
@tomsonpl tomsonpl commented Dec 3, 2025

UserAssist Artifact

The UserAssist registry artifact tracks applications executed via Windows Explorer, providing forensic investigators with execution timestamps, run counts, and user attribution. This artifact is essential for reconstructing user activity timelines and identifying potentially malicious programs launched through the Windows shell.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query | File | Description |
|---|----------|----|-------|------|-------------|
| 1 | UserAssist | Windows | userassist_windows_elastic | e9e51a33 | Track Explorer-launched applications with user resolution and hash enrichment |

Queries by Platform


🪟 Windows - User Execution Tracking via Explorer

Description

UserAssist Registry: Track applications executed via Windows Explorer. Shows execution count and last execution time per user. Useful for forensic investigation of user-initiated program execution. MITRE ATT&CK: T1204 (User Execution).

Detection Focus:

  • Applications launched by users via Windows Explorer shell
  • Execution frequency and patterns per user account
  • Timeline reconstruction of user-initiated program execution
  • Identification of suspicious or unauthorized application usage
  • Correlation of file hashes with threat intelligence

Forensic Value:

  • Provides execution count for frequency analysis
  • Last execution timestamp for timeline correlation
  • User SID resolution to human-readable usernames
  • Hash enrichment for executable verification (when file path exists on disk)

Result

[Screenshot 2025-12-03 at 11:33:42: query results]

Query results include application paths, extracted filenames, user SIDs with resolved usernames, execution timestamps in UTC, run counts, and MD5/SHA256 hashes when the executable exists on disk.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

userassist_windows_elastic

ECS Field Mappings

  • file.path: path
  • file.name: name
  • user.id: sid
  • user.name: username
  • file.hash.md5: md5
  • file.hash.sha256: sha256
  • event.category: ["process"] (static)
  • event.type: ["info"] (static)
  • tags: ["userassist", "mitre_t1204", "forensics"] (static)

SQL Query

```sql
-- UserAssist: Track applications executed via Windows Explorer
-- Forensic value: Shows user-initiated program executions with timestamps
SELECT
  ua.path AS path,
  -- Basename: RTRIM strips every non-backslash character from the right, leaving the
  -- directory prefix; REPLACE then removes that prefix, leaving the file name
  REPLACE(ua.path, RTRIM(ua.path, REPLACE(ua.path, '\', '')), '') AS name,
  ua.sid AS sid,
  u.username AS username,
  datetime(ua.last_execution_time, 'unixepoch', 'UTC') AS last_execution_utc,
  ua.last_execution_time,
  ua.count AS execution_count,
  h.md5 AS md5,
  h.sha256 AS sha256
FROM userassist ua
-- On Windows the users table exposes the account SID in the uuid column
LEFT JOIN users u ON ua.sid = u.uuid
-- LEFT JOIN keeps rows whose executable is no longer on disk (hashes come back NULL)
LEFT JOIN hash h ON ua.path = h.path
WHERE ua.path != ''
  AND ua.last_execution_time > 0
```

MITRE ATT&CK Coverage

  • T1204 - User Execution: Tracks when users execute malicious files via social engineering or other means
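
As an added illustration (not code from this PR or from osquery) of where the columns above come from, the following decodes one raw UserAssist registry value the way the `userassist` table does and then applies the query's filter and ECS field mapping. It assumes the Windows 7 and later 72-byte value layout (run count at offset 4, last-run FILETIME at offset 60); the value blob, SID and username table are constructed sample data, and hash enrichment is left out because it needs the file on disk.

```python
import codecs
import struct
from datetime import datetime, timezone

# Assumption: Windows 7+ UserAssist value layout (72 bytes) with the run count as the
# DWORD at offset 4 and the last-run FILETIME as the QWORD at offset 60.
FILETIME_UNIX_EPOCH = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01

def decode_userassist(value_name, data):
    """Decode one raw UserAssist registry value into the columns the query reads."""
    if len(data) < 72:
        raise ValueError("UserAssist value too short: %d bytes" % len(data))
    path = codecs.decode(value_name, "rot_13")      # value names are ROT13-encoded
    count = struct.unpack_from("<I", data, 4)[0]
    filetime = struct.unpack_from("<Q", data, 60)[0]
    # A zero FILETIME means the entry was never run; keep 0 so the caller can filter it
    last_run = (filetime - FILETIME_UNIX_EPOCH) // 10_000_000 if filetime else 0
    return {"path": path, "count": count, "last_execution_time": last_run}

def to_ecs(row, sid, users):
    """Apply the query's WHERE filter and ECS field mapping to one decoded row."""
    if not row["path"] or row["last_execution_time"] <= 0:
        return None
    when = datetime.fromtimestamp(row["last_execution_time"], timezone.utc)
    return {
        "file.path": row["path"],
        "file.name": row["path"].rsplit("\\", 1)[-1],  # same result as the RTRIM/REPLACE trick
        "user.id": sid,
        "user.name": users.get(sid),                   # LEFT JOIN users: None when unresolved
        "last_execution_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "execution_count": row["count"],
        "event.category": ["process"], "event.type": ["info"],
        "tags": ["userassist", "mitre_t1204", "forensics"],
    }

# Constructed sample: cmd.exe run 7 times, last at 2025-12-03 10:41:00 UTC
SAMPLE_SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_USERS = {SAMPLE_SID: "alice"}
SAMPLE_TS = 1764758460
SAMPLE_NAME = codecs.encode("C:\\Windows\\System32\\cmd.exe", "rot_13")
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 5000) + b"\x00" * 44
               + struct.pack("<Q", SAMPLE_TS * 10_000_000 + FILETIME_UNIX_EPOCH) + b"\x00" * 4)
NEVER_RUN = struct.pack("<IIII", 0, 0, 0, 0) + b"\x00" * 56  # FILETIME left at zero

if __name__ == "__main__":
    print(to_ecs(decode_userassist(SAMPLE_NAME, SAMPLE_DATA), SAMPLE_SID, SAMPLE_USERS))
```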

This PR was AI assisted with Claude Code

- Query userassist table for Explorer-launched application tracking
- Extract filename from path for quick identification
- Resolve SID to username via users table JOIN
- Enrich with MD5/SHA256 hashes via hash table LEFT JOIN
- Map to ECS fields: file.path, file.name, user.id, user.name, file.hash.*
- Tag with MITRE ATT&CK T1204 (User Execution)

Note: UserAssist only captures Explorer shell executions, not command-line runs

- Change User Assist status from In Progress to Available
- Update coverage stats: 1 available, 38 in progress, 6 not available
- Add query reference link to userassist_windows_elastic
- Update last modified date to 2025-12-03
@tomsonpl tomsonpl marked this pull request as ready for review December 3, 2025 10:41
@tomsonpl tomsonpl requested a review from a team as a code owner December 3, 2025 10:41
@tomsonpl tomsonpl requested review from gergoabraham and paul-tavares and removed request for a team December 3, 2025 10:41
The UserAssist registry does track command-line executions - remove
inaccurate documentation stating otherwise.
@elasticmachine

💚 Build Succeeded

@tomsonpl tomsonpl changed the title Osquery userassist artifact [Osquery_manager] UserAssist artifact saved query Dec 3, 2025
@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager Team:Defend Workflows Security team for Endpoint and OSQuery workflows [elastic/security-defend-workflows] labels Dec 3, 2025