Skip to content

[Osquery_manager] Processes artifact saved queries #16197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 3 commits into
base: temporary-osquery-artifacts-branch
Choose a base branch
from
Draft

[Osquery_manager] Processes artifact saved queries #16197

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
84b55f3
Add process listing queries for Windows, Linux, and macOS
tomsonpl Dec 2, 2025
0a60667
Add suspicious process detection queries for Windows, Linux, and macOS
tomsonpl Dec 2, 2025
0e7a05d
Update artifacts matrix with process listing coverage
tomsonpl Dec 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 16 additions & 10 deletions packages/osquery_manager/artifacts_matrix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Last Updated**: 2025-12-02
**Total Core Artifacts**: 4 available + 36 in progress + 6 not available = 46 total variants
**Total Queries**: 32 (26 original + 6 new process queries)
**Completion Rate**: 8.7% (4/46 core artifacts fully supported)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 4 | 8.7% |
| ⚠️ In Progress (Needs Validation) | 36 | 78.3% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
Expand Down Expand Up @@ -55,9 +55,9 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
| 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
| 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
| 17 | Process Listing | | Win | process_listing_windows_elastic | [8be8](kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json) | Full forensic listing + suspicious detection query |
| 17a | Process Listing | | Linux | process_listing_linux_elastic | [a0c7](kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json) | Full forensic listing + suspicious detection query |
| 17b | Process Listing | | Mac | process_listing_macos_elastic | [888a](kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json) | Full forensic listing + suspicious detection query |
| 18 | Registry | ⚠️ | Win | - | - | registry table |
| 19 | Shell History | ⚠️ | Linux | - | - | shell_history table |
| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table |
Expand Down Expand Up @@ -105,6 +105,12 @@ These queries existed in the original repository and provide additional coverage
| 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
| 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
| 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
| 27 | process_listing_windows | ✅ | Win | [8be8](kibana/osquery_saved_query/osquery_manager-8be8f7d8-270c-4bf3-bba4-4b99e4c56485.json) | Full forensic process listing with parent chain, hashes, code signatures |
| 27a | process_listing_linux | ✅ | Linux | [a0c7](kibana/osquery_saved_query/osquery_manager-a0c7b358-f7eb-4bb8-9e08-52bd1afe8987.json) | Full forensic process listing with parent chain, hashes, username |
| 27b | process_listing_macos | ✅ | Mac | [888a](kibana/osquery_saved_query/osquery_manager-888ac365-4095-4de8-9990-41d96a792356.json) | Full forensic process listing with parent chain, hashes, code signatures |
| 27c | suspicious_processes_windows | ✅ | Win | [4537](kibana/osquery_saved_query/osquery_manager-45375d5b-c4a6-4cea-8f1b-eb1cbd3c6e9d.json) | Suspicious process detection: LOLBins, unsigned, unusual paths (MITRE T1059, T1218) |
| 27d | suspicious_processes_linux | ✅ | Linux | [4da8](kibana/osquery_saved_query/osquery_manager-4da83919-be77-48df-ad50-4f5b464c2bab.json) | Suspicious process detection: reverse shells, crypto-miners, container escapes (MITRE T1059, T1496, T1611) |
| 27e | suspicious_processes_macos | ✅ | Mac | [2b1b](kibana/osquery_saved_query/osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197.json) | Suspicious process detection: unsigned, osascript abuse, quarantine bypass (MITRE T1059, T1553.001) |

**Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.

Expand Down Expand Up @@ -185,7 +191,7 @@ While some artifacts are not directly available, the existing queries provide st

### System Information
- ⚠️ Disks & Volumes (All platforms: disk_info table)
- ⚠️ Process Listing (All platforms: processes table)
- Process Listing (All platforms: processes table) - Full forensic listing + suspicious detection queries available
- ❌ Open Handles (Not Available - PR #7835 open, EclecticIQ extension available)

---
148 changes: 148 additions & 0 deletions ...ager/kibana/osquery_saved_query/osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
{
"attributes": {
"created_at": "2025-01-06T10:00:00.000Z",
"created_by": "elastic",
"description": "Identifies macOS processes with suspicious characteristics: unsigned executables, execution from /tmp or hidden directories, osascript abuse, quarantine bypass, crypto-miners, and suspicious interpreters. Enriched with code signatures and file hashes for threat intelligence correlation. MITRE ATT&CK: T1059 (Command and Scripting Interpreter), T1553.001 (Gatekeeper Bypass), T1059.002 (AppleScript), T1496 (Resource Hijacking).",
"ecs_mapping": [
{
"key": "event.category",
"value": {
"value": ["process"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "event.kind",
"value": {
"value": "signal"
}
},
{
"key": "process.pid",
"value": {
"field": "pid"
}
},
{
"key": "process.name",
"value": {
"field": "name"
}
},
{
"key": "process.executable",
"value": {
"field": "path"
}
},
{
"key": "process.command_line",
"value": {
"field": "cmdline"
}
},
{
"key": "process.working_directory",
"value": {
"field": "cwd"
}
},
{
"key": "process.parent.pid",
"value": {
"field": "ppid"
}
},
{
"key": "process.parent.name",
"value": {
"field": "parent_name"
}
},
{
"key": "process.parent.executable",
"value": {
"field": "parent_path"
}
},
{
"key": "process.parent.command_line",
"value": {
"field": "parent_cmdline"
}
},
{
"key": "process.start",
"value": {
"field": "start_time"
}
},
{
"key": "user.id",
"value": {
"field": "uid"
}
},
{
"key": "user.group.id",
"value": {
"field": "gid"
}
},
{
"key": "process.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "process.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "process.code_signature.status",
"value": {
"field": "signing_status"
}
},
{
"key": "process.code_signature.subject_name",
"value": {
"field": "authority"
}
},
{
"key": "process.code_signature.team_id",
"value": {
"field": "team_identifier"
}
},
{
"key": "tags",
"value": {
"value": ["suspicious_process", "threat_hunting", "mitre_t1059", "mitre_t1553_001", "mitre_t1059_002", "mitre_t1496"]
}
}
],
"id": "suspicious_processes_macos_elastic",
"interval": "3600",
"platform": "darwin",
"query": "-- macOS Suspicious Process Detection\n-- Identifies processes with potentially malicious characteristics\n-- MITRE ATT&CK: T1059, T1553.001, T1059.002, T1496\nSELECT\n p.pid,\n p.name,\n p.path,\n p.cmdline,\n p.cwd,\n p.parent AS ppid,\n pp.name AS parent_name,\n pp.path AS parent_path,\n pp.cmdline AS parent_cmdline,\n p.uid,\n p.gid,\n p.euid,\n p.egid,\n p.state,\n datetime(p.start_time, 'unixepoch') AS start_time,\n p.on_disk,\n h.md5,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n s.signed AS signing_status,\n s.authority,\n s.identifier AS bundle_identifier,\n s.team_identifier,\n CASE\n WHEN s.signed = 0 OR s.signed IS NULL THEN 'unsigned_binary'\n WHEN p.path LIKE '/tmp/%' OR p.path LIKE '/var/tmp/%' THEN 'suspicious_path_tmp'\n WHEN p.path LIKE '/private/tmp/%' THEN 'suspicious_path_private_tmp'\n WHEN p.path LIKE '/Users/Shared/%' THEN 'suspicious_path_shared'\n WHEN p.path LIKE '%/.%' THEN 'hidden_path'\n WHEN p.path LIKE '/Users/%/Library/%' AND s.signed = 0 THEN 'unsigned_in_library'\n WHEN p.name = 'osascript' AND (p.cmdline LIKE '%JavaScript%' OR p.cmdline LIKE '%do shell script%') THEN 'osascript_abuse'\n WHEN p.name = 'curl' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%') THEN 'curl_pipe_shell'\n WHEN p.cmdline LIKE '%xattr -d com.apple.quarantine%' OR p.cmdline LIKE '%xattr -c%' THEN 'quarantine_removal'\n WHEN p.name IN ('python', 'python3', 'perl', 'ruby') AND p.cmdline LIKE '%socket%' THEN 'script_socket'\n WHEN p.cmdline LIKE '%base64%' AND p.cmdline LIKE '%-D%' THEN 'base64_decode'\n WHEN p.name LIKE '.%' THEN 'hidden_process_name'\n WHEN p.cmdline LIKE '%stratum%' OR p.cmdline LIKE '%xmr%' OR p.cmdline LIKE '%monero%' OR p.cmdline LIKE '%nicehash%' OR p.cmdline LIKE '%pool.%' THEN 'crypto_miner'\n WHEN p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/System/%' AND p.path NOT LIKE '/Applications/%' THEN 'root_unusual_path'\n WHEN p.on_disk = 0 THEN 'process_not_on_disk'\n ELSE 'other_suspicious'\n END AS detection_reason\nFROM processes p\nLEFT JOIN processes pp ON p.parent = pp.pid\nLEFT JOIN hash h ON p.path = h.path\nLEFT JOIN signature s ON p.path = s.path\nWHERE p.path != ''\nAND (\n -- Unsigned or ad-hoc signed binaries\n s.signed = 0 OR s.signed IS NULL\n -- Suspicious execution paths\n OR p.path LIKE '/tmp/%'\n OR p.path LIKE '/var/tmp/%'\n OR p.path LIKE '/private/tmp/%'\n OR p.path LIKE '/Users/Shared/%'\n OR p.path LIKE '%/.%'\n -- osascript abuse (AppleScript for command execution)\n OR (p.name = 'osascript' AND (\n p.cmdline LIKE '%JavaScript%'\n OR p.cmdline LIKE '%do shell script%'\n OR p.cmdline LIKE '%NSAppleScript%'\n ))\n -- Download and execute patterns\n OR (p.name = 'curl' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%'))\n OR (p.name = 'wget' AND (p.cmdline LIKE '%|%sh%' OR p.cmdline LIKE '%|%bash%'))\n -- Quarantine attribute removal (Gatekeeper bypass)\n OR p.cmdline LIKE '%xattr -d com.apple.quarantine%'\n OR p.cmdline LIKE '%xattr -c%'\n OR p.cmdline LIKE '%xattr -r -d%'\n -- Script interpreters with network activity\n OR (p.name IN ('python', 'python3', 'python2', 'perl', 'ruby', 'php') AND p.cmdline LIKE '%socket%')\n -- Base64 decode (obfuscation)\n OR (p.cmdline LIKE '%base64%' AND p.cmdline LIKE '%-D%')\n -- Hidden process names\n OR p.name LIKE '.%'\n -- Running from memory\n OR p.on_disk = 0\n -- Crypto-miner indicators (T1496 Resource Hijacking)\n OR p.cmdline LIKE '%stratum%'\n OR p.cmdline LIKE '%xmr%'\n OR p.cmdline LIKE '%monero%'\n OR p.cmdline LIKE '%nicehash%'\n OR p.cmdline LIKE '%pool.%mining%'\n OR p.cmdline LIKE '%cryptonight%'\n OR p.cmdline LIKE '%randomx%'\n -- Root processes from unusual locations\n OR (p.uid = 0 AND p.path NOT LIKE '/usr/%' AND p.path NOT LIKE '/sbin/%' AND p.path NOT LIKE '/bin/%' AND p.path NOT LIKE '/System/%' AND p.path NOT LIKE '/Applications/%' AND p.path NOT LIKE '/Library/%')\n);",
"timeout": 180,
"updated_at": "2025-01-06T10:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "8.8.0",
"id": "osquery_manager-2b1b604c-e355-4e23-b8b4-d014a0aa3197",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-01-06T10:00:00.000Z",
"version": "WzEsMV0="
}
Loading