powershell history artifact

tomsonpl · tomsonpl · commit 6e195c3682cc · 2025-11-21T14:56:13.000+01:00
diff --git a/packages/osquery_manager/artifacts_matrix.md b/packages/osquery_manager/artifacts_matrix.md
@@ -2,19 +2,19 @@
 
 This document tracks the coverage of forensic artifacts in Osquery.
 
-**Last Updated**: 2025-11-07
-**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
+**Last Updated**: 2025-11-21
+**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
 **Total Queries**: 30 (3 core forensic variants + 27 additional)
-**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
+**Completion Rate**: 4.3% (2/46 core artifacts fully supported)
 
 ---
 
 ## Coverage Summary
 
 | Status | Count | Percentage |
 |--------|-------|------------|
-| ✅ Available (Fully Supported) | 0     | 0%         |
-| ⚠️ In Progress (Needs Validation) | 39    | 87.0%      |
+| ✅ Available (Fully Supported) | 2     | 4.3%       |
+| ⚠️ In Progress (Needs Validation) | 38    | 82.6%      |
 | ❌ Not Available (Requires Extensions) | 6     | 13.0%      |
 
 ---
@@ -53,7 +53,7 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | 14 | Persistence             | ⚠️ | Win | -     | -    | Supported across multiple tables (services, startup_items, scheduled_tasks)                                                      |
 | 14a | Persistence             | ⚠️ | Linux | -     | -    | Supported across multiple tables (services, startup_items, scheduled_tasks)                                                      |
 | 14b | Persistence             | ⚠️ | Mac | -     | -    | Supported across multiple tables (services, startup_items, scheduled_tasks)                                                      |
-| 15 | PowerShell History      | ⚠️ | Win | -     | -    | powershell_events table                                                                                                          |
+| 15 | PowerShell History      | ✅ | Win | [a1b2](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb.json) | powershell_events | Comprehensive PowerShell forensic monitoring (Event IDs 4103, 4104, 4688) for fileless malware detection |
 | 16 | Prefetch Files          | ⚠️ | Win | -     | -    | prefetch table                                                                                                                   |
 | 17 | Process Listing         | ⚠️ | Win | -     | -    | processes table                                                                                                                  |
 | 17a | Process Listing         | ⚠️ | Linux | -     | -    | processes table                                                                                                                  |
diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb.json
@@ -0,0 +1,133 @@
+{
+    "attributes": {
+        "created_at": "2025-11-21T00:00:00.000Z",
+        "created_by": "elastic",
+        "description": "Comprehensive PowerShell forensic monitoring query capturing module logging (Event ID 4103), script block logging (Event ID 4104), and process creation with command line auditing (Event ID 4688). This query detects obfuscated commands, full script execution, and parent/child process relationships for fileless malware detection.",
+        "ecs_mapping": [
+            {
+                "key": "event.created",
+                "value": {
+                    "field": "datetime"
+                }
+            },
+            {
+                "key": "event.code",
+                "value": {
+                    "field": "eventid"
+                }
+            },
+            {
+                "key": "event.provider",
+                "value": {
+                    "field": "provider_name"
+                }
+            },
+            {
+                "key": "log.level",
+                "value": {
+                    "field": "level"
+                }
+            },
+            {
+                "key": "host.name",
+                "value": {
+                    "field": "computer_name"
+                }
+            },
+            {
+                "key": "process.pid",
+                "value": {
+                    "field": "pid"
+                }
+            },
+            {
+                "key": "process.thread.id",
+                "value": {
+                    "field": "tid"
+                }
+            },
+            {
+                "key": "event.action",
+                "value": {
+                    "field": "task"
+                }
+            },
+            {
+                "key": "powershell.provider.name",
+                "value": {
+                    "field": "ProviderName"
+                }
+            },
+            {
+                "key": "powershell.context_info",
+                "value": {
+                    "field": "ContextInfo"
+                }
+            },
+            {
+                "key": "powershell.payload",
+                "value": {
+                    "field": "Payload"
+                }
+            },
+            {
+                "key": "powershell.file.script_block_id",
+                "value": {
+                    "field": "ScriptBlockId"
+                }
+            },
+            {
+                "key": "powershell.file.script_block_text",
+                "value": {
+                    "field": "ScriptBlockText"
+                }
+            },
+            {
+                "key": "file.path",
+                "value": {
+                    "field": "ScriptPath"
+                }
+            },
+            {
+                "key": "process.command_line",
+                "value": {
+                    "field": "CommandLine"
+                }
+            },
+            {
+                "key": "process.name",
+                "value": {
+                    "field": "ProcessName"
+                }
+            },
+            {
+                "key": "process.parent.name",
+                "value": {
+                    "field": "ParentProcessName"
+                }
+            }
+        ],
+        "id": "powershell_events_windows_elastic",
+        "interval": "300",
+        "platform": "windows",
+        "query": "-- Comprehensive PowerShell Forensic Monitoring Query\n-- Captures Event IDs 4103 (Module Logging), 4104 (Script Block Logging), 4688 (Process Creation)\n-- Source: windows_eventlog table - Windows Event Logs (Historical)\n-- Focus: Fileless malware detection, obfuscated command tracking, command line auditing\n-- MITRE ATT&CK: T1059.001 (PowerShell)\n-- Last updated: 2025-11-21\n\n-- Query PowerShell Operational logs for Event IDs 4103 and 4104\nSELECT\n    datetime,\n    eventid,\n    provider_name,\n    level,\n    task,\n    computer_name,\n    channel,\n    pid,\n    tid,\n    data,\n    -- Event ID 4103: Module Logging - Extract obfuscated command context\n    CASE \n        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ProviderName')\n        ELSE NULL\n    END AS ProviderName,\n    CASE \n        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ContextInfo')\n        ELSE NULL\n    END AS ContextInfo,\n    CASE \n        WHEN eventid = 4103 THEN json_extract(data, '$.EventData.Payload')\n        ELSE NULL\n    END AS Payload,\n    -- Event ID 4104: Script Block Logging - Extract full script content\n    CASE \n        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockId')\n        ELSE NULL\n    END AS ScriptBlockId,\n    CASE \n        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockText')\n        ELSE NULL\n    END AS ScriptBlockText,\n    CASE \n        WHEN eventid = 4104 THEN json_extract(data, '$.EventData.Path')\n        ELSE NULL\n    END AS ScriptPath,\n    NULL AS CommandLine,\n    NULL AS ProcessName,\n    NULL AS ParentProcessName\nFROM windows_eventlog\nWHERE \n    channel = 'Microsoft-Windows-PowerShell/Operational'\n    AND eventid IN (4103, 4104)\nUNION ALL\n-- Query Security logs for Event ID 4688 (Process Creation)\nSELECT\n    datetime,\n    eventid,\n    provider_name,\n    level,\n    task,\n    computer_name,\n    channel,\n    pid,\n    tid,\n    data,\n    NULL AS ProviderName,\n    NULL AS ContextInfo,\n    NULL AS Payload,\n    NULL AS ScriptBlockId,\n    NULL AS ScriptBlockText,\n    NULL AS ScriptPath,\n    -- Event ID 4688: Process Creation - Extract command line and process hierarchy\n    json_extract(data, '$.EventData.CommandLine') AS CommandLine,\n    json_extract(data, '$.EventData.NewProcessName') AS ProcessName,\n    json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName\nFROM windows_eventlog\nWHERE \n    channel = 'Security'\n    AND eventid = 4688\n    AND data LIKE '%powershell%'\nORDER BY datetime DESC;",
+        "tags": [
+            "T1059.001",
+            "PowerShell",
+            "Execution",
+            "Fileless Malware",
+            "Script Block Logging",
+            "Module Logging",
+            "Process Auditing"
+        ],
+        "updated_at": "2025-11-21T00:00:00.000Z",
+        "updated_by": "elastic",
+        "version": "1.0.0"
+    },
+    "coreMigrationVersion": "8.3.3",
+    "id": "osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb",
+    "references": [],
+    "type": "osquery-saved-query",
+    "updated_at": "2025-11-21T00:00:00.000Z",
+    "version": "WzEwNTUzLDJd"
+}
