
DFIR: From alert to root cause using Osquery without leaving Elastic Security

The article details how modern Digital Forensics and Incident Response (DFIR) leverages Osquery within Elastic Security to perform distributed, real-time endpoint investigations. By querying artifacts like Prefetch, Shimcache, and Shellbags, analysts can rapidly reconstruct attack timelines, such as tracing a phishing email to the execution of Mimikatz, without requiring full disk images.

Confidence: high
Analyzed: 2026-05-01
Actors: Mimikatz

Source: Elastic Security Labs

What Happened

Security investigations are changing from taking slow, full copies of computer hard drives to asking computers direct questions in real time. This article explains how a tool called Osquery helps investigators quickly find out exactly what happened on a computer after an alert goes off. For example, if a user clicks a bad link in an email and downloads a dangerous file, investigators can trace every step from the click to the file running. This matters because it saves valuable time during a cyberattack, allowing security teams to stop the damage much faster. Organizations should consider using live querying tools to speed up their incident response.

Key Takeaways

  • Modern DFIR relies on distributed, query-driven forensics rather than time-consuming full disk imaging.
  • Osquery enables real-time interrogation of OS artifacts like Prefetch, Shimcache, UserAssist, and Shellbags.
  • Elastic Security integrates Osquery to bridge the gap between alert triaging and deep-dive forensic reconstruction.
  • A demonstrated attack chain showed how to trace a phishing email to Mimikatz execution using Osquery tables.

Affected Systems

  • Windows

Attack Chain

A user (lab1) receives a phishing email containing a malicious link and opens it using the new Outlook client (OLK.EXE). The link redirects the user via the Edge browser (MSEDGE.EXE) to download a malicious archive named discount.zip. The user manually extracts the archive, navigates through the directories (recorded in Shellbags), and executes the payload, MIMIKATZ.EXE. Elastic Defend detects and terminates the Mimikatz execution, while Osquery is used to reconstruct the timeline from initial access to execution.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Osquery, Elastic Security

The article provides Osquery SQL queries to interrogate Shellbags, Shimcache, UserAssist, and Prefetch tables for forensic timeline reconstruction.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions natively capture process execution (Prefetch/Shimcache equivalents) and file modifications, which are the core artifacts discussed in the scenario.
  • Network Visibility: Low — The article focuses entirely on host-based OS artifacts (registry, Prefetch, Shellbags) rather than network telemetry.
  • Detection Difficulty: Easy — Mimikatz execution and basic phishing downloads are highly documented and easily detected by modern EDRs, as demonstrated by Elastic Defend blocking it immediately.

Required Log Sources

  • Osquery logs
  • Process Creation (Event ID 4688)
  • File System logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Users are downloading and executing suspicious archives from email clients. | Process creation logs showing email clients (OLK.EXE) spawning browsers (MSEDGE.EXE) followed by archive extraction and unknown binary execution. | Execution | Medium
Known credential dumping tools are present on disk but were not executed. | Shimcache or AmCache entries containing 'mimikatz' without corresponding Prefetch execution records. | Credential Access | Low
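The two ideas above (the osquery timeline queries the article describes, and the "staged but never run" hypothesis) expressed as osquery SQL. This is an added illustration, not the article's own queries; it assumes the osquery Windows tables `shimcache` (path, modified_time, execution_flag), `prefetch` (path, filename, last_run_time), `userassist` (path, last_execution_time) and `shellbags` (path, modified_time), and the 'mimikatz' / 'discount' filters are constructed values for the lab scenario.

```sql
-- Added example (not from the Elastic Security Labs article).
-- Assumes osquery's Windows tables: shimcache(path, modified_time, execution_flag),
-- prefetch(path, filename, last_run_time), userassist(path, last_execution_time),
-- shellbags(path, modified_time). Filter strings are constructed for the lab case.

-- 1) Hunt: credential-dumping tool staged on disk but never executed.
--    Shimcache records a binary when the compatibility layer sees it, which does
--    not prove execution; a Prefetch file is only written once the binary ran.
--    A Shimcache hit with no matching Prefetch record is therefore the signal.
SELECT
  s.path,
  s.modified_time,
  s.execution_flag
FROM shimcache AS s
WHERE LOWER(s.path) LIKE '%mimikatz%'
  AND NOT EXISTS (
    SELECT 1
    FROM prefetch AS p
    -- prefetch.filename holds only the basename, so match it against the
    -- tail of the full Shimcache path (backslash is not special in LIKE here).
    WHERE s.path LIKE '%\' || p.filename
  );

-- 2) Timeline: pull every artifact that references the archive or payload into
--    one time-ordered view, the way the article reconstructs the chain from
--    the downloaded archive to the Elastic Defend alert.
SELECT 'shellbags'  AS artifact, path, modified_time       AS ts FROM shellbags
  WHERE LOWER(path) LIKE '%discount%'
UNION ALL
SELECT 'shimcache'  AS artifact, path, modified_time       AS ts FROM shimcache
  WHERE LOWER(path) LIKE '%mimikatz%'
UNION ALL
SELECT 'userassist' AS artifact, path, last_execution_time AS ts FROM userassist
  WHERE LOWER(path) LIKE '%mimikatz%'
UNION ALL
SELECT 'prefetch'   AS artifact, path, last_run_time       AS ts FROM prefetch
  WHERE LOWER(filename) LIKE '%mimikatz%'
ORDER BY ts;
```

Run from Elastic Security's Osquery Manager against the alerting host; the first query is a fleet-wide hunt, the second a per-host reconstruction, and an empty result from query 1 on a host that alerted simply means Prefetch confirms execution.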

Control Gaps

  • Reliance on traditional full disk imaging delays investigation and response times, allowing attackers to move laterally.

Key Behavioral Indicators

  • Presence of 'discount.zip' in browser history or file tables
  • Shellbag entries showing manual navigation to extracted payload directories
  • Prefetch entries for MIMIKATZ.EXE

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Isolate hosts where malicious execution (like Mimikatz) is confirmed.
  • Capture memory dumps for deeper analysis of in-memory threats.

Infrastructure Hardening

  • Deploy distributed querying tools like Osquery to enable real-time forensic data collection.
  • Integrate forensic querying capabilities directly with EDR/SIEM platforms to reduce context switching.

User Protection

  • Implement EDR solutions capable of blocking known credential dumping tools like Mimikatz.
  • Enforce strict email filtering to block phishing links.

Security Awareness

  • Train users to recognize phishing emails offering unrealistic discounts or urgent actions.
  • Educate users on the risks of downloading and extracting unknown ZIP archives.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1204.002 - User Execution: Malicious File
  • T1003 - OS Credential Dumping

Additional IOCs

  • File Paths:
    • x64\mimikatz.exe - Typical path structure for Mimikatz execution observed in Shellbags.
  • Other:
    • lab1 - Targeted user account in the phishing scenario.