Miscellaneous Artifacts

Various Artifacts which do not fit into other categories.

Demo.Plugins.Fifo

This is a demo of the fifo() plugin. The Fifo plugin collects and caches rows from its inner query. Every subsequent execution of the query then reads from the cache. The plugin will expire old rows depending on its expiration policy - so we always see recent rows.

You can use this to build queries which consider historical events together with current events at the same time. In this example, we check for a successful logon preceded by a number of failed logon attempts.

In this example, we use the clock() plugin to simulate events. We simulate failed logon attempts using the clock() plugin every second. By feeding the failed logon events to the fifo() plugin we ensure the fifo() plugin cache contains the last 5 failed logon events.

We simulate a successful logon event every 3 seconds, again using the clock plugin. Once a successful logon event is detected, we go back over the last 5 login events, count them and collect the last failed logon times (using the GROUP BY operator we group the FailedTime for every unique SuccessTime).

If we receive more than 3 events, we emit the row.

This now represents a high value signal! It will only occur when a successful logon event is preceded by at least 3 failed logon events in the last hour. It is now possible to escalate this on the server via email or other alerts.

Here is sample output:

.. code-block:: json

   {
     "Count": 5,
     "FailedTime": [
       1549527272,
       1549527273,
       1549527274,
       1549527275,
       1549527276
     ],
     "SuccessTime": 1549527277
   }

Of course in the real artifact we would want to include more information than just times (i.e. who logged on to where etc).
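The detection described above, re-implemented in plain Python as an added example (this is not the artifact's own VQL and does not use Velociraptor's fifo() or clock() plugins): a bounded cache of failed-logon times with an age-based expiry, checked on every successful logon. The 5-row cache, one-hour expiry and "more than 3" threshold follow the text; the event stream is constructed.

```python
from collections import deque

MAX_ROWS = 5      # the artifact caches the last 5 failed logon events
MAX_AGE = 3600    # expiry policy: drop rows older than an hour
THRESHOLD = 3     # emit a row only when more than 3 failures precede the success


class FifoCache:
    """Model of fifo(): keeps at most max_rows rows, dropping the oldest,
    and expires rows by age when they are read back."""

    def __init__(self, max_rows=MAX_ROWS, max_age=MAX_AGE):
        self.rows = deque(maxlen=max_rows)
        self.max_age = max_age

    def push(self, ts):
        self.rows.append(ts)

    def recent(self, now):
        # Rows older than max_age relative to the current event are expired.
        return [t for t in self.rows if now - t <= self.max_age]


def detect(events, threshold=THRESHOLD):
    """events: (timestamp, kind) pairs, kind being 'failed' or 'success'.
    Returns the rows the artifact would emit, in the shape of the sample output."""
    cache = FifoCache()
    emitted = []
    for ts, kind in sorted(events):
        if kind == "failed":
            cache.push(ts)           # feed failed logons into the fifo
        elif kind == "success":
            failed = cache.recent(ts)
            if len(failed) > threshold:
                emitted.append({"Count": len(failed),
                                "FailedTime": failed,
                                "SuccessTime": ts})
    return emitted


# Constructed event stream: five failures one second apart, then a success
# (mirroring the sample output above), and a lone success over an hour later
# whose cached failures have all expired.
SAMPLE = [(1549527272 + i, "failed") for i in range(5)] + [
    (1549527277, "success"),
    (1549540000, "success"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE):
        print(row)
```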


Demo.Plugins.GUI

A demo plugin showing some GUI features.

============== ============ ===========
Arg            Default      Description
============== ============ ===========
ChoiceSelector First Choice
Flag           Y
OffFlag
StartDate
============== ============ ===========

Elastic.Events.Clients

This server monitoring artifact will watch a selection of client monitoring artifacts for new events and push those to an elastic index.

NOTE: You must ensure you are collecting these artifacts from the clients by adding them to the “Client Events” GUI.

============================= ====================== =================================================
Arg                           Default                Description
============================= ====================== =================================================
WindowsDetectionPsexecService                        Upload Windows.Detection.PsexecService to Elastic
WindowsEventsDNSQueries                              Upload Windows.Events.DNSQueries to Elastic
WindowsEventsProcessCreation                         Upload Windows.Events.ProcessCreation to Elastic
WindowsEventsServiceCreation                         Upload Windows.Events.ServiceCreation to Elastic
ElasticAddresses              http://127.0.0.1:9200/
============================= ====================== =================================================

Elastic.Flows.Upload

This server side event monitoring artifact waits for new artifacts to be collected from endpoints and automatically uploads those to an elastic server.

We use the artifact name as the name of the index. This allows users to adjust the index size/lifetime according to the artifact it is holding.

================= ====================== ======================================
Arg               Default                Description
================= ====================== ======================================
ArtifactNameRegex .                      Only upload these artifacts to elastic
elasticAddresses  http://127.0.0.1:9200/
================= ====================== ======================================

Generic.Applications.Office.Keywords

Microsoft Office documents, among other document formats (such as LibreOffice), are actually stored in zip files. The zip file contains the document encoded as XML in a number of zip members.

This makes it difficult to search for keywords within office documents because the ZIP files are typically compressed.

This artifact searches for office documents by file extension and glob, then uses the zip filesystem accessor to launch a yara scan against the uncompressed data of the document. Keywords are more likely to match when scanning the decompressed XML data.

The artifact returns a context around the keyword hit.

NOTE: The InternalMtime column shows the creation time of the zip member within the document which may represent when the document was initially created.

See:

  • https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
  • https://wiki.openoffice.org/wiki/Documentation/OOo3_User_Guides/Getting_Started/File_formats
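An added Python illustration (not the artifact's VQL or its yara rule) of why the scan has to run over the decompressed zip members: a constructed docx-like zip is built in memory, searched once as raw file bytes and once member by member, returning the context around the hit and the member's internal timestamp (the InternalMtime idea). The member name and timestamp are sample values chosen here.

```python
import io
import re
import zipfile

KEYWORD = b"secret"   # the string the artifact's default yara rule looks for
CONTEXT = 20          # bytes of context returned either side of a hit


def build_sample_docx():
    """Constructed stand-in for a .docx: a zip holding word/document.xml."""
    paras = [b"Quarterly numbers are attached.",
             b"The project codename is secret and must not leak.",
             b"Please do not forward this file."]
    body = b"".join(b"<w:p><w:r><w:t>" + p + b"</w:t></w:r></w:p>" for p in paras)
    xml = b"<w:document><w:body>" + body + b"</w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Office stores members DEFLATE-compressed; a fixed timestamp is used
        # so the member's internal mtime is predictable (sample value).
        info = zipfile.ZipInfo("word/document.xml", date_time=(2019, 2, 7, 9, 30, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, xml)
    return buf.getvalue()


def scan_raw(blob, keyword=KEYWORD):
    """Scan the on-disk bytes as-is: the keyword sits inside a DEFLATE
    stream, so a plain byte search does not find it."""
    return blob.find(keyword) != -1


def scan_members(blob, keyword=KEYWORD, context=CONTEXT):
    """Open the document as a zip (what the zip accessor does) and scan each
    member's decompressed data, returning context around every hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for m in re.finditer(re.escape(keyword), data, re.IGNORECASE):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append({
                    "Member": info.filename,
                    "Context": data[lo:hi].decode("utf-8", "replace"),
                    "InternalMtime": info.date_time,
                })
    return hits
```

Calling scan_raw() on build_sample_docx() returns False while scan_members() returns the single hit with its surrounding XML, which is the difference the artifact relies on.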

============= ==================================================== ===========
Arg           Default                                              Description
============= ==================================================== ===========
documentGlobs /*.{docx,docm,dotx,dotm,docb,xlsx,xlsm,xltx,xltm,p …
searchGlob    C:\Users\**
yaraRule      rule Hit {\n strings:\n $a = “secret” wide noc …
============= ==================================================== ===========

Generic.Client.Info

Collect basic information about the client.

This artifact is collected when any new client is enrolled into the system. Velociraptor will watch for this artifact and populate its internal indexes from this artifact as well.

You can edit this artifact to enhance the client’s interrogation information as required.


Generic.Client.Profile

This artifact collects profiling information about the running client. This is useful when you notice a high CPU load in the client and want to know why.

The following options are most useful:

  1. Goroutines: This shows the backtraces of all currently running goroutines. It will generally show most of the code working in the current running set of queries.

  2. Heap: This shows all allocations currently in use and where they are allocated from. This is useful if the client is taking too much memory.

  3. Profile: This takes a CPU profile of the running process for the number of seconds specified in the Duration parameter. You can read profiles using:

     .. code-block:: shell

        go tool pprof -callgrind -output=profile.grind profile.bin
        kcachegrind profile.grind

Note that this really only makes sense when another query is running at the same time, since this artifact itself will not be doing very much other than measuring the state of the process.

========= ======= ===============================================================
Arg       Default Description
========= ======= ===============================================================
Allocs            A sampling of all past memory allocations
Block             Stack traces that led to blocking on synchronization primitives
Goroutine         Stack traces of all current goroutines
Heap              A sampling of memory allocations of live objects
Mutex             Stack traces of holders of contended mutexes
Profile           CPU profile
Trace             CPU trace
Verbose           Print more detail
Duration  30      Duration of sampling for Profile and Trace.
========= ======= ===============================================================

Generic.Client.Stats

An Event artifact which generates client’s CPU and memory statistics.

========= ======= =====================================
Arg       Default Description
========= ======= =====================================
Frequency 10      Return stats every this many seconds.
========= ======= =====================================

Generic.Forensic.Carving.URLs

Carve URLs from files located in a glob. Note that we do not parse any files - we simply carve anything that looks like a URL.

======= ==================================================== ===========
Arg     Default                                              Description
======= ==================================================== ===========
UrlGlob [“C:/Documents and Settings/*/Local Settings/Appli …
======= ==================================================== ===========

Generic.Forensic.Timeline

This artifact generates a timeline of a file glob in bodyfile format. We currently do not calculate the md5 because it is quite expensive.

================ =========== ===========
Arg              Default     Description
================ =========== ===========
timelineGlob     C:\Users\**
timelineAccessor file
================ =========== ===========

Generic.Utils.FetchBinary

A utility artifact which fetches a binary from a URL and caches it on disk. We verify the hash of the binary on disk and if it does not match we fetch it again from the source URL.

This artifact is designed to be called from other artifacts. The binary path will be emitted in the FullPath column.

When an artifact is launched with a declared “required_tools” field, the server populates the following environment variables:

  • Tool__HASH - The hash of the binary
  • Tool__FILENAME - The filename to store it under
  • Tool__URL - The source URL

============= ============= ===========================================
Arg           Default       Description
============= ============= ===========================================
ToolName      Autorun_amd64
SleepDuration 20            A time to sleep before fetching the binary.
============= ============= ===========================================

MacOS.Detection.Autoruns

This artifact collects evidence of autoruns. We also capture the files and upload them.

This code is based on https://github.com/CrowdStrike/automactc/blob/master/modules/mod_autoruns_v102.py

======================= ===================================================== ===========
Arg                     Default                                               Description
======================= ===================================================== ===========
sandboxed_loginitems    /var/db/com.apple.xpc.launchd/disabled.*.plist
cronTabGlob             /private/var/at//tabs/*
LaunchAgentsDaemonsGlob ["/System/Library/LaunchAgents/*.plist","/Library/ …
ScriptingAdditionsGlobs ["/System/Library/ScriptingAdditions/*.osax","/Lib …
StartupItemsGlobs       ["/System/Library/StartupItems//","/Library/Star …
MiscItemsGlobs          ["/private/etc/periodic.conf", "/private/etc/perio …
LoginItemsGlobs         ["/Users/*/Library/Preferences/com.apple.loginitem …
======================= ===================================================== ===========

MacOS.System.Users

This artifact collects information about the local users on the system. The information is stored in plist files.

================= ==================================================== ===========
Arg               Default                                              Description
================= ==================================================== ===========
UserPlistGlob     /private/var/db/dslocal/nodes/Default/users/*.plis …
OnlyShowRealUsers Y
================= ==================================================== ===========

Network.ExternalIpAddress

Detect the external IP address of the endpoint.

=========== =============================== ==========================================
Arg         Default                         Description
=========== =============================== ==========================================
externalUrl http://www.myexternalip.com/raw The URL of the external IP detection site.
=========== =============================== ==========================================

Reporting.Default

A default template for HTML export. This template will be used to host html exports such as the notebook and the reporting templates. Velociraptor will evaluate this template on the following dict:

  • key main: contains a string with all the results of rendering the notebook inside.

Notes

  1. All HTML elements are allowed in an HTML template.

  2. It is possible to run arbitrary VQL (and therefore arbitrary code) inside HTML templates. Therefore to modify this you will need the SERVER_ARTIFACT_WRITER permission.


Reporting.Hunts.Details

Report details about which client ran each hunt, how long it took and if it has completed.


Windows.Analysis.EvidenceOfExecution

In many investigations it is useful to find evidence of program execution.

This artifact combines the findings of several other collectors into an overview of all program execution artifacts. The associated report walks the user through the analysis of the findings.


Windows.Application.TeamViewer.Incoming

Parses the TeamViewer Connections_incoming.txt log file.

When inbound logging is enabled, this file will show all inbound TeamViewer connections.

================= ================================================= ==========================================================
Arg               Default                                           Description
================= ================================================= ==========================================================
FileGlob          C:\Program Files (x86)\TeamViewer\Connections_i …
DateAfter                                                           search for events after this date. YYYY-MM-DDTmm:hh:ss Z
DateBefore                                                          search for events before this date. YYYY-MM-DDTmm:hh:ss Z
TeamViewerIDRegex .                                                 Regex of TeamViewer ID
SourceHostRegex   .                                                 Regex of source host
UserRegex         .                                                 Regex of user
SearchVSS                                                           Add VSS into query.
================= ================================================= ==========================================================

Windows.Attack.ParentProcess

Maps the Mitre Att&ck framework process executions into artifacts.

References:

=========== ==================================================== ===========
Arg         Default                                              Description
=========== ==================================================== ===========
lookupTable ProcessName,ParentRegex\nsmss.exe,System\nruntimeb …
=========== ==================================================== ===========

Windows.Attack.Prefetch

Maps the Mitre Att&ck framework process executions into artifacts. This pack was generated from https://github.com/teoseller/osquery-attck


Windows.Memory.Acquisition

Acquires a full memory image. We download winpmem and use it to acquire a full memory image.

NOTE: This artifact usually takes a long time. You should increase the default timeout to allow it to complete.


Windows.Packs.Autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.


Windows.Packs.LateralMovement

Detect evidence of lateral movement.


Windows.Packs.Persistence

This artifact pack collects various persistence mechanisms in Windows.


Windows.Search.FileFinder

Find files on the filesystem using the filename or content.

Performance Note

This artifact can be quite expensive, especially if we search file content. It will require opening each file and reading its entire content. To minimize the impact on the endpoint we recommend this artifact is collected in a rate limited way (about 20-50 ops per second).

This artifact is useful in the following scenarios:

  • We need to locate all the places on our network where customer data has been copied.

  • We’ve identified malware in a data breach, named using short random strings in specific folders and need to search for other instances across the network.

  • We believe our user account credentials have been dumped and need to locate them.

  • We need to search for exposed credit card data to satisfy PCI requirements.

  • We have a sample of data that has been disclosed and need to locate other similar files.

=============== =========== =====================================================
Arg             Default     Description
=============== =========== =====================================================
SearchFilesGlob C:\Users\** Use a glob to define the files that will be searched.
Accessor        auto        The accessor to use
YaraRule        None        A yara rule to search for matching files.
Upload_File     N
Calculate_Hash  N
MoreRecentThan
ModifiedBefore
=============== =========== =====================================================

Windows.Search.VSS

This artifact will find all relevant files in the VSS. It is typically used to output deduplicated paths for processing by other artifacts.

Input either search Glob or FullPath. Output is standard Glob results with additional fields: SHA1 hash for deduplication, Type for prioritisation, and Deduped to indicate if FullPath has been deduped with another row.

=============== ============================================= =====================================================
Arg             Default                                       Description
=============== ============================================= =====================================================
SearchFilesGlob C:\Windows\System32\winevt\Logs\Security.evtx Use a glob to define the files that will be searched.
=============== ============================================= =====================================================

Windows.Search.Yara

Searches for a specific malicious file or set of files by a Yara rule.

You will need to upload your yara file using:

.. code-block:: shell

   velociraptor tools upload --name YaraRules my_yara_file.yara

========= ======== ===========
Arg       Default  Description
========= ======== ===========
nameRegex (exe txt
========= ======== ===========

Windows.Timeline.MFT

Output all filtered MFT records.

This Artifact enables querying the MFT with advanced filters such as time, path or other ntfs attributes.

Output is in Timeline field format to enable simple review across Timeline queries. The TimeOutput parameter configures which NTFS attribute timestamps are in focus as event_time, for example: STANDARD_INFORMATION (4), FILE_NAME (4) or ALL (8).

This artifact also has the same anomaly logic as AnalyzeMFT added to each row to assist analysis.

============= ==================== ========================================================
Arg           Default              Description
============= ==================== ========================================================
MFTFilename   C:/$MFT
Accessor      ntfs
PathRegex     .                    regex search over FullPath.
NameRegex     .                    regex search over File Name
Inode                              search for inode
DateAfter                          search for events after this date. YYYY-MM-DDTmm:hh:ssZ
DateBefore                         search for events before this date. YYYY-MM-DDTmm:hh:ssZ
SizeMax                            Entries in the MFT over this size in bytes.
SizeMin                            Entries in the MFT under this size in bytes.
EntryType     Both                 Type of entry. File, Directory or Both.
AllocatedType Both                 Type of entry. Allocated, Unallocated or Both.
TimeOutput    STANDARD_INFORMATION Timestamps to output as event_time. SI, FN or both. NOTE: both will output 8 rows per MFT entry.
============= ==================== ========================================================

Windows.Timeline.Prefetch

Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the executable to make it faster to run next time. By parsing this information we are able to determine when binaries were run in the past. On Windows 10 we can see the last 8 execution times and the creation time (9 potential executions).

This artifact is a timelined output version of the standard Prefetch artifact. Several parameters are available:

  • dateAfter searches for prefetch evidence after this date.
  • dateBefore searches for prefetch evidence before this date.
  • binaryRegex filters on the binary name, e.g. evil.exe.
  • hashRegex filters on the prefetch hash.

============= ======================== =======================================================
Arg           Default                  Description
============= ======================== =======================================================
prefetchGlobs C:\Windows\Prefetch\*.pf
dateAfter                              search for events after this date. YYYY-MM-DDTmm:hh:ssZ
dateBefore                             search for events before this date. YYYY-MM-DDTmm:hh:ssZ
binaryRegex                            Regex of executable name.
hashRegex                              Regex of prefetch hash.
============= ======================== =======================================================

Windows.Timeline.Registry.RunMRU

Output all available RunMRU registry keys in timeline format.

RunMRU records the commands a user enters into the START > Run prompt.
Entries will be logged in the user hive under: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The artifact numbers all entries by reg_mtime, with the most recent entry numbered 0, the second most recent 1, the third most recent 2, and so on.

By default the output has one line per MRU entry.
A tickbox enables grouped results, with the entries and their order on a single line.

Note: This artifact will collect RunMRU from ntuser.dat files and may exclude very recent entries in transaction (HKCU). Future versions of this content will address this gap.

============ ======= =========================================================
Arg          Default Description
============ ======= =========================================================
dateAfter            search for events after this date. YYYY-MM-DDTmm:hh:ss Z
dateBefore           search for events before this date. YYYY-MM-DDTmm:hh:ss Z
targetUser           target user regex
regexValue           regex search over RunMRU values.
groupResults         groups MRU entries to one message line
============ ======= =========================================================