[Osquery_manager] File Hash Info artifact saved query #16492
- Add file_hash_info_windows_elastic: Files with hash & authenticode in staging directories
- Add file_hash_info_darwin_elastic: Files with hash & Gatekeeper signature validation
- Add file_hash_info_linux_elastic: Files with hash & container/namespace awareness
- Add MITRE ATT&CK coverage: T1036, T1036.003, T1105, T1564.001, T1565.001
- Enhance ECS mappings with file.*, event.*, threat.* fields
- Update artifacts_matrix.md: 4 artifacts now available (8.7% completion)
- Update coreMigrationVersion to 9.2.0
@tomsonpl Can you add another query for file hashes without any filtering? Same as you did for file directory listing. Would be good to get a whole list of files with hashes, without any filters. There could be cases where malware is stored in other locations apart from those listed there.
| "id": "file_hash_info_linux_elastic", | ||
| "interval": "3600", | ||
| "platform": "linux", | ||
| "query": "-- File Hash Information with Container/Namespace Awareness - Linux (T1036, T1105, T1565.001)\n-- Enumerates files in common staging/temp directories with hash values\n-- Includes container awareness via pid_with_namespace and mount_namespace_id\n-- Useful for detecting containerized file access and suspicious binaries\n\nSELECT\n f.path,\n f.directory,\n f.filename,\n f.size,\n f.type,\n f.pid_with_namespace,\n f.mount_namespace_id,\n f.uid,\n f.gid,\n f.mode,\n f.inode,\n f.device,\n f.hard_links,\n f.symlink,\n f.symlink_target_path,\n u.username,\n g.groupname,\n CASE WHEN f.btime > 0 THEN datetime(f.btime, 'unixepoch') ELSE NULL END AS created_time,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n h.md5,\n h.sha1,\n h.sha256,\n CASE\n WHEN f.filename LIKE '.%' AND (CAST(SUBSTR(f.mode, -1, 1) AS INTEGER) & 2) > 0 THEN 'hidden_world_writable'\n WHEN f.filename LIKE '.%' THEN 'hidden'\n WHEN (CAST(SUBSTR(f.mode, -1, 1) AS INTEGER) & 2) > 0 THEN 'world_writable'\n ELSE 'normal'\n END AS file_visibility,\n LENGTH(f.mode) AS mode_length,\n SUBSTR(f.mode, -1, 1) AS mode_digit_other,\n SUBSTR(f.mode, -2, 1) AS mode_digit_group,\n SUBSTR(f.mode, -3, 1) AS mode_digit_owner,\n CASE\n WHEN (CAST(SUBSTR(f.mode, -1, 1) AS INTEGER) & 1) > 0 THEN 'executable'\n WHEN (CAST(SUBSTR(f.mode, -2, 1) AS INTEGER) & 1) > 0 THEN 'executable'\n WHEN (CAST(SUBSTR(f.mode, -3, 1) AS INTEGER) & 1) > 0 THEN 'executable'\n ELSE 'not_executable'\n END AS executable_status,\n CASE\n WHEN f.mount_namespace_id != '' AND f.mount_namespace_id IS NOT NULL THEN 'containerized'\n ELSE 'host'\n END AS container_context\nFROM file f\nLEFT JOIN hash h ON h.path = TRIM(f.path)\nLEFT JOIN users u ON u.uid = f.uid\nLEFT JOIN groups g ON g.gid = f.gid\nWHERE (\n f.path LIKE '/tmp/%'\n OR f.path LIKE '/var/tmp/%'\n OR f.path LIKE '/dev/shm/%'\n OR f.path LIKE '/home/%'\n OR f.path LIKE 
'/opt/%'\n OR f.path LIKE '/etc/cron.d/%'\n OR f.path LIKE '/etc/cron.daily/%'\n OR f.path LIKE '/etc/cron.hourly/%'\n OR f.path LIKE '/var/spool/cron/%'\n)\nAND f.type = 'regular'\nAND f.size > 0", |
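Review bot: the `f.path LIKE '/home/%'` and `'/opt/%'` constraints will not return the files this query is meant to hash: in osquery's `file` table a single `%` matches one directory level, so `/home/%` yields only the home directories themselves, which `AND f.type = 'regular'` then discards. Use `'%%'` where recursion is intended (noting that the `hash` join then computes three digests per file on every 3600 s run), or narrow the constraint to the specific subdirectories wanted. Also worth verifying on a host that runs containers: `mount_namespace_id` is a hidden column of `file` that is filled when the query executes inside a namespace via a `pid_with_namespace` constraint, and nothing in this WHERE clause constrains it, so `container_context` may read `'host'` for every row.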
| { | ||
| "key": "threat.technique.name", | ||
| "value": { | ||
| "value": ["Masquerading", "Ingress Tool Transfer", "Stored Data Manipulation"] |
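Review bot: this array mixes parent techniques with a sub-technique: `Stored Data Manipulation` is the name of T1565.001 (listed in the PR description), whereas ECS keeps sub-techniques in `threat.technique.subtechnique.id`/`.name` and the parent (T1565, `Data Manipulation`) in `threat.technique.id`/`.name`. Either move T1565.001 to the subtechnique fields or state in the mapping that sub-techniques are deliberately flattened into `threat.technique.*`; the Windows mapping has the same issue with `Masquerading: Rename System Utilities` (T1036.003).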
I haven't been reviewing the fields under threat.* because I'm not really sure what they should be but I noticed these and they don't seem right. @calladoum-elastic have you been reviewing them?
Do they all need review? Do we need to include them in the first place?
| } | ||
| }, | ||
| { | ||
| "key": "file.attributes", |
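Review bot: `file.attributes` is an array of keywords in ECS (e.g. `["hidden", "readonly"]`), but the osquery `file` table exposes `attributes` as one string of Windows attribute letters, so mapping the column as-is puts a scalar into an array-typed field. Either split the string into an array in the mapping or ingest step, or map the raw column to a custom field and leave `file.attributes` unset.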
ECS says this should be an array of values not a single string. Does that matter?

File Hash Information Artifact
The File Hash Information artifact provides comprehensive file enumeration with hash values and code signature validation across staging, temporary, and persistence directories. This enables detection of suspicious files, malware staging, hidden files, and unsigned binaries - critical for identifying ingress tool transfer, masquerading, and defense evasion techniques.
Core Forensic Artifacts Coverage
Queries by Platform
🪟 Windows - File Hash & Code Signature Analysis
Description
Enumerates files with hash values and code signature validation in common staging/temp directories on Windows. Detects suspicious files, renamed executables (via original_filename PE metadata comparison), hidden/system files, and unsigned binaries. Includes PE metadata extraction and authenticode signature verification.
Detection Focus:
Target Directories:
C:\Users\Public\
C:\Windows\Temp\
C:\ProgramData\
C:\Users\*\AppData\Local\Temp\
C:\Users\*\Downloads\
Result
Query returns file metadata, timestamps, hash values (MD5, SHA1, SHA256), PE version information, authenticode signature status, and visibility/rename status indicators for forensic analysis.
Platform: windows
Interval: 3600 seconds (1 hour)
Query ID: file_hash_info_windows_elastic
ECS Field Mappings
event.category → ["file"]
event.type → ["info"]
event.kind → state
event.module → osquery
event.dataset → osquery.file_hash_info
host.os.type → windows
file.path → path
file.directory → directory
file.name → filename
file.size → size
file.mtime → modified_time
file.ctime → changed_time
file.created → created_time
file.accessed → accessed_time
file.uid → uid
file.gid → gid
file.mode → mode
file.inode → inode
file.attributes → attributes
file.type → type
file.pe.original_file_name → original_filename
file.pe.file_version → file_version
file.pe.product → product_version
file.hash.md5 → md5
file.hash.sha1 → sha1
file.hash.sha256 → sha256
file.code_signature.subject_name → signature_signer
file.code_signature.status → signature_status
threat.framework → MITRE ATT&CK
threat.tactic.id → ["TA0005", "TA0011"]
threat.tactic.name → ["Defense Evasion", "Command and Control"]
threat.technique.id → ["T1036", "T1036.003", "T1105", "T1564.001"]
threat.technique.name → ["Masquerading", "Masquerading: Rename System Utilities", "Ingress Tool Transfer", "Hidden Files and Directories"]
tags → ["osquery", "file_forensics", "hash_analysis", "code_signature", "mitre_t1036", "mitre_t1036_003", "mitre_t1105", "mitre_t1564_001", "windows"]
SQL Query
🍎 macOS - File Hash & Gatekeeper Signature Validation
Description
Enumerates files with hash values and Gatekeeper code signature validation in common staging/temp directories on macOS. Detects suspicious files, hidden files (via bsd_flags and dot-prefix naming), and unsigned binaries. Includes comprehensive signature verification via the macOS signature table.
Detection Focus:
Target Directories:
/tmp
/var/tmp
/Users/Shared
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Application Support
~/Library/LaunchAgents (per-user)
Result
Query returns file metadata, timestamps, BSD flags, hash values (MD5, SHA1, SHA256), Gatekeeper signature status, team identifier, and visibility indicators for forensic analysis.
Platform: darwin
Interval: 3600 seconds (1 hour)
Query ID: file_hash_info_darwin_elastic
ECS Field Mappings
event.category → ["file"]
event.type → ["info"]
event.kind → state
event.module → osquery
event.dataset → osquery.file_hash_info
host.os.type → macos
file.path → path
file.directory → directory
file.name → filename
file.size → size
file.mtime → modified_time
file.ctime → changed_time
file.created → created_time
file.accessed → accessed_time
file.uid → uid
file.gid → gid
file.mode → mode
file.inode → inode
file.hash.md5 → md5
file.hash.sha1 → sha1
file.hash.sha256 → sha256
file.code_signature.subject_name → signature_signer
file.code_signature.status → signature_status
threat.framework → MITRE ATT&CK
threat.tactic.id → ["TA0005", "TA0011"]
threat.tactic.name → ["Defense Evasion", "Command and Control"]
threat.technique.id → ["T1036", "T1105", "T1564.001"]
threat.technique.name → ["Masquerading", "Ingress Tool Transfer", "Hidden Files and Directories"]
tags → ["osquery", "file_forensics", "hash_analysis", "code_signature", "gatekeeper", "mitre_t1036", "mitre_t1105", "mitre_t1564_001", "macos"]
SQL Query
🐧 Linux - File Hash & Container/Namespace Awareness
Description
Enumerates files with hash values in common staging/temp directories on Linux with container and namespace awareness. Detects suspicious files, hidden files, world-writable files, and executable permissions. Includes namespace detection via the pid_with_namespace and mount_namespace_id columns for containerized environment forensics.
Detection Focus:
Target Directories:
/tmp/*
/var/tmp/*
/dev/shm/*
/home/*
/opt/*
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/var/spool/cron/*
Result
Query returns file metadata, timestamps, hash values (MD5, SHA1, SHA256), permission analysis, username/group resolution, and container context indicators for forensic analysis.
Platform: linux
Interval: 3600 seconds (1 hour)
Query ID: file_hash_info_linux_elastic
ECS Field Mappings
event.category → ["file"]
event.type → ["info"]
event.kind → state
event.module → osquery
event.dataset → osquery.file_hash_info
host.os.type → linux
file.path → path
file.directory → directory
file.name → filename
file.size → size
file.mtime → modified_time
file.ctime → changed_time
file.accessed → accessed_time
file.uid → uid
file.gid → gid
file.mode → mode
file.inode → inode
file.hash.md5 → md5
file.hash.sha1 → sha1
file.hash.sha256 → sha256
user.name → username
user.group.name → groupname
threat.framework → MITRE ATT&CK
threat.tactic.id → ["TA0005", "TA0011", "TA0040"]
threat.tactic.name → ["Defense Evasion", "Command and Control", "Impact"]
threat.technique.id → ["T1036", "T1105", "T1565.001"]
threat.technique.name → ["Masquerading", "Ingress Tool Transfer", "Stored Data Manipulation"]
tags → ["osquery", "file_forensics", "hash_analysis", "container_aware", "namespace", "mitre_t1036", "mitre_t1105", "mitre_t1565_001", "linux"]
SQL Query
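As an added example (not code from the PR or from Elastic), the Python below reimplements the Linux query's derived fields (file_visibility, executable_status, container_context, which the query computes from the octal mode string and mount_namespace_id) and the ECS field mapping listed above, over a constructed result row, so that what the saved query emits can be checked against its documentation.

```python
# Constructed osquery row, shaped like the Linux query's output (added
# example, not PR code); hash values are placeholders, not real digests.
SAMPLE_ROW = {
    "path": "/tmp/.helper", "directory": "/tmp", "filename": ".helper",
    "size": "18432", "mode": "0777", "uid": "1000", "gid": "1000",
    "username": "alice", "groupname": "alice", "mount_namespace_id": "",
    "modified_time": "2024-05-01 10:00:00", "changed_time": "2024-05-01 10:00:00",
    "md5": "aa" * 16, "sha1": "bb" * 20, "sha256": "cc" * 32,
}

# ECS field -> osquery column, as listed in the Linux mapping above.
ECS_MAP = {
    "file.path": "path", "file.directory": "directory", "file.name": "filename",
    "file.size": "size", "file.mtime": "modified_time", "file.ctime": "changed_time",
    "file.accessed": "accessed_time", "file.uid": "uid", "file.gid": "gid", "file.mode": "mode",
    "file.inode": "inode", "file.hash.md5": "md5", "file.hash.sha1": "sha1",
    "file.hash.sha256": "sha256", "user.name": "username", "user.group.name": "groupname",
}

def file_visibility(filename: str, mode: str) -> str:
    # Same CASE as the query: dot-prefix = hidden, write bit of the last
    # ("other") octal digit of mode = world-writable.
    hidden = filename.startswith(".")
    world_writable = bool(int(mode[-1], 8) & 0o2)
    if hidden:
        return "hidden_world_writable" if world_writable else "hidden"
    return "world_writable" if world_writable else "normal"

def executable_status(mode: str) -> str:
    # Execute bit in any of the last three digits; a leading setuid/sticky digit
    # (e.g. "4755") is ignored, exactly as the query's SUBSTR(mode, -3..-1) calls do.
    return "executable" if any(int(d, 8) & 1 for d in mode[-3:]) else "not_executable"

def container_context(row: dict) -> str:
    # The query labels a row 'containerized' only when mount_namespace_id is non-empty.
    return "containerized" if row.get("mount_namespace_id") else "host"

def to_ecs(row: dict) -> dict:
    # Build the nested ECS document the saved query is documented to produce;
    # columns osquery left empty (here accessed_time, inode) are dropped, not indexed as "".
    doc = {"event": {"category": ["file"], "type": ["info"], "kind": "state", "module": "osquery",
                     "dataset": "osquery.file_hash_info"}, "host": {"os": {"type": "linux"}}}
    for ecs_field, column in ECS_MAP.items():
        if row.get(column) in (None, ""):
            continue
        *parents, leaf = ecs_field.split(".")
        node = doc
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = row[column]
    return doc
```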