverage. MITRE ATT&CK T1543.001, T1547.015, T1059.004, T1105 |
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
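Review bot: rows 14/14a/14b overwrite the broader "Persistence" artifact (services, startup_items, scheduled_tasks) with "Startup Items", so services and scheduled_tasks coverage is no longer tracked under any numbered row even though the Persistence Mechanisms section below still lists them; consider keeping a ⚠️ Persistence row and adding Startup Items under its own number rather than replacing. The Windows row's note "Filters known-good tasks" also reads as scheduled tasks, whereas the query filters startup_items entries (Run keys, Startup folder); "known-good entries" would be clearer. The link targets match the saved-query ids ([d4e5], [e5f6], [f6a7]) and the query name column matches the JSON id startup_items_windows_elastic.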
Expand Down Expand Up @@ -158,8 +158,10 @@ While some artifacts are not directly available, the existing queries provide st
- ❌ AmCache (Not Available - Use AppCompatCache + Prefetch as alternatives)

### Persistence Mechanisms
- ✅ Startup Items - Windows (Dual-detection: Non-whitelisted binaries + LotL indicators - T1547.001, T1059.001, T1105)
- ✅ Startup Items - Linux (Dual-detection: User-created systemd/cron/XDG + LotL patterns - T1543.002, T1053.003, T1547.013, T1059.004, T1105)
- ✅ Startup Items - macOS (Dual-detection: Non-Apple signed LaunchAgents/Daemons + LotL patterns - T1543.001, T1547.015, T1059.004, T1105)
- ⚠️ Installed Services (All platforms: services table)
- ⚠️ Persistence (All platforms: multiple tables)
- ⚠️ Registry (Windows: registry table)
- ⚠️ Tasks (All platforms: scheduled_tasks table)
- ⚠️ WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers)
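Review bot: the unchanged bullet "⚠️ Persistence (All platforms: multiple tables)" is now inconsistent with the matrix above, where the three Persistence rows were replaced by Startup Items; either drop this bullet or keep the Persistence rows in the matrix. The three new ✅ bullets also break the alphabetical order the rest of this list follows (Installed Services, Persistence, Registry, Tasks, WMI); placing them after Registry keeps the list sorted.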
@@ -0,0 +1,219 @@
{
"attributes": {
"created_at": "2025-11-21T00:00:00.000Z",
"created_by": "elastic",
"description": "Detects Windows persistence via startup items using dual-detection approach: (1) Non-whitelisted legitimate binaries and (2) Living off the Land (LotL) attack indicators. Identifies both unsigned/unknown binaries AND abuse of legitimate Windows tools (powershell -e, certutil, wscript, etc.) for malicious persistence. Filters out high-volume known-good tasks while flagging suspicious patterns regardless of code signature. Maps to MITRE ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), T1059.001 (PowerShell), T1105 (Ingress Tool Transfer).",
"ecs_mapping": [
{
"key": "event.category",
"value": {
"value": ["configuration"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "event.kind",
"value": {
"value": "state"
}
},
{
"key": "event.module",
"value": {
"value": "osquery"
}
},
{
"key": "event.dataset",
"value": {
"value": "osquery.startup_items"
}
},
{
"key": "host.os.type",
"value": {
"value": "windows"
}
},
{
"key": "process.name",
"value": {
"field": "name"
}
},
{
"key": "process.executable",
"value": {
"field": "path"
}
},
{
"key": "process.command_line",
"value": {
"field": "args"
}
},
Contributor
I saw "process" details for desktop.ini which included the fact that it was signed. I wonder what's going on. Is there a bug in the query or is this accurate?

There are also some strange exe_path values, like 0, 1, showing while enumerating HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunNotification.

Contributor Author
hmm, what do you suggest? Should we add a filter to exclude non-executable files from here?

{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "file.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "file.hash.sha1",
"value": {
"field": "sha1"
}
},
{
"key": "file.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "file.size",
"value": {
"field": "size"
}
},
{
"key": "file.mtime",
"value": {
"field": "modified_time"
}
},
{
"key": "file.ctime",
"value": {
"field": "changed_time"
}
},
{
"key": "file.accessed",
"value": {
"field": "accessed_time"
}
},
{
"key": "file.created",
"value": {
"field": "created_time"
}
},
{
"key": "file.directory",
"value": {
"field": "directory"
}
},
{
"key": "user.name",
"value": {
"field": "username"
}
},
{
"key": "rule.category",
"value": {
"field": "type"
}
},
{
"key": "service.state",
"value": {
"field": "status"
}
},
{
"key": "registry.path",
"value": {
"field": "source"
Contributor
source can contain non-registry paths. Drop this?
}
},
{
"key": "file.code_signature.subject_name",
"value": {
"field": "signature_signer"
}
},
{
"key": "file.code_signature.status",
"value": {
"field": "signature_status"
}
},
{
"key": "rule.description",
"value": {
"field": "detection_reason"
}
},
{
"key": "rule.name",
"value": {
"field": "detection_method"
}
},
{
"key": "tags",
"value": {
"value": ["osquery", "persistence", "startup_items", "windows", "mitre_t1547_001", "mitre_t1059_001", "mitre_t1105"]
}
},
{
"key": "threat.framework",
"value": {
"value": "MITRE ATT&CK"
}
},
{
"key": "threat.tactic.id",
"value": {
"value": ["TA0003", "TA0002"]
}
},
{
"key": "threat.tactic.name",
"value": {
"value": ["Persistence", "Execution"]
}
},
{
"key": "threat.technique.id",
"value": {
"value": ["T1547.001", "T1059.001", "T1105"]
}
},
{
"key": "threat.technique.name",
"value": {
"value": ["Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "Command and Scripting Interpreter: PowerShell", "Ingress Tool Transfer"]
}
}
],
"id": "startup_items_windows_elastic",
"interval": "3600",
"platform": "windows",
"query": "-- Dual-detection Windows startup items query:\n-- 1. NON_WHITELISTED: Filters out known-good high-volume tasks, flags everything else\n-- 2. LOTL_INDICATOR: Detects Living off the Land attack patterns (powershell -e, certutil, etc.)\n-- Uses TRIM() on paths and extracts .exe path for proper hash lookups\n-- MITRE ATT&CK: T1547.001, T1059.001, T1105\n\nWITH non_whitelisted AS (\n SELECT \n si.name,\n TRIM(si.path) AS path,\n si.type,\n si.status,\n si.source,\n si.args,\n si.username,\n 'NON_WHITELISTED' AS detection_method,\n 'Startup item not in known-good allowlist' AS detection_reason\n FROM startup_items AS si\n WHERE si.type IN ('Startup Item', 'Run Group Policy', 'RunOnce')\n AND TRIM(si.path) IS NOT NULL\n AND TRIM(si.path) != ''\n -- Filter 1a: Exclude Microsoft system tasks in System32 (unless LotL indicators present)\n AND NOT (\n si.source LIKE 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\%'\n AND TRIM(si.path) LIKE 'C:\\Windows\\System32\\%'\n AND si.args NOT LIKE '%powershell% -e%'\n AND si.args NOT LIKE '% -enc %'\n AND si.args NOT LIKE '% -EncodedCommand %'\n AND si.args NOT LIKE '%Invoke-WebRequest%'\n AND si.args NOT LIKE '%IWR %'\n AND si.args NOT LIKE '%certutil% -urlcache%'\n AND si.args NOT LIKE '%bitsadmin%'\n )\n -- Filter 1b: Exclude specific known-good third-party updaters (name + path match required)\n AND NOT (\n si.name = 'GoogleUpdateTaskMachineUA'\n AND TRIM(si.path) LIKE '%GoogleUpdate.exe%'\n )\n AND NOT (\n si.name LIKE 'Adobe Acrobat Update Task%'\n AND TRIM(si.path) LIKE '%Adobe%'\n )\n AND NOT (\n si.source LIKE '%Microsoft\\Office%'\n AND TRIM(si.path) LIKE 'C:\\Program Files\\Microsoft Office\\%'\n )\n),\nlotl_indicators AS (\n SELECT \n si.name,\n TRIM(si.path) AS path,\n si.type,\n si.status,\n si.source,\n si.args,\n si.username,\n 'LOTL_INDICATOR' AS detection_method,\n CASE\n WHEN si.args LIKE '%powershell% -e%' OR si.args LIKE '% -enc %' OR si.args LIKE '% -EncodedCommand %' THEN 'PowerShell base64 
encoded command'\n WHEN si.args LIKE '%Invoke-WebRequest%' OR si.args LIKE '%IWR %' OR si.args LIKE '%curl %' OR si.args LIKE '%wget %' THEN 'Download command detected'\n WHEN si.args LIKE '%certutil% -urlcache%' OR si.args LIKE '%certutil% -f%' THEN 'CertUtil download abuse'\n WHEN si.args LIKE '%bitsadmin% /transfer%' THEN 'BITSAdmin download abuse'\n WHEN TRIM(si.path) LIKE '%C:\\Users\\Public\\%' OR TRIM(si.path) LIKE '%C:\\ProgramData\\%' THEN 'Suspicious file path (writable by low-priv users)'\n WHEN TRIM(si.path) LIKE '%\\Temp\\%' OR TRIM(si.path) LIKE '%\\AppData\\Local\\Temp\\%' THEN 'Execution from Temp directory'\n WHEN si.args LIKE '%wscript.exe%' OR si.args LIKE '%cscript.exe%' THEN 'Windows Script Host abuse'\n WHEN si.args LIKE '%mshta.exe%' THEN 'MSHTA.exe abuse'\n WHEN si.args LIKE '%regsvr32%' OR si.args LIKE '%rundll32%' THEN 'Proxy execution via regsvr32/rundll32'\n WHEN si.args LIKE '%.hta%' OR si.args LIKE '%.vbs%' OR si.args LIKE '%.js%' THEN 'Script file execution'\n ELSE 'Unknown LotL pattern'\n END AS detection_reason\n FROM startup_items AS si\n WHERE si.type IN ('Startup Item', 'Run Group Policy', 'RunOnce')\n AND TRIM(si.path) IS NOT NULL\n AND TRIM(si.path) != ''\n AND (\n -- PowerShell encoded commands (highest priority)\n si.args LIKE '%powershell% -e%'\n OR si.args LIKE '% -enc %'\n OR si.args LIKE '% -EncodedCommand %'\n -- Download utilities abuse\n OR si.args LIKE '%Invoke-WebRequest%'\n OR si.args LIKE '%IWR %'\n OR si.args LIKE '%curl %'\n OR si.args LIKE '%wget %'\n OR si.args LIKE '%certutil% -urlcache%'\n OR si.args LIKE '%certutil% -f%'\n OR si.args LIKE '%bitsadmin% /transfer%'\n -- Suspicious file paths\n OR TRIM(si.path) LIKE '%C:\\Users\\Public\\%'\n OR TRIM(si.path) LIKE '%C:\\ProgramData\\%'\n OR TRIM(si.path) LIKE '%\\Temp\\%'\n OR TRIM(si.path) LIKE '%\\AppData\\Local\\Temp\\%'\n -- Script execution abuse\n OR si.args LIKE '%wscript.exe%'\n OR si.args LIKE '%cscript.exe%'\n OR si.args LIKE '%mshta.exe%'\n OR si.args 
LIKE '%regsvr32%'\n OR si.args LIKE '%rundll32%'\n OR si.args LIKE '%.hta%'\n OR si.args LIKE '%.vbs%'\n OR si.args LIKE '%.js%'\n )\n),\ncombined AS (\n SELECT * FROM non_whitelisted\n UNION\n SELECT * FROM lotl_indicators\n)\nSELECT \n c.name,\n c.path,\n -- Extract .exe path from command line for proper hash/signature lookups\n CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\n END AS exe_path,\n c.type,\n c.status,\n c.source,\n c.args,\n c.username,\n c.detection_method,\n c.detection_reason,\n a.subject_name AS signature_signer,\n a.result AS signature_status,\n h.sha256,\n h.sha1,\n h.md5,\n f.size,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.btime, 'unixepoch') AS created_time,\n f.directory\nFROM combined AS c\nLEFT JOIN authenticode AS a ON a.path = CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\nEND\nLEFT JOIN hash AS h ON h.path = CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\nEND\nLEFT JOIN file AS f ON f.path = CASE\n WHEN INSTR(LOWER(c.path), '.exe ') > 0\n THEN SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe ') + 3)\n WHEN INSTR(LOWER(c.path), '.exe\"') > 0\n THEN REPLACE(SUBSTR(c.path, 1, INSTR(LOWER(c.path), '.exe\"') + 3), '\"', '')\n ELSE c.path\nEND\nORDER BY \n CASE WHEN c.detection_method = 'LOTL_INDICATOR' THEN 0 ELSE 1 END,\n c.detection_reason,\n 
c.name",
"updated_at": "2025-11-21T00:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "9.2.0",
"id": "osquery_manager-d4e5f6a7-b8c9-12de-f345-678901234567",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-11-21T00:00:00.000Z",
"version": "WzEwNTUzLDJd"
}
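Review bot: the ECS mapping describes two different files in one event: file.path and process.executable map to `path` (the raw startup entry, which can still carry arguments or quotes), while sha256/sha1/md5, signature_signer and signature_status are joined on the derived exe_path; map file.path to exe_path (or add exe_path to the mapping) so the hash and signature belong to the file the event names. In the query, the LotL patterns '%.js%' and '%.hta%' match any substring (e.g. '.json', '.htaccess'), so anchor them to the end of the path or to a following space or quote; the Filter 1a exclusion only works for rows with NULL args because `si.args NOT LIKE ...` evaluates to NULL and the row happens to be dropped, so wrapping args in COALESCE(si.args, '') makes that intent explicit; and entries with no '.exe' fall through the ELSE c.path branch straight into the authenticode/hash/file joins, which is how desktop.ini from the Startup folder and the '0'/'1' RunNotification values noted above end up with file details, so an extension or path-shape check on TRIM(si.path) before the joins would address that. Computing exe_path once in the combined CTE and joining on that column also removes the four copies of the CASE expression. Minor: rule.category from `type` and service.state from `status` are a stretch for entries that are not services, and registry.path from `source` has the problem already raised in the thread.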