diff --git a/packages/osquery_manager/artifacts_matrix.md b/packages/osquery_manager/artifacts_matrix.md
index fb90f03f8b0..923eafec9d1 100644
--- a/packages/osquery_manager/artifacts_matrix.md
+++ b/packages/osquery_manager/artifacts_matrix.md
@@ -2,10 +2,10 @@ This document tracks the coverage of forensic artifacts in Osquery.
-**Last Updated**: 2025-11-07
-**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
-**Total Queries**: 30 (3 core forensic variants + 27 additional)
-**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
+**Last Updated**: 2024-12-02
+**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
+**Total Queries**: 31 (4 core forensic variants + 27 additional)
+**Completion Rate**: 4.3% (2/46 core artifacts fully supported)
 ---
@@ -13,8 +13,8 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | Status | Count | Percentage |
 |--------|-------|------------|
-| ✅ Available (Fully Supported) | 0 | 0% |
-| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
+| ✅ Available (Fully Supported) | 2 | 4.3% |
+| ⚠️ In Progress (Needs Validation) | 38 | 82.6% |
 | ❌ Not Available (Requires Extensions) | 6 | 13.0% |
 ---
@@ -59,8 +59,8 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
 | 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
 | 18 | Registry | ⚠️ | Win | - | - | registry table |
-| 19 | Shell History | ⚠️ | Linux | - | - | shell_history table |
-| 19a | Shell History | ⚠️ | Mac | - | - | shell_history table |
+| 19 | Shell History | ✅ | Linux | shell_history_linux_macos_elastic | [8476](kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json) | shell_history table with LEFT JOIN for anti-forensics detection (users with no history). MITRE: T1059.004, T1552.003, T1070.003, T1105, T1562.001 |
+| 19a | Shell History | ✅ | Mac | shell_history_linux_macos_elastic | [8476](kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json) | shell_history table with LEFT JOIN for anti-forensics detection (users with no history). MITRE: T1059.004, T1552.003, T1070.003, T1105, T1562.001 |
 | 20 | Shellbags | ⚠️ | Win | - | - | shellbags table |
 | 21 | Tasks | ⚠️ | Win | - | - | scheduled_tasks table |
 | 21a | Tasks | ⚠️ | Linux | - | - | scheduled_tasks table |
@@ -105,6 +105,7 @@ These queries existed in the original repository and provide additional coverage
 | 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
 | 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
 | 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
+| 27 | shell_history | ✅ | Linux+Mac | [8476](kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json) | Shell command history with anti-forensics detection (LEFT JOIN to identify users with no history). MITRE: T1059.004, T1552.003, T1070.003, T1105, T1562.001 |
 **Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.
@@ -168,7 +169,7 @@ While some artifacts are not directly available, the existing queries provide st
 ### User Activity
 - ⚠️ LNK files (Windows: shortcut_files, file, recent_files tables)
-- ⚠️ Shell History (Linux/Mac: shell_history table)
+- ✅ Shell History (Linux/Mac: shell_history table with anti-forensics detection)
 - ⚠️ Shellbags (Windows: shellbags table)
 - ⚠️ User Assist (Windows: userassist table)
 - ⚠️ Browser URL History (All platforms: via ATC custom tables)
diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json
new file mode 100644
index 00000000000..22db0cbe8c5
--- /dev/null
+++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json
@@ -0,0 +1,75 @@
+{
+ "attributes": {
+ "created_at": "2024-12-02T15:00:00.000Z",
+ "created_by": "elastic",
+ "description": "Retrieves shell command history for all users with anti-forensics detection. Uses LEFT JOIN to identify users with no shell history (potential evidence of history clearing). Covers MITRE ATT&CK techniques T1059.004 (Unix Shell), T1552.003 (Bash History), T1070.003 (Clear Command History), T1105 (Ingress Tool Transfer), and T1562.001 (Disable or Modify Tools). Review results for: (1) suspicious command patterns including reverse shells, encoded commands, credential access, (2) users with no_history_suspicious='yes' indicating missing history files.",
+ "ecs_mapping": [
+ {
+ "key": "user.name",
+ "value": {
+ "field": "username"
+ }
+ },
+ {
+ "key": "user.id",
+ "value": {
+ "field": "uid"
+ }
+ },
+ {
+ "key": "user.group.id",
+ "value": {
+ "field": "gid"
+ }
+ },
+ {
+ "key": "user.home",
+ "value": {
+ "field": "user_home"
+ }
+ },
+ {
+ "key": "process.command_line",
+ "value": {
+ "field": "command"
+ }
+ },
+ {
+ "key": "file.path",
+ "value": {
+ "field": "history_file"
+ }
+ },
+ {
+ "key": "event.category",
+ "value": {
+ "value": ["process"]
+ }
+ },
+ {
+ "key": "event.type",
+ "value": {
+ "value": ["info"]
+ }
+ },
+ {
+ "key": "tags",
+ "value": {
+ "value": ["shell_history", "forensics", "anti_forensics_detection", "mitre_t1059_004", "mitre_t1552_003", "mitre_t1070_003", "mitre_t1105", "mitre_t1562_001"]
+ }
+ }
+ ],
+ "id": "shell_history_linux_macos_elastic",
+ "interval": "3600",
+ "platform": "linux,darwin",
+ "query": "-- Shell History - Command Execution Forensics with Anti-Forensics Detection\n-- MITRE ATT&CK: T1059.004 (Unix Shell), T1552.003 (Bash History), T1070.003 (Clear History), T1105 (Ingress Tool Transfer), T1562.001 (Disable Tools)\n-- Platforms: Linux, macOS\n-- Uses LEFT JOIN to detect users with no shell history (anti-forensics indicator)\n-- Note: Look for suspicious patterns and users with no_history_suspicious='yes'\nSELECT\n u.username,\n u.uid,\n u.gid,\n u.directory AS user_home,\n sh.command,\n sh.history_file,\n CASE\n WHEN sh.history_file LIKE '%bash_history%' THEN 'bash'\n WHEN sh.history_file LIKE '%zsh_history%' THEN 'zsh'\n WHEN sh.history_file LIKE '%fish_history%' THEN 'fish'\n WHEN sh.history_file LIKE '%ash_history%' THEN 'ash'\n ELSE 'unknown'\n END AS shell_type,\n CASE\n WHEN sh.time > 0 THEN datetime(sh.time, 'unixepoch')\n ELSE 'unknown'\n END AS command_time,\n sh.time AS command_timestamp,\n CASE\n WHEN sh.command IS NULL THEN 'yes'\n ELSE 'no'\n END AS no_history_suspicious\nFROM users u\nLEFT JOIN shell_history sh ON sh.uid = u.uid\nWHERE (u.uid >= 500 OR sh.command IS NOT NULL)\n AND (sh.command IS NULL OR sh.command != '')\nORDER BY u.username, sh.time DESC",
+ "updated_at": "2024-12-02T17:00:00.000Z",
+ "updated_by": "elastic"
+ },
+ "coreMigrationVersion": "9.2.0",
+ "id": "osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d",
+ "references": [],
+ "type": "osquery-saved-query",
+ "updated_at": "2024-12-02T17:00:00.000Z",
+ "version": "WzEsMV0="
+}
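Review bot: `no_history_suspicious` is set to 'yes' for every account with uid >= 500 that has no shell_history row, and on most Linux distributions (UID_MIN 1000) that range still includes system accounts and any user whose login shell is nologin or false, so the anti-forensics signal in the `query` string will be dominated by accounts that never had a history file. The osquery users table exposes a `shell` column; filtering non-interactive shells in the WHERE clause, `AND u.shell NOT IN ('/usr/sbin/nologin', '/sbin/nologin', '/bin/false', '/usr/bin/false')`, and adding `u.shell,` to the SELECT list would let analysts triage the remaining hits. A history file that osquery cannot read (it needs root to read other users' home directories) presumably also produces a NULL command, so the `description` should say the flag means no readable history was found rather than evidence of clearing. The created_at/updated_at stamps of 2024-12-02 also sit oddly against the 2025-11-07 "Last Updated" value this commit removes from artifacts_matrix.md; confirm they are not placeholders.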