25 changes: 15 additions & 10 deletions packages/osquery_manager/artifacts_matrix.md
@@ -2,19 +2,19 @@

This document tracks the coverage of forensic artifacts in Osquery.

**Last Updated**: 2025-11-07
**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
**Total Queries**: 30 (3 core forensic variants + 27 additional)
**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
**Last Updated**: 2026-01-07
**Total Core Artifacts**: 4 available + 36 in progress + 6 not available = 46 total variants
**Total Queries**: 36 (9 core forensic variants + 27 additional)
**Completion Rate**: 8.7% (4/46 core artifacts fully supported)

---

## Coverage Summary

| Status | Count | Percentage |
|--------|-------|------------|
| ✅ Available (Fully Supported) | 0 | 0% |
| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
| ✅ Available (Fully Supported) | 4 | 8.7% |
| ⚠️ In Progress (Needs Validation) | 36 | 78.3% |
| ❌ Not Available (Requires Extensions) | 6 | 13.0% |

---
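Review bot: the counts in the new header lines and the Coverage Summary do not appear to account for the three new ⚠️ rows (5c, 5d, 5e) this PR adds to the matrix: In Progress drops from 39 to 36 and the total stays at 46, which matches swapping the three File Listing rows for the three ✅ File Hash Info rows but leaves the File Hash Listing variants uncounted. Either count them (In Progress 39, total 49, percentages recomputed) or state in the header that the unfiltered listing variants are excluded from the core artifact totals. The `**Total Queries**: 36 (9 core forensic variants + 27 additional)` line, by contrast, does count all six new queries, so the two header lines currently disagree on what a core variant is.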
@@ -29,9 +29,12 @@ This document tracks the coverage of forensic artifacts in Osquery.
| 4 | Browser URL History | ⚠️ | Win | - | - | No native table. Can be supported via ATC custom tables |
| 4a | Browser URL History | ⚠️ | Linux | - | - | No native table. Can be supported via ATC custom tables |
| 4b | Browser URL History | ⚠️ | Mac | - | - | No native table. Can be supported via ATC custom tables |
| 5 | File Listing | ⚠️ | Win | - | - | file and hash tables |
| 5a | File Listing | ⚠️ | Linux | - | - | file and hash tables |
| 5b | File Listing | ⚠️ | Mac | - | - | file and hash tables |
| 5 | File Hash Info | ✅ | Win | file_hash_info_windows_elastic | [f8e71a30](kibana/osquery_saved_query/osquery_manager-f8e71a30-b621-11ef-9c4a-8b2c7c5a1d3e.json) | Files with hash & authenticode in staging directories (T1036, T1105, T1564.001) |
| 5a | File Hash Info | ✅ | Linux | file_hash_info_linux_elastic | [b7d63c50](kibana/osquery_saved_query/osquery_manager-b7d63c50-b623-11ef-9c4a-8b2c7c5a1d40.json) | Files with hash & container/namespace awareness (T1036, T1105, T1565.001) |
| 5b | File Hash Info | ✅ | Mac | file_hash_info_darwin_elastic | [a3c52b40](kibana/osquery_saved_query/osquery_manager-a3c52b40-b622-11ef-9c4a-8b2c7c5a1d3f.json) | Files with hash & Gatekeeper signature validation (T1036, T1105, T1564.001) |
| 5c | File Hash Listing | ⚠️ | Win | file_hash_listing_windows_elastic | [de99fd6a](kibana/osquery_saved_query/osquery_manager-de99fd6a-3f4f-4645-9466-bd2945124eb2.json) | Unfiltered (ALL files): hash + authenticode + PE metadata; **potentially millions** of rows, consider storage/ingestion impact. Filtered alternative: `file_hash_info_windows_elastic`. |
| 5d | File Hash Listing | ⚠️ | Linux | file_hash_listing_linux_elastic | [fbef8579](kibana/osquery_saved_query/osquery_manager-fbef8579-f4a2-4a9a-ac39-432e89c1f57f.json) | Unfiltered (ALL files): hash + container/namespace awareness; **potentially millions** of rows, consider storage/ingestion impact. Filtered alternative: `file_hash_info_linux_elastic`. |
| 5e | File Hash Listing | ⚠️ | Mac | file_hash_listing_darwin_elastic | [141bfc5e](kibana/osquery_saved_query/osquery_manager-141bfc5e-f5b6-4168-af69-51660d850713.json) | Unfiltered (ALL files): hash + Gatekeeper signature validation; **potentially millions** of rows, consider storage/ingestion impact. Filtered alternative: `file_hash_info_darwin_elastic`. |
| 6 | Installed Services | ⚠️ | Win | - | - | services table |
| 6a | Installed Services | ⚠️ | Linux | - | - | systemd table |
| 6b | Installed Services | ⚠️ | Mac | - | - | launchd table |
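Review bot: the MITRE references on the three ✅ rows are inconsistent: row 5 (Win) and row 5b (Mac) cite T1564.001 (Hidden Files and Directories), which matches the hidden-file classification the queries perform, while row 5a (Linux) cites T1565.001 (Stored Data Manipulation); please confirm this is intentional or change it to T1564.001. Separately, rows 5c–5e describe the listing queries as "Unfiltered (ALL files)", but the darwin listing query added in this PR (file_hash_listing_darwin_elastic) restricts the scan to seven path prefixes (/Applications, /Users, /usr, /opt, /var, /tmp, /Library), so "all files under common top-level directories" would be more accurate; the same wording should be checked against the Windows and Linux listing queries, which are not part of this diff.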
@@ -175,7 +178,9 @@ While some artifacts are not directly available, the existing queries provide st
- ❌ Jumplists (Not Available - Use Shellbags + LNK Files as alternatives)

### File System/Forensics
- ⚠️ File Listing (All platforms: file and hash tables)
- ✅ File Hash Info (Windows: file_hash_info_windows_elastic - file + hash + authenticode tables with PE metadata)
- ✅ File Hash Info (Linux: file_hash_info_linux_elastic - file + hash tables with container/namespace awareness)
- ✅ File Hash Info (macOS: file_hash_info_darwin_elastic - file + hash + signature tables with Gatekeeper validation)
- ⚠️ NTFS USN Journal (Windows: ntfs_journal_events table)
- ❌ MFT (Not Available - Use NTFS USN Journal as alternative or Trail of Bits extension)

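Review bot: the File System/Forensics list drops the File Listing bullet but adds nothing for the three new ⚠️ File Hash Listing variants (file_hash_listing_windows_elastic, file_hash_listing_linux_elastic, file_hash_listing_darwin_elastic) that the matrix table in this PR now carries, so this section and the table disagree on what exists. Suggest adding a bullet such as `- ⚠️ File Hash Listing (All platforms: unfiltered file + hash enumeration; potentially millions of rows)` so the storage/ingestion caveat the table already states is visible here too.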
@@ -0,0 +1,149 @@
{
"attributes": {
"created_at": "2026-01-07T00:00:00.000Z",
"created_by": "elastic",
"description": "Comprehensive file enumeration with hash values and code signature validation across all directories on macOS. Returns all regular files on the system with Gatekeeper signature verification and BSD flags analysis. Use for complete filesystem forensics and malware hunting when location is unknown.\n\nNote: This query returns ALL files and may produce very large result sets (potentially millions of files on production systems). Use with caution and consider the storage/ingestion impact. For targeted analysis, use file_hash_info_darwin_elastic instead.\n\nInterval: This query defaults to every 12 hours (43200 seconds). Adjust based on your environment size and change detection needs.",
"ecs_mapping": [
{
"key": "event.category",
"value": {
"value": ["file"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "event.action",
"value": {
"value": "osquery.file_hash_listing"
}
},
{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "file.directory",
"value": {
"field": "directory"
}
},
{
"key": "file.name",
"value": {
"field": "filename"
}
},
{
"key": "file.size",
"value": {
"field": "size"
}
},
{
"key": "file.mtime",
"value": {
"field": "modified_time"
}
},
{
"key": "file.ctime",
"value": {
"field": "changed_time"
}
},
{
"key": "file.created",
"value": {
"field": "created_time"
}
},
{
"key": "file.accessed",
"value": {
"field": "accessed_time"
}
},
{
"key": "file.uid",
"value": {
"field": "uid"
}
},
{
"key": "file.gid",
"value": {
"field": "gid"
}
},
{
"key": "file.mode",
"value": {
"field": "mode"
}
},
{
"key": "file.inode",
"value": {
"field": "inode"
}
},
{
"key": "file.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "file.hash.sha1",
"value": {
"field": "sha1"
}
},
{
"key": "file.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "file.code_signature.subject_name",
"value": {
"field": "signature_signer"
}
},
{
"key": "file.code_signature.status",
"value": {
"field": "signature_status"
}
},
{
"key": "tags",
"value": {
"value": ["osquery", "file_forensics", "hash_analysis", "code_signature", "gatekeeper", "macos", "comprehensive"]
}
}
],
"id": "file_hash_listing_darwin_elastic",
"interval": "43200",
"platform": "darwin",
"query": "-- Comprehensive File Hash Listing with Code Signature Validation - macOS\n-- Enumerates ALL regular files with hash values and Gatekeeper signature validation\n-- Warning: unfiltered enumeration may be expensive and produce large result sets\n-- Note: file table requires path constraints - scanning common directories\n\nSELECT\n f.path,\n f.directory,\n f.filename,\n f.size,\n f.type,\n f.bsd_flags,\n f.uid,\n f.gid,\n f.mode,\n f.inode,\n datetime(f.btime, 'unixepoch') AS created_time,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n h.md5,\n h.sha1,\n h.sha256,\n 'https://www.virustotal.com/gui/file/' || h.sha256 AS vt_link,\n s.authority AS signature_signer,\n CASE\n WHEN s.signed = 1 THEN 'valid'\n WHEN s.signed = 0 THEN 'unsigned'\n ELSE 'unknown'\n END AS signature_status,\n s.identifier AS signature_identifier,\n s.cdhash AS signature_cdhash,\n s.team_identifier AS signature_team_id,\n CASE\n WHEN f.bsd_flags LIKE '%HIDDEN%' OR f.filename LIKE '.%' THEN 'hidden'\n WHEN f.bsd_flags LIKE '%IMMUTABLE%' THEN 'immutable'\n WHEN f.bsd_flags LIKE '%APPEND%' THEN 'append_only'\n ELSE 'normal'\n END AS file_visibility\nFROM file f\nLEFT JOIN hash h ON h.path = f.path\nLEFT JOIN signature s ON s.path = f.path\nWHERE (\n f.path LIKE '/Applications/%'\n OR f.path LIKE '/Users/%'\n OR f.path LIKE '/usr/%'\n OR f.path LIKE '/opt/%'\n OR f.path LIKE '/var/%'\n OR f.path LIKE '/tmp/%'\n OR f.path LIKE '/Library/%'\n)\nAND f.type = 'regular'\nAND f.size > 0",
"updated_at": "2026-01-07T00:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "9.2.0",
"id": "osquery_manager-141bfc5e-f5b6-4168-af69-51660d850713",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2026-01-07T00:00:00.000Z",
"version": "WzEsMV0="
}
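Review bot: the WHERE clause in `query` uses single-`%` patterns such as `f.path LIKE '/Users/%'`; in osquery's `file` table a single `%` matches one directory level only and `%%` is required for recursive enumeration, so as written the query lists only the direct children of the seven prefixes (for /Users that is the home directories themselves, which `f.type = 'regular'` then discards) rather than the comprehensive listing the `description` and the `comprehensive` tag promise. Switching to `%%` makes the query do what is described, but it also makes the `hash` and `signature` joins run over every regular file beneath those prefixes, with `hash` reading each file to compute md5/sha1/sha256; at that point the warning about millions of rows and the 43200-second interval are load-bearing and the description should say so explicitly. Minor: `vt_link` is built with `||` here and with `concat()` in file_hash_info_darwin_elastic; use the same form in both so a NULL `h.sha256` (a file the hash table could not read) yields the same result in both queries.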


@@ -0,0 +1,147 @@
{
"attributes": {
"created_at": "2025-12-09T10:00:00.000Z",
"created_by": "elastic",
"description": "Enumerates files with hash values and code signature validation in common staging/temp directories on macOS. Detects suspicious files, hidden files (bsd_flags), and unsigned binaries. Includes Gatekeeper signature verification via signature table. Target directories: /tmp, /var/tmp, /Users/Shared, /Library/LaunchAgents, /Library/LaunchDaemons.",
"ecs_mapping": [
{
"key": "event.category",
"value": {
"value": ["file"]
}
},
{
"key": "event.type",
"value": {
"value": ["info"]
}
},
{
"key": "event.action",
"value": {
"value": "osquery.file_hash_info"
}
},
{
"key": "file.path",
"value": {
"field": "path"
}
},
{
"key": "file.directory",
"value": {
"field": "directory"
}
},
{
"key": "file.name",
"value": {
"field": "filename"
}
},
{
"key": "file.size",
"value": {
"field": "size"
}
},
{
"key": "file.mtime",
"value": {
"field": "modified_time"
}
},
{
"key": "file.ctime",
"value": {
"field": "changed_time"
}
},
{
"key": "file.created",
"value": {
"field": "created_time"
}
},
{
"key": "file.accessed",
"value": {
"field": "accessed_time"
}
},
{
"key": "file.uid",
"value": {
"field": "uid"
}
},
{
"key": "file.gid",
"value": {
"field": "gid"
}
},
{
"key": "file.mode",
"value": {
"field": "mode"
}
},
{
"key": "file.inode",
"value": {
"field": "inode"
}
},
{
"key": "file.hash.md5",
"value": {
"field": "md5"
}
},
{
"key": "file.hash.sha1",
"value": {
"field": "sha1"
}
},
{
"key": "file.hash.sha256",
"value": {
"field": "sha256"
}
},
{
"key": "file.code_signature.subject_name",
"value": {
"field": "signature_signer"
}
},
{
"key": "file.code_signature.status",
"value": {
"field": "signature_status"
}
},
{
"key": "tags",
"value": {
"value": ["osquery", "file_forensics", "hash_analysis", "code_signature", "gatekeeper", "macos"]
}
}
],
"id": "file_hash_info_darwin_elastic",
"interval": "3600",
"platform": "darwin",
"query": "-- File Hash Information with Code Signature Validation - macOS\n-- Enumerates files in common staging/temp directories with hash values and Gatekeeper signature validation\n-- Detects suspicious files, hidden files (bsd_flags), and unsigned binaries\n\nSELECT\n f.path,\n f.directory,\n f.filename,\n f.size,\n f.type,\n f.bsd_flags,\n f.uid,\n f.gid,\n f.mode,\n f.inode,\n datetime(f.btime, 'unixepoch') AS created_time,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n h.md5,\n h.sha1,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n s.authority AS signature_signer,\n CASE\n WHEN s.signed = 1 THEN 'valid'\n WHEN s.signed = 0 THEN 'unsigned'\n ELSE 'unknown'\n END AS signature_status,\n s.identifier AS signature_identifier,\n s.cdhash AS signature_cdhash,\n s.team_identifier AS signature_team_id,\n CASE\n WHEN f.bsd_flags LIKE '%HIDDEN%' OR f.filename LIKE '.%' THEN 'hidden'\n WHEN f.bsd_flags LIKE '%IMMUTABLE%' THEN 'immutable'\n WHEN f.bsd_flags LIKE '%APPEND%' THEN 'append_only'\n ELSE 'normal'\n END AS file_visibility\nFROM file f\nLEFT JOIN hash h ON h.path = f.path\nLEFT JOIN signature s ON s.path = f.path\nWHERE f.directory IN (\n '/tmp',\n '/var/tmp',\n '/Users/Shared',\n '/Library/LaunchAgents',\n '/Library/LaunchDaemons',\n '/Library/Application Support'\n)\nAND f.type = 'regular'\nAND f.size > 0\nGROUP BY f.path\nUNION\nSELECT\n f.path,\n f.directory,\n f.filename,\n f.size,\n f.type,\n f.bsd_flags,\n f.uid,\n f.gid,\n f.mode,\n f.inode,\n datetime(f.btime, 'unixepoch') AS created_time,\n datetime(f.mtime, 'unixepoch') AS modified_time,\n datetime(f.atime, 'unixepoch') AS accessed_time,\n datetime(f.ctime, 'unixepoch') AS changed_time,\n h.md5,\n h.sha1,\n h.sha256,\n concat('https://www.virustotal.com/gui/file/', h.sha256) AS vt_link,\n s.authority AS signature_signer,\n CASE\n WHEN s.signed = 1 THEN 
'valid'\n WHEN s.signed = 0 THEN 'unsigned'\n ELSE 'unknown'\n END AS signature_status,\n s.identifier AS signature_identifier,\n s.cdhash AS signature_cdhash,\n s.team_identifier AS signature_team_id,\n CASE\n WHEN f.bsd_flags LIKE '%HIDDEN%' OR f.filename LIKE '.%' THEN 'hidden'\n WHEN f.bsd_flags LIKE '%IMMUTABLE%' THEN 'immutable'\n WHEN f.bsd_flags LIKE '%APPEND%' THEN 'append_only'\n ELSE 'normal'\n END AS file_visibility\nFROM users u\nJOIN file f ON f.directory = u.directory || '/Library/LaunchAgents'\nLEFT JOIN hash h ON h.path = f.path\nLEFT JOIN signature s ON s.path = f.path\nWHERE u.uid >= 500\nAND f.type = 'regular'\nAND f.size > 0\nGROUP BY f.path",
"updated_at": "2025-12-09T10:00:00.000Z",
"updated_by": "elastic"
},
"coreMigrationVersion": "9.2.0",
"id": "osquery_manager-a3c52b40-b622-11ef-9c4a-8b2c7c5a1d3f",
"references": [],
"type": "osquery-saved-query",
"updated_at": "2025-12-09T10:00:00.000Z",
"version": "WzEsMV0="
}
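Review bot: the `description` lists the target directories as /tmp, /var/tmp, /Users/Shared, /Library/LaunchAgents and /Library/LaunchDaemons, but the query also scans `/Library/Application Support` and, in the second branch of the `UNION`, each real user's (`u.uid >= 500`) `~/Library/LaunchAgents`; update the description so an analyst knows where a hit can originate. The `GROUP BY f.path` in each branch appears redundant, since `UNION` already removes duplicate rows and every column is identical for a given path; dropping it avoids relying on SQLite's lenient treatment of non-aggregated columns under GROUP BY. Also, `concat(...)` for `vt_link` differs from the `||` used in file_hash_listing_darwin_elastic; verify which result you want when `h.sha256` is NULL and use the same expression in both queries.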