Skip to content

[Osquery_manager] Shellbags artifact saved query #16066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: temporary-osquery-artifacts-branch
Choose a base branch
from
Open

[Osquery_manager] Shellbags artifact saved query #16066

wants to merge 1 commit into from
+66 −9

Conversation

@tomsonpl
Copy link
Contributor

@tomsonpl tomsonpl commented Nov 20, 2025
edited
Loading

Windows Shellbags Artifact

Windows Shellbags provide critical forensic evidence of user directory access patterns through Windows Explorer. This artifact tracks folder browsing history, including directories accessed via mapped network drives, USB devices, and local folders. Shellbags persist even after files or folders are deleted, making them invaluable for investigating user behavior, lateral movement, and data exfiltration activities.

Read https://p.elstc.co/paste/8mcHsmyg#Ab4Xl7T57kn-7xX9HdNGxhcjVojZGF4zD7Td9PxebNy

Core Forensic Artifacts Coverage

# Artifact OS Query File Description
1 Windows Shellbags Windows shellbags_windows_elastic a4b2c8d0 Windows Shellbags forensic analysis for user activity investigation

Queries by Platform

🪟 Windows - Shellbags User Activity Analysis

Description

Collects Windows Shellbags data to identify directories accessed via Windows Explorer, providing visibility into user folder browsing patterns. This query extracts critical forensic artifacts including user SIDs, registry hive sources, directory paths, file system timestamps, and MFT references for comprehensive user activity investigation.

Result

Screenshot 2025-11-20 at 15 08 13

Query results provide a chronologically ordered view of all directories accessed by users on the system. Each entry includes the user SID, registry source location, full path, three timestamps (modified, created, accessed), and MFT reference numbers. Results are sorted by most recent modification time, enabling rapid identification of current user activity and historical browsing patterns.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

shellbags_windows_elastic

ECS Field Mappings

  • user.idsid
  • registry.hivesource
  • file.pathpath
  • file.mtimemodified_time
  • file.createdcreated_time
  • file.accessedaccessed_time

SQL Query

SELECT
  sid,
  source,
  path,
  modified_time,
  created_time,
  accessed_time,
  mft_entry,
  mft_sequence
FROM shellbags
WHERE path != '' AND path IS NOT NULL
ORDER BY modified_time DESC;

Forensic Context

Registry Locations Monitored:

  • HKCU\Software\Microsoft\Windows\Shell\BagMRU
  • HKCU\Software\Microsoft\Windows\Shell\Bags
  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  • HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

This query provides essential Windows forensic capability for investigating user activity patterns, lateral movement, and data access behaviors through persistent shell artifacts.

@tomsonpl tomsonpl marked this pull request as ready for review November 20, 2025 14:48
@tomsonpl tomsonpl requested a review from a team as a code owner November 20, 2025 14:48
@tomsonpl tomsonpl added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 20, 2025
@tomsonpl tomsonpl changed the base branch from main to temporary-osquery-artifacts-branch November 20, 2025 14:59
@elasticmachine
Copy link

elasticmachine commented Nov 20, 2025

💚 Build Succeeded

@tomsonpl tomsonpl changed the title Osquery artifact shellbags [Osquery_manager] Shellbags artifact saved query Nov 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ashokaditya ashokaditya Awaiting requested review from ashokaditya ashokaditya is a code owner automatically assigned from elastic/security-defend-workflows

@szwarckonrad szwarckonrad Awaiting requested review from szwarckonrad szwarckonrad is a code owner automatically assigned from elastic/security-defend-workflows

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tomsonpl @elasticmachine