[Osquery_manager] LNK artifacts saved query #16059
Conversation
Verify if the folders for LNK files are only startup or Desktop, I believe you can store LNK files anywhere.

I think there's a limitation or a BUG in osquery itself, created an issue: osquery/osquery#8725 let's see what they say :)
- Expand LNK file locations coverage with users table enumeration
- Add cross-reference to YARA-based detection query
- Document known limitation: shortcut_target_path may return empty
- List affected ECS fields in description for transparency
- Add SQL comments explaining limitation and workaround

- Add content-based detection scanning LNK binary for malicious patterns
- Detect LOLBins: powershell, cmd, wscript, mshta, rundll32, certutil
- Detect encoded commands, hidden execution, download cradles
- Detect network indicators (http/https URLs)
- Use CTE + JOIN pattern for YARA path constraints
- Use scalar subqueries for hash enrichment (JOIN breaks YARA)
- Bypasses osquery shortcut_target_path parsing limitation
- Cross-reference to lnk_forensics_windows_elastic for enumeration

- Add lnk_yara_detection query (#28) to additional queries table
- Update total query count from 31 to 32
- Update LNK files entry in User Activity section
- Note YARA-based binary content scanning capability
ferullo
left a comment
I see many columns returned in results from my host that are not mapped and do not have any values. What about pruning down the columns to just those being mapped or that you can provide screenshot data for to confirm what content will be in them?
```json
{
  "key": "file.created",
  "value": {
    "field": "btime"
```
Can this be converted to a datetime string for usability/readability and because file.created is mapped as a datestring.
```json
{
  "key": "file.mtime",
  "value": {
    "field": "mtime"
```
Same comment as btime
```json
{
  "key": "file.accessed",
  "value": {
    "field": "atime"
```
Same comment as btime
```json
{
  "key": "file.ctime",
  "value": {
    "field": "ctime"
```
Same comment as btime
```json
{
  "key": "file.type",
  "value": {
    "field": "type"
```
This isn't what file.type is defined as. I only see regular in results from my results. What else are valid values? Maybe just don't map it?
```json
  "key": "file.hash.md5",
  "value": {
    "field": "md5"
  }
},
{
  "key": "file.hash.sha1",
  "value": {
    "field": "sha1"
  }
},
```
In other queries sha1 is not returned. What do you think about standardizing which hashes are returned across all these queries. Perhaps just sha256?
After refactoring, all 3 hash fields should be available when possible. Do you think it's too much?
Thanks for the review, this artifact will have to be done again. I used yara scanning here, because there is a bug in Osquery. Described here: osquery/osquery#8727 . However - we might get the proper results if I adjust the query a little bit and then we could get directly from lnk.
… ECS mappings
- Apply path LIKE pattern instead of directory= to ensure shortcut metadata is populated
- Add event.* ECS fields (category, type, module, dataset)
- Add MITRE ATT&CK threat context fields (framework, tactic, technique)
- Add human-readable datetime() formatting for timestamp columns
- Fix column aliasing (authenticode_* → signature_*) for proper ECS mapping
- Remove Shellbags cross-reference for cleaner query execution
- Update coreMigrationVersion to 9.2.0

- Delete lnk_yara_detection_windows_elastic saved query
- Update artifacts_matrix.md to remove YARA LNK references
- Update query count from 32 to 31
- Consolidate LNK forensics to single comprehensive query
Address review feedback from @ferullo: osquery's file.type column returns 'regular' while ECS file.type expects 'file', causing semantic mismatch. Remove the mapping to maintain ECS compliance. The type column remains in query results for raw data visibility.
...manager/kibana/osquery_saved_query/osquery_manager-a1b2c3d4-lnk1-11ef-8f39-bf9c07530bbb.json
calladoum-elastic
left a comment
Minor change (remove the AND lnk.filename block) and LGTM
- Remove MITRE ATT&CK technique references from description
- Remove threat.* ECS field mappings (framework, tactic, technique)
- Remove mitre_attack metadata array with 6 technique entries
- Change event.dataset to event.action for better alignment
- Remove event.module and host.os.type field mappings
- Simplify tags array to core categorization only

- Add vt_link column for one-click VirusTotal hash reputation lookup
- Remove filename exclusion filter (Excel.lnk, Word.lnk, etc.) to ensure complete forensic coverage - legitimate shortcuts can still be abused
- Update timestamps to reflect modification date
```json
{
  "key": "process.command_line",
  "value": {
    "field": "combined_command"
```
I saw some values like Displays the files and folders on your computer. for this field. Are you ok putting it in process.command_line? FWIW, I can't find a better field.
Good catch, if there was no path, then comment was used (alone). I haven't faced it, thanks for finding it!
👍 the times I saw this behavior it seemed like the link was a special behavior rather than a link to a path so I get why it would "overlap" with the command line. Again, I don't see an SQL or ECS issue with this, I just wanted to make sure you didn't either.
- fix process.command_line, preserve shortcut_comment via labels
…ct-lnk

# Conflicts:
#	packages/osquery_manager/artifacts_matrix.md
💚 Build Succeeded
LNK File Forensics Artifact
The Windows LNK Shortcut File Forensics artifact provides comprehensive visibility into shortcut files across forensically significant locations, enabling detection of persistence mechanisms, malicious executables, and suspicious user activity. This query extracts full shortcut metadata enriched with hash values and authenticode signatures, with intelligent filtering for threat-relevant indicators.
Core Forensic Artifacts Coverage
Queries by Platform
🪟 Windows - LNK Shortcut File Forensics with Persistence & Threat Detection
Description
Comprehensive Windows LNK shortcut file forensics across all critical locations: user/system Startup folders (persistence), Desktop folders, Recent Items (user activity), Quick Launch, SendTo menu, and Start Menu Programs. Extracts full shortcut metadata (target path, target type, location, start_in, run mode, comment/arguments) enriched with hash values and authenticode signatures for both LNK files and their targets.
Detection Focus:
MITRE ATT&CK Mapping:
Result
Query results include comprehensive LNK metadata with detection flags:
large_size_flag, startup_persistence_flag, risky_executable_flag, suspicious_arguments_flag, http_download_flag, unc_path_flag, large_arguments_flag

Platform
windows

Interval
3600 seconds (1 hour)

Query ID
lnk_forensics_windows_elastic

ECS Field Mappings

Event Fields:
- event.category → ["file"] (static)
- event.type → ["info"] (static)
- event.module → osquery (static)
- event.dataset → osquery.lnk_forensics (static)

Host Fields:
- host.os.type → windows (static)

File Fields:
- file.path → path
- file.name → filename
- file.directory → directory
- file.size → size
- file.created → created_time
- file.mtime → modified_time
- file.accessed → accessed_time
- file.ctime → changed_time
- file.extension → extension
- file.hash.md5 → md5
- file.hash.sha1 → sha1
- file.hash.sha256 → sha256

Code Signature Fields:
- file.code_signature.subject_name → signature_signer
- file.code_signature.issuer → signature_issuer
- file.code_signature.status → signature_status

Process Fields:
- process.executable → shortcut_target_path
- process.command_line → combined_command

Threat Intelligence Fields:
- threat.framework → MITRE ATT&CK (static)
- threat.tactic.id → ["TA0003", "TA0002", "TA0008", "TA0011"] (static)
- threat.tactic.name → ["Persistence", "Execution", "Lateral Movement", "Command and Control"] (static)
- threat.technique.id → ["T1547.001", "T1204.002", "T1059.001", "T1059.003", "T1021", "T1105"] (static)
- threat.technique.name → ["Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "User Execution: Malicious File", "Command and Scripting Interpreter: PowerShell", "Command and Scripting Interpreter: Windows Command Shell", "Remote Services", "Ingress Tool Transfer"] (static)

Tags:
osquery, forensics, persistence, file-analysis, malware-detection, mitre_t1547_001, mitre_t1204_002, mitre_t1059_001, mitre_t1059_003, mitre_t1105, windows

SQL Query
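The saved query itself is not reproduced on this page. The following osquery SQL is an added example, not the PR's saved query, written to show how the pieces discussed in the thread fit together: the users-table enumeration with a `path LIKE` constraint (the commits note that `directory=` left the shortcut metadata empty), the `datetime()` formatting ferullo asked for on btime/mtime/atime/ctime, scalar subqueries for hash and authenticode enrichment, a `combined_command` that no longer falls back to the shortcut comment, and the detection flags listed under Result. Column names are the ones osquery exposes in its Windows `file` table (`shortcut_*` columns) and in the `hash`, `authenticode` and `users` tables; the folder paths, the risky-executable list (taken from the commit message) and the size and length thresholds are assumptions.

```sql
-- Added example (not the saved query from this PR). Table and column names are
-- osquery's; the paths and the numeric thresholds below are assumptions.
WITH lnk AS (
  -- Per-user locations: enumerate `users` and constrain `file.path` with LIKE.
  -- The PR's commits note that a directory= constraint left the shortcut_*
  -- columns empty, while a path LIKE pattern populates them.
  SELECT f.*
  FROM users u
  JOIN file f
    ON f.path LIKE u.directory || '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%.lnk'
    OR f.path LIKE u.directory || '\Desktop\%.lnk'
    OR f.path LIKE u.directory || '\AppData\Roaming\Microsoft\Windows\Recent\%.lnk'
  UNION
  -- System-wide Startup folder (persistence for every user)
  SELECT f.*
  FROM file f
  WHERE f.path LIKE 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\%.lnk'
),
lnk_text AS (
  -- One lower-cased string to run the pattern checks against; osquery has no
  -- separate arguments column, so target path and comment are checked together
  SELECT lnk.*,
         lower(COALESCE(shortcut_target_path, '') || ' ' || COALESCE(shortcut_comment, '')) AS cmd_text
  FROM lnk
)
SELECT
  l.path,
  l.filename,
  l.directory,
  l.size,
  l.type,
  -- Readable timestamps, so the ECS date fields receive a date string rather than an epoch integer
  datetime(l.btime, 'unixepoch') AS created_time,
  datetime(l.mtime, 'unixepoch') AS modified_time,
  datetime(l.atime, 'unixepoch') AS accessed_time,
  datetime(l.ctime, 'unixepoch') AS changed_time,
  -- Shortcut metadata parsed by osquery from the LNK structure
  l.shortcut_target_path,
  l.shortcut_target_type,
  l.shortcut_target_location,
  l.shortcut_start_in,
  l.shortcut_run,
  l.shortcut_comment,
  -- process.command_line gets the target only; the comment stays in its own
  -- column instead of being substituted when the target is empty
  l.shortcut_target_path AS combined_command,
  -- Scalar subqueries for enrichment (the commit notes prefer these over a JOIN)
  (SELECT md5    FROM hash WHERE path = l.path) AS md5,
  (SELECT sha1   FROM hash WHERE path = l.path) AS sha1,
  (SELECT sha256 FROM hash WHERE path = l.path) AS sha256,
  (SELECT subject_name FROM authenticode WHERE path = l.shortcut_target_path) AS signature_signer,
  (SELECT issuer_name  FROM authenticode WHERE path = l.shortcut_target_path) AS signature_issuer,
  (SELECT result       FROM authenticode WHERE path = l.shortcut_target_path) AS signature_status,
  -- Detection flags, named as in the Result section (thresholds are assumptions)
  CASE WHEN l.size > 10240 THEN 1 ELSE 0 END AS large_size_flag,
  CASE WHEN l.path LIKE '%\Startup\%' THEN 1 ELSE 0 END AS startup_persistence_flag,
  CASE WHEN l.shortcut_target_path LIKE '%powershell.exe'
         OR l.shortcut_target_path LIKE '%cmd.exe'
         OR l.shortcut_target_path LIKE '%wscript.exe'
         OR l.shortcut_target_path LIKE '%mshta.exe'
         OR l.shortcut_target_path LIKE '%rundll32.exe'
         OR l.shortcut_target_path LIKE '%certutil.exe'
       THEN 1 ELSE 0 END AS risky_executable_flag,
  CASE WHEN l.cmd_text LIKE '%-enc%'
         OR l.cmd_text LIKE '%hidden%'
         OR l.cmd_text LIKE '%downloadstring%'
       THEN 1 ELSE 0 END AS suspicious_arguments_flag,
  CASE WHEN l.cmd_text LIKE '%http://%' OR l.cmd_text LIKE '%https://%'
       THEN 1 ELSE 0 END AS http_download_flag,
  CASE WHEN l.shortcut_target_path LIKE '\\%' THEN 1 ELSE 0 END AS unc_path_flag,
  CASE WHEN length(l.cmd_text) > 200 THEN 1 ELSE 0 END AS large_arguments_flag
FROM lnk_text AS l;
```

The column aliases line up with the ECS mapping table above (`created_time` → file.created, `signature_signer` → file.code_signature.subject_name, and so on), so the same saved-query mapping block shown in the review snippets applies unchanged. SQLite's `LIKE` is case-insensitive for ASCII, which is why the executable checks need no `lower()`; the `cmd_text` helper lower-cases once so the remaining checks stay short.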