17 changes: 9 additions & 8 deletions packages/osquery_manager/artifacts_matrix.md
Expand Up @@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Last Updated**: 2025-11-20
**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
**Total Queries**: 31 (4 core forensic variants + 27 additional)
**Completion Rate**: 4.3% (2/46 core artifacts fully supported)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 2 | 4.3% |
| ⚠️ In Progress (Needs Validation) | 38 | 82.6% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
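Review bot: the replaced summary rows ("Available | 0 | 0%") were already out of step with the old header's "1 available", and the new numbers are at least internally consistent (2 + 38 + 6 = 46; 2/46 = 4.3%, 38/46 = 82.6%, 6/46 = 13.0%), but "Total Queries: 31 (4 core forensic variants + 27 additional)" counts the new LNK query as a core variant while the additional-queries table later in this file gains the same query as row 27 with the additional count unchanged; count it in one place only, or say explicitly that row 27 overlaps the core matrix.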
Expand All @@ -36,7 +36,7 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 6a | Installed Services | ⚠️ | Linux | - | - | systemd table |
| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table |
| 7 | Jumplists | ❌ | Win | - | - | Not natively supported — PR #7260 closed due to OLE format complexity |
| 8 | LNK files | ⚠️ | Win | - | - | shortcut_files table (deprecated), file table and recent_files table is an alternative (osquery upgrade needed for recent files) |
| 8 | LNK files | | Win | lnk_forensics_windows_elastic | [a1b2c3d4-lnk1](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json) | Uses file table's native Windows shortcut parsing with hash and shellbags enrichment. Detects suspicious patterns: risky executables (cmd, powershell, wscript, etc.), malicious arguments (encoded commands, download cradles, temp paths, UNC paths), large files (>20KB), HTTP/HTTPS strings, and persistence locations (Startup folders). Correlates LNK targets with Windows Explorer directory access patterns from shellbags registry data to identify user interaction. Includes suspicious indicator flags and intelligent result prioritization. |
| 9 | ARP Cache | ⚠️ | Win | - | - | arp_cache table |
| 9a | ARP Cache | ⚠️ | Linux | - | - | arp_cache table |
| 9b | ARP Cache | ⚠️ | Mac | - | - | arp_cache table |
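Review bot: the status cell of the new row 8 is empty (`| 8 | LNK files | | Win |`) where every other row carries ✅, ⚠️ or ❌; since the summary now reports 2 available, it should be ✅. The old row's caveat that an osquery upgrade is needed was dropped, yet the new query depends on the file table's shortcut_* columns, which only exist in newer osquery builds, so a minimum-version note should stay. The description also claims more than the query does ("intelligent result prioritization" is an ORDER BY on Startup location, risky target, then mtime); trim the cell to the concrete behaviour.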
Expand Down Expand Up @@ -105,6 +105,7 @@ These queries existed in the original repository and provide additional coverage
| 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
| 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
| 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
| 27 | lnk_forensics | ✅ | Win | [a1b2](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json) | LNK shortcut file forensics with suspicious pattern detection and shellbags enrichment (risky executables, malicious arguments, large files, persistence locations, directory access correlation) |

**Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.
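Review bot: the link target `osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json` is not UUID-shaped like the ids in rows 24 to 26 (`lnk1` contains non-hex characters), which reads as a placeholder id that was never regenerated; generate a real UUID for the saved object before merging. Row 27 also lists the query that row 8 of the core matrix already covers, so the file now double-lists it.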

Expand Down Expand Up @@ -167,7 +168,7 @@ While some artifacts are not directly available, the existing queries provide st
- ⚠️ BITS Jobs Database (Windows: via windows_eventlog)

### User Activity
- ⚠️ LNK files (Windows: shortcut_files, file, recent_files tables)
- LNK files (Windows: file table with native shortcut parsing + hash enrichment + shellbags correlation + suspicious pattern detection)
- ⚠️ Shell History (Linux/Mac: shell_history table)
- ⚠️ Shellbags (Windows: shellbags table)
- ⚠️ User Assist (Windows: userassist table)
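Review bot: the LNK files bullet lost its status marker (the removed line had ⚠️, the new one has none before "LNK files"); add ✅ so the list matches the matrix row and the summary counts.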
@@ -0,0 +1,170 @@
{
"attributes": {
"created_at": "2025-11-20T00:00:00.000Z",
"created_by": "elastic",
"description": "Collect Windows LNK shortcut files from critical persistence and public locations with suspicious indicators enriched with shellbags data. Focuses on Startup folders and Public Desktop locations. Detects risky executables (cmd.exe, powershell.exe, etc.), suspicious command-line arguments (encoded commands, download cradles, UNC paths), and large LNK files. Correlates LNK targets with Windows Explorer directory access patterns from shellbags registry data. Note: Scoped to system-wide and public locations only to satisfy osquery path constraints. Best used in combination with timeline analysis and manual investigation of flagged items.",
"ecs_mapping": [
{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "file.name",
"value": {
"field": "filename"
}
},
{
"key": "file.directory",
"value": {
"field": "directory"
}
},
{
"key": "file.size",
"value": {
"field": "size"
}
},
{
"key": "file.created",
"value": {
"field": "btime"
}
},
{
"key": "file.mtime",
"value": {
"field": "mtime"
}
},
{
"key": "file.accessed",
"value": {
"field": "atime"
}
},
{
"key": "file.ctime",
"value": {
"field": "ctime"
}
},
{
"key": "file.type",
"value": {
"field": "type"
}
},
{
"key": "file.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "file.hash.sha1",
"value": {
"field": "sha1"
}
},
{
"key": "file.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "file.extension",
"value": {
"field": "extension"
}
},
{
"key": "process.executable",
"value": {
"field": "shortcut_target_path"
}
},
{
"key": "process.command_line",
"value": {
"field": "combined_command"
}
},
{
"key": "user.id",
"value": {
"field": "shellbags_sid"
}
},
{
"key": "registry.path",
"value": {
"field": "shellbags_source"
}
}
],
"id": "lnk_forensics_windows_elastic",
"interval": "3600",
"platform": "windows",
"query": "-- Windows LNK Shortcut File Forensics with Suspicious Pattern Detection + Shellbags Enrichment\n-- Source: file table with native Windows shortcut parsing + shellbags registry data\n-- Focus: Risky executables, malicious arguments, large files, persistence mechanisms\n-- Scope: System-wide Startup folder and Public Desktop only (osquery constraint requirement)\n\nWITH lnk_files AS (\n SELECT \n f.path,\n f.filename,\n f.directory,\n f.size,\n f.btime,\n f.mtime,\n f.atime,\n f.ctime,\n f.type,\n f.shortcut_target_path,\n f.shortcut_target_type,\n f.shortcut_target_location,\n f.shortcut_start_in,\n f.shortcut_run,\n f.shortcut_comment,\n 'lnk' AS extension,\n CASE \n WHEN f.shortcut_target_path IS NOT NULL AND f.shortcut_comment IS NOT NULL \n THEN f.shortcut_target_path || ' ' || f.shortcut_comment\n WHEN f.shortcut_target_path IS NOT NULL \n THEN f.shortcut_target_path\n ELSE f.shortcut_comment\n END AS combined_command\n FROM file f\n WHERE (\n f.directory = 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n OR f.directory = 'C:\\Users\\Public\\Desktop'\n )\n AND f.filename LIKE '%.lnk'\n)\nSELECT \n lnk.path,\n lnk.filename,\n lnk.directory,\n lnk.size,\n lnk.btime,\n lnk.mtime,\n lnk.atime,\n lnk.ctime,\n lnk.type,\n lnk.shortcut_target_path,\n lnk.shortcut_target_type,\n lnk.shortcut_target_location,\n lnk.shortcut_start_in,\n lnk.shortcut_run,\n lnk.shortcut_comment,\n lnk.combined_command,\n lnk.extension,\n h.md5,\n h.sha1,\n h.sha256,\n sb.sid AS shellbags_sid,\n sb.source AS shellbags_source,\n sb.modified_time AS shellbags_modified_time,\n sb.created_time AS shellbags_created_time,\n sb.accessed_time AS shellbags_accessed_time,\n sb.mft_entry AS shellbags_mft_entry,\n CASE WHEN lnk.size > 20000 THEN 1 ELSE 0 END AS large_size_flag,\n CASE WHEN lnk.directory LIKE '%\\Startup%' THEN 1 ELSE 0 END AS startup_persistence_flag,\n CASE \n WHEN lnk.shortcut_target_path LIKE '%\\cmd.exe' \n OR lnk.shortcut_target_path LIKE 
'%\\powershell.exe'\n OR lnk.shortcut_target_path LIKE '%\\cscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\wscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\rundll32.exe'\n OR lnk.shortcut_target_path LIKE '%\\regsvr32.exe'\n OR lnk.shortcut_target_path LIKE '%\\mshta.exe'\n OR lnk.shortcut_target_path LIKE '%\\wmic.exe'\n OR lnk.shortcut_target_path LIKE '%\\conhost.exe'\n THEN 1 ELSE 0 \n END AS risky_executable_flag,\n CASE \n WHEN lnk.combined_command LIKE '%\\AppData\\%'\n OR lnk.combined_command LIKE '%\\Users\\Public\\%'\n OR lnk.combined_command LIKE '%\\Temp\\%'\n OR lnk.combined_command LIKE '%comspec%'\n OR lnk.combined_command LIKE '%&cd&echo%'\n OR lnk.combined_command LIKE '% -NoP %'\n OR lnk.combined_command LIKE '% -W Hidden %'\n OR lnk.combined_command LIKE '% -decode %'\n OR lnk.combined_command LIKE '% /decode %'\n OR lnk.combined_command LIKE '% -e %JAB%'\n OR lnk.combined_command LIKE '% -e %SUVYI%'\n OR lnk.combined_command LIKE '% -e %SQBFAFgA%'\n OR lnk.combined_command LIKE '% -e %aWV4I%'\n OR lnk.combined_command LIKE '% -e %aQBlAHgA%'\n OR lnk.combined_command LIKE '%start /b%'\n OR lnk.combined_command LIKE '%start \\b%'\n OR lnk.combined_command LIKE '%.downloadstring(%'\n OR lnk.combined_command LIKE '%.downloadfile(%'\n OR lnk.combined_command LIKE '%iex %'\n THEN 1 ELSE 0\n END AS suspicious_arguments_flag,\n CASE \n WHEN lnk.combined_command LIKE '%http://%'\n OR lnk.combined_command LIKE '%https://%'\n OR lnk.combined_command LIKE '%ftp://%'\n OR lnk.combined_command LIKE '%ftps://%'\n THEN 1 ELSE 0\n END AS http_download_flag,\n CASE \n WHEN lnk.combined_command LIKE '% \\\\\\\\%'\n OR lnk.shortcut_start_in LIKE '\\\\\\\\%'\n THEN 1 ELSE 0\n END AS unc_path_flag,\n CASE \n WHEN LENGTH(lnk.shortcut_comment) > 250 \n THEN 1 ELSE 0\n END AS large_arguments_flag\nFROM lnk_files lnk\nLEFT JOIN hash h ON lnk.path = h.path\nLEFT JOIN shellbags sb ON sb.path = lnk.shortcut_start_in\nWHERE (\n lnk.size > 20000\n OR lnk.directory LIKE 
'%\\Startup%'\n OR lnk.shortcut_target_path LIKE '%\\cmd.exe'\n OR lnk.shortcut_target_path LIKE '%\\powershell.exe'\n OR lnk.shortcut_target_path LIKE '%\\cscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\wscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\rundll32.exe'\n OR lnk.shortcut_target_path LIKE '%\\regsvr32.exe'\n OR lnk.shortcut_target_path LIKE '%\\mshta.exe'\n OR lnk.shortcut_target_path LIKE '%\\wmic.exe'\n OR lnk.shortcut_target_path LIKE '%\\conhost.exe'\n OR lnk.combined_command LIKE '%\\AppData\\%'\n OR lnk.combined_command LIKE '%\\Users\\Public\\%'\n OR lnk.combined_command LIKE '%\\Temp\\%'\n OR lnk.combined_command LIKE '%comspec%'\n OR lnk.combined_command LIKE '%&cd&echo%'\n OR lnk.combined_command LIKE '% -NoP %'\n OR lnk.combined_command LIKE '% -W Hidden %'\n OR lnk.combined_command LIKE '% -decode %'\n OR lnk.combined_command LIKE '% /decode %'\n OR lnk.combined_command LIKE '% -e %JAB%'\n OR lnk.combined_command LIKE '% -e %SUVYI%'\n OR lnk.combined_command LIKE '% -e %SQBFAFgA%'\n OR lnk.combined_command LIKE '% -e %aWV4I%'\n OR lnk.combined_command LIKE '% -e %aQBlAHgA%'\n OR lnk.combined_command LIKE '%start /b%'\n OR lnk.combined_command LIKE '%start \\b%'\n OR lnk.combined_command LIKE '%.downloadstring(%'\n OR lnk.combined_command LIKE '%.downloadfile(%'\n OR lnk.combined_command LIKE '%iex %'\n OR lnk.combined_command LIKE '%http://%'\n OR lnk.combined_command LIKE '%https://%'\n OR lnk.combined_command LIKE '%ftp://%'\n OR lnk.combined_command LIKE '%ftps://%'\n OR lnk.combined_command LIKE '% \\\\\\\\%'\n OR lnk.shortcut_start_in LIKE '\\\\\\\\%'\n OR LENGTH(lnk.shortcut_comment) > 250\n)\nAND (\n lnk.directory LIKE '%\\Startup%'\n OR (\n lnk.filename NOT LIKE 'Excel.lnk'\n AND lnk.filename NOT LIKE 'Word.lnk'\n AND lnk.filename NOT LIKE 'PowerPoint.lnk'\n AND lnk.filename NOT LIKE 'Outlook.lnk'\n AND lnk.filename NOT LIKE 'OneNote.lnk'\n AND lnk.filename NOT LIKE 'Windows Media Player.lnk'\n AND lnk.filename NOT LIKE 
'Windows Explorer.lnk'\n AND lnk.filename NOT LIKE 'Internet Explorer.lnk'\n )\n)\nORDER BY \n CASE WHEN lnk.directory LIKE '%\\Startup%' THEN 1 ELSE 2 END,\n CASE \n WHEN lnk.shortcut_target_path LIKE '%\\cmd.exe' \n OR lnk.shortcut_target_path LIKE '%\\powershell.exe'\n OR lnk.shortcut_target_path LIKE '%\\cscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\wscript.exe'\n OR lnk.shortcut_target_path LIKE '%\\rundll32.exe'\n OR lnk.shortcut_target_path LIKE '%\\regsvr32.exe'\n OR lnk.shortcut_target_path LIKE '%\\mshta.exe'\n OR lnk.shortcut_target_path LIKE '%\\wmic.exe'\n OR lnk.shortcut_target_path LIKE '%\\conhost.exe'\n THEN 1 ELSE 2 \n END,\n lnk.mtime DESC;",
"updated_at": "2025-11-20T00:00:00.000Z",
"updated_by": "elastic",
"tags": [
"forensics",
"persistence",
"lateral-movement",
"user-activity",
"file-analysis",
"malware-detection",
"command-and-control"
],
"mitre_attack": [
{
"id": "T1547.001",
"tactic": "Persistence",
"technique": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
"reference": "https://attack.mitre.org/techniques/T1547/001/"
},
{
"id": "T1204.002",
"tactic": "Execution",
"technique": "User Execution: Malicious File",
"reference": "https://attack.mitre.org/techniques/T1204/002/"
},
{
"id": "T1021",
"tactic": "Lateral Movement",
"technique": "Remote Services",
"reference": "https://attack.mitre.org/techniques/T1021/"
},
{
"id": "T1059.001",
"tactic": "Execution",
"technique": "Command and Scripting Interpreter: PowerShell",
"reference": "https://attack.mitre.org/techniques/T1059/001/"
},
{
"id": "T1059.003",
"tactic": "Execution",
"technique": "Command and Scripting Interpreter: Windows Command Shell",
"reference": "https://attack.mitre.org/techniques/T1059/003/"
},
{
"id": "T1105",
"tactic": "Command and Control",
"technique": "Ingress Tool Transfer",
"reference": "https://attack.mitre.org/techniques/T1105/"
}
]
},
"coreMigrationVersion": "8.3.0",
"id": "osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-11-20T00:00:00.000Z",
"version": "WzEsMV0="
}
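Review bot: `unc_path_flag` will not fire on a real UNC path: the JSON literals `'% \\\\\\\\%'` and `'\\\\\\\\%'` decode to four backslashes, a UNC path begins with two, and SQLite's LIKE carries no ESCAPE clause here so every backslash is matched literally (compare `'%\\cmd.exe'`, which correctly decodes to a single backslash); use `'% \\\\%'` and `'\\\\%'`. Second, `combined_command` is built from `shortcut_target_path` and `shortcut_comment`, the shortcut's comment text; no arguments column is read, so the encoded-command and download-cradle patterns (`% -e %JAB%`, `%.downloadstring(%`) only match when the arguments happen to sit in the comment, and mapping the field to `process.command_line` in `ecs_mapping` overstates what it holds; rename the field or document the limitation. Third, the flag CASE expressions and the WHERE clause carry identical copies of the whole predicate list; compute the flags inside the CTE and filter on `risky_executable_flag = 1 OR suspicious_arguments_flag = 1 OR ...` so the two cannot drift apart. Finally, the saved object `id` `osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb` is not a valid UUID and looks like a placeholder; regenerate it and update the two links in artifacts_matrix.md to match.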