Miscellaneous Artifacts

Admin.Client.Upgrade

Remotely push new client updates.

NOTE: The updates can be pulled from any web server. You need to ensure they are properly secured with SSL and at least a random nonce in their path. You may configure the Velociraptor server to serve these through the public directory.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - clientURL
     - ``http://127.0.0.1:8000/public/velociraptor.exe``
     -
   * - configURL
     - ``http://127.0.0.1:8000/public/client.config.yaml``
     -

Admin.Events.PostProcessUploads

Sometimes we would like to post process uploads collected as part of the hunt's artifact collections.

Post processing means to watch the hunt for completed flows and run a post processing command on the files obtained from each host.

The command will receive the list of paths of the files uploaded by the artifact. We don't actually care what the command does with those files; we simply relay its stdout/stderr to the artifact's result set.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - uploadPostProcessCommand
     - ``["/bin/ls", "-l"]``
     - The command to run. Must be a JSON array of strings! The list of files will be appended to the end of the command.
   * - uploadPostProcessArtifact
     - ``Windows.Registry.NTUser.Upload``
     - The name of the artifact to watch.

Admin.System.CompressUploads

Compresses all uploaded files.

When artifacts collect files they are normally stored on the server uncompressed. This artifact watches all completed flows and compresses the files in the file store when the flow completes. This is very useful for cloud based deployments with limited storage space or when collecting large files.

In order to run this artifact you would normally run it as part of an artifact acquisition process:

.. code-block:: console

   $ velociraptor --config /etc/server.config.yaml artifacts acquire Admin.System.CompressUploads

Note that there is nothing special about compressed files - you can also just run find and gzip in the file store. Velociraptor will automatically decompress the file when displaying it in the GUI text/hexdump etc.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - blacklistCompressionFilename
     - ``(?i).+ntuser.dat``
     - Filenames which match this regex will be excluded from compression.

Demo.Plugins.Fifo

This is a demo of the fifo() plugin. The fifo() plugin collects and caches rows from its inner query. Every subsequent execution of the query then reads from the cache. The plugin expires old rows according to its expiration policy, so we always see only recent rows.

You can use this to build queries which consider historical events together with current events at the same time. In this example, we check for a successful logon preceded by a number of failed logon attempts.

In this example, we use the clock() plugin to simulate events. We simulate failed logon attempts using the clock() plugin every second. By feeding the failed logon events to the fifo() plugin we ensure the fifo() plugin cache contains the last 5 failed logon events.

We simulate a successful logon event every 3 seconds, again using the clock plugin. Once a successful logon event is detected, we go back over the last 5 login events, count them and collect the last failed logon times (using the GROUP BY operator we group the FailedTime for every unique SuccessTime).

If we receive more than 3 events, we emit the row.

This now represents a high value signal! It will only occur when a successful logon event is preceded by at least 3 failed logon events in the last hour. It is now possible to escalate this on the server via email or other alerts.

Here is sample output:

.. code-block:: json

   {
     "Count": 5,
     "FailedTime": [
       1549527272,
       1549527273,
       1549527274,
       1549527275,
       1549527276
     ],
     "SuccessTime": 1549527277
   }

Of course, in a real artifact we would want to include more information than just times (e.g. who logged on to where).
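The detection logic the demo describes, written here as an added Python example rather than the artifact's own VQL (this code is not from the Velociraptor project): a bounded, age-expiring cache stands in for fifo(), and a constructed stream of failed and successful logon timestamps replaces the clock() plugin. The names ``FifoCache``, ``detect`` and ``run_sample`` and the constants are this example's own; the timestamps are the ones from the sample output above.

```python
from collections import deque

MAX_ROWS = 5       # like fifo(max_rows=5): keep only the last 5 failed logons
MAX_AGE = 3600     # like the artifact's one-hour window: expire older rows
THRESHOLD = 3      # emit a row only when more than 3 failures precede the success


class FifoCache:
    """Bounded, age-expiring cache of rows, standing in for the fifo() plugin.
    Rows are timestamps in seconds; 'now' is taken from the event stream."""

    def __init__(self, max_rows=MAX_ROWS, max_age=MAX_AGE):
        self.max_rows = max_rows
        self.max_age = max_age
        self.rows = deque()

    def push(self, ts):
        self.rows.append(ts)
        while len(self.rows) > self.max_rows:   # oldest rows fall off the front
            self.rows.popleft()
        self.expire(ts)

    def expire(self, now):
        while self.rows and now - self.rows[0] > self.max_age:
            self.rows.popleft()

    def snapshot(self, now):
        self.expire(now)
        return list(self.rows)


def detect(events, max_rows=MAX_ROWS, max_age=MAX_AGE, threshold=THRESHOLD):
    """events: (timestamp, kind) pairs in time order, kind being 'failed' or 'success'.
    Failed logons feed the cache; each success is joined with the cached failures,
    which is what the demo's GROUP BY SuccessTime produces. Returns rows shaped
    like the sample output above."""
    cache = FifoCache(max_rows, max_age)
    alerts = []
    for ts, kind in events:
        if kind == "failed":
            cache.push(ts)
        elif kind == "success":
            failed = cache.snapshot(ts)
            if len(failed) > threshold:
                alerts.append({"Count": len(failed), "FailedTime": failed, "SuccessTime": ts})
    return alerts


# Constructed event stream (not real data): the five failures and the success from the
# sample output; then a success preceded by only two recent failures; then a success
# whose preceding failures are older than the window. Only the first success alerts.
SAMPLE_EVENTS = [
    (1549527272, "failed"), (1549527273, "failed"), (1549527274, "failed"),
    (1549527275, "failed"), (1549527276, "failed"), (1549527277, "success"),
    (1549540000, "failed"), (1549540001, "failed"), (1549540002, "success"),
    (1549550000, "success"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Because the cache is never drained, a second success inside the same hour would alert again with the same failures; that mirrors the fifo() behaviour the demo relies on, and is why a real artifact would carry user and source fields so the server can deduplicate.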


Generic.Applications.Office.Keywords

Microsoft Office documents, among other document formats (such as LibreOffice), are actually stored in zip files. The zip file contains the document encoded as XML in a number of zip members.

This makes it difficult to search for keywords within office documents because the ZIP files are typically compressed.

This artifact searches for office documents by file extension and glob, then uses the zip filesystem accessor to run a yara scan against the uncompressed data of the document. Keywords are more likely to match when scanning the decompressed XML data.

The artifact returns a context around the keyword hit.

NOTE: The InternalMtime column shows the creation time of the zip member within the document which may represent when the document was initially created.

See:

- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
- https://wiki.openoffice.org/wiki/Documentation/OOo3_User_Guides/Getting_Started/File_formats

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - documentGlobs
     - ``/*.{docx,docm,dotx,dotm,docb,xlsx,xlsm,xltx,xltm,pptx,pptm,potx,potm,ppam,ppsx,ppsm,sldx,sldm,odt,ott,oth,odm}``
     -
   * - searchGlob
     - ``C:\Users\**``
     -
   * - yaraRule
     - ::

         rule Hit {
           strings:
             $a = "secret" wide nocase
             $b = "secret" nocase

           condition:
             any of them
         }
     -
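What the zip accessor plus yara scan achieves, as an added Python example (not the artifact's VQL and not Velociraptor project code): a constructed docx-like zip is opened, each member is decompressed, and the decompressed XML is searched for the keyword case-insensitively both as ASCII and as UTF-16LE, the way the default rule's ``$b`` and ``$a`` (``wide``) strings do. Each hit carries context and the member's own timestamp, which is what the InternalMtime column reports. The function and field names are this example's own.

```python
import io
import re
import zipfile
from datetime import datetime

# Extensions from the artifact's documentGlobs default.
OFFICE_EXTENSIONS = {
    "docx", "docm", "dotx", "dotm", "docb", "xlsx", "xlsm", "xltx", "xltm",
    "pptx", "pptm", "potx", "potm", "ppam", "ppsx", "ppsm", "sldx", "sldm",
    "odt", "ott", "oth", "odm",
}


def is_office_document(path: str) -> bool:
    """Extension filter equivalent to the documentGlobs brace expansion."""
    return path.rsplit(".", 1)[-1].lower() in OFFICE_EXTENSIONS


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx (not a real Office file): a zip whose members are XML.
    One member holds the keyword in ASCII, another in UTF-16LE; the rest is filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as z:
        body = zipfile.ZipInfo("word/document.xml", date_time=(2019, 2, 7, 9, 30, 0))
        body.compress_type = zipfile.ZIP_DEFLATED
        z.writestr(body, "<w:document><w:body><w:p><w:t>Project budget is SECRET until Q3"
                         "</w:t></w:p></w:body></w:document>")
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties><dc:creator>alice</dc:creator></cp:coreProperties>")
        z.writestr("customXml/item1.xml",
                   "<?xml version='1.0' encoding='UTF-16'?><note>secret memo</note>".encode("utf-16-le"))
    return buf.getvalue()


def scan_document(data: bytes, keywords, context: int = 24):
    """Open the container, decompress every member and search the plain XML for each keyword,
    case-insensitively, as ASCII and as UTF-16LE ('wide'). Compressed bytes would not match."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            content = z.read(info.filename)   # decompressed bytes, as the zip accessor exposes them
            for kw in keywords:
                for label, enc in (("ascii", "utf-8"), ("wide", "utf-16-le")):
                    pattern = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
                    for m in pattern.finditer(content):
                        start = max(0, m.start() - context)
                        end = min(len(content), m.end() + context)
                        if label == "wide":            # keep UTF-16 code units aligned
                            start -= start % 2
                            end -= end % 2
                        hits.append({
                            "Member": info.filename,
                            # the member's own timestamp inside the container
                            "InternalMtime": datetime(*info.date_time).isoformat(),
                            "Keyword": kw,
                            "Encoding": label,
                            "Offset": m.start(),
                            "Context": content[start:end].decode(enc, errors="replace"),
                        })
    return hits


if __name__ == "__main__":
    for hit in scan_document(build_sample_docx(), ["secret"]):
        print(hit)
```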

Generic.Client.Stats

An event artifact which generates the client's CPU and memory statistics.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Frequency
     - ``10``
     - Return stats every this many seconds.

Generic.Forensic.Carving.URLs

Carve URLs from files located in a glob. Note that we do not parse any files - we simply carve anything that looks like a URL.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UrlGlob
     - ::

         ["C:/Documents and Settings/*/Local Settings/Application Data/Google/Chrome/User Data/",
          "C:/Users/*/AppData/Local/Google/Chrome/User Data/",
          "C:/Documents and Settings/*/Local Settings/History/",
          "C:/Documents and Settings/*/Local Settings/Temporary Internet Files/",
          "C:/Users/*/AppData/Local/Microsoft/Windows/WebCache/",
          "C:/Users/*/AppData/Local/Microsoft/Windows/INetCache/",
          "C:/Users/*/AppData/Local/Microsoft/Windows/INetCookies/",
          "C:/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/",
          "C:/Documents and Settings/*/Application Data/Mozilla/Firefox/Profiles/**"]
     -

Generic.Forensic.Timeline

This artifact generates a timeline of a file glob in bodyfile format. We currently do not calculate the MD5 because it is quite expensive.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - timelineGlob
     - ``C:\Users\**``
     -
   * - timelineAccessor
     - ``file``
     -

Network.ExternalIpAddress

Detect the external IP address of the endpoint.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - externalUrl
     - ``http://www.myexternalip.com/raw``
     - The URL of the external IP detection site.

Reporting.Hunts.Details

Report details about which client ran each hunt, how long it took and if it has completed.


System.Hunt.Participation

Endpoints may participate in hunts. This artifact collects which hunt each system participated in.

Note: This is an automated system hunt. You do not need to start it.


Windows.Analysis.EvidenceOfExecution

In many investigations it is useful to find evidence of program execution.

This artifact combines the findings of several other collectors into an overview of all program execution artifacts. The associated report walks the user through the analysis of the findings.


Windows.Applications.ChocolateyPackages

Chocolatey packages installed in a system.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ChocolateyInstall
     -
     -

Windows.Applications.Chrome.Cookies

Enumerate the user's Chrome cookies.

The cookies are typically encrypted by DPAPI using the user's credentials. Since Velociraptor is typically not running in the user context, we cannot decrypt these. It may be possible to decrypt the cookies offline.

The pertinent information from a forensic point of view is the user’s Created and LastAccess timestamp and the fact that the user has actually visited the site and obtained a cookie.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - cookieGlobs
     - ``\AppData\Local\Google\Chrome\User Data\*\Cookies``
     -
   * - cookieSQLQuery
     - ::

         SELECT creation_utc, host_key, name, value, path, expires_utc,
                last_access_utc, encrypted_value
         FROM cookies
     -

Windows.Applications.Chrome.Extensions

Fetch Chrome extensions.

Chrome extensions are installed into the user’s home directory. We search for manifest.json files in a known path within each system user’s home directory. We then parse the manifest file as JSON.

Many extensions use locale packs to resolve strings like name and description. In this case we detect the default locale and load those locale files. We then resolve the extension’s name and description from there.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - extensionGlobs
     - ``\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json``
     -

Windows.Applications.Chrome.History

Enumerate the user's Chrome history.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - historyGlobs
     - ``\AppData\Local\Google\Chrome\User Data\*\History``
     -
   * - urlSQLQuery
     - ::

         SELECT url as visited_url, title, visit_count,
                typed_count, last_visit_time
         FROM urls
     -

Windows.Applications.OfficeMacros

Office macros are a favourite initial infection vector. Many users click through the warning dialogs.

This artifact scans through the given directory glob for common office files. We then try to extract any embedded macros by parsing the OLE file structure.

If a macro calls an external program (e.g. PowerShell) this is very suspicious!

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - officeExtensions
     - ``*.{xls,xlsm,doc,docx,ppt,pptm}``
     -
   * - officeFileSearchGlob
     - ``C:\Users\**\``
     - The directory to search for office documents.

Windows.Attack.ParentProcess

Maps the Mitre Att&ck framework process executions into artifacts.

References:

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - lookupTable
     - ::

         ProcessName,ParentRegex
         smss.exe,System
         runtimebroker.exe,svchost.exe
         taskhostw.exe,svchost.exe
         services.exe,wininit.exe
         lsass.exe,wininit.exe
         svchost.exe,services.exe
         cmd.exe,explorer.exe
         powershell.exe,explorer.exe
         iexplore.exe,explorer.exe
         firefox.exe,explorer.exe
         chrome.exe,explorer.exe
     -
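How the lookupTable is meant to be applied, as an added Python example (not the artifact's VQL and not Velociraptor project code): the CSV is parsed into a map of process name to expected-parent regex, and a constructed process snapshot is checked against it. A process whose parent no longer exists in the snapshot is reported too, since its expected parent cannot be confirmed. The names ``load_lookup``, ``find_parent_anomalies`` and ``SAMPLE_PROCESSES`` are this example's own.

```python
import csv
import io
import re

# The artifact's lookupTable default: the expected parent (as a regex) for each process name.
LOOKUP_TABLE = """\
ProcessName,ParentRegex
smss.exe,System
runtimebroker.exe,svchost.exe
taskhostw.exe,svchost.exe
services.exe,wininit.exe
lsass.exe,wininit.exe
svchost.exe,services.exe
cmd.exe,explorer.exe
powershell.exe,explorer.exe
iexplore.exe,explorer.exe
firefox.exe,explorer.exe
chrome.exe,explorer.exe
"""


def load_lookup(table: str):
    """Parse the CSV into {process name (lower-case): compiled ParentRegex}.
    Windows process names are case-insensitive, so the regex is too."""
    rules = {}
    for row in csv.DictReader(io.StringIO(table)):
        rules[row["ProcessName"].lower()] = re.compile(row["ParentRegex"], re.IGNORECASE)
    return rules


# Constructed process snapshot (not real data); only Pid, Name and Ppid are used.
SAMPLE_PROCESSES = [
    {"Pid": 4,    "Name": "System",         "Ppid": 0},
    {"Pid": 300,  "Name": "smss.exe",       "Ppid": 4},
    {"Pid": 500,  "Name": "wininit.exe",    "Ppid": 300},
    {"Pid": 600,  "Name": "services.exe",   "Ppid": 500},
    {"Pid": 700,  "Name": "lsass.exe",      "Ppid": 600},    # table expects wininit.exe
    {"Pid": 800,  "Name": "svchost.exe",    "Ppid": 600},
    {"Pid": 1200, "Name": "explorer.exe",   "Ppid": 900},
    {"Pid": 2000, "Name": "powershell.exe", "Ppid": 1200},
    {"Pid": 2500, "Name": "WINWORD.EXE",    "Ppid": 1200},
    {"Pid": 2600, "Name": "powershell.exe", "Ppid": 2500},   # started by an Office process
    {"Pid": 3000, "Name": "cmd.exe",        "Ppid": 9999},   # parent no longer in the snapshot
]


def find_parent_anomalies(processes, rules):
    """Return every process whose parent's name does not match the ParentRegex for its name.
    Processes the table says nothing about are skipped."""
    by_pid = {p["Pid"]: p for p in processes}
    anomalies = []
    for proc in processes:
        rule = rules.get(proc["Name"].lower())
        if rule is None:
            continue
        parent = by_pid.get(proc["Ppid"])
        parent_name = parent["Name"] if parent else "<exited>"
        if not rule.search(parent_name):
            anomalies.append({
                "Pid": proc["Pid"], "Name": proc["Name"], "Ppid": proc["Ppid"],
                "ParentName": parent_name, "ExpectedParent": rule.pattern,
            })
    return anomalies


def run_sample():
    return find_parent_anomalies(SAMPLE_PROCESSES, load_lookup(LOOKUP_TABLE))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample snapshot this flags lsass.exe under services.exe, powershell.exe under WINWORD.EXE, and cmd.exe whose parent has exited; the table's regex column is what you extend when a site has legitimate launchers (a management agent starting powershell.exe, say) that would otherwise be reported every time.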

Windows.Attack.Prefetch

Maps the Mitre Att&ck framework process executions into artifacts. This pack was generated from https://github.com/teoseller/osquery-attck


Windows.EventLogs.DHCP

This artifact parses the Windows DHCP client event logs looking for evidence of IP address assignments.

In some investigations it is important to be able to identify the machine which was assigned a particular IP address at a point in time. Usually these logs are available from the DHCP server, but in many cases the server logs are not available (for example, if the endpoint was visiting a different network or the DHCP server is on a wireless router with no log retention).

On Windows, there are two types of logs:

  1. The admin log (Microsoft-Windows-Dhcp-Client%4Admin.evtx). It only contains errors, such as an endpoint trying to renew its lease and the lease being rejected by the server.

  2. The operational log (Microsoft-Windows-Dhcp-Client%4Operational.evtx), which contains the full record of each lease. Unfortunately this log is disabled by default. If it is available we can rely on its information.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - eventDirGlob
     - ``C:\Windows\system32\winevt\logs\``
     -
   * - adminLog
     - ``Microsoft-Windows-Dhcp-Client%4Admin.evtx``
     -
   * - operationalLog
     - ``Microsoft-Windows-Dhcp-Client%4Operational.evtx``
     -
   * - accessor
     - ``file``
     -

Windows.Network.ArpCache

Address resolution cache, both static and dynamic (from ARP, NDP).

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - wmiQuery
     - ::

         SELECT AddressFamily, Store, State, InterfaceIndex, IPAddress,
                InterfaceAlias, LinkLayerAddress
         from MSFT_NetNeighbor
     -
   * - wmiNamespace
     - ``ROOT\StandardCimv2``
     -
   * - kMapOfState
     - ::

         {
           "0": "Unreachable",
           "1": "Incomplete",
           "2": "Probe",
           "3": "Delay",
           "4": "Stale",
           "5": "Reachable",
           "6": "Permanent",
           "7": "TBD"
         }
     -

Windows.Network.InterfaceAddresses

Network interfaces and relevant metadata.


Windows.Network.ListeningPorts

Processes with listening (bound) network sockets/ports.


Windows.Network.Netstat

Show information about open sockets. On Windows, the time when the socket was first bound is also shown.


Windows.Packs.Autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.


Windows.Packs.Persistence

This artifact pack collects various persistence mechanisms in Windows.


Windows.Registery.AppCompatCache

Parses the system’s app compatibility cache.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - AppCompatCacheKey
     - ``HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Session Manager/AppCompatCache/AppCompatCache``
     -

Windows.Registry.NTUser

This artifact searches for keys or values within the user’s NTUser.dat registry hives.

When a user logs into a Windows machine the system creates their own "profile", which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in. If the user is not logged in, the file is not mapped at all.

This artifact bypasses the locking mechanism by parsing the raw NTFS filesystem to recover the registry hives. We then parse the registry hives to search for the glob provided.

This artifact is designed to be reused by other artifacts that need to access user data.

Any artifacts that look into the HKEY_USERS registry hive should be using the Windows.Registry.NTUser artifact instead of accessing the hive via the API. The API only makes the currently logged in users available in that hive and so if we rely on the windows API we will likely miss any settings for users not currently logged on.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - KeyGlob
     - ``Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\**``
     -
   * - UserHomes
     - ``C:\Users\*\NTUSER.DAT``
     -

Windows.Registry.NTUser.Upload

This artifact collects all the user’s NTUser.dat registry hives.

When a user logs into a Windows machine the system creates their own "profile", which consists of a registry hive mapped into the HKEY_USERS hive. This hive file is locked as long as the user is logged in.

This artifact bypasses the locking mechanism by extracting the registry hives using raw NTFS parsing. We then just upload all hives to the server.


Windows.Registry.Sysinternals.Eulacheck

Checks for the accepted Sysinternals EULA in the registry key ``HKCU\Software\Sysinternals\[TOOL]\``. When a Sysinternals tool is first run on a system, the EULA must be accepted. This writes a value called EulaAccepted under that key.

Note: This artifact uses HKEY_USERS and therefore will not detect users that are not currently logged on.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Sysinternals_Reg_Key
     - ``HKEY_USERS\*\Software\Sysinternals\*``
     -

Windows.Registry.UserAssist

Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number of executions and last execution date and time are available in these keys.

The information within the binary UserAssist values contains only statistical data on the applications launched by the user via Windows Explorer. Programs launched via the command line (cmd.exe) do not appear in these registry keys.

From a forensics perspective, being able to decode this information can be very useful.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UserFilter
     -
     - If specified we filter by this user ID.
   * - ExecutionTimeAfter
     -
     - If specified only show executions after this time.
   * - UserAssistKey
     - ``Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count\*``
     -
   * - userAssistProfile
     - ::

         {
           "Win10": [0, {
             "NumberOfExecutions": [4, ["unsigned int"]],
             "LastExecution": [60, ["unsigned long long"]]
           }]
         }
     -
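How the userAssistProfile above is applied to a raw value, as an added Python example (not the artifact's VQL and not Velociraptor project code): the profile's offsets and type names are read as-is, the count and the FILETIME are unpacked from a constructed 72-byte Win10 value, and the ExecutionTimeAfter filter is applied to the decoded rows. The example also ROT13-decodes the value name, which is a property of the UserAssist key that the page itself does not mention. The function names and the sample value are this example's own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# The artifact's userAssistProfile default: [offset, [type]] per field, inside a struct at offset 0.
USER_ASSIST_PROFILE = {
    "Win10": [0, {
        "NumberOfExecutions": [4, ["unsigned int"]],
        "LastExecution": [60, ["unsigned long long"]],
    }],
}

# struct format for each profile type name (little-endian, as Windows stores them)
TYPE_FORMATS = {"unsigned int": "<I", "unsigned long long": "<Q"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """LastExecution is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC. 0 means never run."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    # integer arithmetic on purpose: the tick count is beyond float precision
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value_name(name: str) -> str:
    """UserAssist value names are stored ROT13-encoded (not stated on the page, but well known)."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(name: str, data: bytes, profile: str = "Win10") -> dict:
    """Decode one registry value using the profile's offsets and types."""
    base, fields = USER_ASSIST_PROFILE[profile]
    out = {"Name": decode_value_name(name)}
    for field, (offset, (type_name,)) in fields.items():
        out[field] = struct.unpack_from(TYPE_FORMATS[type_name], data, base + offset)[0]
    out["LastExecution"] = filetime_to_datetime(out["LastExecution"])
    return out


def build_sample_value(count: int, last_exec: datetime) -> bytes:
    """Constructed 72-byte Win10 UserAssist value with only the two profiled fields set."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, count)
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_exec))
    return bytes(data)


def executions_after(entries, cutoff: datetime):
    """The ExecutionTimeAfter filter: keep rows whose LastExecution is later than cutoff."""
    return [e for e in entries if e["LastExecution"] is not None and e["LastExecution"] > cutoff]


if __name__ == "__main__":
    sample = build_sample_value(7, datetime(2019, 2, 7, 9, 30, tzinfo=timezone.utc))
    print(parse_userassist_value("pzq.rkr", sample))
```

Values whose LastExecution is zero decode to ``None`` rather than to 1601-01-01, so the filter drops them instead of reporting a bogus run time.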

Windows.Search.FileFinder

Find files on the filesystem using the filename or content.

Performance Note

This artifact can be quite expensive, especially if we search file content, since it requires opening each file and reading its entire content. To minimize the impact on the endpoint we recommend collecting this artifact in a rate-limited way (about 20-50 ops per second).

This artifact is useful in the following scenarios:

- We need to locate all the places on our network where customer data has been copied.

- We've identified malware in a data breach, named using short random strings in specific folders, and need to search for other instances across the network.

- We believe our user account credentials have been dumped and need to locate them.

- We need to search for exposed credit card data to satisfy PCI requirements.

- We have a sample of data that has been disclosed and need to locate other similar files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - SearchFilesGlob
     - ``C:\Users\**``
     - Use a glob to define the files that will be searched.
   * - Keywords
     - ``None``
     - A comma delimited list of strings to search for.
   * - Use_Raw_NTFS
     - ``N``
     -
   * - Upload_File
     - ``N``
     -
   * - Calculate_Hash
     - ``N``
     -
   * - MoreRecentThan
     -
     -
   * - ModifiedBefore
     -
     -