elastic · tomsonpl · Dec 2, 2025 · Dec 2, 2025
@@ -2,9 +2,9 @@
 
 This document tracks the coverage of forensic artifacts in Osquery.
 
-**Last Updated**: 2025-11-07
+**Last Updated**: 2025-12-02
 **Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
-**Total Queries**: 30 (3 core forensic variants + 27 additional)
+**Total Queries**: 31 (3 core forensic variants + 28 additional)
 **Completion Rate**: 2.2% (1/46 core artifacts fully supported)
 
 ---
@@ -13,9 +13,9 @@ This document tracks the coverage of forensic artifacts in Osquery.
 
 | Status | Count | Percentage |
 |--------|-------|------------|
-| ✅ Available (Fully Supported) | 0     | 0%         |
-| ⚠️ In Progress (Needs Validation) | 39    | 87.0%      |
-| ❌ Not Available (Requires Extensions) | 6     | 13.0%      |
+| ✅ Available (Fully Supported) | 1     | 2.2%       |
+| ⚠️ In Progress (Needs Validation) | 38    | 84.4%      |
+| ❌ Not Available (Requires Extensions) | 6     | 13.3%      |
 
 ---
 
@@ -58,7 +58,7 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | 17 | Process Listing         | ⚠️ | Win | -     | -    | processes table                                                                                                                  |
 | 17a | Process Listing         | ⚠️ | Linux | -     | -    | processes table                                                                                                                  |
 | 17b | Process Listing         | ⚠️ | Mac | -     | -    | processes table                                                                                                                  |
-| 18 | Registry                | ⚠️ | Win | -     | -    | registry table                                                                                                                   |
+| 18 | Registry                | ✅ | Win | registry_persistence_windows_elastic | [5dd4](kibana/osquery_saved_query/osquery_manager-5dd4e2a9-eea7-4740-a1ec-1b1b7d120d77.json) | registry table - Persistence detection covering Run, RunOnce, Policy Run, Winlogon (Shell/Userinit), Active Setup with hash/signature enrichment. MITRE T1547.001, T1547.014 |
 | 19 | Shell History           | ⚠️ | Linux | -     | -    | shell_history table                                                                                                              |
 | 19a | Shell History           | ⚠️ | Mac | -     | -    | shell_history table                                                                                                              |
 | 20 | Shellbags               | ⚠️ | Win | -     | -    | shellbags table                                                                                                                  |
@@ -105,6 +105,7 @@ These queries existed in the original repository and provide additional coverage
 | 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
 | 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
 | 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
+| 27 | registry_persistence_windows_elastic | ✅ | Win | [5dd4](kibana/osquery_saved_query/osquery_manager-5dd4e2a9-eea7-4740-a1ec-1b1b7d120d77.json) | Registry persistence detection covering Run, RunOnce, Policy Run, Winlogon (Shell/Userinit), Active Setup with hash/signature enrichment. MITRE T1547.001, T1547.014 |
 
 **Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.
 
@@ -160,7 +161,7 @@ While some artifacts are not directly available, the existing queries provide st
 ### Persistence Mechanisms
 - ⚠️ Installed Services (All platforms: services table)
 - ⚠️ Persistence (All platforms: multiple tables)
-- ⚠️ Registry (Windows: registry table)
+- ✅ Registry (Windows: registry table) - **Production-ready persistence query with hash/signature enrichment**
 - ⚠️ Tasks (All platforms: scheduled_tasks table)
 - ⚠️ WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers)
 - ⚠️ WMI Providers & Filters (Windows: wmi_event_filters, wmi_filter_consumer_binding)

@@ -0,0 +1,141 @@
+{
+    "attributes": {
+        "created_at": "2025-12-02T00:00:00.000Z",
+        "created_by": "elastic",
+        "description": "Detects Windows persistence via registry autostart locations. Enumerates Run, RunOnce, Policy Run, Winlogon, and Active Setup keys with file hash and code signature enrichment. Covers both HKLM and per-user (HKEY_USERS) locations including WOW64. Maps to MITRE ATT&CK T1547.001 (Registry Run Keys), T1547.014 (Active Setup).",
+        "ecs_mapping": [
+            {
+                "key": "process.name",
+                "value": {
+                    "field": "name"
+                }
+            },
+            {
+                "key": "process.executable",
+                "value": {
+                    "field": "executable_path"
+                }
+            },
+            {
+                "key": "process.command_line",
+                "value": {
+                    "field": "data"
+                }
+            },
+            {
+                "key": "file.path",
+                "value": {
+                    "field": "executable_path"
+                }
+            },
+            {
+                "key": "file.hash.sha256",
+                "value": {
+                    "field": "sha256"
+                }
+            },
+            {
+                "key": "file.hash.sha1",
+                "value": {
+                    "field": "sha1"
+                }
+            },
+            {
+                "key": "file.hash.md5",
+                "value": {
+                    "field": "md5"
+                }
+            },
+            {
+                "key": "file.size",
+                "value": {
+                    "field": "size"
+                }
+            },
+            {
+                "key": "file.mtime",
+                "value": {
+                    "field": "file_mtime_utc"
+                }
+            },
+            {
+                "key": "file.ctime",
+                "value": {
+                    "field": "file_ctime_utc"
+                }
+            },
+            {
+                "key": "file.directory",
+                "value": {
+                    "field": "directory"
+                }
+            },
+            {
+                "key": "registry.key",
+                "value": {
+                    "field": "key"
+                }
+            },
+            {
+                "key": "registry.path",
+                "value": {
+                    "field": "path"
+                }
+            },
+            {
+                "key": "registry.data.strings",
+                "value": {
+                    "field": "data"
+                }
+            },
+            {
+                "key": "registry.value",
+                "value": {
+                    "field": "name"
+                }
+            },
+            {
+                "key": "code_signature.subject_name",
+                "value": {
+                    "field": "subject_name"
+                }
+            },
+            {
+                "key": "code_signature.status",
+                "value": {
+                    "field": "signature_status"
+                }
+            },
+            {
+                "key": "rule.category",
+                "value": {
+                    "field": "persistence_type"
+                }
+            },
+            {
+                "key": "event.category",
+                "value": {
+                    "value": ["configuration"]
+                }
+            },
+            {
+                "key": "tags",
+                "value": {
+                    "value": ["persistence", "mitre_t1547"]
+                }
+            }
+        ],
+        "id": "registry_persistence_windows_elastic",
+        "interval": "3600",
+        "platform": "windows",
+        "query": "-- Windows Registry Persistence Detection\n-- Enumerates autostart registry locations with hash/signature enrichment\n-- MITRE ATT&CK: T1547.001, T1547.014, T1112\n\nSELECT\n    r.name,\n    CASE\n        WHEN r.data LIKE '\"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '\"') - 1)\n        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)\n        ELSE r.data\n    END AS executable_path,\n    r.data,\n    r.key,\n    r.path,\n    r.type,\n    datetime(r.mtime, 'unixepoch', 'UTC') AS registry_mtime_utc,\n    CASE\n        WHEN r.key LIKE '%\\Run' THEN 'Registry Run Key'\n        WHEN r.key LIKE '%\\RunOnce' THEN 'Registry RunOnce Key'\n        WHEN r.key LIKE '%\\Winlogon' THEN 'Winlogon Persistence'\n        WHEN r.key LIKE '%\\Active Setup\\Installed Components' THEN 'Active Setup'\n        WHEN r.key LIKE '%\\Policies\\Explorer\\Run' THEN 'Policy Run Key'\n        ELSE 'Other Persistence'\n    END AS persistence_type,\n    a.subject_name,\n    a.result AS signature_status,\n    h.sha256,\n    h.sha1,\n    h.md5,\n    f.size,\n    datetime(f.mtime, 'unixepoch', 'UTC') AS file_mtime_utc,\n    datetime(f.ctime, 'unixepoch', 'UTC') AS file_ctime_utc,\n    f.directory\nFROM registry r\nLEFT JOIN hash h ON h.path = (\n    CASE\n        WHEN r.data LIKE '\"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '\"') - 1)\n        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)\n        ELSE r.data\n    END\n)\nLEFT JOIN authenticode a ON a.path = (\n    CASE\n        WHEN r.data LIKE '\"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '\"') - 1)\n        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)\n        ELSE r.data\n    END\n)\nLEFT JOIN file f ON f.path = (\n    CASE\n        WHEN r.data LIKE '\"%' THEN substr(r.data, 2, instr(substr(r.data, 2), '\"') - 1)\n        WHEN instr(r.data, ' ') > 0 THEN substr(r.data, 1, instr(r.data, ' ') - 1)\n        ELSE r.data\n    END\n)\nWHERE (\n    -- Run/RunOnce (HKLM)\n    r.key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n    OR r.key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\n    -- Run/RunOnce (Per-User)\n    OR r.key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n    OR r.key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\n    -- WOW64 (32-bit on 64-bit)\n    OR r.key = 'HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n    OR r.key = 'HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce'\n    -- Policy Run Keys (often missed by EDR)\n    OR r.key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n    OR r.key LIKE 'HKEY_USERS\\%\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n    -- Winlogon (specific persistence values only)\n    OR (r.key = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n        AND r.name IN ('Shell', 'Userinit', 'Taskman', 'AppSetup'))\n    -- Active Setup (per-user persistence on login) - only StubPath contains the command\n    OR (r.key LIKE 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup\\Installed Components\\%'\n        AND r.name = 'StubPath')\n)\nAND r.type != 'subkey'\nAND r.data IS NOT NULL\nAND r.data != ''",
+        "updated_at": "2025-12-02T00:00:00.000Z",
+        "updated_by": "elastic"
+    },
+    "coreMigrationVersion": "9.2.0",
+    "id": "osquery_manager-5dd4e2a9-eea7-4740-a1ec-1b1b7d120d77",
+    "references": [],
+    "type": "osquery-saved-query",
+    "updated_at": "2025-12-02T00:00:00.000Z",
+    "version": "WzEwNTUzLDJd"
+}