12 changes: 6 additions & 6 deletions packages/osquery_manager/artifacts_matrix.md
@@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Last Updated**: 2025-11-21
**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Completion Rate**: 4.3% (2/46 core artifacts fully supported)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 2 | 4.3% |
| ⚠️ In Progress (Needs Validation) | 38 | 82.6% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
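Review bot: the `**Total Queries**: 30 (3 core forensic variants + 27 additional)` line is left unchanged in this hunk even though the PR adds a new core-artifact saved query for PowerShell History, so either the count should be bumped (31, with 4 core forensic variants + 27 additional) or the line should state why the new query is not counted. The rest of the hunk is internally consistent: 2/46 = 4.3%, 38/46 = 82.6% and 6/46 = 13.0% match the new summary table, and the table's previous `0 | 0%` row, which contradicted the old header's `1 available`, is now corrected.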
@@ -53,7 +53,7 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 14 | Persistence | ⚠️ | Win | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
| 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
| 15 | PowerShell History | | Win | [a1b2](kibana/osquery_saved_query/osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb.json) | powershell_events | Comprehensive PowerShell forensic monitoring (Event IDs 4103, 4104, 4688) for fileless malware detection |
| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
| 17 | Process Listing | ⚠️ | Win | - | - | processes table |
| 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
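Review bot: the new row for artifact 15 has an empty status cell (`| 15 | PowerShell History | | Win |`) while the summary in this file now counts PowerShell History among the 2 fully supported artifacts; the cell should carry ✅ so the matrix and the summary agree. Separately, the linked query id (`osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb`) does match the `id` of the new saved-query JSON, but its `a1b2c3d4-e5f6` prefix reads like a hand-typed placeholder rather than a generated UUID; please confirm it is the intended id and cannot collide with other saved objects in the package.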
@@ -0,0 +1,133 @@
{
"attributes": {
"created_at": "2025-11-21T00:00:00.000Z",
"created_by": "elastic",
"description": "Comprehensive PowerShell forensic monitoring query capturing module logging (Event ID 4103), script block logging (Event ID 4104), and process creation with command line auditing (Event ID 4688). This query detects obfuscated commands, full script execution, and parent/child process relationships for fileless malware detection.",
"ecs_mapping": [
{
"key": "event.created",
"value": {
"field": "datetime"
}
},
{
"key": "event.code",
"value": {
"field": "eventid"
}
},
{
"key": "event.provider",
"value": {
"field": "provider_name"
}
},
{
"key": "log.level",
"value": {
"field": "level"
}
},
{
"key": "host.name",
"value": {
"field": "computer_name"
}
},
{
"key": "process.pid",
"value": {
"field": "pid"
}
},
{
"key": "process.thread.id",
"value": {
"field": "tid"
}
},
{
"key": "event.action",
"value": {
"field": "task"
}
},
{
"key": "powershell.provider.name",
"value": {
"field": "ProviderName"
}
},
{
"key": "powershell.context_info",
"value": {
"field": "ContextInfo"
}
},
{
"key": "powershell.payload",
"value": {
"field": "Payload"
}
},
{
"key": "powershell.file.script_block_id",
"value": {
"field": "ScriptBlockId"
}
},
{
"key": "powershell.file.script_block_text",
"value": {
"field": "ScriptBlockText"
}
},
{
"key": "file.path",
"value": {
"field": "ScriptPath"
}
},
{
"key": "process.command_line",
"value": {
"field": "CommandLine"
}
},
{
"key": "process.name",
"value": {
"field": "ProcessName"
}
},
{
"key": "process.parent.name",
"value": {
"field": "ParentProcessName"
}
}
],
"id": "powershell_history_windows_elastic",
"interval": "300",
"platform": "windows",
"query": "-- Comprehensive PowerShell Forensic Monitoring Query\n-- Captures Event IDs 4103 (Module Logging), 4104 (Script Block Logging), 4688 (Process Creation)\n-- Source: windows_eventlog table - Windows Event Logs (Historical)\n-- Focus: Fileless malware detection, obfuscated command tracking, command line auditing\n-- MITRE ATT&CK: T1059.001 (PowerShell)\n-- Last updated: 2025-11-21\n\n-- Query PowerShell Operational logs for Event IDs 4103 and 4104\nSELECT\n datetime,\n eventid,\n provider_name,\n level,\n task,\n computer_name,\n channel,\n pid,\n tid,\n data,\n -- Event ID 4103: Module Logging - Extract obfuscated command context\n CASE \n WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ProviderName')\n ELSE NULL\n END AS ProviderName,\n CASE \n WHEN eventid = 4103 THEN json_extract(data, '$.EventData.ContextInfo')\n ELSE NULL\n END AS ContextInfo,\n CASE \n WHEN eventid = 4103 THEN json_extract(data, '$.EventData.Payload')\n ELSE NULL\n END AS Payload,\n -- Event ID 4104: Script Block Logging - Extract full script content\n CASE \n WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockId')\n ELSE NULL\n END AS ScriptBlockId,\n CASE \n WHEN eventid = 4104 THEN json_extract(data, '$.EventData.ScriptBlockText')\n ELSE NULL\n END AS ScriptBlockText,\n CASE \n WHEN eventid = 4104 THEN json_extract(data, '$.EventData.Path')\n ELSE NULL\n END AS ScriptPath,\n NULL AS CommandLine,\n NULL AS ProcessName,\n NULL AS ParentProcessName\nFROM windows_eventlog\nWHERE \n channel = 'Microsoft-Windows-PowerShell/Operational'\n AND eventid IN (4103, 4104)\nUNION ALL\n-- Query Security logs for Event ID 4688 (Process Creation)\nSELECT\n datetime,\n eventid,\n provider_name,\n level,\n task,\n computer_name,\n channel,\n pid,\n tid,\n data,\n NULL AS ProviderName,\n NULL AS ContextInfo,\n NULL AS Payload,\n NULL AS ScriptBlockId,\n NULL AS ScriptBlockText,\n NULL AS ScriptPath,\n -- Event ID 4688: Process Creation - Extract command line and process 
hierarchy\n json_extract(data, '$.EventData.CommandLine') AS CommandLine,\n json_extract(data, '$.EventData.NewProcessName') AS ProcessName,\n json_extract(data, '$.EventData.ParentProcessName') AS ParentProcessName\nFROM windows_eventlog\nWHERE \n channel = 'Security'\n AND eventid = 4688\n AND data LIKE '%powershell%'\nORDER BY datetime DESC;",
"tags": [
"T1059.001",
"PowerShell",
"Execution",
"Fileless Malware",
"Script Block Logging",
"Module Logging",
"Process Auditing"
],
"updated_at": "2025-11-21T00:00:00.000Z",
"updated_by": "elastic",
"version": "1.0.0"
},
"coreMigrationVersion": "9.2.0",
"id": "osquery_manager-a1b2c3d4-e5f6-11ed-8f39-bf9c07530bbb",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-11-21T00:00:00.000Z",
"version": "WzEwNTUzLDJd"
}
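Review bot: the `description` in the `attributes` block and the query comments promise Event IDs 4103, 4104 and 4688, but nothing documents that these events only exist when Module Logging and Script Block Logging are enabled and when process-creation auditing is configured to include the command line; without that note the query silently returns no rows on a default host and the "Available" status in the matrix is misleading, so please add the prerequisites to `description`. In the second `SELECT`, `data LIKE '%powershell%'` matches any 4688 record whose JSON mentions the word anywhere (for example only in `ParentProcessName`) and misses PowerShell 7 (`pwsh.exe`) process creations; filtering on the extracted `NewProcessName` for `%\powershell.exe` or `%\pwsh.exe` would be both tighter and more complete. Neither `SELECT` bounds `datetime`, and the query comment itself labels `windows_eventlog` as a historical source, so with `"interval": "300"` every run re-reads the full Operational and Security channels and returns the raw `data` column next to the fields already extracted from it; a time constraint and dropping `data` from the projection would keep result volume manageable. In `ecs_mapping`, `event.created` is mapped to `datetime`, but ECS reserves `event.created` for the time the agent or pipeline created the record, while the log's own timestamp normally goes to `@timestamp`; likewise `log.level` from `level` and `event.action` from `task` will receive the numeric codes that `windows_eventlog` exposes rather than names, which should be confirmed against the dashboards consuming these fields.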