Miscellaneous Artifacts

Various Artifacts which do not fit into other categories.

Demo.Plugins.Fifo

This is a demo of the fifo() plugin. The fifo plugin collects and caches rows from its inner query. Every subsequent execution of the query then reads from the cache. The plugin expires old rows according to its expiration policy, so the cache always holds only recent rows.

You can use this to build queries which consider historical events together with current events at the same time. In this example, we check for a successful logon preceded by a number of failed logon attempts.

In this example, we use the clock() plugin to simulate events. We simulate a failed logon attempt every second using the clock() plugin. By feeding the failed logon events to the fifo() plugin we ensure that its cache contains the last 5 failed logon events.

We simulate a successful logon event every 3 seconds, again using the clock() plugin. Once a successful logon event is detected, we go back over the cached failed logon events, count them and collect their times (using the GROUP BY operator we group the FailedTime values for every unique SuccessTime).

If more than 3 failed logons are cached, we emit the row.

This is a high-value signal: it only fires when a successful logon is preceded by more than 3 failed logon attempts within the cache window (at most 5 rows, expired after an hour). It is then possible to escalate it from the server by email or other alerts.

Here is sample output:

.. code-block:: json

   {
     "Count": 5,
     "FailedTime": [
       1549527272,
       1549527273,
       1549527274,
       1549527275,
       1549527276
     ],
     "SuccessTime": 1549527277
   }

Of course, in a real artifact we would want to include more information than just the times (i.e. who logged on, from where, etc.).
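The detection logic described above, re-implemented in Python as an added example (this is not the artifact's own VQL): a bounded, age-expiring cache stands in for the fifo() plugin, and each successful logon is joined against the cached failures the way the demo's GROUP BY query does. The event stream, the 3600-second expiry and the threshold of "more than 3" are constructed from the description on this page.

```python
"""Failed-logon FIFO demo modelled in Python (added example, not the artifact's VQL)."""
from collections import deque

MAX_ROWS = 5       # the demo keeps the last 5 failed logons
MAX_AGE = 3600     # seconds before a cached row expires (assumed: "the last hour")
THRESHOLD = 3      # emit only when MORE than this many failures precede a success


class Fifo:
    """Bounded, age-expiring row cache standing in for the fifo() plugin."""

    def __init__(self, max_rows, max_age):
        self.max_rows = max_rows
        self.max_age = max_age
        self.rows = deque()

    def push(self, ts):
        self.rows.append(ts)
        while len(self.rows) > self.max_rows:     # oldest rows fall off the end
            self.rows.popleft()

    def snapshot(self, now):
        """Rows still inside the age window at time `now`, oldest first."""
        while self.rows and now - self.rows[0] > self.max_age:
            self.rows.popleft()
        return list(self.rows)


def detect(events, max_rows=MAX_ROWS, max_age=MAX_AGE, threshold=THRESHOLD):
    """events: (unix_ts, kind) pairs in time order, kind is "failed" or "success".

    Returns one row per successful logon that is preceded by more than
    `threshold` cached failures, shaped like the artifact's sample output.
    """
    cache = Fifo(max_rows, max_age)
    hits = []
    for ts, kind in events:
        if kind == "failed":
            cache.push(ts)
            continue
        failed = [t for t in cache.snapshot(ts) if t < ts]   # one group per SuccessTime
        if len(failed) > threshold:
            hits.append({"Count": len(failed), "FailedTime": failed, "SuccessTime": ts})
    return hits


# Constructed stream: five failures one second apart then a success (the
# sample output above), and a lone success two hours later that must not fire.
SAMPLE_EVENTS = [(1549527272 + i, "failed") for i in range(5)] + [
    (1549527277, "success"),
    (1549527277 + 7200, "success"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the block prints exactly one row, the one shown in the sample output; the second success finds an expired cache and stays silent, which is the property that keeps the signal from re-firing on every later logon.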

View Artifact Source

Demo.Plugins.GUI

A demo plugin showing some GUI features.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ChoiceSelector
     - ``First Choice``
     -
   * - Flag
     - ``Y``
     -
   * - OffFlag
     -
     -
   * - StartDate
     -
     -
View Artifact Source

Elastic.Events.Clients

This server monitoring artifact will watch a selection of client monitoring artifacts for new events and push those to an elastic index.

NOTE: You must ensure you are collecting these artifacts from the clients by adding them to the “Client Events” GUI.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - WindowsDetectionPsexecService
     -
     - Upload Windows.Detection.PsexecService to Elastic
   * - WindowsEventsDNSQueries
     -
     - Upload Windows.Events.DNSQueries to Elastic
   * - WindowsEventsProcessCreation
     -
     - Upload Windows.Events.ProcessCreation to Elastic
   * - WindowsEventsServiceCreation
     -
     - Upload Windows.Events.ServiceCreation to Elastic
   * - ElasticAddresses
     - ``http://127.0.0.1:9200/``
     -
View Artifact Source

Elastic.Flows.Upload

This server side event monitoring artifact waits for new artifacts to be collected from endpoints and automatically uploads those to an elastic server.

We use the artifact name as the name of the index. This allows users to adjust the index size/lifetime according to the artifact it is holding.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - ArtifactNameRegex
     - ``.``
     - Only upload these artifacts to elastic
   * - elasticAddresses
     - ``http://127.0.0.1:9200/``
     -
View Artifact Source

Generic.Applications.Office.Keywords

Microsoft Office documents, among other document formats (such as LibreOffice), are actually stored in zip files. The zip file contains the document encoded as XML in a number of zip members.

This makes it difficult to search for keywords within office documents because the ZIP files are typically compressed.

This artifact searches for office documents by file extension and glob, then uses the zip filesystem accessor to run a yara scan against the uncompressed data of the document. Keywords are far more likely to match when scanning the decompressed XML data than the compressed container.

The artifact returns a context around the keyword hit.

NOTE: The InternalMtime column shows the creation time of the zip member within the document which may represent when the document was initially created.

See:

  • https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
  • https://wiki.openoffice.org/wiki/Documentation/OOo3_User_Guides/Getting_Started/File_formats

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - documentGlobs
     - ``/*.{docx,docm,dotx,dotm,docb,xlsx,xlsm,xltx,xltm,p …``
     -
   * - searchGlob
     - ``C:\Users\**``
     -
   * - yaraRule
     - ``rule Hit {\n strings:\n $a = "secret" wide noc …``
     -
View Artifact Source
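The same approach in Python, as an added example rather than the artifact's VQL: the container is opened as a zip, every member is inflated and scanned individually, and each hit is reported with a context window and the member's own header timestamp (the InternalMtime of the description). A case-insensitive regex that matches the keyword in both ASCII and UTF-16LE stands in for the yara string ``"secret" wide nocase``; the extension list beyond the page's truncated default, and the in-memory sample document, are constructed for illustration.

```python
"""Keyword search inside Office/ODF zip containers (added example, not the artifact's VQL)."""
import datetime
import io
import re
import zipfile

# Extensions from the artifact's documentGlobs default, which is truncated on the
# page; everything after ".xltm" here is an assumption.
OFFICE_EXTENSIONS = (".docx", ".docm", ".dotx", ".dotm", ".docb",
                     ".xlsx", ".xlsm", ".xltx", ".xltm",
                     ".pptx", ".pptm", ".potx", ".odt", ".ods", ".odp")


def is_office_document(path):
    return path.lower().endswith(OFFICE_EXTENSIONS)


def keyword_pattern(keyword):
    """Regex equivalent of a yara string declared `ascii wide nocase`."""
    narrow = re.escape(keyword.encode("ascii"))
    wide = re.escape(keyword.encode("utf-16-le"))
    return re.compile(b"(?:" + narrow + b"|" + wide + b")", re.IGNORECASE)


def scan_document(path, data, pattern, context=40):
    """Yield a hit per keyword match over the DECOMPRESSED bytes of each member."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)        # inflate this member only
            for m in pattern.finditer(content):
                start = max(0, m.start() - context)
                end = min(len(content), m.end() + context)
                yield {
                    "FullPath": path,
                    "Member": info.filename,
                    "Offset": m.start(),            # offset within the decompressed member
                    # Per-member mtime from the zip header: for Office files it
                    # often records when the document was first created.
                    "InternalMtime": datetime.datetime(*info.date_time),
                    "Context": content[start:end].decode("utf-8", "replace"),
                }


def find_keyword(path, data, keyword):
    """Apply the extension filter, then scan; returns a list of hit rows."""
    if not is_office_document(path):
        return []
    return list(scan_document(path, data, keyword_pattern(keyword)))


def build_sample_docx():
    """Constructed, minimal docx-like container (not a real Word file)."""
    created = (2019, 2, 7, 8, 14, 32)
    body = ("<w:document><w:body><w:p><w:t>Project SECRET budget, do not forward"
            "</w:t></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("[Content_Types].xml", created), "<Types/>",
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr(zipfile.ZipInfo("word/document.xml", created), body,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for hit in find_keyword(r"C:\Users\alice\Documents\budget.docx", doc, "secret"):
        print(hit)
```

Because members are inflated one at a time, memory use is bounded by the largest member rather than the whole document, and the reported offset is meaningful for follow-up extraction of that member.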

Generic.Client.Info

Collect basic information about the client.

This artifact is collected when any new client is enrolled into the system. Velociraptor will watch for this artifact and populate its internal indexes from this artifact as well.

You can edit this artifact to enhance the client’s interrogation information as required.

View Artifact Source

Generic.Client.Stats

An event artifact which generates the client's CPU and memory statistics.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - Frequency
     - ``10``
     - Return stats every this many seconds.
View Artifact Source

Generic.Forensic.Carving.URLs

Carve URLs from files located in a glob. Note that we do not parse any files - we simply carve anything that looks like a URL.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UrlGlob
     - ``["C:/Documents and Settings/*/Local Settings/Appli …``
     -
View Artifact Source

Generic.Forensic.Timeline

This artifact generates a timeline of a file glob in bodyfile format. We currently do not calculate the md5 because it is quite expensive.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - timelineGlob
     - ``C:\Users\**``
     -
   * - timelineAccessor
     - ``file``
     -
View Artifact Source
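What a bodyfile-format timeline of a glob looks like when produced outside Velociraptor, as an added Python example (not the artifact's VQL). The record layout is the Sleuth Kit 3.x bodyfile ``MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime`` with times in Unix seconds; as on this page, the MD5 column is left as ``0``. The one-file sample tree is constructed in a temporary directory so the block runs anywhere.

```python
"""Bodyfile timeline of a file glob, MD5 skipped (added example, not the artifact's VQL)."""
import glob
import os
import stat
import tempfile


def mode_string(mode):
    """'-rw-r--r--' rendering of st_mode, as the Sleuth Kit prints it."""
    return stat.filemode(mode)


def bodyfile_line(path, st):
    """One bodyfile record for `path` from its lstat() result (MD5 left as 0)."""
    crtime = int(getattr(st, "st_birthtime", 0))     # 0 where the OS exposes no birth time
    fields = [
        "0",                                  # MD5 deliberately skipped: too expensive
        path.replace("|", "?"),               # '|' is the delimiter; keep columns intact
        str(st.st_ino),
        mode_string(st.st_mode),
        str(st.st_uid),
        str(st.st_gid),
        str(st.st_size),
        str(int(st.st_atime)),
        str(int(st.st_mtime)),
        str(int(st.st_ctime)),                # inode change time, not creation time
        str(crtime),
    ]
    return "|".join(fields)


def timeline(pattern):
    """Yield a bodyfile line for each path matching `pattern` ('**' recurses)."""
    for path in sorted(glob.glob(pattern, recursive=True)):
        try:
            st = os.lstat(path)               # lstat: record symlinks, do not follow them
        except OSError:                       # vanished or unreadable: skip, keep going
            continue
        yield bodyfile_line(path, st)


def demo():
    """Constructed one-file tree in a temporary directory, timelined."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "notes.txt")
        with open(sample, "wb") as fh:
            fh.write(b"hello")
        return list(timeline(os.path.join(root, "**")))


if __name__ == "__main__":
    print("\n".join(demo()))
```

The output can be fed straight to the Sleuth Kit's ``mactime -b`` to sort it into a timeline. Note that on Windows the ctime column is what the Win32 API reports rather than a POSIX inode change time, so label it accordingly when merging timelines from mixed platforms.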

MacOS.Detection.Autoruns

This artifact collects evidence of autoruns. We also capture the files and upload them.

This code is based on https://github.com/CrowdStrike/automactc/blob/master/modules/mod_autoruns_v102.py

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - sandboxed_loginitems
     - ``/var/db/com.apple.xpc.launchd/disabled.*.plist``
     -
   * - cronTabGlob
     - ``/private/var/at//tabs/*``
     -
   * - LaunchAgentsDaemonsGlob
     - ``["/System/Library/LaunchAgents/*.plist","/Library/ …``
     -
   * - ScriptingAdditionsGlobs
     - ``["/System/Library/ScriptingAdditions/*.osax","/Lib …``
     -
   * - StartupItemsGlobs
     - ``["/System/Library/StartupItems//","/Library/Star …``
     -
   * - MiscItemsGlobs
     - ``["/private/etc/periodic.conf", "/private/etc/perio …``
     -
   * - LoginItemsGlobs
     - ``["/Users/*/Library/Preferences/com.apple.loginitem …``
     -
View Artifact Source

MacOS.System.Users

This artifact collects information about the local users on the system. The information is stored in plist files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - UserPlistGlob
     - ``/private/var/db/dslocal/nodes/Default/users/*.plis …``
     -
   * - OnlyShowRealUsers
     - ``Y``
     -
View Artifact Source

Network.ExternalIpAddress

Detect the external IP address of the endpoint.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - externalUrl
     - ``http://www.myexternalip.com/raw``
     - The URL of the external IP detection site.
View Artifact Source

Reporting.Hunts.Details

Report details about which client ran each hunt, how long it took and if it has completed.

View Artifact Source

Windows.Analysis.EvidenceOfExecution

In many investigations it is useful to find evidence of program execution.

This artifact combines the findings of several other collectors into an overview of all program execution artifacts. The associated report walks the user through the analysis of the findings.

View Artifact Source

Windows.Attack.ParentProcess

Maps the MITRE ATT&CK framework process executions into artifacts, checking each running process against the parent it is expected to have.

References:

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - lookupTable
     - ``ProcessName,ParentRegex\nsmss.exe,System\nruntimeb …``
     -
View Artifact Source
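How a ``ProcessName,ParentRegex`` lookup table like the one above is applied to a process list, as an added Python example (not the artifact's VQL). The table here is constructed from well-known Windows process ancestry (smss.exe under System, csrss/wininit/winlogon under smss.exe, services.exe and lsass.exe under wininit.exe, svchost.exe under services.exe); the artifact's real default table is longer and is truncated on this page. The process list is likewise constructed.

```python
"""Parent-process checks driven by a CSV lookup table (added example, not the artifact's VQL)."""
import csv
import io
import re

# Constructed table in the artifact's ProcessName,ParentRegex shape.
LOOKUP_TABLE = """ProcessName,ParentRegex
smss.exe,System|smss.exe
csrss.exe,smss.exe
wininit.exe,smss.exe
winlogon.exe,smss.exe
services.exe,wininit.exe
lsass.exe,wininit.exe
svchost.exe,services.exe
"""


def load_lookup(table_text):
    """Map lower-cased process name -> compiled, case-insensitive parent regex."""
    rules = {}
    for row in csv.DictReader(io.StringIO(table_text)):
        rules[row["ProcessName"].lower()] = re.compile(row["ParentRegex"], re.IGNORECASE)
    return rules


def check_processes(processes, rules):
    """processes: dicts with Pid, Ppid, Name.  Returns the rows whose parent does
    not fully match the expected regex, with the parent name and rule attached."""
    by_pid = {p["Pid"]: p for p in processes}
    findings = []
    for p in processes:
        rule = rules.get(p["Name"].lower())
        if rule is None:                       # no expectation recorded: not checked
            continue
        parent = by_pid.get(p["Ppid"])
        # A parent that has already exited is reported too; it cannot vouch for
        # the child, and for the processes in this table it should never exit.
        parent_name = parent["Name"] if parent else "<exited>"
        if not rule.fullmatch(parent_name):
            findings.append({**p, "ParentName": parent_name, "Expected": rule.pattern})
    return findings


# Constructed snapshot: a normal boot chain plus two anomalies.
SAMPLE_PROCESSES = [
    {"Pid": 4,    "Ppid": 0,    "Name": "System"},
    {"Pid": 368,  "Ppid": 4,    "Name": "smss.exe"},
    {"Pid": 520,  "Ppid": 368,  "Name": "wininit.exe"},
    {"Pid": 640,  "Ppid": 520,  "Name": "services.exe"},
    {"Pid": 800,  "Ppid": 640,  "Name": "svchost.exe"},
    {"Pid": 3024, "Ppid": 2100, "Name": "explorer.exe"},
    {"Pid": 4312, "Ppid": 3024, "Name": "svchost.exe"},   # spawned by explorer.exe
    {"Pid": 5100, "Ppid": 9999, "Name": "lsass.exe"},     # parent not in the list
]

if __name__ == "__main__":
    for finding in check_processes(SAMPLE_PROCESSES, load_lookup(LOOKUP_TABLE)):
        print(finding)
```

``fullmatch`` rather than ``search`` is deliberate: a loose regex such as ``smss.exe`` would otherwise also accept ``notsmss.exe``, which is exactly the kind of lookalike name this check exists to catch.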

Windows.Attack.Prefetch

Maps the MITRE ATT&CK framework process executions into artifacts. This pack was generated from https://github.com/teoseller/osquery-attck

View Artifact Source

Windows.Memory.Acquisition

Acquires a full memory image. We download winpmem and use it to acquire a full memory image.

NOTE: This artifact usually takes a long time. You should increase the default timeout to allow it to complete.

View Artifact Source

Windows.Packs.Autoexec

Aggregate of executables that will automatically execute on the target machine. This is an amalgamation of other tables like services, scheduled_tasks, startup_items and more.

View Artifact Source

Windows.Packs.LateralMovement

Detect evidence of lateral movement.

View Artifact Source

Windows.Packs.Persistence

This artifact pack collects various persistence mechanisms in Windows.

View Artifact Source

Windows.Search.FileFinder

Find files on the filesystem using the filename or content.

Performance Note

This artifact can be quite expensive, especially if we search file content: it has to open each file and read its entire content. To minimize the impact on the endpoint we recommend collecting this artifact in a rate-limited way (about 20-50 ops per second).

This artifact is useful in the following scenarios:

  • We need to locate all the places on our network where customer data has been copied.

  • We’ve identified malware in a data breach, named using short random strings in specific folders and need to search for other instances across the network.

  • We believe our user account credentials have been dumped and need to locate them.

  • We need to search for exposed credit card data to satisfy PCI requirements.

  • We have a sample of data that has been disclosed and need to locate other similar files.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - SearchFilesGlob
     - ``C:\Users\**``
     - Use a glob to define the files that will be searched.
   * - Keywords
     - ``None``
     - A comma delimited list of strings to search for.
   * - Use_Raw_NTFS
     - ``N``
     -
   * - Upload_File
     - ``N``
     -
   * - Calculate_Hash
     - ``N``
     -
   * - MoreRecentThan
     -
     -
   * - ModifiedBefore
     -
     -
View Artifact Source

Windows.Timeline.Prefetch

Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the executable to make it faster to run next time. By parsing this information we are able to determine when binaries were run in the past. On Windows 10 we can see the last 8 execution times plus the prefetch file's creation time (9 potential executions).

This artifact is a timelined version of the standard Prefetch artifact. Several parameters are available:

  • dateAfter restricts the search to prefetch evidence after this date.
  • dateBefore restricts the search to prefetch evidence before this date.
  • binaryRegex filters on the binary name, e.g. evil.exe.
  • hashRegex filters on the prefetch hash.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - prefetchGlobs
     - ``C:\Windows\Prefetch\*.pf``
     -
   * - dateAfter
     -
     - Search for events after this date (``YYYY-MM-DDThh:mm:ssZ``).
   * - dateBefore
     -
     - Search for events before this date (``YYYY-MM-DDThh:mm:ssZ``).
   * - binaryRegex
     -
     - Regex of executable name.
   * - hashRegex
     -
     - Regex of prefetch hash.
View Artifact Source

Windows.Utils.DownloadBinaries

This server side artifact downloads the external binary blobs we require into the server’s public directory. We also update the inventory and the hashes.

You need to run this artifact at least once after installation to populate the third party binary store. Many client side artifacts depend on this.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - binaryList
     - ``Tool,Type,URL,Filename\nAutorun,amd64,https://live …``
     -
View Artifact Source

Windows.Utils.FetchBinary

A utility artifact which fetches a binary from a URL and caches it on disk. We verify the hash of the binary on disk and if it does not match we fetch it again from the source URL. This artifact is designed to be called from other artifacts. The binary path will be emitted in the FullPath column.

.. list-table::
   :header-rows: 1

   * - Arg
     - Default
     - Description
   * - binaryURL
     -
     - Specify this as the base of the binary store (if empty we use the server's public directory).
   * - ToolName
     - ``Autorun``
     -
View Artifact Source

Windows.Utils.UpdatePublicHashes

The server maintains a public directory which can be served to all endpoints. The public directory should be initially populated by running the Windows.Utils.DownloadBinaries artifact. It is possible to manually edit the content of this directory but you will need to update the hashes.

Clients maintain their local cache of the files and they use the hash to tell if their local copy is out of date.

This artifact will regenerate the inventory file by re-calculating the hashes of all files in the public directory.

You need to run this artifact on the server if you manually edit the content of the public directory.
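The two halves of the binary store described here (Windows.Utils.UpdatePublicHashes regenerating the inventory from the public directory, and Windows.Utils.FetchBinary handing back a cached copy only when its hash still matches) as one added Python example. This is not Velociraptor's own code: the inventory layout (a JSON object per file with its SHA-256), the cache directory layout and the ``download`` callable that stands in for an HTTP fetch of the public directory are assumptions so that the block runs offline against a constructed store.

```python
"""Inventory regeneration plus hash-verified binary fetch (added example, not Velociraptor's code)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def update_public_hashes(public_dir, inventory_name="inventory.json"):
    """Recalculate the hash of every file in public_dir and rewrite the inventory."""
    inventory = {}
    for name in sorted(os.listdir(public_dir)):
        path = os.path.join(public_dir, name)
        if name == inventory_name or not os.path.isfile(path):
            continue
        inventory[name] = {"filename": name, "sha256": sha256_file(path)}
    with open(os.path.join(public_dir, inventory_name), "w") as fh:
        json.dump(inventory, fh, indent=2, sort_keys=True)
    return inventory


def fetch_binary(tool, inventory, cache_dir, download):
    """Return the path of a cached copy whose SHA-256 matches the inventory.

    When the cached file is missing or its hash differs, re-fetch it via
    `download(filename) -> bytes`; a download that still does not match is
    rejected so that a binary the server did not vouch for is never run.
    """
    entry = inventory[tool]
    local = os.path.join(cache_dir, entry["filename"])
    if os.path.exists(local) and sha256_file(local) == entry["sha256"]:
        return local
    data = download(entry["filename"])
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        raise ValueError("downloaded %s does not match the inventory hash" % entry["filename"])
    tmp = local + ".part"
    with open(tmp, "wb") as fh:
        fh.write(data)
    os.replace(tmp, local)          # atomic swap: a half-written file is never used
    return local


def demo():
    """Constructed store and client cache: publish, corrupt the cache, heal it."""
    with tempfile.TemporaryDirectory() as public_dir, tempfile.TemporaryDirectory() as cache:
        with open(os.path.join(public_dir, "autorun.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00constructed-autorun-binary")   # stand-in, not a real PE
        inventory = update_public_hashes(public_dir)

        def download(filename):                 # stands in for GET /public/<filename>
            with open(os.path.join(public_dir, filename), "rb") as fh:
                return fh.read()

        first = fetch_binary("autorun.exe", inventory, cache, download)
        with open(first, "ab") as fh:           # corrupt the cached copy
            fh.write(b"garbage")
        rejected = False
        try:                                    # a bad source must not replace it
            fetch_binary("autorun.exe", inventory, cache, lambda name: b"not the tool")
        except ValueError:
            rejected = True
        healed = fetch_binary("autorun.exe", inventory, cache, download)
        return {
            "inventory_hash": inventory["autorun.exe"]["sha256"],
            "healed_hash": sha256_file(healed),
            "same_path": first == healed,
            "bad_source_rejected": rejected,
            "inventory_listed": sorted(inventory),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash in the inventory is the only thing the client trusts; this is why editing the public directory by hand without regenerating the inventory leaves clients either refusing the new file or, worse, happily keeping a stale cached copy whose hash still matches the old entry.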

View Artifact Source