244 changes: 244 additions & 0 deletions packages/osquery_manager/artifacts_matrix.md


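--- a/packages/osquery_manager/changelog.yml
+++ b/packages/osquery_manager/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.19.2"
+changes:
+- description: Add new saved queries
+type: bugfix
+link: TBA
 - version: "1.19.1"
 changes:
 - description: Add root requirement for the integration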
@@ -0,0 +1,57 @@
{
"attributes": {
"created_at": "2025-01-29T12:00:00.000Z",
"created_by": "elastic",
"description": "Track executed binaries via AppCompatCache (ShimCache) focusing on suspicious paths including user-writable directories",
"ecs_mapping": [
{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "file.mtime",
"value": {
"field": "modified_time"
}
},
{
"key": "event.category",
"value": {
"value": ["file"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "event.action",
"value": {
"value": "shimcache-entry"
}
},
{
"key": "tags",
"value": {
"value": ["execution_artifact", "appcompatcache", "forensics"]
}
}
],
"id": "shimcache_execution_elastic",
"interval": "3600",
"platform": "windows",
"query": "SELECT\n modified_time,\n path,\n CASE\n WHEN execution_flag = 1 THEN 'Executed'\n ELSE 'Not Executed/Unknown'\n END AS execution_status,\n entry\nFROM shimcache\nWHERE\n (path LIKE '%\\\\Users\\\\%\\\\AppData\\\\%'\n OR path LIKE '%\\\\Temp\\\\%'\n OR path LIKE '%\\\\Users\\\\Public\\\\%'\n OR path LIKE '%\\\\ProgramData\\\\%')\n AND path NOT LIKE '%\\\\Windows\\\\System32\\\\%'\n AND path NOT LIKE '%\\\\Windows\\\\SysWOW64\\\\%'\n AND path NOT LIKE '%\\\\Program Files\\\\Windows%'\nORDER BY modified_time DESC\nLIMIT 500;",
"updated_at": "2025-01-29T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-5678-4abc-def0-123456789001",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-29T12:00:00.000Z",
"version": "WzEsMV0="
}
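Review bot: The LIKE patterns on this query's `path` column are written with `\\\\` in the JSON (for example `'%\\\\Users\\\\%\\\\AppData\\\\%'`), which decodes to two consecutive backslashes in the SQL string, whereas every other saved query in this PR writes `\\`, decoding to one. SQLite's LIKE treats a backslash as an ordinary character unless an ESCAPE clause is given, so the four inclusion patterns only match paths containing a doubled separator and the three `NOT LIKE '%\\\\Windows\\\\System32\\\\%'`-style exclusions never fire; unless the page rendering doubled the escapes, the query returns no rows on a normal host. Writing each separator as `\\` in the JSON, e.g. `path LIKE '%\\Users\\%\\AppData\\%'`, aligns it with the services and startup_items queries in the same change.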
@@ -0,0 +1,63 @@
{
"attributes": {
"created_at": "2025-01-29T12:00:00.000Z",
"created_by": "elastic",
"description": "Track application execution via Prefetch files focusing on LOLBins and recently executed programs with low run counts",
"ecs_mapping": [
{
"key": "process.name",
"value": {
"field": "executable_name"
}
},
{
"key": "event.start",
"value": {
"field": "last_run_time"
}
},
{
"key": "file.name",
"value": {
"field": "filename"
}
},
{
"key": "event.category",
"value": {
"value": ["process"]
}
},
{
"key": "event.type",
"value": {
"value": ["start", "info"]
}
},
{
"key": "event.action",
"value": {
"value": "process-execution"
}
},
{
"key": "tags",
"value": {
"value": ["execution_artifact", "prefetch", "forensics"]
}
}
],
"id": "prefetch_execution_elastic",
"interval": "3600",
"platform": "windows",
"query": "SELECT\n filename AS executable_name,\n hash AS prefetch_hash,\n run_count,\n last_run_time,\n size,\n volume_serial,\n volume_creation,\n accessed_files_count,\n accessed_directories_count\nFROM prefetch\nWHERE\n (filename LIKE '%POWERSHELL%'\n OR filename LIKE '%CMD.EXE%'\n OR filename LIKE '%WSCRIPT%'\n OR filename LIKE '%CSCRIPT%'\n OR filename LIKE '%RUNDLL32%'\n OR filename LIKE '%REGSVR32%'\n OR filename LIKE '%MSHTA%'\n OR filename LIKE '%CERTUTIL%'\n OR filename LIKE '%BITSADMIN%'\n OR (run_count < 5 AND last_run_time > datetime('now', '-7 days')))\n AND (filename NOT LIKE 'SVCHOST%' OR run_count < 10)\nORDER BY last_run_time DESC\nLIMIT 200;",
"updated_at": "2025-01-29T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-5678-4abc-def0-123456789002",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-29T12:00:00.000Z",
"version": "WzEsMV0="
}
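Review bot: `last_run_time > datetime('now', '-7 days')` compares a column against a `YYYY-MM-DD HH:MM:SS` text value; if `last_run_time` is the Unix-epoch integer that the osquery prefetch schema documents, SQLite orders every INTEGER below every TEXT, so the `run_count < 5 AND ...` arm is never true and only the filename-based arms contribute rows. Comparing epoch to epoch avoids that: `OR (run_count < 5 AND last_run_time > CAST(strftime('%s', 'now', '-7 days') AS INTEGER))`. The `event.start` ECS mapping of the same field should then be checked against whether the ingest side expects an integer or a date string.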
@@ -0,0 +1,63 @@
{
"attributes": {
"created_at": "2025-01-29T12:00:00.000Z",
"created_by": "elastic",
"description": "Detect suspicious services running from user-writable directories or with generic names commonly used by malware",
"ecs_mapping": [
{
"key": "service.name",
"value": {
"field": "name"
}
},
{
"key": "service.state",
"value": {
"field": "status"
}
},
{
"key": "process.executable",
"value": {
"field": "path"
}
},
{
"key": "user.name",
"value": {
"field": "user_account"
}
},
{
"key": "event.category",
"value": {
"value": ["configuration"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "tags",
"value": {
"value": ["persistence", "services"]
}
}
],
"id": "suspicious_services_elastic",
"interval": "3600",
"platform": "windows",
"query": "SELECT name, display_name, status, start_type, path, user_account FROM services WHERE ((path NOT LIKE 'C:\\Windows\\System32\\%' AND path NOT LIKE 'C:\\Windows\\SysWOW64\\%' AND path NOT LIKE 'C:\\Program Files\\Windows%') OR path LIKE '%\\Users\\%\\AppData\\%' OR path LIKE '%\\Temp\\%' OR path LIKE '%\\Users\\Public\\%' OR path LIKE '%\\ProgramData\\%') AND name NOT IN ('wuauserv', 'BITS', 'TrustedInstaller', 'WinDefend') ORDER BY name LIMIT 100;",
"updated_at": "2025-01-29T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-5678-4abc-def0-123456789003",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-29T12:00:00.000Z",
"version": "WzEsMV0="
}
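Review bot: The description promises detection of services "with generic names commonly used by malware", but the query has no predicate on `name` or `display_name` beyond the four-entry exclusion list, so that half of the description is not implemented; either drop the phrase or add the name logic it refers to. Separately, the four `OR path LIKE '%\\Users\\%\\AppData\\%' ...` terms are redundant: a path under a user-writable directory already passes all three `NOT LIKE` checks in the first group, so that group alone admits it, and the startup_items_persistence_elastic query carries the same redundancy. A `NULL` path makes the whole predicate NULL and drops the row silently, which is worth a one-line comment if intended.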
@@ -0,0 +1,57 @@
{
"attributes": {
"created_at": "2025-01-29T12:00:00.000Z",
"created_by": "elastic",
"description": "Identify enabled scheduled tasks executing from suspicious locations or using LOLBins like PowerShell, rundll32, or regsvr32",
"ecs_mapping": [
{
"key": "process.name",
"value": {
"field": "name"
}
},
{
"key": "process.command_line",
"value": {
"field": "action"
}
},
{
"key": "event.start",
"value": {
"field": "last_run_time"
}
},
{
"key": "event.category",
"value": {
"value": ["process"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "tags",
"value": {
"value": ["persistence", "scheduled_task"]
}
}
],
"id": "scheduled_tasks_persistence_elastic",
"interval": "3600",
"platform": "windows",
"query": "SELECT name, action, path, enabled, state, hidden, last_run_time, next_run_time FROM scheduled_tasks WHERE enabled = 1 AND (action LIKE '%\\Users\\%\\AppData\\%' OR action LIKE '%\\Temp\\%' OR action LIKE '%\\Users\\Public\\%' OR action LIKE '%\\ProgramData\\%' OR action LIKE '%powershell%' OR action LIKE '%cmd.exe%' OR action LIKE '%wscript%' OR action LIKE '%cscript%' OR action LIKE '%rundll32%' OR action LIKE '%regsvr32%' OR action LIKE '%mshta%') ORDER BY last_run_time DESC LIMIT 100;",
"updated_at": "2025-01-29T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-5678-4abc-def0-123456789004",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-29T12:00:00.000Z",
"version": "WzEsMV0="
}
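Review bot: The terms `action LIKE '%powershell%'`, `'%cmd.exe%'` and `'%rundll32%'` match a large number of stock Microsoft tasks under `\Microsoft\Windows\`, and with `ORDER BY last_run_time DESC LIMIT 100` those frequently-run benign tasks can push a seldom-run task out of the result set with no indication that truncation happened. Consider raising the limit, or at least stating in `description` that the result is capped and sorted by recency; the `path` column is already selected and could back a team-maintained allow-list instead of an unfiltered cap.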
@@ -0,0 +1,63 @@
{
"attributes": {
"created_at": "2025-01-29T12:00:00.000Z",
"created_by": "elastic",
"description": "Track startup items from registry and startup folders, focusing on non-Microsoft entries and suspicious paths",
"ecs_mapping": [
{
"key": "process.name",
"value": {
"field": "name"
}
},
{
"key": "process.executable",
"value": {
"field": "path"
}
},
{
"key": "process.args",
"value": {
"field": "args"
}
},
{
"key": "user.name",
"value": {
"field": "username"
}
},
{
"key": "event.category",
"value": {
"value": ["process"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "tags",
"value": {
"value": ["persistence", "startup", "autorun"]
}
}
],
"id": "startup_items_persistence_elastic",
"interval": "3600",
"platform": "windows",
"query": "SELECT name, path, args, type, source, status, username FROM startup_items WHERE ((path NOT LIKE 'C:\\Windows\\System32\\%' AND path NOT LIKE 'C:\\Windows\\SysWOW64\\%' AND path NOT LIKE 'C:\\Program Files\\Windows%' AND path NOT LIKE 'C:\\Program Files\\Microsoft%') OR path LIKE '%\\Users\\%\\AppData\\%' OR path LIKE '%\\Temp\\%' OR path LIKE '%\\Users\\Public\\%' OR path LIKE '%\\ProgramData\\%' OR path LIKE '%powershell%' OR path LIKE '%cmd.exe%' OR path LIKE '%wscript%' OR path LIKE '%cscript%') ORDER BY source, name LIMIT 100;",
"updated_at": "2025-01-29T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-5678-4abc-def0-123456789005",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-29T12:00:00.000Z",
"version": "WzEsMV0="
}
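Review bot: The exclusion patterns are anchored on a bare drive letter (`path NOT LIKE 'C:\\Windows\\System32\\%'`), so an entry whose value is quoted (`"C:\Windows\System32\..."`), starts with an environment variable such as `%SystemRoot%`, or lives on another drive is not excluded and falls straight into the first `OR` group; Run-key values are commonly stored quoted, so in practice the query may return nearly every startup item. Anchoring with a leading wildcard as the shimcache query does, `path NOT LIKE '%\\Windows\\System32\\%'`, closes that gap, and the suspicious_services_elastic query uses the same anchored patterns. The description's "non-Microsoft entries" is implemented only as a `C:\Program Files\Microsoft%` exclusion, which the description should say explicitly.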
@@ -0,0 +1,74 @@
{
"attributes": {
"created_at": "2025-01-29T12:00:00.000Z",
"created_by": "elastic",
"description": "Detect suspicious running processes including fileless malware (not on disk), processes from temp folders, and encoded PowerShell commands",
"ecs_mapping": [
{
"key": "process.pid",
"value": {
"field": "pid"
}
},
{
"key": "process.name",
"value": {
"field": "name"
}
},
{
"key": "process.executable",
"value": {
"field": "path"
}
},
{
"key": "process.command_line",
"value": {
"field": "cmdline"
}
},
{
"key": "process.start",
"value": {
"field": "start_time"
}
},
{
"key": "process.parent.pid",
"value": {
"field": "parent"
}
},
{
"key": "event.category",
"value": {
"value": ["process"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "tags",
"value": {
"value": ["process_activity", "suspicious_process"]
}
}
],
"id": "suspicious_processes_elastic",
"interval": "3600",
"query": "SELECT pid, name, path, cmdline, start_time, parent, uid, on_disk FROM processes WHERE ((path NOT LIKE 'C:\\Windows\\System32\\%' OR cmdline LIKE '%powershell%' OR cmdline LIKE '%-enc%' OR cmdline LIKE '%http%' OR on_disk = 0) OR path LIKE '%\\Temp\\%' OR path LIKE '%\\Users\\%\\AppData\\%' OR path LIKE '%\\Users\\Public\\%') ORDER BY start_time DESC LIMIT 200;",
"updated_at": "2025-01-29T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-5678-4abc-def0-123456789006",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-29T12:00:00.000Z",
"version": "WzEsMV0="
}
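Review bot: This saved query has no `"platform"` attribute, unlike the other five in this PR, yet its predicate is Windows-specific: on a Linux or macOS host `path NOT LIKE 'C:\\Windows\\System32\\%'` is true for every process, so the query returns up to 200 arbitrary processes per hour from every non-Windows agent. Add `"platform": "windows",` next to `"interval"` as the other files do. Even on Windows that same term admits every process outside System32, including everything under Program Files, and `cmdline LIKE '%-enc%'` / `'%http%'` also match `-encoding` and any URL argument, so `on_disk = 0` and the temp-path terms are the only genuinely selective parts; the description's "fileless malware" and "encoded PowerShell" framing overstates what the filter discriminates, and the inner parentheses around the first five terms add nothing.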