@tomsonpl
Contributor

@tomsonpl tomsonpl commented Dec 2, 2025

Registry Persistence Detection

The Windows Registry Persistence query provides comprehensive visibility into autostart registry locations commonly abused by malware for persistence. This query detects entries across Run, RunOnce, Policy Run, Winlogon, and Active Setup keys with file hash and code signature enrichment for threat intelligence pivoting and trust assessment.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query | File | Description |
|---|---|---|---|---|---|
| 1 | Registry Persistence | Windows | registry_persistence_windows_elastic | 5dd4e2a9 | Registry autostart persistence detection with hash/signature enrichment |

Queries by Platform


🪟 Windows - Registry Autostart Persistence Detection

Description

Detects Windows persistence via registry autostart locations. Enumerates Run, RunOnce, Policy Run, Winlogon, and Active Setup keys with file hash and code signature enrichment. Covers both HKLM and per-user (HKEY_USERS) locations including WOW64. Maps to MITRE ATT&CK T1547.001 (Registry Run Keys), T1547.014 (Active Setup).

Detection Focus:

  • Run/RunOnce keys in HKLM and per-user hives (HKEY_USERS)
  • Policy-based Run keys (often missed by EDR tools)
  • Winlogon persistence (Shell, Userinit, Taskman, AppSetup)
  • Active Setup StubPath commands (per-user persistence on login)
  • WOW64 registry locations (32-bit apps on 64-bit systems)
  • Unsigned or suspiciously signed executables via Authenticode validation
  • File hash enrichment for threat intelligence lookups

Registry Locations Covered:

| Location | Type | MITRE |
|---|---|---|
| HKLM\...\CurrentVersion\Run | System Run Key | T1547.001 |
| HKLM\...\CurrentVersion\RunOnce | System RunOnce Key | T1547.001 |
| HKEY_USERS\*\...\Run | Per-User Run Key | T1547.001 |
| HKEY_USERS\*\...\RunOnce | Per-User RunOnce Key | T1547.001 |
| HKLM\...\WOW6432Node\...\Run | 32-bit Run Key | T1547.001 |
| HKLM\...\Policies\Explorer\Run | Policy Run Key | T1547.001 |
| HKLM\...\Winlogon (Shell, Userinit) | Winlogon Persistence | T1547.001 |
| HKLM\...\Active Setup\Installed Components\* | Active Setup | T1547.014 |

Result

[Screenshot of the query results, taken 2025-12-02 15:06:30]

Query returns persistence entries with:

  • Registry key/path and value name
  • Extracted executable path from registry data
  • Full command line (registry data)
  • Persistence type classification
  • File hashes (SHA256, SHA1, MD5)
  • Code signature validation (subject name, status)
  • File metadata (size, mtime, ctime, directory)
  • Human-readable UTC timestamps

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

registry_persistence_windows_elastic

ECS Field Mappings

Process Fields (ECS field ← query column):

  • process.name ← name
  • process.executable ← executable_path
  • process.command_line ← data

File Fields:

  • file.path ← executable_path
  • file.hash.sha256 ← sha256
  • file.hash.sha1 ← sha1
  • file.hash.md5 ← md5
  • file.size ← size
  • file.mtime ← file_mtime_utc
  • file.ctime ← file_ctime_utc
  • file.directory ← directory

Registry Fields:

  • registry.key ← key
  • registry.path ← path
  • registry.data.strings ← data
  • registry.value ← name

Code Signature Fields:

  • code_signature.subject_name ← subject_name
  • code_signature.status ← signature_status

Classification Fields:

  • rule.category ← persistence_type
  • event.category ← ["configuration"] (static)
  • tags ← ["persistence", "mitre_t1547"] (static)

SQL Query

-- Windows Registry Persistence Detection
-- Enumerates autostart registry locations with hash/signature enrichment
-- MITRE ATT&CK: T1547.001, T1547.014, T1112

SELECT
    r.name,
    CASE
        WHEN r.data LIKE '"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '"') - 1)
        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)
        ELSE r.data
    END AS executable_path,
    r.data,
    r.key,
    r.path,
    r.type,
    datetime(r.mtime, 'unixepoch', 'UTC') AS registry_mtime_utc,
    CASE
        -- Test the most specific key patterns first: Policy Run keys also end in '\Run',
        -- and Active Setup keys end in a GUID subkey below 'Installed Components'
        WHEN r.key LIKE '%\Policies\Explorer\Run' THEN 'Policy Run Key'
        WHEN r.key LIKE '%\Active Setup\Installed Components\%' THEN 'Active Setup'
        WHEN r.key LIKE '%\Winlogon' THEN 'Winlogon Persistence'
        WHEN r.key LIKE '%\RunOnce' THEN 'Registry RunOnce Key'
        WHEN r.key LIKE '%\Run' THEN 'Registry Run Key'
        ELSE 'Other Persistence'
    END AS persistence_type,
    a.subject_name,
    a.result AS signature_status,
    h.sha256,
    h.sha1,
    h.md5,
    f.size,
    datetime(f.mtime, 'unixepoch', 'UTC') AS file_mtime_utc,
    datetime(f.ctime, 'unixepoch', 'UTC') AS file_ctime_utc,
    f.directory
FROM registry r
-- The path-extraction CASE is repeated in each join rather than computed once in a CTE,
-- because a CTE prevents osquery from pushing the key constraints into the registry table
LEFT JOIN hash h ON h.path = (
    CASE
        WHEN r.data LIKE '"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '"') - 1)
        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)
        ELSE r.data
    END
)
LEFT JOIN authenticode a ON a.path = (
    CASE
        WHEN r.data LIKE '"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '"') - 1)
        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)
        ELSE r.data
    END
)
LEFT JOIN file f ON f.path = (
    CASE
        WHEN r.data LIKE '"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '"') - 1)
        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)
        ELSE r.data
    END
)
WHERE (
    -- Run/RunOnce (HKLM)
    r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    OR r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    -- Run/RunOnce (Per-User)
    OR r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
    OR r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    -- WOW64 (32-bit on 64-bit)
    OR r.key = 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    OR r.key = 'HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    -- Policy Run Keys (often missed by EDR)
    OR r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    OR r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    -- Winlogon (specific persistence values only)
    OR (r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
        AND r.name IN ('Shell', 'Userinit', 'Taskman', 'AppSetup'))
    -- Active Setup (per-user persistence on login) - only StubPath contains the command
    OR (r.key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\%'
        AND r.name = 'StubPath')
)
AND r.type != 'subkey'
AND r.data IS NOT NULL
AND r.data != ''

MITRE ATT&CK Coverage

| Technique ID | Technique Name | Coverage |
|---|---|---|
| T1547.001 | Registry Run Keys / Startup Folder | ✅ Full |
| T1547.014 | Active Setup | ✅ Full |
| T1112 | Modify Registry | ✅ Partial |

Technical Notes

Query Design Decisions

  1. No CTE (Common Table Expression): osquery's registry virtual table requires direct constraint pushing. Using a CTE breaks constraint optimization, resulting in incomplete results.

  2. LEFT JOIN for Enrichment: Uses LEFT JOIN instead of CROSS JOIN to ensure all registry persistence entries are returned, even if the referenced file is missing, deleted, or inaccessible.

  3. Filtered Winlogon Values: Only returns persistence-relevant Winlogon values (Shell, Userinit, Taskman, AppSetup) to reduce noise from configuration values.

  4. Active Setup StubPath Only: Only returns the StubPath value from Active Setup keys, as this contains the actual persistence command. Other values (Version, ComponentID, Locale) are metadata.

  5. Executable Path Extraction: Handles both quoted paths ("C:\path\file.exe" args) and unquoted paths with arguments (C:\path\file.exe args).

Forensic Value

  • Orphaned Persistence: LEFT JOIN reveals registry entries pointing to deleted files (potential cleanup indicators)
  • Timeline Analysis: UTC timestamps enable correlation with other forensic artifacts
  • Trust Assessment: Code signature validation identifies unsigned or suspiciously signed executables
  • Threat Intel Pivoting: SHA256 hashes enable lookups against threat intelligence platforms

This PR was AI assisted with Claude Code

- Covers Run, RunOnce, Policy Run, Winlogon, Active Setup keys
- Includes hash (SHA256/SHA1/MD5) and code signature enrichment
- Filters Winlogon to persistence-relevant values (Shell, Userinit)
- Filters Active Setup to StubPath only (actual persistence mechanism)
- Fixes CTE constraint issue for osquery virtual tables
- Human-readable UTC timestamps for timeline analysis
- MITRE ATT&CK: T1547.001, T1547.014
- Mark Registry artifact as fully available
- Update file reference to correct UUID (5dd4e2a9)
- Update coverage summary stats (1/45 core artifacts)
- Update persistence mechanisms section
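The script below is an added example and is not part of this PR or of the osquery project. It exercises the PR's SQL (the path-extraction CASE, the LEFT JOIN enrichment from design decision 2, and the quoted/unquoted handling from design decision 5) against constructed registry rows loaded into an in-memory SQLite database, which is the engine osquery runs its queries on, so the expressions execute unchanged. The four tables are reduced stand-ins for osquery's registry, hash, authenticode and file tables (only the columns the example reads); every key, SID, path, hash and signer name is constructed; the WOW64 and per-user RunOnce/Policy branches of the WHERE clause are left out for brevity; and the classification CASE is ordered so that Policy Run and Active Setup keys are tested before the generic '%\Run' pattern.

```python
import sqlite3

# Executable-path extraction as written in the PR's query: quoted path up to the closing quote, else the first token.
EXE_EXPR = r"""CASE
        WHEN r.data LIKE '"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '"') - 1)
        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)
        ELSE r.data
    END"""

# Same shape as the PR's query (WOW64 and per-user RunOnce/Policy branches omitted).
# The classification CASE tests Policy and Active Setup, whose keys end in a GUID
# subkey, before the generic '%\Run' pattern so that both are labelled correctly.
QUERY = rf"""
SELECT
    r.name,
    {EXE_EXPR} AS executable_path,
    CASE
        WHEN r.key LIKE '%\Policies\Explorer\Run' THEN 'Policy Run Key'
        WHEN r.key LIKE '%\Active Setup\Installed Components\%' THEN 'Active Setup'
        WHEN r.key LIKE '%\Winlogon' THEN 'Winlogon Persistence'
        WHEN r.key LIKE '%\RunOnce' THEN 'Registry RunOnce Key'
        WHEN r.key LIKE '%\Run' THEN 'Registry Run Key'
        ELSE 'Other Persistence'
    END AS persistence_type,
    a.subject_name,
    a.result AS signature_status,
    h.sha256,
    f.path AS file_on_disk
FROM registry r
LEFT JOIN hash h ON h.path = ({EXE_EXPR})
LEFT JOIN authenticode a ON a.path = ({EXE_EXPR})
LEFT JOIN file f ON f.path = ({EXE_EXPR})
WHERE (
    r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    OR r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    OR r.key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Run'
    OR r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    OR (r.key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
        AND r.name IN ('Shell', 'Userinit', 'Taskman', 'AppSetup'))
    OR (r.key LIKE 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\%'
        AND r.name = 'StubPath')
)
AND r.type != 'subkey' AND r.data IS NOT NULL AND r.data != ''
"""

HKLM = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion'
USER = r'HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion'
WINLOGON = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
STUB = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-GUID}'

# Constructed registry rows (key, name, type, data) covering each branch of the query.
REGISTRY_ROWS = [
    (HKLM + r'\Run', 'Updater', 'REG_SZ', r'"C:\Program Files\Example Corp\Updater.exe" /background'),
    (USER + r'\Run', 'Sync', 'REG_SZ', r'C:\Users\alice\AppData\Local\sync.exe --quiet'),
    (HKLM + r'\RunOnce', 'Cleanup', 'REG_SZ', r'C:\Windows\Temp\cleanup.exe'),
    (HKLM + r'\Policies\Explorer\Run', 'Agent', 'REG_SZ', r'C:\ProgramData\agent.exe'),
    (WINLOGON, 'Shell', 'REG_SZ', 'explorer.exe'),
    (WINLOGON, 'Userinit', 'REG_SZ', r'C:\Windows\system32\userinit.exe,'),
    (WINLOGON, 'AutoAdminLogon', 'REG_SZ', '0'),  # dropped by the query: not a persistence value
    (STUB, 'StubPath', 'REG_SZ', r'"C:\Program Files\Example Corp\setup.exe" /user'),
    (STUB, 'Version', 'REG_SZ', '1,0,0,1'),  # dropped by the query: Active Setup metadata
    (HKLM + r'\Run', 'Vendor', 'subkey', ''),  # dropped by the query: a subkey, not a value
]
# Files "on disk" with constructed hashes; cleanup.exe is deliberately missing.
HASH_ROWS = [
    (r'C:\Program Files\Example Corp\Updater.exe', 'a' * 64),
    (r'C:\Users\alice\AppData\Local\sync.exe', 'b' * 64),
    (r'C:\ProgramData\agent.exe', 'c' * 64),
    (r'C:\Program Files\Example Corp\setup.exe', 'd' * 64),
]
# Constructed signature rows; sync.exe has none, which is how an unsigned file shows up.
AUTHENTICODE_ROWS = [
    (r'C:\Program Files\Example Corp\Updater.exe', 'Example Corp', 'trusted'),
    (r'C:\ProgramData\agent.exe', 'Example Corp', 'trusted'),
    (r'C:\Program Files\Example Corp\setup.exe', 'Example Corp', 'trusted'),
]

def build_sample_db():
    """In-memory stand-ins for osquery's registry, hash, authenticode and file tables."""
    conn = sqlite3.connect(':memory:')
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE registry (key TEXT, name TEXT, type TEXT, data TEXT);
        CREATE TABLE hash (path TEXT, sha256 TEXT);
        CREATE TABLE authenticode (path TEXT, subject_name TEXT, result TEXT);
        CREATE TABLE file (path TEXT);""")
    conn.executemany('INSERT INTO registry VALUES (?, ?, ?, ?)', REGISTRY_ROWS)
    conn.executemany('INSERT INTO hash VALUES (?, ?)', HASH_ROWS)
    conn.executemany('INSERT INTO authenticode VALUES (?, ?, ?)', AUTHENTICODE_ROWS)
    conn.executemany('INSERT INTO file VALUES (?)', [(path,) for path, _ in HASH_ROWS])
    return conn

def run_persistence_query(conn):
    """Run the query; results keyed by value name (unique in the sample data)."""
    return {row['name']: dict(row) for row in conn.execute(QUERY)}

def entries_without_file_match(rows):
    """Names whose path joined no file row: the orphaned cleanup.exe, but also the bare
    'explorer.exe' and Userinit's trailing comma, which the extraction does not normalise."""
    return sorted(name for name, row in rows.items() if row['file_on_disk'] is None)
```

Running `run_persistence_query(build_sample_db())` returns seven entries: the two metadata values and the subkey row are filtered out, Agent is labelled 'Policy Run Key' and StubPath 'Active Setup', Sync comes back with a NULL signature_status, and `entries_without_file_match` lists Cleanup together with Shell and Userinit. The last two are worth noting when reading the "orphaned persistence" signal from the real query: a bare image name or a trailing comma in the registry data leaves the hash, authenticode and file joins empty even though the file exists, so a NULL enrichment column is a lead to verify rather than proof of a deleted file.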
@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch December 2, 2025 14:08
@tomsonpl tomsonpl marked this pull request as ready for review December 2, 2025 14:11
@tomsonpl tomsonpl requested a review from a team as a code owner December 2, 2025 14:11
@tomsonpl tomsonpl requested review from ashokaditya and parkiino and removed request for a team December 2, 2025 14:11
@elasticmachine

💚 Build Succeeded

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Dec 2, 2025