From e51393b70d1382c008f19812e46378c65035a7a4 Mon Sep 17 00:00:00 2001
From: Tomasz Ciecierski
Date: Thu, 20 Nov 2025 16:54:34 +0100
Subject: [PATCH] prefetch artifact
---
 packages/osquery_manager/artifacts_matrix.md | 19 ++---
 ...-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6.json | 81 +++++++++++++++++++
 2 files changed, 91 insertions(+), 9 deletions(-)
 create mode 100644 packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6.json
diff --git a/packages/osquery_manager/artifacts_matrix.md b/packages/osquery_manager/artifacts_matrix.md
index fb90f03f8b0..d1ffe7cb500 100644
--- a/packages/osquery_manager/artifacts_matrix.md
+++ b/packages/osquery_manager/artifacts_matrix.md
@@ -2,10 +2,10 @@ This document tracks the coverage of forensic artifacts in Osquery.
-**Last Updated**: 2025-11-07
-**Total Core Artifacts**: 1 available + 39 in progress + 6 not available = 46 total variants
-**Total Queries**: 30 (3 core forensic variants + 27 additional)
-**Completion Rate**: 2.2% (1/46 core artifacts fully supported)
+**Last Updated**: 2025-11-20
+**Total Core Artifacts**: 2 available + 38 in progress + 6 not available = 46 total variants
+**Total Queries**: 31 (4 core forensic variants + 27 additional)
+**Completion Rate**: 4.3% (2/46 core artifacts fully supported)
 ---
@@ -13,8 +13,8 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | Status | Count | Percentage |
 |--------|-------|------------|
-| ✅ Available (Fully Supported) | 0 | 0% |
-| ⚠️ In Progress (Needs Validation) | 39 | 87.0% |
+| ✅ Available (Fully Supported) | 2 | 4.3% |
+| ⚠️ In Progress (Needs Validation) | 38 | 82.6% |
 | ❌ Not Available (Requires Extensions) | 6 | 13.0% |
 ---
@@ -54,7 +54,7 @@ This document tracks the coverage of forensic artifacts in Osquery.
 | 14a | Persistence | ⚠️ | Linux | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
 | 14b | Persistence | ⚠️ | Mac | - | - | Supported across multiple tables (services, startup_items, scheduled_tasks) |
 | 15 | PowerShell History | ⚠️ | Win | - | - | powershell_events table |
-| 16 | Prefetch Files | ⚠️ | Win | - | - | prefetch table |
+| 16 | Prefetch Files | ✅ | Win | prefetch_windows_elastic | [c9f4](kibana/osquery_saved_query/osquery_manager-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6.json) | Native prefetch table (CORRECTED: parses .pf files to extract executable names, run counts, last run times, and accessed resources - equivalent to VQL Windows.Forensics.Prefetch) |
 | 17 | Process Listing | ⚠️ | Win | - | - | processes table |
 | 17a | Process Listing | ⚠️ | Linux | - | - | processes table |
 | 17b | Process Listing | ⚠️ | Mac | - | - | processes table |
@@ -127,12 +127,13 @@ The following artifacts cannot be queried with standard osquery and require exte
 |:-:|----------|:------:|-------|
 | 1 | Browser URL History (All Platforms) | ⚠️ | No native table, databases locked while browser running. Can be supported via ATC custom tables. Alternative: Downloads folder analysis, file system queries for browser cache |
 | 2 | BITS Jobs Database (Windows) | ⚠️ | Not a native table, but can be queried via windows_eventlog table |
+| 3 | Prefetch Files (Windows) | ✅ | CORRECTED: Native prefetch table available since Osquery v5.x - fully parses .pf files to extract executable names, run counts, last run times, and accessed resources. Equivalent to VQL Windows.Forensics.Prefetch artifact. |
 ### Alternative Coverage
 While some artifacts are not directly available, the existing queries provide strong coverage through related artifacts:
-**Execution Tracking**: Use Prefetch + AppCompatCache (shimcache) + File Listing + Process Listing instead of AmCache
+**Execution Tracking**: Use Prefetch (native prefetch table) + AppCompatCache (shimcache) + File Listing + Process Listing instead of AmCache
 **User Activity**: Use Shellbags + LNK Files + Recent Files instead of Jumplists/Browser History
 **File System Monitoring**: Use NTFS USN Journal + File Listing with Hashes instead of MFT
 **Resource Access**: Use Network Connections (process_open_sockets) + Process Listing instead of Open Handles
@@ -154,7 +155,7 @@ While some artifacts are not directly available, the existing queries provide st
 ### Execution Artifacts
 - ⚠️ AppCompatCache (Windows: shimcache table)
 - ⚠️ PowerShell History (Windows: powershell_events table)
-- ⚠️ Prefetch Files (Windows: prefetch table)
+- ✅ Prefetch Files (Windows: native prefetch table - CORRECTED to use proper parsing, not file enumeration)
 - ❌ AmCache (Not Available - Use AppCompatCache + Prefetch as alternatives)
 ### Persistence Mechanisms
diff --git a/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6.json b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6.json
new file mode 100644
index 00000000000..95baa55cf28
--- /dev/null
+++ b/packages/osquery_manager/kibana/osquery_saved_query/osquery_manager-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6.json
@@ -0,0 +1,81 @@
+{
+ "attributes": {
+ "created_at": "2025-11-20T15:30:00.000Z",
+ "created_by": "elastic",
+ "description": "Investigate Windows Prefetch artifacts for execution history. Prefetch files (.pf) track application launches, execution counts, and associated file/directory access patterns. This query uses the native Osquery prefetch table to parse .pf files and extract forensic intelligence including executable names, run counts, last execution times, and accessed resources. Limited to executables run in the last 90 days to reduce noise. Results capped at 1024 (Windows prefetch directory limit). Equivalent to Velociraptor Windows.Forensics.Prefetch artifact.",
+ "ecs_mapping": [
+ {
+ "key": "process.name",
+ "value": {
+ "field": "filename"
+ }
+ },
+ {
+ "key": "file.name",
+ "value": {
+ "field": "filename"
+ }
+ },
+ {
+ "key": "process.hash.md5",
+ "value": {
+ "field": "hash"
+ }
+ },
+ {
+ "key": "event.created",
+ "value": {
+ "field": "last_execution_time"
+ }
+ },
+ {
+ "key": "event.sequence",
+ "value": {
+ "field": "run_count"
+ }
+ },
+ {
+ "key": "file.size",
+ "value": {
+ "field": "size"
+ }
+ },
+ {
+ "key": "host.id",
+ "value": {
+ "field": "volume_serial"
+ }
+ },
+ {
+ "key": "file.path",
+ "value": {
+ "field": "accessed_files"
+ }
+ },
+ {
+ "key": "file.directory",
+ "value": {
+ "field": "accessed_directories"
+ }
+ },
+ {
+ "key": "file.path",
+ "value": {
+ "field": "prefetch_file_path"
+ }
+ }
+ ],
+ "id": "prefetch_windows_elastic",
+ "interval": "3600",
+ "platform": "windows",
+ "query": "SELECT\n datetime(last_run_time, 'unixepoch') AS last_execution_time,\n filename,\n hash,\n run_count,\n other_run_times,\n size,\n volume_serial,\n volume_creation,\n accessed_files_count,\n accessed_directories_count,\n accessed_files,\n accessed_directories,\n path AS prefetch_file_path\nFROM prefetch\nWHERE last_run_time > (strftime('%s', 'now') - 7776000)\nORDER BY last_run_time DESC\nLIMIT 1024",
+ "updated_at": "2025-11-20T15:30:00.000Z",
+ "updated_by": "elastic"
+ },
+ "coreMigrationVersion": "8.3.0",
+ "id": "osquery_manager-c9f4e1a0-a7e4-11ef-9b3d-94b24cd614c6",
+ "references": [],
+ "type": "osquery-saved-query",
+ "updated_at": "2025-11-20T15:30:00.000Z",
+ "version": "WzEwMCwxXQ=="
+}