Miscellaneous Artifacts

Admin.Client.Upgrade

Remotely push new client updates.

NOTE: The updates can be pulled from any web server. You need to ensure they are properly secured with SSL and at least a random nonce in their path. You may configure the Velociraptor server to serve these through the public directory. Simply place the MSI in the public directory within the data store and set the URL below.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - clientURL
     - ``http://127.0.0.1:8000/public/velociraptor.msi``
     - The URL to fetch the MSI package.

Admin.Events.PostProcessUploads

Sometimes we would like to post process uploads collected as part of the hunt's artifact collections.

Post processing means to watch the hunt for completed flows and run a post processing command on the files obtained from each host.

The command will receive the list of paths of the files uploaded by the artifact. We don't actually care what the command does with those files - we simply relay its stdout/stderr into the artifact's result set.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - uploadPostProcessCommand
     - ``["/bin/ls", "-l"]``
     - The command to run - must be a JSON array of strings! The list of files will be appended to the end of the command.
   * - uploadPostProcessArtifact
     - ``Windows.Registry.NTUser.Upload``
     - The name of the artifact to watch.

Admin.System.CompressUploads

Compresses all uploaded files.

When artifacts collect files they are normally stored on the server uncompressed. This artifact watches all completed flows and compresses the files in the file store when the flow completes. This is very useful for cloud based deployments with limited storage space or when collecting large files.

This artifact is normally started on the server as part of an artifact acquisition:

.. code-block:: console

   $ velociraptor --config /etc/server.config.yaml artifacts acquire Admin.System.CompressUploads

Note that there is nothing special about compressed files - you can also just run find and gzip in the file store. Velociraptor will automatically decompress the file when displaying it in the GUI text/hexdump etc.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - blacklistCompressionFilename
     - ``(?i).+ntuser.dat``
     - Filenames which match this regex will be excluded from compression.

Demo.Plugins.Fifo

This is a demo of the fifo() plugin. The Fifo plugin collects and caches rows from its inner query. Every subsequent execution of the query then reads from the cache. The plugin will expire old rows depending on its expiration policy - so we always see recent rows.

You can use this to build queries which consider historical events together with current events at the same time. In this example, we check for a successful logon preceded by a number of failed logon attempts.

In this example, we use the clock() plugin to simulate events. We simulate failed logon attempts using the clock() plugin every second. By feeding the failed logon events to the fifo() plugin we ensure the fifo() plugin cache contains the last 5 failed logon events.

We simulate a successful logon event every 3 seconds, again using the clock plugin. Once a successful logon event is detected, we go back over the last 5 login events, count them and collect the last failed logon times (using the GROUP BY operator we group the FailedTime for every unique SuccessTime).

If we receive more than 3 events, we emit the row.

This now represents a high value signal! It will only occur when a successful logon event is preceded by at least 3 failed logon events in the last hour. It is now possible to escalate this on the server via email or other alerts.

Here is sample output:

.. code-block:: json

   {
     "Count": 5,
     "FailedTime": [
       1549527272,
       1549527273,
       1549527274,
       1549527275,
       1549527276
     ],
     "SuccessTime": 1549527277
   }

Of course in the real artifact we would want to include more information than just times (i.e. who logged on to where etc).
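The correlation that Demo.Plugins.Fifo performs with the fifo() plugin in VQL, as an added Python example (not part of the artifact or of Velociraptor): a bounded cache of the most recent failed logon times, an expiry window, and the check that runs whenever a successful logon arrives. The cache size of 5, the "more than 3" threshold and the one-hour expiry follow the text above; the class and function names and the event stream are constructed for the example.

```python
"""Sliding-window correlation: successful logon preceded by failed logons.

Added example modelling Demo.Plugins.Fifo in plain Python. The names
FailedLogonFifo / correlate and the sample timestamps are constructed.
"""
from collections import deque

CACHE_SIZE = 5     # fifo() keeps the last 5 failed logon rows (per the text)
THRESHOLD = 3      # emit when more than 3 cached failures precede a success
MAX_AGE = 3600     # expiry policy: failures older than an hour no longer count


class FailedLogonFifo:
    """Bounded cache of failed-logon timestamps, oldest rows dropped first."""

    def __init__(self, size=CACHE_SIZE, max_age=MAX_AGE):
        self.rows = deque(maxlen=size)   # deque enforces the cache size
        self.max_age = max_age

    def add_failure(self, ts):
        self.rows.append(ts)

    def on_success(self, success_ts):
        """Apply the expiry policy relative to the success, then the threshold.

        Returns a row shaped like the artifact's sample output, or None.
        """
        recent = [t for t in self.rows if success_ts - t <= self.max_age]
        if len(recent) > THRESHOLD:
            return {"Count": len(recent),
                    "FailedTime": recent,
                    "SuccessTime": success_ts}
        return None


def correlate(events):
    """events: iterable of (timestamp, kind) in time order, kind in {'fail', 'success'}.

    Returns the list of emitted signal rows. Failures are not cleared on success,
    mirroring the GROUP BY SuccessTime behaviour described above.
    """
    fifo = FailedLogonFifo()
    emitted = []
    for ts, kind in events:
        if kind == "fail":
            fifo.add_failure(ts)
        elif kind == "success":
            row = fifo.on_success(ts)
            if row is not None:
                emitted.append(row)
    return emitted


# Constructed stream reproducing the artifact's sample output: five failures
# one second apart, then a success.
SAMPLE_EVENTS = [(1549527272 + i, "fail") for i in range(5)] + [(1549527277, "success")]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

Because the deque is bounded, a burst of ten failures still reports a Count of 5, exactly as the fifo() cache would; failures older than the expiry window are ignored rather than evicted, so the window is evaluated at the moment of the success.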


Demo.Plugins.GUI

A demo plugin showing some GUI features.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ChoiceSelector
     - ``First Choice``
     -
   * - Flag
     - ``Y``
     -
   * - OffFlag
     -
     -
   * - StartDate
     -
     -

Elastic.Events.Clients

This server monitoring artifact will watch a selection of client monitoring artifacts for new events and push those to an elastic index.

NOTE: You must ensure you are collecting these artifacts from the clients by adding them to the “Client Events” GUI.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - WindowsDetectionPsexecService
     -
     - Upload Windows.Detection.PsexecService to Elastic
   * - WindowsEventsDNSQueries
     -
     - Upload Windows.Events.DNSQueries to Elastic
   * - WindowsEventsProcessCreation
     -
     - Upload Windows.Events.ProcessCreation to Elastic
   * - WindowsEventsServiceCreation
     -
     - Upload Windows.Events.ServiceCreation to Elastic
   * - ElasticAddresses
     - ``http://127.0.0.1:9200/``
     -

Elastic.Flows.Upload

This server side event monitoring artifact waits for new artifacts to be collected from endpoints and automatically uploads those to an elastic server.

We use the artifact name as the name of the index. This allows users to adjust the index size/lifetime according to the artifact it is holding.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ArtifactNameRegex
     - ``.``
     - Only upload these artifacts to elastic
   * - elasticAddresses
     - ``http://127.0.0.1:9200/``
     -

Generic.Applications.Office.Keywords

Microsoft Office documents, among other document formats (such as LibreOffice), are actually stored as zip files. The zip file contains the document encoded as XML in a number of zip members.

This makes it difficult to search for keywords within office documents because the ZIP files are typically compressed.

This artifact searches for office documents by file extension and glob, then uses the zip filesystem accessor to launch a YARA scan against the uncompressed data of the document. Keywords are more likely to match when scanning the decompressed XML data.

The artifact returns a context around the keyword hit.

NOTE: The InternalMtime column shows the creation time of the zip member within the document which may represent when the document was initially created.

See:

- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
- https://wiki.openoffice.org/wiki/Documentation/OOo3_User_Guides/Getting_Started/File_formats

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - documentGlobs
     - ``/*.{docx,docm,dotx,dotm,docb,xlsx,xlsm,xltx,xltm,p …``
     -
   * - searchGlob
     - ``C:\Users\**``
     -
   * - yaraRule
     - ``rule Hit {\n strings:\n $a = "secret" wide noc …``
     -
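Why the artifact scans the decompressed members rather than the file bytes, as an added Python example (not the artifact's VQL and not Velociraptor code): a minimal docx-like zip is constructed in memory, a keyword search over the raw file misses the text because the XML member is deflate-compressed, and a search over each decompressed member finds it and reports the member's internal timestamp, which is what the artifact exposes as InternalMtime. The member names, keyword, context width and function names are assumptions for the example.

```python
"""Keyword search inside zip-based Office documents.

Added example for Generic.Applications.Office.Keywords; the document, member
names and helper names are constructed and are not part of the artifact.
"""
import io
import re
import zipfile
from datetime import datetime


def build_sample_docx():
    """Constructed minimal docx-like archive with one compressed XML member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Explicit ZipInfo so the member carries a known internal mtime.
        info = zipfile.ZipInfo("word/document.xml",
                               date_time=(2019, 2, 7, 8, 14, 32))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, "<w:document><w:t>This memo contains the secret "
                          "project codename.</w:t></w:document>")
        zf.writestr("docProps/core.xml",
                    "<cp:coreProperties><dc:creator>analyst</dc:creator>"
                    "</cp:coreProperties>")
    return buf.getvalue()


def raw_search_finds(data, keyword):
    """Naive byte search over the compressed container (what a plain file
    scan would see): the keyword is hidden by deflate encoding."""
    return keyword.encode() in data


def scan_document(data, keyword, context=20):
    """Search every decompressed zip member for the keyword (case-insensitive).

    Each hit reports the member name, its internal modification time and a
    window of surrounding text, comparable to the artifact's context column.
    """
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            text = zf.read(info).decode("utf-8", errors="replace")
            for m in pattern.finditer(text):
                hits.append({
                    "Member": info.filename,
                    "InternalMtime": datetime(*info.date_time).isoformat(),
                    "Context": text[max(0, m.start() - context): m.end() + context],
                })
    return hits


if __name__ == "__main__":
    doc = build_sample_docx()
    print("raw byte search finds keyword:", raw_search_finds(doc, "secret"))
    for hit in scan_document(doc, "secret"):
        print(hit)
```

On a real document the same loop runs over every member of the archive, so a hit in ``docProps/core.xml`` (document metadata) is reported alongside hits in the body XML; the internal mtime of the body member is the value the artifact's note above warns may reflect when the document was first created rather than last saved.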

Generic.Client.Info

Collect basic information about the client.

This artifact is collected when any new client is enrolled into the system. Velociraptor will watch for this artifact and populate its internal indexes from this artifact as well.

You can edit this artifact to enhance the client’s interrogation information as required.


Generic.Client.Stats

An event artifact which reports the client's CPU and memory statistics.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Frequency
     - ``10``
     - Return stats every this many seconds.

Generic.Forensic.Carving.URLs

Carve URLs from files located in a glob. Note that we do not parse any files - we simply carve anything that looks like a URL.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UrlGlob
     - ``["C:/Documents and Settings/*/Local Settings/Appli …``
     -

Generic.Forensic.Timeline

This artifact generates a timeline of a file glob in bodyfile format. We currently do not calculate the md5 because it is quite expensive.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - timelineGlob
     - ``C:\Users\**``
     -
   * - timelineAccessor
     - ``file``
     -

MacOS.Detection.Autoruns

This artifact collects evidence of autoruns. We also capture the files and upload them.

This code is based on https://github.com/CrowdStrike/automactc/blob/master/modules/mod_autoruns_v102.py

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - sandboxed_loginitems
     - ``/var/db/com.apple.xpc.launchd/disabled.*.plist``
     -
   * - cronTabGlob
     - ``/private/var/at//tabs/*``
     -
   * - LaunchAgentsDaemonsGlob
     - ``["/System/Library/LaunchAgents/*.plist", "/Library/ …``
     -
   * - ScriptingAdditionsGlobs
     - ``["/System/Library/ScriptingAdditions/*.osax", "/Lib …``
     -
   * - StartupItemsGlobs
     - ``["/System/Library/StartupItems//", "/Library/Star …``
     -
   * - MiscItemsGlobs
     - ``["/private/etc/periodic.conf", "/private/etc/perio …``
     -
   * - LoginItemsGlobs
     - ``["/Users/*/Library/Preferences/com.apple.loginitem …``
     -

MacOS.System.Users

This artifact collects information about the local users on the system. The information is stored in plist files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UserPlistGlob
     - ``/private/var/db/dslocal/nodes/Default/users/*.plis …``
     -
   * - OnlyShowRealUsers
     - ``Y``
     -

Network.ExternalIpAddress

Detect the external IP address of the endpoint.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - externalUrl
     - ``http://www.myexternalip.com/raw``
     - The URL of the external IP detection site.

Reporting.Hunts.Details

Report details about which client ran each hunt, how long it took and if it has completed.


System.Flow.Completion

An internal artifact that produces events for every flow completion in the system.


System.Hunt.Participation

Endpoints may participate in hunts. This artifact collects which hunt each system participated in.

Note: This is an automated system hunt. You do not need to start it.


System.VFS.DownloadFile

This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the GUI when the user clicks the “Collect from client” button at the file “Stats” tab.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Path
     - ``/``
     - The path of the file to download.
   * - Accessor
     - ``file``
     -

System.VFS.ListDirectory

This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the GUI when a user clicks the “Refresh this directory” button.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Path
     - ``/``
     - The path of the file to download.
   * - Accessor
     - ``file``
     -
   * - Depth
     - ``0``
     -

Windows.Analysis.EvidenceOfExecution

In many investigations it is useful to find evidence of program execution.

This artifact combines the findings of several other collectors into an overview of all program execution artifacts. The associated report walks the user through the analysis of the findings.


Windows.Applications.ChocolateyPackages

Chocolatey packages installed on a system.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ChocolateyInstall
     -
     -

Windows.Applications.Chrome.Cookies

Enumerate the user's Chrome cookies.

The cookies are typically encrypted by DPAPI using the user's credentials. Since Velociraptor is typically not running in the user's context, it cannot decrypt these. It may be possible to decrypt the cookies offline.

The pertinent information from a forensic point of view is the user's Created and LastAccess timestamps and the fact that the user has actually visited the site and obtained a cookie.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - cookieGlobs
     - ``\AppData\Local\Google\Chrome\User Data\*\Co …``
     -
   * - cookieSQLQuery
     - ``SELECT creation_utc, host_key, name, value, path, …``
     -
   * - userRegex
     - ``.``
     -

Windows.Applications.Chrome.Extensions

Fetch Chrome extensions.

Chrome extensions are installed into the user’s home directory. We search for manifest.json files in a known path within each system user’s home directory. We then parse the manifest file as JSON.

Many extensions use locale packs to resolve strings like name and description. In this case we detect the default locale and load those locale files. We then resolve the extension’s name and description from there.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - extensionGlobs
     - ``\AppData\Local\Google\Chrome\User Data\*\Ex …``
     -
   * - userRegex
     - ``.``
     -

Windows.Applications.Chrome.History

Enumerate the user's Chrome history.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - historyGlobs
     - ``\AppData\Local\Google\Chrome\User Data\*\Hi …``
     -
   * - urlSQLQuery
     - ``SELECT url as visited_url, title, visit_count, …``
     -
   * - userRegex
     - ``.``
     -

Windows.Applications.OfficeMacros

Office macros are a favourite initial infection vector. Many users click through the warning dialogs.

This artifact scans through the given directory glob for common office files. We then try to extract any embedded macros by parsing the OLE file structure.

If a macro calls an external program (e.g. Powershell) this is very suspicious!

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - officeExtensions
     - ``*.{xls,xlsm,doc,docx,ppt,pptm}``
     -
   * - officeFileSearchGlob
     - ``C:\Users\**\``
     - The directory to search for office documents.

Windows.Attack.ParentProcess

Maps the MITRE ATT&CK framework process executions into artifacts.

References:

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - lookupTable
     - ``ProcessName,ParentRegex\nsmss.exe,System\nruntimeb …``
     -

Windows.Attack.Prefetch

Maps the Mitre Att&ck framework process executions into artifacts. This pack was generated from https://github.com/teoseller/osquery-attck


Windows.Collectors.File

Collects files using a set of globs. All globs must be on the same device. The globs will be searched in one pass - so you can provide many globs at the same time.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - collectionSpec
     - CSV with header ``Glob`` and the row ``Users\*\NTUser.dat``
     - A CSV file with a Glob column with all the globs to collect. NOTE: Globs must not have a leading device since the device will depend on the VSS.
   * - RootDevice
     - ``C:``
     - The device to apply all the globs on.
   * - Accessor
     - ``lazy_ntfs``
     -

Windows.Collectors.VSS

Collects files with VSS deduplication.

Volume shadow copies are a Windows feature where file system snapshots can be made at various times. When collecting files it is useful to go back through the VSS to see older versions of critical files.

At the same time we don't want to collect multiple copies of the same data.

This artifact runs the provided globs over all the VSS and collects the unique modified time + path combinations.

If a file was modified in a previous VSS copy, this artifact will retrieve it from multiple shadow copies.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - collectionSpec
     - CSV with header ``Glob`` and the row ``Users\*\NTUser.dat``
     - A CSV file with a Glob column with all the globs to collect. NOTE: Globs must not have a leading device since the device will depend on the VSS.
   * - RootDevice
     - ``C:``
     - The device to apply all the globs on.
   * - Accessor
     - ``lazy_ntfs``
     -
   * - VSSDateRegex
     - ``.``
     -

Windows.EventLogs.AlternateLogon

Logon specifying alternate credentials (if NLA is enabled on the destination). The artifact reports the current logged-on user name, the alternate user name, the destination host name/IP and the process name.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - securityLogFile
     - ``C:/Windows/System32/Winevt/Logs/Security.evtx``
     -

Windows.EventLogs.DHCP

This artifact parses the Windows DHCP client event log looking for evidence of IP address assignments.

In some investigations it is important to be able to identify the machine which was assigned a particular IP address at a point in time. Usually these logs are available from the DHCP server, but in many cases the server logs are not available (for example, if the endpoint was visiting a different network or the DHCP server is on a wireless router with no log retention).

On Windows, there are two types of logs:

  1. The first type is the admin log (Microsoft-Windows-Dhcp-Client%4Admin.evtx). These only contain errors such as an endpoint trying to continue its lease, but the lease is rejected by the server.

  2. The operational log (Microsoft-Windows-Dhcp-Client%4Operational.evtx) contains the full log of each lease. Unfortunately this log is disabled by default. If it is available we can rely on the information.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - eventDirGlob
     - ``C:\Windows\system32\winevt\logs\``
     -
   * - adminLog
     - ``Microsoft-Windows-Dhcp-Client%4Admin.evtx``
     -
   * - operationalLog
     - ``Microsoft-Windows-Dhcp-Client%4Operational.evtx``
     -
   * - accessor
     - ``file``
     -

Windows.EventLogs.Kerbroasting

Description: This artifact will return all successful Kerberos TGS ticket events for service accounts (SPN attribute) implemented with weak encryption. These tickets are vulnerable to brute force attack and this event is an indicator of a Kerberoasting attack.

ATT&CK: T1208 - Kerberoasting

Typical attacker methodology is to first request accounts in the domain with SPN attributes, then request an insecure TGS ticket for brute forcing. This attack is particularly effective as any domain credentials can be used to implement the attack and service accounts often have elevated privileges. Kerberoasting can be used for privilege escalation or persistence by adding an SPN attribute to an unexpected account.

Reference: The Art of Detecting Kerberoast Attacks

Detection conditions:

- Log Source: Windows Security Event Log (Domain Controllers)
- Event ID: 4769
- Status: 0x0 (Audit Success)
- Ticket Encryption: 0x17 (RC4)
- Service Name: NOT krbtgt and NOT a system account (account name ends in $)
- TargetUserName: NOT a system account ($@)

Monitor and alert on unusual events with these conditions from an unexpected IP. Note: There are potential false positives, so whitelist normal source IPs and manage the risk of insecure ticket generation.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - eventLog
     - ``C:\Windows\system32\winevt\logs\Security.evtx``
     -
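The detection conditions listed above applied to parsed Event ID 4769 records, as an added Python example (not the artifact's VQL and not Velociraptor code). The events are constructed dictionaries keyed by the EventData field names of Security event 4769 (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress); the allow-list of source IPs stands in for the whitelisting the text recommends and is an assumption of the example, as are the function names.

```python
"""Kerberoasting candidate filter over Event ID 4769 records.

Added example for Windows.EventLogs.Kerbroasting. The event dicts below are
constructed; field names follow the 4769 EventData schema.
"""

RC4_HMAC = "0x17"      # TicketEncryptionType for RC4-HMAC tickets
AUDIT_SUCCESS = "0x0"  # Status code of a successfully issued TGS ticket


def is_kerberoast_candidate(ev, ip_allowlist=frozenset()):
    """Return True if one event meets every condition from the artifact text."""
    if ev.get("EventID") != 4769:
        return False
    if ev.get("Status") != AUDIT_SUCCESS:
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    service = ev.get("ServiceName", "")
    # Service Name: NOT krbtgt and NOT a system account (ends in $)
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    # TargetUserName: NOT a system account, i.e. not of the form HOST$@REALM
    target = ev.get("TargetUserName", "")
    if target.split("@", 1)[0].endswith("$"):
        return False
    # Whitelisted source IPs are suppressed to manage false positives
    if ev.get("IpAddress") in ip_allowlist:
        return False
    return True


def find_kerberoast_events(events, ip_allowlist=frozenset()):
    """Filter a sequence of parsed events down to Kerberoasting candidates."""
    return [ev for ev in events if is_kerberoast_candidate(ev, ip_allowlist)]


def _ev(target, service, enc=RC4_HMAC, status=AUDIT_SUCCESS, ip="::ffff:10.0.0.5"):
    """Build one constructed 4769 record (test data only)."""
    return {"EventID": 4769, "TargetUserName": target, "ServiceName": service,
            "TicketEncryptionType": enc, "Status": status, "IpAddress": ip}


# Constructed sample: only the first and last records satisfy all conditions.
SAMPLE_EVENTS = [
    _ev("alice@CORP.EXAMPLE", "svc_sql"),                        # candidate
    _ev("alice@CORP.EXAMPLE", "krbtgt"),                         # TGT, not TGS abuse
    _ev("alice@CORP.EXAMPLE", "WS01$"),                          # machine account service
    _ev("WS02$@CORP.EXAMPLE", "svc_sql"),                        # machine account requester
    _ev("alice@CORP.EXAMPLE", "svc_sql", enc="0x12"),            # AES256, not weak
    _ev("alice@CORP.EXAMPLE", "svc_sql", status="0xe"),          # not audit success
    _ev("bob@CORP.EXAMPLE", "svc_web", ip="::ffff:10.0.0.9"),    # candidate, known host
]

if __name__ == "__main__":
    for ev in find_kerberoast_events(SAMPLE_EVENTS):
        print(ev["IpAddress"], ev["TargetUserName"], "->", ev["ServiceName"])
```

Passing a set of known-good source addresses to ``find_kerberoast_events`` implements the whitelisting step; the remaining hits are the ones worth alerting on, and a single workstation requesting RC4 tickets for many distinct service accounts in a short interval is the pattern the reference describes.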

Windows.EventLogs.PowershellScriptblock

This artifact will search and extract ScriptBlock events (Event ID 4104) from the PowerShell-Operational event logs.

PowerShell is commonly used by attackers across all stages of the attack lifecycle. A valuable hunt is to search ScriptBlock logs for signs of malicious content.

There are several parameters available for search leveraging regex:

- dateAfter enables search for events after this date.
- dateBefore enables search for events before this date.
- SearchStrings enables regex search over the scriptblock text field.
- stringWhiteList enables a regex whitelist for the scriptblock text field.
- pathWhitelist enables a regex whitelist for the path of the scriptblock.
- LogLevel enables searching on the type of log. The default is the Warning level, which is logged even if ScriptBlock logging is turned off when suspicious keywords are detected by the PowerShell interpreter.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - eventLog
     - ``C:\Windows\system32\winevt\logs\Microsoft-Win …``
     -
   * - dateAfter
     -
     - Search for events after this date. YYYY-MM-DDTmm:hh:ss Z
   * - dateBefore
     -
     - Search for events before this date. YYYY-MM-DDTmm:hh:ss Z
   * - searchStrings
     -
     - Regex search over the scriptblock text field.
   * - stringWhitelist
     -
     - Regex of strings to whitelist.
   * - pathWhitelist
     -
     - Regex of paths to whitelist.
   * - LogLevel
     - ``Warning``
     - Log level. Warning is the PowerShell default bad keyword list.

Windows.EventLogs.ServiceCreationComspec

This detection hits on the string "COMSPEC" (nocase) in Windows service creation events, that is, EventID 7045 from the System event log.

This detects many hack tools that leverage SCM based lateral movement, including smbexec.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - eventLog
     - ``C:\Windows\system32\winevt\logs\System.evtx``
     -
   * - accessor
     - ``ntfs``
     -

Windows.Memory.Acquisition

Acquires a full memory image. We download winpmem and use it to acquire a full memory image.

NOTE: This artifact usually takes a long time. You should increase the default timeout to allow it to complete.


Windows.NTFS.I30

Carve the $I30 index stream for a directory.

This can reveal previously deleted files. Optionally upload the I30 stream to the server as well.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - DirectoryGlobs
     - ``C:\Users\``
     -

Windows.NTFS.MFT

This artifact scans the $MFT file on the host showing all files within the MFT. This is useful in order to try and recover deleted files. Take the MFT ID of a file of interest and provide it to the Windows.NTFS.Recover artifact.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - MFTFilename
     - ``C:/$MFT``
     -
   * - Accessor
     - ``ntfs``
     -
   * - FilenameRegex
     - ``.``
     -

Windows.NTFS.Recover

Attempt to recover deleted files.

This artifact uploads all streams from an MFT ID. If the MFT entry is not allocated there is a chance that the clusters that contain the actual data of the file are still intact on the disk. Therefore this artifact can be used to attempt to recover a deleted file.

A common use is to recover deleted directory entries using the Windows.NTFS.I30 artifact and identify MFT entries of interest. This artifact can then be used to attempt to recover some data.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - MFTId
     - ``81978``
     -
   * - Drive
     - ``\\.\C:``
     -

Windows.Network.ArpCache

Address resolution cache, both static and dynamic (from ARP, NDP).

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - wmiQuery
     - ``SELECT AddressFamily, Store, State, InterfaceIndex …``
     -
   * - wmiNamespace
     - ``ROOT\StandardCimv2``
     -
   * - kMapOfState
     - ``{ "0": "Unreachable", "1": "Incomplete", "2" …``
     -

Windows.Network.InterfaceAddresses

Network interfaces and relevant metadata.


Windows.Network.ListeningPorts

Processes with listening (bound) network sockets/ports.


Windows.Network.Netstat

Show information about open sockets. On Windows the time when the socket was first bound is also shown.

Windows.Network.NetstatEnriched

NetstatEnhanced adds additional data points to the Netstat artifact and enables verbose search options.

Examples include: process name and path, Authenticode information or network connection details.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - IPRegex
     - ``.*``
     - Regex search over IP address fields.
   * - PortRegex
     - ``.*``
     - Regex search over port fields.
   * - Family
     - ``ALL``
     - IP version family selection
   * - Type
     - ``ALL``
     - Transport protocol type selection
   * - Status
     - ``ALL``
     - TCP status selection
   * - ProcessNameRegex
     - ``.*``
     - Regex search over source process name
   * - ProcessPathRegex
     - ``.*``
     - Regex search over source process path
   * - CommandLineRegex
     - ``.*``
     - Regex search over source process command line
   * - HashRegex
     - ``.*``
     - Regex search over source process hash
   * - UsernameRegex
     - ``.*``
     - Regex search over source process user context
   * - AuthenticodeSubjectRegex
     - ``.*``
     - Regex search over source Authenticode Subject
   * - AuthenticodeIssuerRegex
     - ``.*``
     - Regex search over source Authenticode Issuer
   * - AuthenticodeVerified
     - ``ALL``
     - Authenticode signature selection

Windows.Packs.Autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.


Windows.Packs.LateralMovement

Detect evidence of lateral movement.


Windows.Packs.Persistence

This artifact pack collects various persistence mechanisms in Windows.


Windows.Registry.AppCompatCache

Parses the system’s app compatibility cache.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - AppCompatCacheKey
     - ``HKEY_LOCAL_MACHINE/System/ControlSet*/Control/Sess …``
     -

Windows.Registry.EnableUnsafeClientMailRules

Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on). This registry value enables execution from Outlook inbox rules, which can be used as a persistence mechanism. Microsoft has released a patch to disable execution, but attackers can re-enable it by changing this value to 1.

Expected value: ``HKEY_USERS\*\Software\Microsoft\Office\*\Outlook\Security\EnableUnsafeClientMailRules = 0``

See https://support.microsoft.com/en-us/help/3191893/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - KeyGlob
     - ``Software\Microsoft\Office\*\Outlook\Security\ …``
     -
   * - userRegex
     - ``.``
     -

Windows.Registry.EnabledMacro

Checks for Registry key indicating macro was enabled by user.

Checks the ``HKEY_USERS\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords`` registry keys for values ending in FFFFFF7F.

See http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - KeyGlob
     - ``Software\Microsoft\Office\*\*\Security\Trust …``
     -
   * - userRegex
     - ``.``
     -

Windows.Registry.MountPoints2

This detection will collect any items in the MountPoints2 registry key with a "$" in the share path. This key stores all remotely mapped drives unless removed, so it is a great hunt for simple admin $ share mapping based lateral movement.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - KeyGlob
     - ``Software\Microsoft\Windows\CurrentVersion\Expl …``
     -

Windows.Registry.NTUser

This artifact searches for keys or values within the user’s NTUser.dat registry hives.

When a user logs into a Windows machine the system creates their own "profile", which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in. If the user is not logged in, the file is not mapped at all.

This artifact bypasses the locking mechanism by parsing the raw NTFS filesystem to recover the registry hives. We then parse the registry hives to search for the glob provided.

This artifact is designed to be reused by other artifacts that need to access user data.

Any artifacts that look into the HKEY_USERS registry hive should be using the Windows.Registry.NTUser artifact instead of accessing the hive via the API. The API only makes the currently logged in users available in that hive and so if we rely on the windows API we will likely miss any settings for users not currently logged on.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - KeyGlob
     - ``Software\Microsoft\Windows\CurrentVersion\Expl …``
     -
   * - userRegex
     - ``.``
     -

Windows.Registry.NTUser.Upload

This artifact collects all the user’s NTUser.dat registry hives.

When a user logs into a Windows machine the system creates their own "profile", which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in.

This artifact bypasses the locking mechanism by extracting the registry hives using raw NTFS parsing. We then just upload all hives to the server.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - userRegex
     - ``.``
     -

Windows.Registry.PortProxy

Description: This artifact will return any items in the Windows PortProxy service registry path. The most common configuration of this service is via the lolbin netsh.exe; Metasploit and other common attack tools also have configuration modules.

Reference: Port Proxy detection

ATT&CK: T1090 - Connection Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - KeyGlob
     - ``HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\services …``
     -

Windows.Registry.Sysinternals.Eulacheck

Checks for the accepted Sysinternals EULA from the registry key ``HKCU\Software\Sysinternals\[TOOL]\``. When a Sysinternals tool is first run on a system, the EULA must be accepted. This writes a value called EulaAccepted under that key.

Note: This artifact uses HKEY_USERS and therefore will not detect users that are not currently logged on.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Sysinternals_Reg_Key
     - ``HKEY_USERS\*\Software\Sysinternals\*``
     -
   * - userRegex
     - ``.``
     -

Windows.Registry.UserAssist

Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys.

The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command line (cmd.exe) do not appear in these registry keys.

From a forensics perspective, being able to decode this information can be very useful.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UserFilter
     -
     - If specified we filter by this user ID.
   * - ExecutionTimeAfter
     -
     - If specified only show executions after this time.
   * - UserAssistKey
     - ``Software\Microsoft\Windows\CurrentVersion\Expl …``
     -
   * - userAssistProfile
     - ``{ "Win10": [0, { "NumberOfExecutions": [4, …``
     -

Windows.Remediation.ScheduledTasks

Remove malicious task from the Windows scheduled task list.

Danger: You need to make sure to test this before running.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - script
     - ``Unregister-ScheduledTask -TaskName "%s" -Confirm:$ …``
     -
   * - TasksPath
     - ``c:/Windows/System32/Tasks/**``
     -
   * - ArgumentRegex
     - ``ThisIsAUniqueName``
     -
   * - CommandRegEx
     - ``ThisIsAUniqueName``
     -
   * - ReallyDoIt
     - ``N``
     -

Windows.Search.FileFinder

Find files on the filesystem using the filename or content.

Performance Note

This artifact can be quite expensive, especially if we search file content. It will require opening each file and reading its entire content. To minimize the impact on the endpoint we recommend this artifact is collected in a rate-limited way (about 20-50 ops per second).

This artifact is useful in the following scenarios:

  • We need to locate all the places on our network where customer data has been copied.

  • We’ve identified malware in a data breach, named using short random strings in specific folders and need to search for other instances across the network.

  • We believe our user account credentials have been dumped and need to locate them.

  • We need to search for exposed credit card data to satisfy PCI requirements.

  • We have a sample of data that has been disclosed and need to locate other similar files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - SearchFilesGlob
     - ``C:\Users\**``
     - Use a glob to define the files that will be searched.
   * - Keywords
     - ``None``
     - A comma delimited list of strings to search for.
   * - Use_Raw_NTFS
     - ``N``
     -
   * - Upload_File
     - ``N``
     -
   * - Calculate_Hash
     - ``N``
     -
   * - MoreRecentThan
     -
     -
   * - ModifiedBefore
     -
     -

Windows.Timeline.Prefetch

Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the executable to make it faster to run next time. By parsing this information we are able to determine when binaries were run in the past. On Windows 10 we can see the last 8 execution times and the creation time (9 potential executions).

This artifact is a timelined output version of the standard Prefetch artifact. There are several parameters available:

- dateAfter enables search for prefetch evidence after this date.
- dateBefore enables search for prefetch evidence before this date.
- binaryRegex enables filtering on binary name, e.g. evil.exe.
- hashRegex enables filtering on prefetch hash.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - prefetchGlobs
     - ``C:\Windows\Prefetch\*.pf``
     -
   * - dateAfter
     -
     - Search for events after this date. YYYY-MM-DDTmm:hh:ssZ
   * - dateBefore
     -
     - Search for events before this date. YYYY-MM-DDTmm:hh:ssZ
   * - binaryRegex
     -
     - Regex of executable name.
   * - hashRegex
     -
     - Regex of prefetch hash.

Windows.Utils.DownloadBinaries

This server side artifact downloads the external binary blobs we require into the server’s public directory. We also update the inventory and the hashes.

You need to run this artifact at least once after installation to populate the third party binary store. Many client side artifacts depend on this.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - binaryList
     - ``Tool,Type,URL,Filename\nAutorun,amd64,https://live``
     -

Windows.Utils.FetchBinary

A utility artifact which fetches a binary from a URL and caches it on disk. We verify the hash of the binary on disk and if it does not match we fetch it again from the source URL. This artifact is designed to be called from other artifacts. The binary path will be emitted in the FullPath column.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - binaryURL
     -
     - Specify this as the base of the binary store (if empty we use the server's public directory).
   * - ToolName
     - ``Autorun``
     -

Windows.Utils.UpdatePublicHashes

The server maintains a public directory which can be served to all endpoints. The public directory should be initially populated by running the Windows.Utils.DownloadBinaries artifact. It is possible to manually edit the content of this directory but you will need to update the hashes.

Clients maintain their local cache of the files and they use the hash to tell if their local copy is out of date.

This artifact will regenerate the inventory file by re-calculating the hashes of all files in the public directory.

You need to run this artifact on the server if you manually edit the content of the public directory.
