102 changes: 51 additions & 51 deletions packages/osquery_manager/artifacts_matrix.md
@@ -13,62 +13,62 @@ This document tracks the coverage of forensic artifacts in Osquery.

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 1 | 2.2% |
| ⚠️ In Progress (Needs Validation) | 39 | 84.8% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---

## Core Forensic Artifacts Coverage

| # | Artifact | ✓ | OS | Query | File | Implementation Notes |
|---|----------|--|----|-------|------|----------------------------------------------------------------------------------------------------------------------------------|
| 1 | AppCompatCache | ⚠️ | Win | - | - | shimcache table |
| 2 | AmCache | ❌ | Win | - | - | Not natively supported — PR #7261 was closed due to lack of a SQL constraint, leading to indeterminate runtime |
| 3 | BITS Jobs Database | ⚠️ | Win | - | - | Not a native table, but can be queried via windows_eventlog |
| 4 | Browser URL History | ⚠️ | Win | - | - | No native table. Can be supported via ATC custom tables |
| 4a | Browser URL History | ⚠️ | Linux | - | - | No native table. Can be supported via ATC custom tables |
| 4b | Browser URL History | ⚠️ | Mac | - | - | No native table. Can be supported via ATC custom tables |
| 5 | File Listing | ⚠️ | Win | - | - | file and hash tables |
| 5a | File Listing | ⚠️ | Linux | - | - | file and hash tables |
| 5b | File Listing | ⚠️ | Mac | - | - | file and hash tables |
| 6 | Installed Services | ⚠️ | Win | - | - | services table |
| 6a | Installed Services | ⚠️ | Linux | - | - | systemd table |
| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table |
| 7 | Jumplists | ❌ | Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity |
| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) |
| 9 | ARP Cache | ⚠️ | Win | - | - | arp_cache table |
| 9a | ARP Cache | ⚠️ | Linux | - | - | arp_cache table |
| 9b | ARP Cache | ⚠️ | Mac | - | - | arp_cache table |
| 10 | Disks & Volumes | ⚠️ | Win | - | - | disk_info table |
| 10a | Disks & Volumes | ⚠️ | Linux | - | - | disk_info table |
| 10b | Disks & Volumes | ⚠️ | Mac | - | - | disk_info table |
| 11 | Network Interfaces & IP Configuration | ⚠️ | Win | - | - | interface_details, interface_addresses, interface_ipv6 |
| 11a | Network Interfaces & IP Configuration | ⚠️ | Linux | - | - | interface_details, interface_addresses, interface_ipv6 |
| 11b | Network Interfaces & IP Configuration | ⚠️ | Mac | - | - | interface_details, interface_addresses, interface_ipv6 |
| 12 | NTFS USN Journal | ⚠️ | Win | - | - | ntfs_journal_events table |
| 13 | Open Handles | ❌ | Win | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 13a | Open Handles | ❌ | Linux | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 13b | Open Handles | ❌ | Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
| 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
| 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
| 18 | Registry | ⚠️ | Win | - | - | registry table |
| 19 | Shell History | ⚠️ | Linux | - | - | shell_history table |
| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table |
| 20 | Shellbags | ⚠️ | Win | - | - | shellbags table |
| 21 | Tasks | ⚠️ | Win | - | - | scheduled_tasks table |
| 21a | Tasks | ⚠️ | Linux | - | - | scheduled_tasks table |
| 21b | Tasks | ⚠️ | Mac | - | - | scheduled_tasks table |
| 22 | User Assist | ⚠️ | Win | - | - | userassist table |
| 23 | WMI Config & Used Apps | ⚠️ | Win | - | - | wmi_cli_event_consumers, wmi_script_event_consumers |
| 24 | WMI Providers & Filters | ⚠️ | Win | - | - | wmi_event_filters, wmi_filter_consumer_binding |
| 25 | MFT | ❌ | Win | - | - | Not natively supported. Available via Trail of Bits extension |
| # | Artifact | ✓ | OS | Query | File | Implementation Notes |
|---|----------|---|----|----|------|----------------------|
| 1 | AppCompatCache | ⚠️ | Win | - | - | shimcache table |
| 2 | AmCache | ❌ | Win | - | - | Not natively supported — PR #7261 was closed due to lack of a SQL constraint, leading to indeterminate runtime |
| 3 | BITS Jobs Database | ⚠️ | Win | - | - | Not a native table, but can be queried via windows_eventlog |
| 4 | Browser URL History | ⚠️ | Win | - | - | No native table. Can be supported via ATC custom tables |
| 4a | Browser URL History | ⚠️ | Linux | - | - | No native table. Can be supported via ATC custom tables |
| 4b | Browser URL History | ⚠️ | Mac | - | - | No native table. Can be supported via ATC custom tables |
| 5 | File Listing | ⚠️ | Win | - | - | file and hash tables |
| 5a | File Listing | ⚠️ | Linux | - | - | file and hash tables |
| 5b | File Listing | ⚠️ | Mac | - | - | file and hash tables |
| 6 | Installed Services | | Win | services_windows_elastic | [892e](kibana/osquery_saved_query/osquery_manager-892ee425-60e7-4eb6-ba25-6e97dc3e2ea0.json) | Comprehensive Windows services enumeration with risk scoring (0-100), detecting suspicious services in user-writable directories, unsigned binaries, ServiceDLL hijacking, and privilege escalation patterns |
| 6a | Installed Services | | Linux | services_systemd_linux_elastic | [f8b0](kibana/osquery_saved_query/osquery_manager-f8b0894b-772d-4242-8e19-dbc5d7ae2e06.json) | Parse systemd services on Linux, monitoring service units with load state, activation state, and enablement status |
| 6b | Installed Services | | Mac | services_launchd_darwin_elastic | [5823](kibana/osquery_saved_query/osquery_manager-5823a22e-5add-416d-a142-de323400edb0.json) | Parse launchd services on macOS, providing visibility into launch daemons and agents with configuration state and execution context |
| 7 | Jumplists | ❌ | Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity |
| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) |
| 9 | ARP Cache | ⚠️ | Win | - | - | arp_cache table |
| 9a | ARP Cache | ⚠️ | Linux | - | - | arp_cache table |
| 9b | ARP Cache | ⚠️ | Mac | - | - | arp_cache table |
| 10 | Disks & Volumes | ⚠️ | Win | - | - | disk_info table |
| 10a | Disks & Volumes | ⚠️ | Linux | - | - | disk_info table |
| 10b | Disks & Volumes | ⚠️ | Mac | - | - | disk_info table |
| 11 | Network Interfaces & IP Configuration | ⚠️ | Win | - | - | interface_details, interface_addresses, interface_ipv6 |
| 11a | Network Interfaces & IP Configuration | ⚠️ | Linux | - | - | interface_details, interface_addresses, interface_ipv6 |
| 11b | Network Interfaces & IP Configuration | ⚠️ | Mac | - | - | interface_details, interface_addresses, interface_ipv6 |
| 12 | NTFS USN Journal | ⚠️ | Win | - | - | ntfs_journal_events table |
| 13 | Open Handles | ❌ | Win | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 13a | Open Handles | ❌ | Linux | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 13b | Open Handles | ❌ | Mac | - | - | PR #7835 open; external extension available: EclecticIQ ext |
| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
| 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
| 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
| 18 | Registry | ⚠️ | Win | - | - | registry table |
| 19 | Shell History | ⚠️ | Linux | - | - | shell_history table |
| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table |
| 20 | Shellbags | ⚠️ | Win | - | - | shellbags table |
| 21 | Tasks | ⚠️ | Win | - | - | scheduled_tasks table |
| 21a | Tasks | ⚠️ | Linux | - | - | scheduled_tasks table |
| 21b | Tasks | ⚠️ | Mac | - | - | scheduled_tasks table |
| 22 | User Assist | ⚠️ | Win | - | - | userassist table |
| 23 | WMI Config & Used Apps | ⚠️ | Win | - | - | wmi_cli_event_consumers, wmi_script_event_consumers |
| 24 | WMI Providers & Filters | ⚠️ | Win | - | - | wmi_event_filters, wmi_filter_consumer_binding |
| 25 | MFT | ❌ | Win | - | - | Not natively supported. Available via Trail of Bits extension |

---

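Review bot: the coverage summary and the matrix rows in this hunk disagree. Rows 6, 6a and 6b are all moved off the ⚠️ column onto dedicated queries, so with 46 rows in the matrix the summary should read 3 Available (6.5%) and 37 In Progress (80.4%), not 1 and 39; the new counts still add to 46 but do not reflect the three rows that changed. The status cell of those three rows is also empty (`| 6 | Installed Services | | Win |`) while every other row and the summary table carry a marker; it should hold ✅ so the matrix matches the summary's "Available" status. Minor: the risk scoring (0-100) and ServiceDLL hijacking checks described for services_windows_elastic cannot be checked here, since only the launchd query file is shown on this page.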
@@ -158,7 +158,7 @@ While some artifacts are not directly available, the existing queries provide st
- ❌ AmCache (Not Available - Use AppCompatCache + Prefetch as alternatives)

### Persistence Mechanisms
- ⚠️ Installed Services (All platforms: services table)
- Installed Services (All platforms: services table)
- ⚠️ Persistence (All platforms: multiple tables)
- ⚠️ Registry (Windows: registry table)
- ⚠️ Tasks (All platforms: scheduled_tasks table)
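Review bot: the rewritten bullet drops its status marker and keeps a parenthetical that is now stale. `- Installed Services (All platforms: services table)` has no ✅/⚠️ prefix while every sibling bullet has one, and the matrix earlier in this PR maps Linux to the systemd table and macOS to the launchd table, so "services table" is only true for Windows. Suggest `- ✅ Installed Services (Windows: services table; Linux: systemd table; Mac: launchd table)`.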
@@ -0,0 +1,89 @@
{
"attributes": {
"created_at": "2025-01-06T12:00:00.000Z",
"created_by": "elastic",
"description": "Parse launchd services on macOS systems. Provides visibility into launchd service agents and daemons including: (1) Service identification (label, name, path), (2) Service configuration state (disabled status, run_at_load, keep_alive), (3) Program executable path, (4) Plist file path (source of service configuration), (5) Service execution context (username, groupname). Detection focuses on: services in unexpected states, services with unusual configurations (e.g., disabled critical services or enabled suspicious services), unauthorized service installations in user directories, launchd-based persistence mechanisms (common macOS persistence technique). Use Cases: System service inventory, service configuration monitoring, persistence mechanism detection (launchd-based persistence is common on macOS), unauthorized service installation detection, service misconfiguration identification, compliance auditing for service configurations, privilege escalation detection via service manipulation.",
"ecs_mapping": [
{
"key": "service.name",
"value": {
"field": "label"
}
},
{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "process.executable",
"value": {
"field": "program"
}
},
{
"key": "user.name",
"value": {
"field": "username"
}
},
{
"key": "group.name",
"value": {
"field": "groupname"
}
},
{
"key": "event.category",
"value": {
"value": [
"configuration",
"process"
]
}
},
{
"key": "event.type",
"value": {
"value": [
"info"
]
}
},
{
"key": "event.kind",
"value": {
"value": [
"state"
]
}
},
{
"key": "tags",
"value": {
"value": [
"darwin",
"macos",
"launchd",
"services",
"persistence",
"service_enumeration"
]
}
}
],
"id": "services_launchd_darwin_elastic",
"interval": "3600",
"platform": "darwin",
"query": "SELECT\n label,\n name,\n path,\n program,\n disabled,\n run_at_load,\n keep_alive,\n COALESCE(on_demand, 0) AS on_demand,\n COALESCE(username, 'root') AS username,\n COALESCE(groupname, 'wheel') AS groupname\nFROM launchd\nORDER BY disabled, label;",
"updated_at": "2025-01-06T12:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "9.2.0",
"id": "osquery_manager-5823a22e-5add-416d-a142-de323400edb0",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-06T12:00:00.000Z",
"version": "Wzk1LDJd"
}
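Review bot: the `COALESCE(username, 'root')` and `COALESCE(groupname, 'wheel')` defaults in the query feed straight into the `user.name` and `group.name` ECS mappings, so any service whose plist omits UserName/GroupName is reported as running as root/wheel. That is launchd's default for LaunchDaemons, but LaunchAgents run in the logged-in user's session regardless of that key, so the ECS fields will overstate privilege for user agents and blur exactly the "unauthorized service installations in user directories" case the description wants to surface; leave the column NULL (or carry the raw value in a separate field) rather than substituting root. Second, `process.executable` is mapped from `program`, but many plists set only ProgramArguments and leave Program empty, so the field will often be blank; adding the launchd table's `program_arguments` column to the SELECT would preserve the executable path in those cases. Finally, the description promises detection of unexpected states and suspicious configurations while the query is a plain inventory with no predicate, so it would be clearer to state that the detection logic lives in downstream rules, not in this saved query.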