[Osquerybeat] Jumplists - Custom
Proposed commit message
[!NOTE] Please see this reference if you are not familiar with jumplists; it is a quick read and it will help you understand this PR better.
This PR adds an elastic_jumplists table to the osquery extension. This PR only adds support for custom jumplists. A follow-on PR will add support for automatic jumplists, and will add some new columns to the table. For that reason, I will update documentation in the follow-on PR.
https://github.com/elastic/beats/pull/48032
Currently, the columns for custom jumplists look like this:
+-----+---------------------------+---------+---------+------------+----+
| cid | name | type | notnull | dflt_value | pk |
+-----+---------------------------+---------+---------+------------+----+
| 0 | application_id | TEXT | 0 | | 0 |
| 1 | application_name | TEXT | 0 | | 0 |
| 2 | username | TEXT | 0 | | 0 |
| 3 | domain | TEXT | 0 | | 0 |
| 4 | sid | TEXT | 0 | | 0 |
| 5 | jumplist_type | INTEGER | 0 | | 0 |
| 6 | source_file_path | TEXT | 0 | | 0 |
| 7 | hostname | TEXT | 0 | | 0 |
| 8 | entry_number | INTEGER | 0 | | 0 |
| 9 | AccessCount | DOUBLE | 0 | | 0 |
| 10 | last_modified_time | TEXT | 0 | | 0 |
| 11 | is_pinned | INTEGER | 0 | | 0 |
| 12 | interaction_count | INTEGER | 0 | | 0 |
| 13 | dest_entry_path | TEXT | 0 | | 0 |
| 14 | dest_entry_path_resolved | TEXT | 0 | | 0 |
| 15 | mac_address | TEXT | 0 | | 0 |
| 16 | creation_time | TEXT | 0 | | 0 |
| 17 | local_path | TEXT | 0 | | 0 |
| 18 | file_size | INTEGER | 0 | | 0 |
| 19 | hot_key | TEXT | 0 | | 0 |
| 20 | icon_index | INTEGER | 0 | | 0 |
| 21 | show_window | TEXT | 0 | | 0 |
| 22 | icon_location | TEXT | 0 | | 0 |
| 23 | command_line_arguments | TEXT | 0 | | 0 |
| 24 | target_modification_time | BIGINT | 0 | | 0 |
| 25 | target_last_accessed_time | BIGINT | 0 | | 0 |
| 26 | target_creation_time | BIGINT | 0 | | 0 |
| 27 | volume_serial_number | TEXT | 0 | | 0 |
| 28 | volume_type | TEXT | 0 | | 0 |
| 29 | volume_label | TEXT | 0 | | 0 |
| 30 | volume_label_offset | INTEGER | 0 | | 0 |
| 31 | name | TEXT | 0 | | 0 |
+-----+---------------------------+---------+---------+------------+----+
Example Output
I am including sample output for our extension, alongside output from JLECmd, a known-good jumplist tool.
Filename: ff99ba2fb2e34b73.customDestinations-ms
JLECmd Output
{
"SourceFile": "C:\\git\\beats\\x-pack\\osquerybeat\\ext\\osquery-extension\\pkg\\jumplists\\testdata\\custom\\ff99ba2fb2e34b73.customDestinations-ms",
"AppId": {
"AppId": "ff99ba2fb2e34b73",
"Description": "Windows Calculator"
},
"Entries": [
{
"Name": "",
"Unknown0": 2,
"Rank": 7.006492E-45,
"Unknown2": 136193,
"HeaderType": 0,
"LnkFiles": [
{
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
"FileSize": 0,
"ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"FriendlyName": "File",
"Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"ExtensionBlocks": [
{
"__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
"Identifier": 46,
"MFTInformation": {
"MFTEntryNumber": 0,
"Note": "Network/special item"
},
"LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"LocalisedName": "",
"Message": "",
"Size": 140,
"Version": 9,
"Signature": 3203334148,
"VersionOffset": 60
}
]
}
],
"ExtraBlocks": [
{
"__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
"PropertyStore": {
"Sheets": [
{
"Size": 462,
"Version": "31-53-50-53",
"GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
"PropertyNames": {
"28": "ms-resource:///Resources/StandardModeText",
"27": "ms-resource:///Resources/StandardModeText",
"30": "",
"29": "ms-appx:///Assets/Standard.png",
"5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"20": "0"
},
"PropertySheetType": "Numeric"
},
{
"Size": 253,
"Version": "31-53-50-53",
"GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
"PropertyNames": {
"2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}"
},
"PropertySheetType": "Numeric"
},
{
"Size": 49,
"Version": "31-53-50-53",
"GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
"PropertyNames": {
"100": "0"
},
"PropertySheetType": "Numeric"
}
]
}
}
],
"SourceFile": "C:\\git\\beats\\Offset_0x18.lnk",
"Header": {
"Signature": "0002140100000000c000000000000046",
"DataFlags": 10485893,
"FileAttributes": 0,
"TargetCreationDate": "\/Date(-11644473600000)\/",
"TargetModificationDate": "\/Date(-11644473600000)\/",
"TargetLastAccessedDate": "\/Date(-11644473600000)\/",
"FileSize": 0,
"IconIndex": 0,
"HotKey": "",
"ShowWindow": "SwNormal",
"Reserved0": 0,
"Reserved1": 0,
"Reserved2": 0
},
"Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}",
"LocationFlags": 0
},
{
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
"FileSize": 0,
"ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"FriendlyName": "File",
"Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"ExtensionBlocks": [
{
"__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
"Identifier": 46,
"MFTInformation": {
"MFTEntryNumber": 0,
"Note": "Network/special item"
},
"LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"LocalisedName": "",
"Message": "",
"Size": 140,
"Version": 9,
"Signature": 3203334148,
"VersionOffset": 60
}
]
}
],
"ExtraBlocks": [
{
"__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
"PropertyStore": {
"Sheets": [
{
"Size": 474,
"Version": "31-53-50-53",
"GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
"PropertyNames": {
"28": "ms-resource:///Resources/ScientificModeText",
"27": "ms-resource:///Resources/ScientificModeText",
"30": "",
"29": "ms-appx:///Assets/Scientific.png",
"5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"20": "1"
},
"PropertySheetType": "Numeric"
},
{
"Size": 257,
"Version": "31-53-50-53",
"GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
"PropertyNames": {
"2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ScientificModeText}"
},
"PropertySheetType": "Numeric"
},
{
"Size": 49,
"Version": "31-53-50-53",
"GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
"PropertyNames": {
"100": "1"
},
"PropertySheetType": "Numeric"
}
]
}
}
],
"SourceFile": "C:\\git\\beats\\Offset_0x51C.lnk",
"Header": {
"Signature": "0002140100000000c000000000000046",
"DataFlags": 10485893,
"FileAttributes": 0,
"TargetCreationDate": "\/Date(-11644473600000)\/",
"TargetModificationDate": "\/Date(-11644473600000)\/",
"TargetLastAccessedDate": "\/Date(-11644473600000)\/",
"FileSize": 0,
"IconIndex": 0,
"HotKey": "",
"ShowWindow": "SwNormal",
"Reserved0": 0,
"Reserved1": 0,
"Reserved2": 0
},
"Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ScientificModeText}",
"LocationFlags": 0
},
{
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
"FileSize": 0,
"ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"FriendlyName": "File",
"Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"ExtensionBlocks": [
{
"__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
"Identifier": 46,
"MFTInformation": {
"MFTEntryNumber": 0,
"Note": "Network/special item"
},
"LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"LocalisedName": "",
"Message": "",
"Size": 140,
"Version": 9,
"Signature": 3203334148,
"VersionOffset": 60
}
]
}
],
"ExtraBlocks": [
{
"__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
"PropertyStore": {
"Sheets": [
{
"Size": 506,
"Version": "31-53-50-53",
"GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
"PropertyNames": {
"28": "ms-resource:///Resources/GraphingCalculatorModeText",
"27": "ms-resource:///Resources/GraphingCalculatorModeText",
"30": "",
"29": "ms-appx:///Assets/Graphing.png",
"5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"20": "17"
},
"PropertySheetType": "Numeric"
},
{
"Size": 273,
"Version": "31-53-50-53",
"GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
"PropertyNames": {
"2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/GraphingCalculatorModeText}"
},
"PropertySheetType": "Numeric"
},
{
"Size": 53,
"Version": "31-53-50-53",
"GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
"PropertyNames": {
"100": "17"
},
"PropertySheetType": "Numeric"
}
]
}
}
],
"SourceFile": "C:\\git\\beats\\Offset_0xA34.lnk",
"Header": {
"Signature": "0002140100000000c000000000000046",
"DataFlags": 10485893,
"FileAttributes": 0,
"TargetCreationDate": "\/Date(-11644473600000)\/",
"TargetModificationDate": "\/Date(-11644473600000)\/",
"TargetLastAccessedDate": "\/Date(-11644473600000)\/",
"FileSize": 0,
"IconIndex": 0,
"HotKey": "",
"ShowWindow": "SwNormal",
"Reserved0": 0,
"Reserved1": 0,
"Reserved2": 0
},
"Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/GraphingCalculatorModeText}",
"LocationFlags": 0
},
{
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
"FileSize": 0,
"ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"FriendlyName": "File",
"Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"ExtensionBlocks": [
{
"__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
"Identifier": 46,
"MFTInformation": {
"MFTEntryNumber": 0,
"Note": "Network/special item"
},
"LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"LocalisedName": "",
"Message": "",
"Size": 140,
"Version": 9,
"Signature": 3203334148,
"VersionOffset": 60
}
]
}
],
"ExtraBlocks": [
{
"__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
"PropertyStore": {
"Sheets": [
{
"Size": 474,
"Version": "31-53-50-53",
"GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
"PropertyNames": {
"28": "ms-resource:///Resources/ProgrammerModeText",
"27": "ms-resource:///Resources/ProgrammerModeText",
"30": "",
"29": "ms-appx:///Assets/Programmer.png",
"5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"20": "2"
},
"PropertySheetType": "Numeric"
},
{
"Size": 257,
"Version": "31-53-50-53",
"GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
"PropertyNames": {
"2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ProgrammerModeText}"
},
"PropertySheetType": "Numeric"
},
{
"Size": 49,
"Version": "31-53-50-53",
"GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
"PropertyNames": {
"100": "2"
},
"PropertySheetType": "Numeric"
}
]
}
}
],
"SourceFile": "C:\\git\\beats\\Offset_0xF90.lnk",
"Header": {
"Signature": "0002140100000000c000000000000046",
"DataFlags": 10485893,
"FileAttributes": 0,
"TargetCreationDate": "\/Date(-11644473600000)\/",
"TargetModificationDate": "\/Date(-11644473600000)\/",
"TargetLastAccessedDate": "\/Date(-11644473600000)\/",
"FileSize": 0,
"IconIndex": 0,
"HotKey": "",
"ShowWindow": "SwNormal",
"Reserved0": 0,
"Reserved1": 0,
"Reserved2": 0
},
"Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ProgrammerModeText}",
"LocationFlags": 0
},
{
"TargetIDs": [
{
"__type": "Lnk.ShellItems.ShellBag0X32, Lnk",
"FileSize": 0,
"ShortName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"FriendlyName": "File",
"Value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"ExtensionBlocks": [
{
"__type": "ExtensionBlocks.Beef0004, ExtensionBlocks",
"Identifier": 46,
"MFTInformation": {
"MFTEntryNumber": 0,
"Note": "Network/special item"
},
"LongName": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"LocalisedName": "",
"Message": "",
"Size": 140,
"Version": 9,
"Signature": 3203334148,
"VersionOffset": 60
}
]
}
],
"ExtraBlocks": [
{
"__type": "Lnk.ExtraData.PropertyStoreDataBlock, Lnk",
"PropertyStore": {
"Sheets": [
{
"Size": 486,
"Version": "31-53-50-53",
"GUID": "9f4c2855-9f79-4b39-a8d0-e1d42de1d5f3",
"PropertyNames": {
"28": "ms-resource:///Resources/DateCalculationModeText",
"27": "ms-resource:///Resources/DateCalculationModeText",
"30": "",
"29": "ms-appx:///Assets/Date.png",
"5": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App",
"20": "3"
},
"PropertySheetType": "Numeric"
},
{
"Size": 269,
"Version": "31-53-50-53",
"GUID": "f29f85e0-4ff9-1068-ab91-08002b27b3d9",
"PropertyNames": {
"2": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/DateCalculationModeText}"
},
"PropertySheetType": "Numeric"
},
{
"Size": 49,
"Version": "31-53-50-53",
"GUID": "436f2667-14e2-4feb-b30a-146c53b5b674",
"PropertyNames": {
"100": "3"
},
"PropertySheetType": "Numeric"
}
]
}
}
],
"SourceFile": "C:\\git\\beats\\Offset_0x14A8.lnk",
"Header": {
"Signature": "0002140100000000c000000000000046",
"DataFlags": 10485893,
"FileAttributes": 0,
"TargetCreationDate": "\/Date(-11644473600000)\/",
"TargetModificationDate": "\/Date(-11644473600000)\/",
"TargetLastAccessedDate": "\/Date(-11644473600000)\/",
"FileSize": 0,
"IconIndex": 0,
"HotKey": "",
"ShowWindow": "SwNormal",
"Reserved0": 0,
"Reserved1": 0,
"Reserved2": 0
},
"Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/DateCalculationModeText}",
"LocationFlags": 0
}
]
}
]
}
Osquery Extension Output (This PR)
[
{
"application_id": "ff99ba2fb2e34b73",
"application_name": "Windows Calculator",
"command_line_arguments": "",
"file_size": "0",
"hot_key": "",
"icon_index": "0",
"icon_location": "",
"jumplist_type": "custom",
"local_path": "",
"name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}",
"show_window": "SW_SHOWNORMAL",
"source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
"target_creation_time": "0",
"target_last_accessed_time": "0",
"target_modification_time": "0",
"volume_label": "",
"volume_label_offset": "0",
"volume_serial_number": "",
"volume_type": ""
},
{
"application_id": "ff99ba2fb2e34b73",
"application_name": "Windows Calculator",
"command_line_arguments": "",
"file_size": "0",
"hot_key": "",
"icon_index": "0",
"icon_location": "",
"jumplist_type": "custom",
"local_path": "",
"name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ScientificModeText}",
"show_window": "SW_SHOWNORMAL",
"source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
"target_creation_time": "0",
"target_last_accessed_time": "0",
"target_modification_time": "0",
"volume_label": "",
"volume_label_offset": "0",
"volume_serial_number": "",
"volume_type": ""
},
{
"application_id": "ff99ba2fb2e34b73",
"application_name": "Windows Calculator",
"command_line_arguments": "",
"file_size": "0",
"hot_key": "",
"icon_index": "0",
"icon_location": "",
"jumplist_type": "custom",
"local_path": "",
"name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/GraphingCalculatorModeText}",
"show_window": "SW_SHOWNORMAL",
"source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
"target_creation_time": "0",
"target_last_accessed_time": "0",
"target_modification_time": "0",
"volume_label": "",
"volume_label_offset": "0",
"volume_serial_number": "",
"volume_type": ""
},
{
"application_id": "ff99ba2fb2e34b73",
"application_name": "Windows Calculator",
"command_line_arguments": "",
"file_size": "0",
"hot_key": "",
"icon_index": "0",
"icon_location": "",
"jumplist_type": "custom",
"local_path": "",
"name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/ProgrammerModeText}",
"show_window": "SW_SHOWNORMAL",
"source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
"target_creation_time": "0",
"target_last_accessed_time": "0",
"target_modification_time": "0",
"volume_label": "",
"volume_label_offset": "0",
"volume_serial_number": "",
"volume_type": ""
},
{
"application_id": "ff99ba2fb2e34b73",
"application_name": "Windows Calculator",
"command_line_arguments": "",
"file_size": "0",
"hot_key": "",
"icon_index": "0",
"icon_location": "",
"jumplist_type": "custom",
"local_path": "",
"name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/DateCalculationModeText}",
"show_window": "SW_SHOWNORMAL",
"source_file_path": "C:\\Users\\brian.WIN10DEV\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ff99ba2fb2e34b73.customDestinations-ms",
"target_creation_time": "0",
"target_last_accessed_time": "0",
"target_modification_time": "0",
"volume_label": "",
"volume_label_offset": "0",
"volume_serial_number": "",
"volume_type": ""
}
]
As you can probably see, the JLECmd output is more extensive than what we are providing in this PR. This PR contains as many of the crucial fields as possible, while balancing that against the difficulty of getting at some of the fields. JLECmd goes deep into parsing the internal data structures of the LNK file (Shellbags). We can do that as well, but it would be follow-on work and not within the scope of this PR.
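One way to mechanise the JLECmd cross-check described above, as an added example rather than code from this PR or the beats repository: it flattens a decoded JLECmd JSON document into rows keyed by the elastic_jumplists column names, normalises the two representations (JLECmd's .NET `/Date(ms)/` strings and `SwNormal` enum names versus the extension's integer times and `SW_*` names) and lists the columns that disagree. It assumes the extension's BIGINT time columns hold Unix seconds with 0 meaning an unset FILETIME; the sample inputs are constructed from the output above and trimmed to the fields compared.

```python
import re

# JLECmd is a .NET tool and serialises dates as "/Date(<ms since Unix epoch>)/".
# A zero FILETIME (1601-01-01, i.e. "not set") lands at -11644473600000 ms.
FILETIME_EPOCH_UNIX_MS = -11644473600000
DOTNET_DATE = re.compile(r"^/Date\((-?\d+)\)/$")

# JLECmd's ShowWindow enum name -> the SW_* constant the extension emits. Only SwNormal
# is attested in the PR output; other values pass through and show up as mismatches.
SHOW_WINDOW_NAMES = {"SwNormal": "SW_SHOWNORMAL"}

def dotnet_date_to_unix_seconds(value):
    """Unix seconds for a JLECmd date, or 0 when the FILETIME was unset (assumption:
    the extension's BIGINT time columns hold Unix seconds and use 0 for unset)."""
    m = DOTNET_DATE.match(value)
    if not m:
        raise ValueError(f"unexpected JLECmd date: {value!r}")
    ms = int(m.group(1))
    return 0 if ms == FILETIME_EPOCH_UNIX_MS else ms // 1000

def jlecmd_to_rows(doc):
    """Flatten a decoded JLECmd JSON document into dicts keyed by elastic_jumplists columns."""
    rows = []
    for entry in doc["Entries"]:
        for lnk in entry["LnkFiles"]:
            h = lnk["Header"]
            rows.append({
                "application_id": doc["AppId"]["AppId"],
                "application_name": doc["AppId"]["Description"],
                "name": lnk["Name"],
                "file_size": str(h["FileSize"]),
                "icon_index": str(h["IconIndex"]),
                "hot_key": h["HotKey"],
                "show_window": SHOW_WINDOW_NAMES.get(h["ShowWindow"], h["ShowWindow"]),
                "target_creation_time": str(dotnet_date_to_unix_seconds(h["TargetCreationDate"])),
                "target_modification_time": str(dotnet_date_to_unix_seconds(h["TargetModificationDate"])),
                "target_last_accessed_time": str(dotnet_date_to_unix_seconds(h["TargetLastAccessedDate"])),
            })
    return rows

def mismatches(expected, actual):
    """Column names where the extension row disagrees with the JLECmd-derived row."""
    return sorted(k for k in expected if expected[k] != actual.get(k))

# Constructed sample: the PR's first JLECmd LNK entry, trimmed to the header fields used here.
UNSET = "/Date(-11644473600000)/"  # what JLECmd emits for a zero FILETIME
JLECMD_SAMPLE = {
    "AppId": {"AppId": "ff99ba2fb2e34b73", "Description": "Windows Calculator"},
    "Entries": [{"LnkFiles": [{
        "Header": {"FileSize": 0, "IconIndex": 0, "HotKey": "", "ShowWindow": "SwNormal",
                   "TargetCreationDate": UNSET, "TargetModificationDate": UNSET,
                   "TargetLastAccessedDate": UNSET},
        "Name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}",
    }]}],
}

# Constructed sample: the matching elastic_jumplists row from the PR's example output.
EXTENSION_ROW = {
    "application_id": "ff99ba2fb2e34b73", "application_name": "Windows Calculator",
    "file_size": "0", "hot_key": "", "icon_index": "0", "jumplist_type": "custom",
    "name": "@{Microsoft.WindowsCalculator_11.2411.1.0_x64__8wekyb3d8bbwe?ms-resource:///Resources/StandardModeText}",
    "show_window": "SW_SHOWNORMAL", "target_creation_time": "0",
    "target_last_accessed_time": "0", "target_modification_time": "0",
}
```

Running `mismatches(jlecmd_to_rows(JLECMD_SAMPLE)[0], EXTENSION_ROW)` returns an empty list for the sample above; any column the extension gets wrong shows up by name.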
Checklist
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
- [ ] I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the `stresstest.sh` script to run them under stress conditions and race detector to verify their stability.
- [x] I have added an entry in `./changelog/fragments` using the changelog tool.
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
:robot: GitHub comments
Just comment with:
`run docs-build`: Re-trigger the docs validation. (use unformatted text in the comment!)
This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
git fetch upstream
git checkout -b jumplists upstream/jumplists
git merge upstream/main
git push upstream jumplists
This is great @brian-mckinney
Would it be possible to join this table with shellbags native osquery table (maybe using sid value) so that it is not needed to go in-depth regarding LNK files? Maybe recent_files and file tables can help here as well.