Linux Artifacts

Linux.Applications.Chrome.Extensions

Fetch Chrome extensions.

Chrome extensions are installed into the user’s home directory. We search for manifest.json files in a known path within each system user’s home directory. We then parse the manifest file as JSON.

Many extensions use locale packs to resolve strings like name and description. In this case we detect the default locale and load those locale files. We then resolve the extension’s name and description from there.
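The manifest and locale handling described above, as an added example that is not the artifact's own VQL. It walks the ``Extensions/<id>/<version>/manifest.json`` layout, reads ``default_locale`` and resolves Chrome's ``__MSG_key__`` placeholders from ``_locales/<locale>/messages.json``. The extension tree is constructed in a temporary directory for the demo; the extension id and strings are made up.

```python
import glob
import json
import os
import tempfile

# Constructed sample extension (not a real one): Chrome resolves
# "__MSG_<key>__" placeholders in the manifest against
# _locales/<default_locale>/messages.json.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "__MSG_appName__",
    "description": "__MSG_appDesc__",
    "default_locale": "en",
    "version": "1.2.3",
}
SAMPLE_MESSAGES = {
    "appName": {"message": "Example Extension"},
    "appDesc": {"message": "Constructed description for the example"},
}


def find_manifests(extensions_root):
    """Chrome lays extensions out as Extensions/<id>/<version>/manifest.json."""
    pattern = os.path.join(extensions_root, "*", "*", "manifest.json")
    return sorted(glob.glob(pattern))


def resolve_msg(value, messages):
    """Replace a '__MSG_key__' placeholder with the locale string, else pass through."""
    if isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__"):
        key = value[len("__MSG_"):-len("__")]
        entry = messages.get(key)
        if isinstance(entry, dict) and "message" in entry:
            return entry["message"]
    return value


def load_extension(manifest_path):
    """Parse one manifest.json and resolve name/description through the default locale."""
    ext_dir = os.path.dirname(manifest_path)
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    messages = {}
    locale = manifest.get("default_locale")
    if locale:
        msg_path = os.path.join(ext_dir, "_locales", locale, "messages.json")
        if os.path.exists(msg_path):
            with open(msg_path, encoding="utf-8") as f:
                messages = json.load(f)
    return {
        "path": ext_dir,
        "name": resolve_msg(manifest.get("name"), messages),
        "description": resolve_msg(manifest.get("description"), messages),
        "version": manifest.get("version"),
        "default_locale": locale,
        "permissions": manifest.get("permissions", []),
    }


def build_sample_extension(extensions_root):
    """Write the constructed sample extension under a made-up extension id."""
    ext_dir = os.path.join(extensions_root, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.2.3_0")
    os.makedirs(os.path.join(ext_dir, "_locales", "en"))
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(SAMPLE_MANIFEST, f)
    with open(os.path.join(ext_dir, "_locales", "en", "messages.json"), "w", encoding="utf-8") as f:
        json.dump(SAMPLE_MESSAGES, f)
    return ext_dir


def demo():
    """Build the sample tree in a temp dir and return the parsed extension records."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_extension(root)
        return [load_extension(p) for p in find_manifests(root)]


if __name__ == "__main__":
    for ext in demo():
        print(ext)
```

On a real host, point ``find_manifests`` at each user's ``.config/google-chrome/<profile>/Extensions`` directory; a name that still starts with ``__MSG_`` after resolution means the locale pack was missing or did not define that key.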

==============  ==================================================  ===========
Arg             Default                                             Description
==============  ==================================================  ===========
extensionGlobs  /.config/google-chrome//Extensions//*/manifest.j …
==============  ==================================================  ===========

Linux.Applications.Chrome.Extensions.Upload

Upload all users' Chrome extensions.

We don't parse anything here; we just collect all the extension files found in each user's home directory.

==============  ======================================  ===========
Arg             Default                                 Description
==============  ======================================  ===========
extensionGlobs  /.config/google-chrome/*/Extensions/**
==============  ======================================  ===========

Linux.Applications.Docker.Info

Get Docker's info by connecting to its socket.

============  ====================  ===================================================================
Arg           Default               Description
============  ====================  ===================================================================
dockerSocket  /var/run/docker.sock  Docker server socket. You will normally need to be root to connect.
============  ====================  ===================================================================

Linux.Applications.Docker.Version

Get Docker's version by connecting to its socket.

============  ====================  ===================================================================
Arg           Default               Description
============  ====================  ===================================================================
dockerSocket  /var/run/docker.sock  Docker server socket. You will normally need to be root to connect.
============  ====================  ===================================================================

Linux.Debian.AptSources

Parse Debian apt sources.

We first search for *.list files which contain lines of the form

.. code:: console

   deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted

For each line we construct the cache file name by splitting off the section (the last component) and replacing / and " " with _.

We then try to open the file. If the file exists we parse some metadata from it. If not we leave those columns empty.
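The source-line to cache-file mapping and the Release metadata lookup, as an added example (not the artifact's own VQL). The page's rule, dropping the section and replacing / and " " with _, is applied as written; on top of it the example assumes apt's own naming convention, namely that the URL scheme is stripped and ``dists/<distribution>/`` precedes the ``Release`` file name. The sources list, the Release file and the cache directory are constructed in a temporary directory for the demo.

```python
import os
import re
import tempfile

# Constructed sample inputs (not captured from a real host).
SAMPLE_SOURCES_LIST = """\
# Ubuntu mirror: a cache file exists for it in the demo
deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
# A second mirror whose Release file is absent from the cache
deb http://mirror.example.invalid/ubuntu/ bionic universe
"""
SAMPLE_RELEASE = """\
Origin: Ubuntu
Label: Ubuntu
Suite: bionic
Codename: bionic
Date: Thu, 26 Apr 2018 23:37:48 UTC
Architectures: amd64 arm64
"""

SOURCE_LINE_RE = re.compile(
    r"^(?P<type>deb(?:-src)?)\s+(?P<url>\S+)\s+(?P<dist>\S+)\s+(?P<components>.+)$"
)


def cache_file_name(url, dist):
    """Map a source line's URL and distribution to its Release file in the apt list cache.

    The page's rule: drop the section (last component) and turn '/' and ' ' into '_'.
    Assumed on top of that (apt's naming convention): the URL scheme is removed
    and 'dists/<dist>/' precedes the Release file name.
    """
    host_path = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url).rstrip("/")
    raw = f"{host_path}/dists/{dist}/"
    return re.sub(r"[/ ]", "_", raw) + "Release"


def parse_release(path):
    """Read 'Key: value' metadata from an apt Release file; empty dict if it is missing."""
    fields = {}
    if not os.path.exists(path):
        return fields
    with open(path, encoding="utf-8") as f:
        for line in f:
            if line[:1].isspace() or ":" not in line:
                continue  # skip continuation lines (hash lists) and junk
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_sources(list_text, cache_dir):
    """Parse *.list content and join each entry with its cached Release metadata."""
    rows = []
    for line in list_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SOURCE_LINE_RE.match(line)
        if not m:
            continue
        name = cache_file_name(m["url"], m["dist"])
        meta = parse_release(os.path.join(cache_dir, name))
        rows.append({
            "type": m["type"],
            "url": m["url"],
            "dist": m["dist"],
            "components": m["components"].split(),
            "cache_file": name,
            # Columns stay empty when the cache file does not exist.
            "origin": meta.get("Origin", ""),
            "label": meta.get("Label", ""),
            "suite": meta.get("Suite", ""),
            "codename": meta.get("Codename", ""),
            "date": meta.get("Date", ""),
        })
    return rows


def demo():
    """Populate a temporary cache with one Release file and parse the sample list."""
    with tempfile.TemporaryDirectory() as cache_dir:
        name = cache_file_name("http://us.archive.ubuntu.com/ubuntu/", "bionic")
        with open(os.path.join(cache_dir, name), "w", encoding="utf-8") as f:
            f.write(SAMPLE_RELEASE)
        return parse_sources(SAMPLE_SOURCES_LIST, cache_dir)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third sample line deliberately has no cached Release file, so its metadata columns come back empty, which is the behaviour the text describes for sources that have never been refreshed.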

====================  ====================================================  =======================================
Arg                   Default                                               Description
====================  ====================================================  =======================================
linuxAptSourcesGlobs  /etc/apt/sources.list,/etc/apt/sources.list.d/*.li …  Globs to find apt source *.list files.
aptCacheDirectory     /var/lib/apt/lists/                                   Location of the apt cache directory.
====================  ====================================================  =======================================

Linux.Debian.Packages

Parse dpkg status file.

===============  ====================  ===========
Arg              Default               Description
===============  ====================  ===========
linuxDpkgStatus  /var/lib/dpkg/status
===============  ====================  ===========

Linux.Events.ProcessExecutions

This artifact collects process execution logs from the Linux kernel.

This artifact relies on the presence of auditctl, usually included in the auditd package. On Ubuntu you can install it using:

.. code:: console

   apt-get install auditd

==============  ==============  =====================================================================
Arg             Default         Description
==============  ==============  =====================================================================
pathToAuditctl  /sbin/auditctl  We depend on auditctl to install the correct process execution rules.
==============  ==============  =====================================================================

Linux.Events.SSHBruteforce

This is a monitoring artifact that detects a successful SSH login preceded by some failed attempts within the last hour.

This is particularly important in the case of SSH brute-forcers. If one of the brute-force password attempts succeeds, the password-guessing program will likely report the success and move on. This alert might give admins enough time to lock down the account before attackers can exploit the weak password.

===================  ===================================================  ==========================================================
Arg                  Default                                              Description
===================  ===================================================  ==========================================================
syslogAuthLogPath    /var/log/auth.log
SSHGrok              %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} …  A Grok expression for parsing SSH auth lines.
MinimumFailedLogins  2                                                    Minimum number of failed logins before a successful login.
===================  ===================================================  ==========================================================

Linux.Events.SSHLogin

This monitoring artifact watches the auth.log file for new successful SSH login events and relays them back to the server.

=================  ===================================================  =============================================
Arg                Default                                              Description
=================  ===================================================  =============================================
syslogAuthLogPath  /var/log/auth.log
SSHGrok            %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} …  A Grok expression for parsing SSH auth lines.
=================  ===================================================  =============================================
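The detection logic of Linux.Events.SSHBruteforce, and the auth-line parsing that Linux.Events.SSHLogin relays, as one added example (not the artifacts' own VQL or Grok). The regex is a plain-Python stand-in for the SSHGrok pattern; the auth.log lines are constructed; and two assumptions are made that the page leaves open: the source IP is the key that links failures to the later success, and syslog timestamps (which carry no year) are given the year 2024.

```python
import re
from datetime import datetime, timedelta

# Constructed auth.log lines (not from a real host). Syslog timestamps carry no
# year, so ASSUMED_YEAR is used when parsing them.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:01:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:02:11 host sshd[1203]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Mar  3 10:02:40 host sshd[1204]: Accepted password for alice from 203.0.113.7 port 51003 ssh2
Mar  3 12:30:00 host sshd[1300]: Accepted publickey for bob from 198.51.100.9 port 40000 ssh2
"""

# Plain-regex stand-in for the artifact's Grok pattern for sshd auth lines.
SSH_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
ASSUMED_YEAR = 2024          # assumption: syslog lines have no year field
WINDOW = timedelta(hours=1)  # "within the last hour" from the description


def parse_line(line):
    """Return a dict for one sshd Accepted/Failed line, or None for anything else."""
    m = SSH_LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "event": m["event"], "method": m["method"],
            "user": m["user"], "ip": m["ip"], "port": int(m["port"])}


def ssh_logins(text):
    """All parsed login attempts, success and failure (what the SSHLogin artifacts relay)."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def bruteforce_alerts(text, minimum_failed=2, window=WINDOW):
    """Successful logins preceded by at least minimum_failed failures from the same
    source IP inside the window (assumption: the source IP is the correlation key)."""
    alerts = []
    failures = []  # every failure seen so far, in log order
    for e in ssh_logins(text):
        if e["event"] == "Failed":
            failures.append(e)
            continue
        recent = [f for f in failures
                  if f["ip"] == e["ip"] and e["time"] - window <= f["time"] <= e["time"]]
        if len(recent) >= minimum_failed:
            alerts.append({
                "time": e["time"], "user": e["user"], "ip": e["ip"],
                "method": e["method"], "failed_attempts": len(recent),
                "failed_users": sorted({f["user"] for f in recent}),
            })
    return alerts


if __name__ == "__main__":
    for alert in bruteforce_alerts(SAMPLE_AUTH_LOG):
        print(alert)
```

In the sample, alice's successful password login follows three failures from the same address within a minute and is reported; bob's key-based login from another address has no preceding failures and is not. Raising ``minimum_failed`` to 4 suppresses the alert, which is the knob the MinimumFailedLogins argument exposes.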

Linux.Mounts

List mounted filesystems by reading /proc/mounts.

==========  ============  ===========
Arg         Default       Description
==========  ============  ===========
ProcMounts  /proc/mounts
==========  ============  ===========

Linux.Proc.Arp

ARP table via /proc/net/arp.

==========  =============  ===========
Arg         Default        Description
==========  =============  ===========
ProcNetArp  /proc/net/arp
==========  =============  ===========

Linux.Proc.Modules

Module listing via /proc/modules.

===========  =============  ===========
Arg          Default        Description
===========  =============  ===========
ProcModules  /proc/modules
===========  =============  ===========

Linux.Search.FileFinder

Find files on the filesystem using the filename or content.

Performance Note

This artifact can be quite expensive, especially if we search file content, since it must open each file and read its entire content. To minimize the impact on the endpoint we recommend collecting this artifact in a rate-limited way (about 20-50 ops per second).

This artifact is useful in the following scenarios:

  • We need to locate all the places on our network where customer data has been copied.

  • We’ve identified malware in a data breach, named using short random strings in specific folders and need to search for other instances across the network.

  • We believe our user account credentials have been dumped and need to locate them.

  • We need to search for exposed credit card data to satisfy PCI requirements.

  • We have a sample of data that has been disclosed and need to locate other similar files.

===============  ==========  =======================================================
Arg              Default     Description
===============  ==========  =======================================================
SearchFilesGlob  /home/*/**  Use a glob to define the files that will be searched.
Keywords         None        A comma delimited list of strings to search for.
Upload_File      N
Calculate_Hash   N
MoreRecentThan
ModifiedBefore
===============  ==========  =======================================================

Linux.Ssh.AuthorizedKeys

Find and parse ssh authorized keys files.

===========  =====================  =================================================================
Arg          Default                Description
===========  =====================  =================================================================
sshKeyFiles  .ssh/authorized_keys*  Glob of authorized_keys file relative to a user's home directory.
===========  =====================  =================================================================

Linux.Ssh.KnownHosts

Find and parse ssh known hosts files.

==================  =================  ===========
Arg                 Default            Description
==================  =================  ===========
sshKnownHostsFiles  .ssh/known_hosts*
==================  =================  ===========

Linux.Ssh.PrivateKeys

SSH Private keys can be either encrypted or unencrypted. Unencrypted private keys are more risky because an attacker can use them without needing to unlock them with a password.

This artifact searches for private keys in the usual locations and also records if they are encrypted or not.

========  =========================  ===========
Arg       Default                    Description
========  =========================  ===========
KeyGlobs  /home/*/.ssh/id_{rsa,dsa}
========  =========================  ===========

Linux.Sys.ACPITables

Firmware ACPI functional table common metadata and content.

==============  =========================  ===========
Arg             Default                    Description
==============  =========================  ===========
kLinuxACPIPath  /sys/firmware/acpi/tables
==============  =========================  ===========

Linux.Sys.BashShell

This artifact allows running arbitrary commands through the system shell.

Since Velociraptor typically runs as root, the commands will also run as root.

This is a very powerful artifact since it allows for arbitrary command execution on the endpoints. Therefore this artifact requires elevated permissions (specifically the EXECVE permission). Typically it is only available with the administrator role.

=======  =======  ===========
Arg      Default  Description
=======  =======  ===========
Command  ls -l /
=======  =======  ===========

Linux.Sys.CPUTime

Displays information from the /proc/stat file about the time the CPU cores spent in different parts of the system.

========  ==========  ===========
Arg       Default     Description
========  ==========  ===========
procStat  /proc/stat
========  ==========  ===========

Linux.Sys.Crontab

Displays parsed information from crontab.

==============  ==================================================  ===========
Arg             Default                                             Description
==============  ==================================================  ===========
cronTabGlob     /etc/crontab,/etc/cron.d/,/var/at/tabs/,/var/s …
cronTabScripts  /etc/cron.daily/,/etc/cron.hourly/,/etc/cron.mon …
==============  ==================================================  ===========

Linux.Sys.LastUserLogin

Find and parse system wtmp files. These indicate when each user last logged in.

===========  ============================================  ===========
Arg          Default                                       Description
===========  ============================================  ===========
wtmpGlobs    /var/log/wtmp*
wtmpProfile  { "timeval": [8, { "tv_sec": [0, ["int"]], …
===========  ============================================  ===========
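How the fixed-size wtmp records are decoded to find each user's last login, as an added example (not the artifact's own VQL or its wtmpProfile). The record layout assumed here is glibc's ``struct utmp`` on x86_64 (384 bytes per record, with the ``timeval``/``tv_sec`` fields the profile fragment above refers to); other architectures differ. The sample wtmp content is constructed in memory from made-up logins.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout: glibc's struct utmp on x86_64 (384 bytes). The
# fields mirror the ones the artifact's wtmpProfile describes (a timeval
# holding tv_sec as an int); other architectures may differ.
UTMP_FMT = "<hxxi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type value for a normal user login


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed wtmp record (used only to produce sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample wtmp content: three logins, alice twice.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "203.0.113.7", 1700000000),
    make_record(USER_PROCESS, 1300, "pts/1", "bob", "198.51.100.9", 1700003600),
    make_record(USER_PROCESS, 1402, "pts/0", "alice", "203.0.113.7", 1700007200),
])


def parse_wtmp(data):
    """Decode every complete fixed-size record in a wtmp byte string."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _ident, user, host = fields[:6]
        tv_sec = fields[9]  # ut_tv.tv_sec
        records.append({
            "type": ut_type,
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "tv_sec": tv_sec,
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def read_wtmp(path):
    """Parse a wtmp file on disk (e.g. one matched by the wtmpGlobs argument)."""
    with open(path, "rb") as f:
        return parse_wtmp(f.read())


def last_user_logins(data):
    """Most recent USER_PROCESS record per user name."""
    last = {}
    for rec in parse_wtmp(data):
        if rec["type"] != USER_PROCESS:
            continue
        if rec["user"] not in last or rec["tv_sec"] > last[rec["user"]]["tv_sec"]:
            last[rec["user"]] = rec
    return last


if __name__ == "__main__":
    for user, rec in last_user_logins(SAMPLE_WTMP).items():
        print(user, rec["time"].isoformat(), rec["host"], rec["line"])
```

Only ``USER_PROCESS`` records count as logins; wtmp also holds boot, runlevel and logout records with other ``ut_type`` values, which the filter skips.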

Linux.Sys.Maps

A running binary may link other binaries into its address space. These shared objects contain exported functions which may be used by the binary.

This artifact parses /proc//maps to list every file mapped into each matching process.

============  =======  ==================================
Arg           Default  Description
============  =======  ==================================
processRegex  .        A regex applied to process names.
============  =======  ==================================

Linux.Sys.SUID

When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively [1]. Normally an application is run in the current user's context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn't need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits via bitmasking, chmod 4777 [file], or via shorthand naming, chmod u+s [file].

An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bits to get code running in a different user's context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future [2].
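The inventory the artifact produces, as an added example (not the artifact's own VQL): walk a tree, ``lstat`` each entry so symlinks are not followed, and report regular files whose mode carries ``S_ISUID`` or ``S_ISGID``, with the ``ls -l`` style string that shows the "s" the text describes. The demo tree (a setuid, a setgid and a plain file) is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def find_setuid_setgid(root):
    """Walk root (without following symlinks) and list regular files with setuid/setgid set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if setuid or setgid:
                hits.append({
                    "path": path,
                    "perm": stat.filemode(st.st_mode),  # e.g. -rwsr-xr-x, the "s" from ls -l
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "setuid": setuid,
                    "setgid": setgid,
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "size": st.st_size,
                })
    return sorted(hits, key=lambda h: h["path"])


def demo():
    """Constructed tree: one setuid, one setgid and one plain file under a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, mode in (("suidtool", 0o4755), ("sgidtool", 0o2755), ("plain", 0o755)):
            path = os.path.join(bindir, name)
            with open(path, "w", encoding="utf-8") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        return find_setuid_setgid(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["perm"], hit["uid"], hit["gid"], hit["path"])
```

Two caveats when running this against a real ``GlobExpression`` such as ``/usr/**``: the kernel silently drops the setgid bit on ``chmod`` by an unprivileged caller whose groups do not include the file's group, so ``sgidtool`` may not appear in the demo output on such a system, and a useful follow-up in practice is to diff the result against a known-good baseline of the distribution's expected setuid binaries rather than reviewing the full list by hand.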

References:

==============  =======  ===========
Arg             Default  Description
==============  =======  ===========
GlobExpression  /usr/**
==============  =======  ===========

Linux.Sys.Users

Get user-specific information (home directory, group, etc.) from /etc/passwd.

============  ===========  ===================================
Arg           Default      Description
============  ===========  ===================================
PasswordFile  /etc/passwd  The location of the password file.
============  ===========  ===================================

Linux.Syslog.SSHLogin

Parses the auth logs to determine all SSH login attempts.

=================  ===================================================  =============================================
Arg                Default                                              Description
=================  ===================================================  =============================================
syslogAuthLogPath  /var/log/auth.log*
SSHGrok            %{SYSLOGTIMESTAMP:Timestamp} (?:%{SYSLOGFACILITY} …  A Grok expression for parsing SSH auth lines.
=================  ===================================================  =============================================