|
3 | 3 | This document tracks the coverage of forensic artifacts in Osquery. |
4 | 4 |
|
5 | 5 | **Last Updated**: 2025-11-07 |
6 | | -**Total Core Artifacts**: 36 available + 4 in progress + 6 not available = 46 total variants |
7 | | -**Total Queries**: 73 (46 core forensic variants + 27 additional) |
8 | | -**Completion Rate**: 78.3% (36/46 core artifacts fully supported) |
| 6 | +**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants |
| 7 | +**Total Queries**: 30 (3 core forensic variants + 27 additional) |
| 8 | +**Completion Rate**: 2.2% (1/46 core artifacts fully supported) |
9 | 9 |
|
10 | 10 | --- |
11 | 11 |
|
12 | 12 | ## Coverage Summary |
13 | 13 |
|
14 | 14 | | Status | Count | Percentage | |
15 | 15 | |--------|-------|------------| |
16 | | -| ✅ Available (Fully Supported) | 36 | 78.3% | |
17 | | -| ⚠️ In Progress (Needs Validation) | 4 | 8.7% | |
| 16 | +| ✅ Available (Fully Supported) | 0 | 0% | |
| 17 | +| ⚠️ In Progress (Needs Validation) | 39 | 87.0% | |
18 | 18 | | ❌ Not Available (Requires Extensions) | 6 | 13.0% | |
19 | 19 |
|
20 | 20 | --- |
21 | 21 |
|
22 | 22 | ## Core Forensic Artifacts Coverage |
23 | 23 |
|
24 | | -| # | Artifact | ✓ | OS | Query | File | Implementation Completed | Implementation Notes | |
25 | | -|---|----------|---|----|----|------|--------------------------|----------------------| |
26 | | -| 1 | AppCompatCache | ✅ | Win | - | - | ⏳ | shimcache table | |
27 | | -| 2 | AmCache | ❌ | Win | - | - | ❌ | Not natively supported — PR #7261 was closed due to lack of a SQL constraint, leading to indeterminate runtime | |
28 | | -| 3 | BITS Jobs Database | ⚠️ | Win | - | - | ⏳ | Not a native table, but can be queried via windows_eventlog | |
29 | | -| 4 | Browser URL History | ⚠️ | Win | - | - | ⏳ | No native table. Can be supported via ATC custom tables | |
30 | | -| 4a | Browser URL History | ⚠️ | Linux | - | - | ⏳ | No native table. Can be supported via ATC custom tables | |
31 | | -| 4b | Browser URL History | ⚠️ | Mac | - | - | ⏳ | No native table. Can be supported via ATC custom tables | |
32 | | -| 5 | File Listing | ✅ | Win | - | - | ⏳ | file and hash tables | |
33 | | -| 5a | File Listing | ✅ | Linux | - | - | ⏳ | file and hash tables | |
34 | | -| 5b | File Listing | ✅ | Mac | - | - | ⏳ | file and hash tables | |
35 | | -| 6 | Installed Services | ✅ | Win | - | - | ⏳ | services table | |
36 | | -| 6a | Installed Services | ✅ | Linux | - | - | ⏳ | services table | |
37 | | -| 6b | Installed Services | ✅ | Mac | - | - | ⏳ | services table | |
38 | | -| 7 | Jumplists | ❌ | Win | - | - | ❌ | Not natively supported — PR #7260 closed due to OLE format complexity | |
39 | | -| 8 | LNK files | ✅ | Win | - | - | ⏳ | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) | |
40 | | -| 9 | ARP Cache | ✅ | Win | - | - | ⏳ | arp_cache table | |
41 | | -| 9a | ARP Cache | ✅ | Linux | - | - | ⏳ | arp_cache table | |
42 | | -| 9b | ARP Cache | ✅ | Mac | - | - | ⏳ | arp_cache table | |
43 | | -| 10 | Disks & Volumes | ✅ | Win | - | - | ⏳ | disk_info table | |
44 | | -| 10a | Disks & Volumes | ✅ | Linux | - | - | ⏳ | disk_info table | |
45 | | -| 10b | Disks & Volumes | ✅ | Mac | - | - | ⏳ | disk_info table | |
46 | | -| 11 | Network Interfaces & IP Configuration | ✅ | Win | - | - | ⏳ | interface_details, interface_addresses, interface_ipv6 | |
47 | | -| 11a | Network Interfaces & IP Configuration | ✅ | Linux | - | - | ⏳ | interface_details, interface_addresses, interface_ipv6 | |
48 | | -| 11b | Network Interfaces & IP Configuration | ✅ | Mac | - | - | ⏳ | interface_details, interface_addresses, interface_ipv6 | |
49 | | -| 12 | NTFS USN Journal | ✅ | Win | - | - | ⏳ | ntfs_journal_events table | |
50 | | -| 13 | Open Handles | ❌ | Win | - | - | ❌ | PR #7835 open; external extension available: EclecticIQ ext | |
51 | | -| 13a | Open Handles | ❌ | Linux | - | - | ❌ | PR #7835 open; external extension available: EclecticIQ ext | |
52 | | -| 13b | Open Handles | ❌ | Mac | - | - | ❌ | PR #7835 open; external extension available: EclecticIQ ext | |
53 | | -| 14 | Persistence | ✅ | Win | - | - | ⏳ | Supported across multiple tables (services, startup_items, scheduled_tasks) | |
54 | | -| 14a | Persistence | ✅ | Linux | - | - | ⏳ | Supported across multiple tables (services, startup_items, scheduled_tasks) | |
55 | | -| 14b | Persistence | ✅ | Mac | - | - | ⏳ | Supported across multiple tables (services, startup_items, scheduled_tasks) | |
56 | | -| 15 | PowerShell History | ✅ | Win | - | - | ⏳ | powershell_events table | |
57 | | -| 16 | Prefetch Files | ✅ | Win | - | - | ⏳ | prefetch table | |
58 | | -| 17 | Process Listing | ✅ | Win | - | - | ⏳ | processes table | |
59 | | -| 17a | Process Listing | ✅ | Linux | - | - | ⏳ | processes table | |
60 | | -| 17b | Process Listing | ✅ | Mac | - | - | ⏳ | processes table | |
61 | | -| 18 | Registry | ✅ | Win | - | - | ⏳ | registry table | |
62 | | -| 19 | Shell History | ✅ | Linux | - | - | ⏳ | shell_history table | |
63 | | -| 19a | Shell History | ✅ | Mac | - | - | ⏳ | shell_history table | |
64 | | -| 20 | Shellbags | ✅ | Win | - | - | ⏳ | shellbags table | |
65 | | -| 21 | Tasks | ✅ | Win | - | - | ⏳ | scheduled_tasks table | |
66 | | -| 21a | Tasks | ✅ | Linux | - | - | ⏳ | scheduled_tasks table | |
67 | | -| 21b | Tasks | ✅ | Mac | - | - | ⏳ | scheduled_tasks table | |
68 | | -| 22 | User Assist | ✅ | Win | - | - | ⏳ | userassist table | |
69 | | -| 23 | WMI Config & Used Apps | ✅ | Win | - | - | ⏳ | wmi_cli_event_consumers, wmi_script_event_consumers | |
70 | | -| 24 | WMI Providers & Filters | ✅ | Win | - | - | ⏳ | wmi_event_filters, wmi_filter_consumer_binding | |
71 | | -| 25 | MFT | ❌ | Win | - | - | ❌ | Not natively supported. Available via Trail of Bits extension | |
| 24 | +| # | Artifact | ✓ | OS | Query | File | Implementation Notes | |
| 25 | +|---|----------|--|----|-------|------|----------------------------------------------------------------------------------------------------------------------------------| |
| 26 | +| 1 | AppCompatCache | ⚠️ | Win | - | - | shimcache table | |
| 27 | +| 2 | AmCache | ❌ | Win | - | - | Not natively supported — PR #7261 was closed due to lack of a SQL constraint, leading to indeterminate runtime | |
| 28 | +| 3 | BITS Jobs Database | ⚠️ | Win | - | - | Not a native table, but can be queried via windows_eventlog | |
| 29 | +| 4 | Browser URL History | ⚠️ | Win | - | - | No native table. Can be supported via ATC custom tables | |
| 30 | +| 4a | Browser URL History | ⚠️ | Linux | - | - | No native table. Can be supported via ATC custom tables | |
| 31 | +| 4b | Browser URL History | ⚠️ | Mac | - | - | No native table. Can be supported via ATC custom tables | |
| 32 | +| 5 | File Listing | ⚠️ | Win | - | - | file and hash tables | |
| 33 | +| 5a | File Listing | ⚠️ | Linux | - | - | file and hash tables | |
| 34 | +| 5b | File Listing | ⚠️ | Mac | - | - | file and hash tables | |
| 35 | +| 6 | Installed Services | ⚠️ | Win | - | - | services table | |
| 36 | +| 6a | Installed Services | ⚠️ | Linux | - | - | systemd table | |
| 37 | +| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table | |
| 38 | +| 7 | Jumplists | ❌ | Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity | |
| 39 | +| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) | |
| 40 | +| 9 | ARP Cache | ⚠️ | Win | - | - | arp_cache table | |
| 41 | +| 9a | ARP Cache | ⚠️ | Linux | - | - | arp_cache table | |
| 42 | +| 9b | ARP Cache | ⚠️ | Mac | - | - | arp_cache table | |
| 43 | +| 10 | Disks & Volumes | ⚠️ | Win | - | - | disk_info table | |
| 44 | +| 10a | Disks & Volumes | ⚠️ | Linux | - | - | disk_info table | |
| 45 | +| 10b | Disks & Volumes | ⚠️ | Mac | - | - | disk_info table | |
| 46 | +| 11 | Network Interfaces & IP Configuration | ⚠️ | Win | - | - | interface_details, interface_addresses, interface_ipv6 | |
| 47 | +| 11a | Network Interfaces & IP Configuration | ⚠️ | Linux | - | - | interface_details, interface_addresses, interface_ipv6 | |
| 48 | +| 11b | Network Interfaces & IP Configuration | ⚠️ | Mac | - | - | interface_details, interface_addresses, interface_ipv6 | |
| 49 | +| 12 | NTFS USN Journal | ⚠️ | Win | - | - | ntfs_journal_events table | |
| 50 | +| 13 | Open Handles | ❌ | Win | - | - | PR #7835 open; external extension available: EclecticIQ ext | |
| 51 | +| 13a | Open Handles | ❌ | Linux | - | - | PR #7835 open; external extension available: EclecticIQ ext | |
| 52 | +| 13b | Open Handles | ❌ | Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext | |
| 53 | +| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | |
| 54 | +| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | |
| 55 | +| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) | |
| 56 | +| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table | |
| 57 | +| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table | |
| 58 | +| 17 | Process Listing | ⚠️ | Win | - | - | processes table | |
| 59 | +| 17a | Process Listing | ⚠️ | Linux | - | - | processes table | |
| 60 | +| 17b | Process Listing | ⚠️ | Mac | - | - | processes table | |
| 61 | +| 18 | Registry | ⚠️ | Win | - | - | registry table | |
| 62 | +| 19 | Shell History | ⚠️ | Linux | - | - | shell_history table | |
| 63 | +| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table | |
| 64 | +| 20 | Shellbags | ⚠️ | Win | - | - | shellbags table | |
| 65 | +| 21 | Tasks | ⚠️ | Win | - | - | scheduled_tasks table | |
| 66 | +| 21a | Tasks | ⚠️ | Linux | - | - | scheduled_tasks table | |
| 67 | +| 21b | Tasks | ⚠️ | Mac | - | - | scheduled_tasks table | |
| 68 | +| 22 | User Assist | ⚠️ | Win | - | - | userassist table | |
| 69 | +| 23 | WMI Config & Used Apps | ⚠️ | Win | - | - | wmi_cli_event_consumers, wmi_script_event_consumers | |
| 70 | +| 24 | WMI Providers & Filters | ⚠️ | Win | - | - | wmi_event_filters, wmi_filter_consumer_binding | |
| 71 | +| 25 | MFT | ❌ | Win | - | - | Not natively supported. Available via Trail of Bits extension | |
72 | 72 |
|
73 | 73 | --- |
74 | 74 |
|
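Review bot: the three summaries in this hunk disagree with each other and with the rewritten artifact table. The header line now reads `1 available + 39 in progress + 6 not available = 46` with `Completion Rate: 2.2% (1/46)`, the Coverage Summary table reads `0 | 0%` for Available and `39 | 87.0%` for In Progress (which sums to 45 rows, not 46), while the artifact table itself has no ✅ row at all and 40 ⚠️ rows (40/46 is the 87.0% the summary already prints). Please settle on one set of numbers; taken from the table they are `0 available + 40 in progress + 6 not available = 46`, `Completion Rate: 0% (0/46)`, and `40` instead of `39` in the summary table. Two smaller points in the same hunk: `Last Updated: 2025-11-07` is kept as unchanged context even though every count was rewritten, and rows 14a/14b (Persistence on Linux/Mac) still cite `services, startup_items, scheduled_tasks` although 6a/6b were changed here to `systemd table` and `launchd table`; with every Query and File cell still `-`, a ⚠️ "Needs Validation" row also gives the reader nothing to validate against.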
@@ -152,40 +152,40 @@ While some artifacts are not directly available, the existing queries provide st |
152 | 152 | ## Artifacts by Category |
153 | 153 |
|
154 | 154 | ### Execution Artifacts |
155 | | -- ✅ AppCompatCache (Windows: shimcache table) |
156 | | -- ✅ PowerShell History (Windows: powershell_events table) |
157 | | -- ✅ Prefetch Files (Windows: prefetch table) |
| 155 | +- ⚠️ AppCompatCache (Windows: shimcache table) |
| 156 | +- ⚠️ PowerShell History (Windows: powershell_events table) |
| 157 | +- ⚠️ Prefetch Files (Windows: prefetch table) |
158 | 158 | - ❌ AmCache (Not Available - Use AppCompatCache + Prefetch as alternatives) |
159 | 159 |
|
160 | 160 | ### Persistence Mechanisms |
161 | | -- ✅ Installed Services (All platforms: services table) |
162 | | -- ✅ Persistence (All platforms: multiple tables) |
163 | | -- ✅ Registry (Windows: registry table) |
164 | | -- ✅ Tasks (All platforms: scheduled_tasks table) |
165 | | -- ✅ WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers) |
166 | | -- ✅ WMI Providers & Filters (Windows: wmi_event_filters, wmi_filter_consumer_binding) |
| 161 | +- ⚠️ Installed Services (All platforms: services table) |
| 162 | +- ⚠️ Persistence (All platforms: multiple tables) |
| 163 | +- ⚠️ Registry (Windows: registry table) |
| 164 | +- ⚠️ Tasks (All platforms: scheduled_tasks table) |
| 165 | +- ⚠️ WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers) |
| 166 | +- ⚠️ WMI Providers & Filters (Windows: wmi_event_filters, wmi_filter_consumer_binding) |
167 | 167 | - ⚠️ BITS Jobs Database (Windows: via windows_eventlog) |
168 | 168 |
|
169 | 169 | ### User Activity |
170 | | -- ✅ LNK files (Windows: shortcut_files, file, recent_files tables) |
171 | | -- ✅ Shell History (Linux/Mac: shell_history table) |
172 | | -- ✅ Shellbags (Windows: shellbags table) |
173 | | -- ✅ User Assist (Windows: userassist table) |
| 170 | +- ⚠️ LNK files (Windows: shortcut_files, file, recent_files tables) |
| 171 | +- ⚠️ Shell History (Linux/Mac: shell_history table) |
| 172 | +- ⚠️ Shellbags (Windows: shellbags table) |
| 173 | +- ⚠️ User Assist (Windows: userassist table) |
174 | 174 | - ⚠️ Browser URL History (All platforms: via ATC custom tables) |
175 | 175 | - ❌ Jumplists (Not Available - Use Shellbags + LNK Files as alternatives) |
176 | 176 |
|
177 | 177 | ### File System/Forensics |
178 | | -- ✅ File Listing (All platforms: file and hash tables) |
179 | | -- ✅ NTFS USN Journal (Windows: ntfs_journal_events table) |
| 178 | +- ⚠️ File Listing (All platforms: file and hash tables) |
| 179 | +- ⚠️ NTFS USN Journal (Windows: ntfs_journal_events table) |
180 | 180 | - ❌ MFT (Not Available - Use NTFS USN Journal as alternative or Trail of Bits extension) |
181 | 181 |
|
182 | 182 | ### Network/C2 Indicators |
183 | | -- ✅ ARP Cache (All platforms: arp_cache table) |
184 | | -- ✅ Network Interfaces & IP Configuration (All platforms: interface_details, interface_addresses, interface_ipv6) |
| 183 | +- ⚠️ ARP Cache (All platforms: arp_cache table) |
| 184 | +- ⚠️ Network Interfaces & IP Configuration (All platforms: interface_details, interface_addresses, interface_ipv6) |
185 | 185 |
|
186 | 186 | ### System Information |
187 | | -- ✅ Disks & Volumes (All platforms: disk_info table) |
188 | | -- ✅ Process Listing (All platforms: processes table) |
| 187 | +- ⚠️ Disks & Volumes (All platforms: disk_info table) |
| 188 | +- ⚠️ Process Listing (All platforms: processes table) |
189 | 189 | - ❌ Open Handles (Not Available - PR #7835 open, EclecticIQ extension available) |
190 | 190 |
|
191 | 191 | --- |
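Review bot: the category list is only half-updated. `Installed Services (All platforms: services table)` under Persistence Mechanisms still names the `services` table for every platform, but the artifact table in the previous hunk now lists `systemd table` for 6a (Linux) and `launchd table` for 6b (Mac); suggest `Installed Services (Windows: services table; Linux: systemd table; Mac: launchd table)` so the two sections agree. The same applies to `Persistence (All platforms: multiple tables)`, which inherits the `services` reference from rows 14a/14b. Flipping every ✅ to ⚠️ is consistent with the table, but the "Not Available" bullets that point at alternatives (e.g. `Use AppCompatCache + Prefetch as alternatives`) now recommend artifacts that are themselves unvalidated; a short note to that effect would keep the alternatives honest.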