
@tomsonpl tomsonpl commented Nov 6, 2025

Services Artifact

Comprehensive service enumeration queries providing visibility across Windows, macOS, and Linux platforms. These queries enable security teams to detect persistence mechanisms, unauthorized service installations, and suspicious service configurations.

Read: https://p.elstc.co/paste/0gPw5JHV#cM0QG6ZyOjx9O1b3Fs8ZR-U2pcAKUkPaJn9drdjE6PP

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query File | Description |
| --- | --- | --- | --- | --- |
| 1 | Services | Windows | services_windows_elastic 892ee425 | Comprehensive Windows services enumeration with risk scoring (0-100), detecting suspicious services in user-writable directories, unsigned binaries, ServiceDLL hijacking, and privilege escalation patterns |
| 1a | Services | macOS | services_launchd_darwin_elastic 5823a22e | Parse launchd services on macOS, providing visibility into launch daemons and agents with configuration state and execution context |
| 1b | Services | Linux | services_systemd_linux_elastic f8b0894b | Parse systemd services on Linux, monitoring service units with load state, activation state, and enablement status |

Queries by Platform


🪟 Windows - Comprehensive Services Enumeration with Risk Scoring

Description

Detects suspicious Windows services with comprehensive risk scoring (0-100). Identifies services in user-writable directories, unsigned/untrusted binaries, ServiceDLL hijacking, failure command persistence, and privilege escalation patterns.

Risk Scoring Methodology:

  • CRITICAL (70-100): Services in temp/user directories with unsigned binaries running as SYSTEM - immediate investigation required
  • HIGH (50-69): Services in unusual locations or with untrusted signatures - review within 24 hours
  • MEDIUM (30-49): Non-standard service configurations - weekly review recommended
  • LOW (0-29): Standard services with expected configurations - baseline monitoring

Detection Focus:

  • Unsigned or untrusted executables
  • Services running from user-writable directories (Temp, AppData, Downloads, Public)
  • Privilege escalation vectors (SYSTEM account with suspicious paths)
  • ServiceDLL hijacking (missing DLLs, unsigned DLLs in unusual locations)
  • Persistence via failure commands
  • Suspicious service naming patterns (generic names like 'service', 'svc', 'update')

Result

Screenshot 2025-11-06 at 22 01 53

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

services_windows_elastic

ECS Field Mappings

  • service.name ← name
  • service.state ← status
  • service.type ← start_type
  • process.executable ← path
  • user.name ← user_account
  • file.hash.md5 ← md5
  • file.hash.sha256 ← sha256
  • file.code_signature.subject_name ← cert_subject
  • file.code_signature.status ← signature_status
  • file.code_signature.trusted ← cert_trusted
  • event.risk_score ← risk_score
  • event.severity ← risk_level

SQL Query

WITH scored AS (
  SELECT
    s.name,
    s.display_name,
    s.path,
    s.status,
    s.start_type,
    s.user_account,

    -- Risk scoring fields (critical for prioritization). The score is computed
    -- once here so the risk_level bucketing in the outer SELECT can reference
    -- it instead of repeating the whole expression per threshold.
    (
      -- Binary location. CASE takes the first matching branch, so the more
      -- specific patterns must come before the generic '%\\Temp\\%' match or
      -- the Windows\Temp and per-user Temp branches can never be reached.
      (CASE
        WHEN s.path LIKE '%\\Users\\%\\AppData\\Local\\Temp\\%' THEN 40
        WHEN s.path LIKE '%\\Windows\\Temp\\%' THEN 25
        WHEN s.path LIKE '%\\Temp\\%' THEN 40
        WHEN s.path LIKE '%\\Users\\%\\Downloads\\%' THEN 35
        WHEN s.path LIKE '%\\AppData\\Local\\%' THEN 35
        WHEN s.path LIKE '%\\AppData\\Roaming\\%' THEN 30
        WHEN s.path LIKE '%\\Users\\%\\Documents\\%' THEN 30
        WHEN s.path LIKE '%\\Users\\Public\\%' THEN 25
        WHEN s.path LIKE '%\\ProgramData\\%' AND s.path NOT LIKE '%\\ProgramData\\Microsoft\\%' THEN 20
        ELSE 5
      END) +
      -- Code signing of the primary binary
      (CASE
        WHEN a.result IS NULL OR a.result = '' THEN 25
        WHEN a.result != 'trusted' THEN 25
        WHEN a.subject_name NOT LIKE '%Microsoft%' AND a.subject_name NOT LIKE '%Windows%' THEN 15
        ELSE 0
      END) +
      -- Privilege context
      (CASE
        WHEN s.user_account IN ('LocalSystem', 'NT AUTHORITY\\SYSTEM', 'SYSTEM') AND
             (s.path LIKE '%\\Temp\\%' OR s.path LIKE '%\\AppData\\%' OR s.path LIKE '%\\Users\\%') THEN 20
        WHEN s.user_account IN ('LocalSystem', 'NT AUTHORITY\\SYSTEM', 'SYSTEM') THEN 10
        WHEN s.user_account LIKE '%Administrator%' THEN 5
        ELSE 0
      END) +
      -- Naming heuristics
      (CASE
        WHEN LOWER(s.name) IN ('service', 'svc', 'system', 'update', 'windows', 'microsoft', 'security', 'monitor', 'agent', 'helper') THEN 10
        WHEN LENGTH(s.name) <= 5 THEN 8
        WHEN s.display_name = s.name OR s.display_name IS NULL OR s.display_name = '' THEN 5
        ELSE 0
      END) +
      -- ServiceDLL indicators. The hash/authenticode joins match on the literal
      -- registry value, so a ServiceDll stored with an unexpanded %SystemRoot%
      -- prefix cannot be hashed and lands in the 15-point branch.
      (CASE
        WHEN r1.data IS NOT NULL AND r1.data != '' AND h_dll.sha256 IS NULL THEN 15
        WHEN r1.data LIKE '%\\Temp\\%' OR r1.data LIKE '%\\AppData\\%' THEN 10
        WHEN a_dll.result IS NOT NULL AND a_dll.result != 'trusted' THEN 10
        WHEN r1.data IS NOT NULL AND r1.data NOT LIKE '%\\System32\\%' AND r1.data NOT LIKE '%\\SysWOW64\\%' THEN 5
        ELSE 0
      END) +
      -- FailureCommand persistence
      (CASE
        WHEN r2.data IS NOT NULL AND r2.data != '' THEN 10
        ELSE 0
      END) +
      -- Auto-start service that is stopped while living in a user-writable area
      (CASE
        WHEN s.start_type IN ('AUTO_START', 'BOOT_START', 'SYSTEM_START') AND
             s.status = 'STOPPED' AND
             (s.path LIKE '%\\Temp\\%' OR s.path LIKE '%\\Users\\%') THEN 5
        ELSE 0
      END)
    ) AS risk_score,

    -- Service metadata
    s.service_type,
    s.module_path,
    s.win32_exit_code,
    'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\' || s.name AS registry_path,

    -- Timeline fields
    r_service_key.mtime AS service_registry_mtime,
    CAST((strftime('%s', 'now') - r_service_key.mtime) / 86400 AS INTEGER) AS days_since_creation,

    -- Primary binary security (hashes and code signing)
    h.sha256,
    h.md5,
    a.subject_name AS cert_subject,
    a.issuer_name AS cert_issuer,
    a.result AS signature_status,
    CASE
      WHEN a.result = 'trusted' THEN 1
      ELSE 0
    END AS cert_trusted,

    -- ServiceDLL fields (DLL hijacking detection)
    r1.data AS service_dll,
    h_dll.sha256 AS servicedll_sha256,
    h_dll.md5 AS servicedll_md5,
    a_dll.subject_name AS servicedll_cert_subject,
    a_dll.issuer_name AS servicedll_cert_issuer,
    a_dll.result AS servicedll_signature_status,

    -- Persistence mechanism detection
    r2.data AS failure_command
  FROM services s
  LEFT JOIN registry r1 ON r1.path = 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\' || s.name || '\\Parameters' AND r1.name = 'ServiceDll'
  LEFT JOIN registry r2 ON r2.path = 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\' || s.name AND r2.name = 'FailureCommand'
  LEFT JOIN hash h ON h.path = s.path
  LEFT JOIN authenticode a ON a.path = s.path
  LEFT JOIN hash h_dll ON h_dll.path = r1.data
  LEFT JOIN authenticode a_dll ON a_dll.path = r1.data
  LEFT JOIN registry r_service_key ON r_service_key.path = 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\' || s.name
  WHERE s.name IS NOT NULL
)
SELECT
  name,
  display_name,
  path,
  status,
  start_type,
  user_account,
  risk_score,
  -- Severity buckets, matching the Risk Scoring Methodology above
  CASE
    WHEN risk_score >= 70 THEN 'CRITICAL'
    WHEN risk_score >= 50 THEN 'HIGH'
    WHEN risk_score >= 30 THEN 'MEDIUM'
    ELSE 'LOW'
  END AS risk_level,
  service_type,
  module_path,
  win32_exit_code,
  registry_path,
  service_registry_mtime,
  days_since_creation,
  sha256,
  md5,
  cert_subject,
  cert_issuer,
  signature_status,
  cert_trusted,
  service_dll,
  servicedll_sha256,
  servicedll_md5,
  servicedll_cert_subject,
  servicedll_cert_issuer,
  servicedll_signature_status,
  failure_command
FROM scored
ORDER BY risk_score DESC, start_type, status
LIMIT 500;

🍎 macOS - Launchd Services Enumeration

Description

Parse launchd services on macOS systems. Provides visibility into launchd service agents and daemons including service identification, configuration state, program executable paths, and execution context.

Detection Focus:

  • Services in unexpected states
  • Services with unusual configurations (e.g., disabled critical services or enabled suspicious services)
  • Unauthorized service installations in user directories
  • Launchd-based persistence mechanisms (common macOS persistence technique)

Results

Screenshot 2025-11-06 at 21 59 38

Platform

darwin (macOS)

Interval

3600 seconds (1 hour)

Query ID

services_launchd_darwin_elastic

ECS Field Mappings

  • service.name ← label
  • file.path ← path
  • process.executable ← program
  • user.name ← username
  • group.name ← groupname

SQL Query

SELECT
  label,
  name,
  path,
  program,
  disabled,
  run_at_load,
  keep_alive,
  COALESCE(on_demand, 0) AS on_demand,
  COALESCE(username, 'root') AS username,
  COALESCE(groupname, 'wheel') AS groupname
FROM launchd
ORDER BY disabled, label;

🐧 Linux - Systemd Services Enumeration

Description

Parse systemd services on Linux systems. Provides visibility into systemd service units including load state, activation state, sub-state details, and enablement status.

Detection Focus:

  • Services in unexpected states (loaded but inactive)
  • Services with unusual configurations
  • Masked or disabled critical services
  • Systemd-based persistence mechanisms
  • Unauthorized service installations

Result

Screenshot 2025-11-06 at 22 00 38

Platform

linux

Interval

3600 seconds (1 hour)

Query ID

services_systemd_linux_elastic

ECS Field Mappings

  • service.name ← id
  • service.state ← active_state
  • file.path ← fragment_path

SQL Query

SELECT
  id,
  load_state,
  active_state,
  sub_state,
  description,
  unit_file_state,
  fragment_path
FROM systemd_units
WHERE id LIKE '%.service'
ORDER BY active_state, id;

Use Cases

  • System service inventory on Linux
  • Service state monitoring
  • Persistence mechanism detection (systemd service-based persistence)
  • Unauthorized service installation detection
  • Service misconfiguration identification
  • Compliance auditing for service configurations
  • Detection of masked or disabled critical services
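
The Windows risk-scoring arithmetic from the query above, re-expressed in Python as an added example (not code from this PR or from osquery_manager) so the weights and the CRITICAL/HIGH/MEDIUM/LOW cut-offs can be checked offline against constructed service rows. It assumes the query's output column names as dict keys, emulates SQLite LIKE semantics (case-insensitive, NULL never matches), and orders the path rules most-specific first so that the Windows\Temp rule is reachable.

```python
import re

# Ordered (LIKE pattern, points) rules mirroring the query's path CASE; the Windows\Temp
# rule is listed before the generic \Temp\ rule so that the generic one cannot shadow it.
PATH_RULES = [(r'%\Windows\Temp\%', 25), (r'%\Temp\%', 40), (r'%\Users\%\Downloads\%', 35),
              (r'%\AppData\Local\%', 35), (r'%\AppData\Roaming\%', 30),
              (r'%\Users\%\Documents\%', 30), (r'%\Users\Public\%', 25)]
GENERIC_NAMES = {'service', 'svc', 'system', 'update', 'windows', 'microsoft', 'security', 'monitor', 'agent', 'helper'}
SYSTEM_ACCOUNTS = {'LocalSystem', r'NT AUTHORITY\SYSTEM', 'SYSTEM'}

def like(value, pattern):
    """Emulate SQLite LIKE: NULL never matches, '%' becomes '.*', case-insensitive."""
    regex = '.*'.join(map(re.escape, pattern.split('%')))
    return value is not None and re.fullmatch(regex, value, re.I) is not None

def first(rules, default=0):
    """Points of the first rule whose condition holds, like a SQL CASE; else default."""
    return next((pts for cond, pts in rules if cond), default)

def risk_score(svc):  # svc: dict keyed by the query's output columns; a missing key is NULL
    g, path, dll = svc.get, svc.get('path'), svc.get('service_dll')
    sig, subj, acct, name = g('signature_status'), g('cert_subject'), g('user_account'), g('name') or ''
    user_area = any(like(path, p) for p in (r'%\Temp\%', r'%\AppData\%', r'%\Users\%'))
    return (first([(like(path, p), n) for p, n in PATH_RULES],
                  20 if like(path, r'%\ProgramData\%') and not like(path, r'%\ProgramData\Microsoft\%') else 5)
            + first([(not sig or sig != 'trusted', 25),                       # binary code signing
                     (subj is not None and not like(subj, '%Microsoft%') and not like(subj, '%Windows%'), 15)])
            + first([(acct in SYSTEM_ACCOUNTS and user_area, 20), (acct in SYSTEM_ACCOUNTS, 10),
                     (like(acct, '%Administrator%'), 5)])                     # privilege context
            + first([(name.lower() in GENERIC_NAMES, 10), (len(name) <= 5, 8),
                     (g('display_name') in (None, '', name), 5)])             # naming heuristics
            + first([(bool(dll) and g('servicedll_sha256') is None, 15),      # ServiceDll indicators
                     (like(dll, r'%\Temp\%') or like(dll, r'%\AppData\%'), 10),
                     (g('servicedll_signature_status') not in (None, 'trusted'), 10),
                     (dll is not None and not like(dll, r'%\System32\%') and not like(dll, r'%\SysWOW64\%'), 5)])
            + first([(bool(g('failure_command')), 10)])                       # FailureCommand persistence
            + first([(g('start_type') in ('AUTO_START', 'BOOT_START', 'SYSTEM_START')
                      and g('status') == 'STOPPED' and (like(path, r'%\Temp\%') or like(path, r'%\Users\%')), 5)]))

def risk_level(score):
    return 'CRITICAL' if score >= 70 else 'HIGH' if score >= 50 else 'MEDIUM' if score >= 30 else 'LOW'

SAMPLES = {  # constructed rows, not taken from any real host
    'dropper': dict(name='svc', display_name='svc', user_account='LocalSystem', status='RUNNING',
                    start_type='AUTO_START', path=r'C:\Users\alice\AppData\Local\Temp\svc.exe'),
    'updater': dict(name='ContosoUpdater', display_name='Contoso Updater', user_account='LocalSystem',
                    status='STOPPED', start_type='AUTO_START', signature_status='trusted',
                    cert_subject='Contoso Ltd', path=r'C:\Windows\Temp\updater.exe'),
}
```

The unsigned generic-named service in a per-user Temp directory scores 95 (CRITICAL); the signed third-party auto-start service under Windows\Temp scores 65 (HIGH), which is the Windows\Temp weight of 25 rather than the 40 it would receive if the generic Temp rule were tested first.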

@tomsonpl tomsonpl self-assigned this Nov 6, 2025
@tomsonpl tomsonpl added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 6, 2025
@tomsonpl tomsonpl marked this pull request as ready for review November 6, 2025 21:18
@tomsonpl tomsonpl requested a review from a team as a code owner November 6, 2025 21:18
@tomsonpl tomsonpl requested review from paul-tavares and szwarckonrad and removed request for a team November 6, 2025 21:18
…es-artifact

# Conflicts:
#	packages/osquery_manager/artifacts_matrix.md
elasticmachine commented Nov 7, 2025

💔 Build Failed

Failed CI Steps

History

cc @tomsonpl
