[Osquery_manager] WMI artifacts saved query#16227
Merged
tomsonpl merged 8 commits intotemporary-osquery-artifacts-branchfrom Jan 19, 2026
Merged
[Osquery_manager] WMI artifacts saved query#16227tomsonpl merged 8 commits intotemporary-osquery-artifacts-branchfrom
tomsonpl merged 8 commits intotemporary-osquery-artifacts-branchfrom
Conversation
Comprehensive osquery query detecting WMI-based persistence: - Bound subscriptions (active filter-consumer chains) - Orphaned consumers (residual malware indicators) - Orphaned filters (incomplete cleanup detection) - Hash and authenticode enrichment for executables - Supports CommandLineEventConsumer and ActiveScriptEventConsumer Uses relative_path JOINs per osquery schema for accurate binding correlation. ECS mappings included for Elastic Security integration.
tomsonpl
changed the title
tomsonpl
requested review from
ashokaditya and
parkiino
and removed request for
a team
andrewkroh
added
documentation
…RE ATT&CK coverage - Add event.kind, event.module, event.dataset, host.os.type ECS fields - Add MITRE ATT&CK T1546.003 (Event Triggered Execution: WMI Event Subscription) threat context - Fix ECS mapping: subject_name→signature_signer for process.code_signature.subject_name - Remove incorrect threat.indicator.description mapping - Enhance tags with osquery and windows identifiers - Fix query column alias: a.subject_name AS signature_signer for proper ECS mapping
- Add ECS mappings for file.created, file.mtime, file.accessed, file.ctime, file.size - Join with file table to retrieve timestamp metadata for referenced executables/scripts - Convert timestamps to UTC ISO 8601 format using datetime() for ECS standardization - Update description to mention file timestamp enrichment
calladoum-elastic
approved these changes
Dec 11, 2025
calladoum-elastic
left a comment
calladoum-elastic
left a comment
There was a problem hiding this comment.
minor comment, otherwise lgtm
...manager/kibana/osquery_saved_query/osquery_manager-40033716-3580-48fe-a17d-441a838acd8a.json
Outdated
Show resolved
Hide resolved
ferullo
reviewed
Dec 15, 2025
| { | ||
| "key": "file.path", | ||
| "value": { | ||
| "field": "script_file_name" |
Contributor
There was a problem hiding this comment.
I don't think this is the same file that all the other file.* fields correspond to. I think they all correspond to process.* info, right? It feels like this needs to be addressed somehow. Do we need the script_file_name mapped to ECS? If not could the process.* and file.* fielsets be merged?
Contributor
Author
There was a problem hiding this comment.
Good idea, let me keep these fields unmapped for forensics purposes, so in the end we're end up with having just one namespace - file.
Would this work for you?
- Replace event.kind/module/dataset with event.action mapping - Move code signature fields from process.* to file.* namespace - Remove redundant MITRE ATT&CK threat.* static mappings (covered in description) - Add VirusTotal link generation for hash lookups - Simplify tags array - Update timestamps to 2025-12-31
- Add h.sha1 hash column and file.hash.sha1 mapping - Consolidate hash mappings to file.* namespace - Remove path field mappings to prevent inconsistent field population
ferullo
approved these changes
Jan 12, 2026
…tifact # Conflicts: # packages/osquery_manager/artifacts_matrix.md
tomsonpl
merged commit 33e4776
into
temporary-osquery-artifacts-branch
7 of 8 checks passed
💔 Build Failed
Failed CI StepsHistory
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
WMI Persistence Event Subscriptions
Summary
This PR adds an osquery saved query to detect WMI Event Subscription persistence (MITRE ATT&CK T1546.003) on Windows systems. WMI eventing is a powerful persistence mechanism that allows attackers to execute arbitrary commands or scripts when specific system events occur, making it difficult to detect without specialized tooling.
The query provides complete forensic visibility by detecting:
Results are enriched with file hashes and code signatures for referenced executables and scripts.
Core Forensic Artifacts Coverage
MITRE ATT&CK Coverage
Queries by Platform
🪟 Windows - WMI Event Subscription Persistence Detection
Description
Detects WMI event subscriptions used for persistence (MITRE ATT&CK T1546.003). Includes bound subscriptions (active persistence) AND orphaned components (filters/consumers without bindings) which may indicate residual or partially removed malware. WMI eventing allows attackers to execute arbitrary commands or scripts when specific system events occur. Enriched with file hashes and code signatures for referenced executables and scripts.
Detection Focus:
Result
Query returns WMI subscription components with their relationships and enrichment data:
boundorphaned_consumerorphaned_filterPlatform
windowsInterval
3600seconds (1 hour)Query ID
wmi_persistence_event_subscriptions_windows_elasticECS Field Mappings
Event Context:
event.category→["configuration"]event.type→["info"]event.kind→"state"event.module→"osquery"event.dataset→"osquery.wmi_persistence"host.os.type→"windows"Process/Executable Fields:
process.command_line→command_line_templateprocess.executable→executable_pathprocess.hash.md5→md5process.hash.sha256→sha256process.code_signature.subject_name→signature_signerprocess.code_signature.status→signature_statusFile Fields:
file.path→script_file_nameThreat Context:
threat.framework→"MITRE ATT&CK"threat.tactic.id→["TA0003"]threat.tactic.name→["Persistence"]threat.technique.id→["T1546.003"]threat.technique.name→["Event Triggered Execution: Windows Management Instrumentation Event Subscription"]Tags:
osquery,persistence,wmi,event_subscription,mitre_t1546_003,windowsSQL Query