[Osquery_manager] Shell history artifact saved query

packages/osquery_manager/artifacts_matrix.md

@@ -2,19 +2,19 @@
 
 This document tracks the coverage of forensic artifacts in Osquery.
 
-**Last Updated**: 2025-11-07
-**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
-**Total Queries**: 30 (3 core forensic variants + 27 additional)
-**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
+**Last Updated**: 2024-12-02
+**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
+**Total Queries**: 31 (4 core forensic variants + 27 additional)
+**Completion Rate**: 4.3% (2/46 core artifacts fully supported)
 
 ---
 
 ## Coverage Summary
 
 | Status | Count | Percentage |
 |--------|-------|------------|
-| ✅ Available (Fully Supported) | 0     | 0%         |
-| ⚠️ In Progress (Needs Validation) | 39    | 87.0%      |
+| ✅ Available (Fully Supported) | 2     | 4.3%       |
+| ⚠️ In Progress (Needs Validation) | 38    | 82.6%      |
 | ❌ Not Available (Requires Extensions) | 6     | 13.0%      |
 
 ---
@@ -59,8 +59,8 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | 17a | Process Listing         | ⚠️ | Linux | -     | -    | processes table                                                                                                                  |
 | 17b | Process Listing         | ⚠️ | Mac | -     | -    | processes table                                                                                                                  |
 | 18 | Registry                | ⚠️ | Win | -     | -    | registry table                                                                                                                   |
-| 19 | Shell History           | ⚠️ | Linux | -     | -    | shell_history table                                                                                                              |
-| 19a | Shell History           | ⚠️ | Mac | -     | -    | shell_history table                                                                                                              |
+| 19 | Shell History           | ✅ | Linux | shell_history_linux_macos_elastic | [8476](kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json) | shell_history table with LEFT JOIN for anti-forensics detection (users with no history). MITRE: T1059.004, T1552.003, T1070.003, T1105, T1562.001 |
+| 19a | Shell History           | ✅ | Mac | shell_history_linux_macos_elastic | [8476](kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json) | shell_history table with LEFT JOIN for anti-forensics detection (users with no history). MITRE: T1059.004, T1552.003, T1070.003, T1105, T1562.001 |
 | 20 | Shellbags               | ⚠️ | Win | -     | -    | shellbags table                                                                                                                  |
 | 21 | Tasks                   | ⚠️ | Win | -     | -    | scheduled_tasks table                                                                                                            |
 | 21a | Tasks                   | ⚠️ | Linux | -     | -    | scheduled_tasks table                                                                                                            |
@@ -105,6 +105,7 @@ These queries existed in the original repository and provide additional coverage
 | 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
 | 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
 | 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
+| 27 | shell_history | ✅ | Linux+Mac | [8476](kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json) | Shell command history with anti-forensics detection (LEFT JOIN to identify users with no history). MITRE: T1059.004, T1552.003, T1070.003, T1105, T1562.001 |
 
 **Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.
 
@@ -168,7 +169,7 @@ While some artifacts are not directly available, the existing queries provide st
 
 ### User Activity
 - ⚠️ LNK files (Windows: shortcut_files, file, recent_files tables)
-- ⚠️ Shell History (Linux/Mac: shell_history table)
+- ✅ Shell History (Linux/Mac: shell_history table with anti-forensics detection)
 - ⚠️ Shellbags (Windows: shellbags table)
 - ⚠️ User Assist (Windows: userassist table)
 - ⚠️ Browser URL History (All platforms: via ATC custom tables)

packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d.json

@@ -0,0 +1,75 @@
+{
+    "attributes": {
+        "created_at": "2024-12-02T15:00:00.000Z",
+        "created_by": "elastic",
+        "description": "Retrieves shell command history for all users with anti-forensics detection. Uses LEFT JOIN to identify users with no shell history (potential evidence of history clearing). Covers MITRE ATT&CK techniques T1059.004 (Unix Shell), T1552.003 (Bash History), T1070.003 (Clear Command History), T1105 (Ingress Tool Transfer), and T1562.001 (Disable or Modify Tools). Review results for: (1) suspicious command patterns including reverse shells, encoded commands, credential access, (2) users with no_history_suspicious='yes' indicating missing history files.",
+        "ecs_mapping": [
+            {
+                "key": "user.name",
+                "value": {
+                    "field": "username"
+                }
+            },
+            {
+                "key": "user.id",
+                "value": {
+                    "field": "uid"
+                }
+            },
+            {
+                "key": "user.group.id",
+                "value": {
+                    "field": "gid"
+                }
+            },
+            {
+                "key": "user.home",
+                "value": {
+                    "field": "user_home"
+                }
+            },
+            {
+                "key": "process.command_line",
+                "value": {
+                    "field": "command"
+                }
+            },
+            {
+                "key": "file.path",
+                "value": {
+                    "field": "history_file"
+                }
+            },
+            {
+                "key": "event.category",
+                "value": {
+                    "value": ["process"]
+                }
+            },
+            {
+                "key": "event.type",
+                "value": {
+                    "value": ["info"]
+                }
+            },
+            {
+                "key": "tags",
+                "value": {
+                    "value": ["shell_history", "forensics", "anti_forensics_detection", "mitre_t1059_004", "mitre_t1552_003", "mitre_t1070_003", "mitre_t1105", "mitre_t1562_001"]
+                }
+            }
+        ],
+        "id": "shell_history_linux_macos_elastic",
+        "interval": "3600",
+        "platform": "linux,darwin",
+        "query": "-- Shell History - Command Execution Forensics with Anti-Forensics Detection\n-- MITRE ATT&CK: T1059.004 (Unix Shell), T1552.003 (Bash History), T1070.003 (Clear History), T1105 (Ingress Tool Transfer), T1562.001 (Disable Tools)\n-- Platforms: Linux, macOS\n-- Uses LEFT JOIN to detect users with no shell history (anti-forensics indicator)\n-- Note: Look for suspicious patterns and users with no_history_suspicious='yes'\nSELECT\n  u.username,\n  u.uid,\n  u.gid,\n  u.directory AS user_home,\n  sh.command,\n  sh.history_file,\n  CASE\n    WHEN sh.history_file LIKE '%bash_history%' THEN 'bash'\n    WHEN sh.history_file LIKE '%zsh_history%' THEN 'zsh'\n    WHEN sh.history_file LIKE '%fish_history%' THEN 'fish'\n    WHEN sh.history_file LIKE '%ash_history%' THEN 'ash'\n    ELSE 'unknown'\n  END AS shell_type,\n  CASE\n    WHEN sh.time > 0 THEN datetime(sh.time, 'unixepoch')\n    ELSE 'unknown'\n  END AS command_time,\n  sh.time AS command_timestamp,\n  CASE\n    WHEN sh.command IS NULL THEN 'yes'\n    ELSE 'no'\n  END AS no_history_suspicious\nFROM users u\nLEFT JOIN shell_history sh ON sh.uid = u.uid\nWHERE (u.uid >= 500 OR sh.command IS NOT NULL)\n  AND (sh.command IS NULL OR sh.command != '')\nORDER BY u.username, sh.time DESC",
+        "updated_at": "2024-12-02T17:00:00.000Z",
+        "updated_by": "elastic"
+    },
+    "coreMigrationVersion": "9.2.0",
+    "id": "osquery_manager-8476c6fe-9c0b-447b-a334-c5ecc0779d9d",
+    "references": [],
+    "type": "osquery-saved-query",
+    "updated_at": "2024-12-02T17:00:00.000Z",
+    "version": "WzEsMV0="
+}