Skip to content

[Osquery_manager] WMI artifacts saved query #16227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tomsonpl wants to merge 4 commits into
base: temporary-osquery-artifacts-branch
Choose a base branch
from
+176 −10
Open

[Osquery_manager] WMI artifacts saved query #16227

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6c17fd7
Add WMI persistence event subscriptions query (T1546.003)
tomsonpl Dec 3, 2025
d8f08b1
Update artifacts matrix with WMI persistence coverage
tomsonpl Dec 3, 2025
bd68b93
Enhance WMI persistence query with comprehensive ECS mappings and MIT…
tomsonpl Dec 8, 2025
8b3bcfa
Add file timestamp enrichment to WMI persistence query
tomsonpl Dec 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 11 additions & 10 deletions packages/osquery_manager/artifacts_matrix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Last Updated**: 2025-12-03
**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
**Total Queries**: 31 (4 core forensic variants + 27 additional)
**Completion Rate**: 4.3% (2/46 core artifacts fully supported)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 2 | 4.3% |
| ⚠️ In Progress (Needs Validation) | 38 | 82.6% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
Expand Down Expand Up @@ -66,8 +66,8 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 21a | Tasks | ⚠️ | Linux | - | - | scheduled_tasks table |
| 21b | Tasks | ⚠️ | Mac | - | - | scheduled_tasks table |
| 22 | User Assist | ⚠️ | Win | - | - | userassist table |
| 23 | WMI Config & Used Apps | ⚠️ | Win | - | - | wmi_cli_event_consumers, wmi_script_event_consumers |
| 24 | WMI Providers & Filters | ⚠️ | Win | - | - | wmi_event_filters, wmi_filter_consumer_binding |
| 23 | WMI Config & Used Apps | | Win | wmi_persistence_event_subscriptions | [4003](kibana/osquery_saved_query/osquery_manager-40033716-3580-48fe-a17d-441a838acd8a.json) | wmi_cli_event_consumers, wmi_script_event_consumers - Combined with #24 into single comprehensive query |
| 24 | WMI Providers & Filters | | Win | wmi_persistence_event_subscriptions | [4003](kibana/osquery_saved_query/osquery_manager-40033716-3580-48fe-a17d-441a838acd8a.json) | wmi_event_filters, wmi_filter_consumer_binding - Combined with #23 into single comprehensive query |
| 25 | MFT | ❌ | Win | - | - | Not natively supported. Available via Trail of Bits extension |

---
Expand Down Expand Up @@ -105,6 +105,7 @@ These queries existed in the original repository and provide additional coverage
| 24 | unsigned_startup_items_vt | ✅ | Win | [b068](kibana/osquery_saved_query/osquery_manager-b0683c20-0dbb-11ed-a49c-6b13b058b135.json) | Unsigned startup items with VirusTotal integration |
| 25 | unsigned_dlls_on_system_folders_vt | ✅ | Win | [63c1](kibana/osquery_saved_query/osquery_manager-63c1fe20-176f-11ed-89c6-331eb0db6d01.json) | Unsigned DLLs in system folders with VirusTotal integration |
| 26 | executables_in_temp_folder_vt | ✅ | Win | [3e55](kibana/osquery_saved_query/osquery_manager-3e553650-17fd-11ed-89c6-331eb0db6d01.json) | Executables/drivers in temp folders with VirusTotal integration |
| 27 | wmi_persistence_event_subscriptions | ✅ | Win | [4003](kibana/osquery_saved_query/osquery_manager-40033716-3580-48fe-a17d-441a838acd8a.json) | WMI persistence detection (T1546.003) - bound subscriptions and orphaned components with hash/signature enrichment |

**Note**: Queries with VirusTotal integration require the VirusTotal extension configured in osquery.

Expand Down Expand Up @@ -162,8 +163,8 @@ While some artifacts are not directly available, the existing queries provide st
- ⚠️ Persistence (All platforms: multiple tables)
- ⚠️ Registry (Windows: registry table)
- ⚠️ Tasks (All platforms: scheduled_tasks table)
- ⚠️ WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers)
- ⚠️ WMI Providers & Filters (Windows: wmi_event_filters, wmi_filter_consumer_binding)
- WMI Config & Used Apps (Windows: wmi_cli_event_consumers, wmi_script_event_consumers)
- WMI Providers & Filters (Windows: wmi_event_filters, wmi_filter_consumer_binding)
- ⚠️ BITS Jobs Database (Windows: via windows_eventlog)

### User Activity
Expand Down
165 changes: 165 additions & 0 deletions ...ager/kibana/osquery_saved_query/osquery_manager-40033716-3580-48fe-a17d-441a838acd8a.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,165 @@
{
"attributes": {
"created_at": "2025-12-03T10:00:00.000Z",
"created_by": "elastic",
"description": "Detects WMI event subscriptions used for persistence (MITRE ATT&CK T1546.003). Includes bound subscriptions (active persistence) AND orphaned components (filters/consumers without bindings) which may indicate residual or partially removed malware. WMI eventing allows attackers to execute arbitrary commands or scripts when specific system events occur. Enriched with file hashes, code signatures, and file timestamps for referenced executables and scripts.",
"ecs_mapping": [
{
"key": "event.category",
"value": {
"value": ["configuration"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "event.kind",
"value": {
"value": "state"
}
},
{
"key": "event.module",
"value": {
"value": "osquery"
}
},
{
"key": "event.dataset",
"value": {
"value": "osquery.wmi_persistence"
}
},
{
"key": "host.os.type",
"value": {
"value": "windows"
}
},
{
"key": "process.command_line",
"value": {
"field": "command_line_template"
}
},
{
"key": "process.executable",
"value": {
"field": "executable_path"
}
},
{
"key": "process.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "process.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "process.code_signature.subject_name",
"value": {
"field": "signature_signer"
}
},
{
"key": "process.code_signature.status",
"value": {
"field": "signature_status"
}
},
{
"key": "file.path",
"value": {
"field": "script_file_name"
Copy link
Contributor

@ferullo ferullo Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is the same file that all the other file.* fields correspond to. I think they all correspond to process.* info, right? It feels like this needs to be addressed somehow. Do we need the script_file_name mapped to ECS? If not could the process.* and file.* fielsets be merged?

}
},
{
"key": "file.created",
"value": {
"field": "created_time"
}
},
{
"key": "file.mtime",
"value": {
"field": "modified_time"
}
},
{
"key": "file.accessed",
"value": {
"field": "accessed_time"
}
},
{
"key": "file.ctime",
"value": {
"field": "changed_time"
}
},
{
"key": "file.size",
"value": {
"field": "file_size"
}
},
{
"key": "tags",
"value": {
"value": ["osquery", "persistence", "wmi", "event_subscription", "mitre_t1546_003", "windows"]
}
},
{
"key": "threat.framework",
"value": {
"value": "MITRE ATT&CK"
}
},
{
"key": "threat.tactic.id",
"value": {
"value": ["TA0003"]
}
},
{
"key": "threat.tactic.name",
"value": {
"value": ["Persistence"]
}
},
{
"key": "threat.technique.id",
"value": {
"value": ["T1546.003"]
}
},
{
"key": "threat.technique.name",
"value": {
"value": ["Event Triggered Execution: Windows Management Instrumentation Event Subscription"]
}
}
],
"id": "wmi_persistence_event_subscriptions_windows_elastic",
"interval": "3600",
"platform": "windows",
"query": "-- WMI Persistence Event Subscriptions - Complete Coverage (T1546.003)\n-- Detects bound subscriptions and orphaned components for full forensic visibility\n-- Timestamps converted to UTC ISO 8601 format per ECS standardization\n\nWITH wmi_subscriptions AS (\n -- Part 1: Bound subscriptions (complete filter-consumer chains)\n SELECT\n 'bound' AS status,\n filter.name AS filter_name,\n filter.query AS filter_query,\n filter.query_language,\n filter.class AS filter_class,\n COALESCE(cli.name, script.name) AS consumer_name,\n CASE\n WHEN cli.name IS NOT NULL THEN 'CommandLineEventConsumer'\n WHEN script.name IS NOT NULL THEN 'ActiveScriptEventConsumer'\n ELSE 'Unknown'\n END AS consumer_type,\n COALESCE(cli.class, script.class) AS consumer_class,\n COALESCE(cli.relative_path, script.relative_path) AS consumer_relative_path,\n cli.command_line_template,\n cli.executable_path,\n script.scripting_engine,\n script.script_file_name,\n script.script_text,\n COALESCE(\n NULLIF(cli.executable_path, ''),\n NULLIF(cli.command_line_template, ''),\n NULLIF(script.script_file_name, '')\n ) AS hashable_path\n FROM wmi_filter_consumer_binding binding\n LEFT JOIN wmi_event_filters filter ON binding.filter = filter.relative_path\n LEFT JOIN wmi_cli_event_consumers cli ON binding.consumer = cli.relative_path\n LEFT JOIN wmi_script_event_consumers script ON binding.consumer = script.relative_path\n\n UNION ALL\n\n -- Part 2: Orphaned CLI consumers (possible residual malware)\n SELECT\n 'orphaned_consumer' AS status,\n '' AS filter_name,\n '' AS filter_query,\n '' AS query_language,\n '' AS filter_class,\n cli.name AS consumer_name,\n 'CommandLineEventConsumer' AS consumer_type,\n cli.class AS consumer_class,\n cli.relative_path AS consumer_relative_path,\n cli.command_line_template,\n cli.executable_path,\n '' AS scripting_engine,\n '' AS script_file_name,\n '' AS script_text,\n COALESCE(NULLIF(cli.executable_path, ''), NULLIF(cli.command_line_template, '')) AS hashable_path\n FROM wmi_cli_event_consumers cli\n WHERE NOT EXISTS (\n SELECT 1 FROM wmi_filter_consumer_binding binding\n WHERE binding.consumer = cli.relative_path\n )\n\n UNION ALL\n\n -- Part 3: Orphaned Script consumers (possible residual malware)\n SELECT\n 'orphaned_consumer' AS status,\n '' AS filter_name,\n '' AS filter_query,\n '' AS query_language,\n '' AS filter_class,\n script.name AS consumer_name,\n 'ActiveScriptEventConsumer' AS consumer_type,\n script.class AS consumer_class,\n script.relative_path AS consumer_relative_path,\n '' AS command_line_template,\n '' AS executable_path,\n script.scripting_engine,\n script.script_file_name,\n script.script_text,\n NULLIF(script.script_file_name, '') AS hashable_path\n FROM wmi_script_event_consumers script\n WHERE NOT EXISTS (\n SELECT 1 FROM wmi_filter_consumer_binding binding\n WHERE binding.consumer = script.relative_path\n )\n\n UNION ALL\n\n -- Part 4: Orphaned filters (possible residual malware)\n SELECT\n 'orphaned_filter' AS status,\n filter.name AS filter_name,\n filter.query AS filter_query,\n filter.query_language,\n filter.class AS filter_class,\n '' AS consumer_name,\n '' AS consumer_type,\n '' AS consumer_class,\n '' AS consumer_relative_path,\n '' AS command_line_template,\n '' AS executable_path,\n '' AS scripting_engine,\n '' AS script_file_name,\n '' AS script_text,\n '' AS hashable_path\n FROM wmi_event_filters filter\n WHERE NOT EXISTS (\n SELECT 1 FROM wmi_filter_consumer_binding binding\n WHERE binding.filter = filter.relative_path\n )\n)\n\nSELECT\n ws.status,\n ws.filter_name,\n ws.filter_query,\n ws.query_language,\n ws.filter_class,\n ws.consumer_name,\n ws.consumer_type,\n ws.consumer_class,\n ws.consumer_relative_path,\n ws.command_line_template,\n ws.executable_path,\n ws.scripting_engine,\n ws.script_file_name,\n ws.script_text,\n h.md5,\n h.sha256,\n a.subject_name AS signature_signer,\n a.result AS signature_status,\n -- File timestamps converted to UTC ISO 8601 with readable aliases (ECS standard)\n datetime(f.btime, 'unixepoch') AS created_time,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n f.size AS file_size\nFROM wmi_subscriptions ws\nLEFT JOIN hash h ON h.path = ws.hashable_path AND ws.hashable_path != ''\nLEFT JOIN authenticode a ON a.path = ws.hashable_path AND ws.hashable_path != ''\nLEFT JOIN file f ON f.path = ws.hashable_path AND ws.hashable_path != ''",
Copy link

@calladoum-elastic calladoum-elastic Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

h.sha1 is missing. Is that on purpose?
#16059 exposed the 3 (i.e. md5/sha1/sha256)

"updated_at": "2025-12-09T10:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "9.2.0",
"id": "osquery_manager-40033716-3580-48fe-a17d-441a838acd8a",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-12-09T10:00:00.000Z",
"version": "WzEsMV0="
}