Windows System

Windows.Sys.AppcompatShims

Application Compatibility shims are a known malware persistence mechanism: a custom shim database can redirect or patch a target executable every time it starts. This artifact presents the installed shim database and custom shim entries from the registry in a readable table.

Arg Default Description
shimKeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows N …
customKeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows N …

Windows.Sys.CertificateAuthorities

Lists the Certificate Authorities installed in the system's certificate stores (the Windows equivalent of the macOS keychains or Linux ca-bundles).


Windows.Sys.DiskInfo

Retrieve basic information about the physical disks of a system.


Windows.Sys.Drivers

Details for in-use Windows device drivers. This does not display installed but unused drivers.


Windows.Sys.FirewallRules

List Windows firewall rules, read from the registry.

Arg Default Description
regKey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser …

Windows.Sys.Interfaces

Report information about the system's network interfaces. This artifact simply parses the output of ipconfig /all.

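As an added example (not part of the artifact or of Velociraptor itself), the following Python parses ipconfig /all output into one record per adapter, in the same spirit as the artifact, and runs one check a responder would want over the result: DNS servers that are not on an allow-list, a cheap indicator of a rogue DHCP server or a hijacked resolver. The sample listing, adapter names and addresses are constructed, and the allow-list is a hypothetical set for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a trimmed "ipconfig /all" listing, not captured from a real host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c2a:3b4c:5d6e:7f80%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.2
                                       10.0.0.3
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560
   Physical Address. . . . . . . . . : A4-B1-C2-D3-E4-F5
   DHCP Enabled. . . . . . . . . . . : Yes
"""

# "Ethernet adapter Ethernet0:" -> kind "Ethernet", name "Ethernet0"
ADAPTER_RE = re.compile(r"^(?P<kind>\S.*?) adapter (?P<name>.+):$")
# "   IPv4 Address. . . . : 10.0.0.15"   -> key "IPv4 Address", value "10.0.0.15"
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 /\-]*?)[ .]*:\s?(?P<value>.*)$")
# ipconfig appends the address state to IP addresses; drop it so values compare cleanly.
STATE_SUFFIX_RE = re.compile(r"\((?:Preferred|Tentative|Deprecated|Duplicate)\)$")


def parse_ipconfig(text: str) -> List[Dict[str, object]]:
    """Parse 'ipconfig /all' output into {"Name", "Type", "Fields"} records.

    Fields maps a label such as "DNS Servers" to a list of values, because
    several labels wrap extra values onto unlabelled continuation lines.
    """
    adapters: List[Dict[str, object]] = []
    fields: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            fields = {}
            adapters.append({"Name": m.group("name"), "Type": m.group("kind"), "Fields": fields})
            last_key = None
            continue
        if not adapters:
            continue  # the global header block (host name, node type, ...) is not an adapter
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key")
            value = STATE_SUFFIX_RE.sub("", m.group("value").strip())
            fields.setdefault(last_key, [])
            if value:
                fields[last_key].append(value)
        elif last_key is not None:
            # Unlabelled continuation line: one more value for the previous label.
            fields[last_key].append(STATE_SUFFIX_RE.sub("", line.strip()))
    return adapters


def unexpected_dns(adapters: Iterable[Dict[str, object]], allowed: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (adapter, server) pairs whose DNS server is not in the allow-list."""
    allowed = set(allowed)
    hits = []
    for adapter in adapters:
        for server in adapter["Fields"].get("DNS Servers", []):
            if server not in allowed:
                hits.append((adapter["Name"], server))
    return hits


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    for a in parsed:
        f = a["Fields"]
        print(a["Name"], f.get("Physical Address"), f.get("IPv4 Address"), f.get("DNS Servers"))
    print(unexpected_dns(parsed, {"10.0.0.2"}))  # hypothetical allow-list for the example
```

The parser keeps every value as a list rather than guessing which labels are multi-valued; on a real host, feed it the captured text of `ipconfig /all` and compare the DNS and gateway columns against what DHCP should have handed out on that segment.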

Windows.Sys.PhysicalMemoryRanges

List Windows physical memory ranges.

Arg Default Description
physicalMemoryKey HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System …
Profile {"CM_RESOURCE_LIST": [0, {"Count": [0, [ …

Windows.Sys.Programs

Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some fields may be blank as Windows installation details are left to the discretion of the product author.

Arg Default Description
programKeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ …

Windows.Sys.StartupItems

Applications that will be started from the various Run key locations, the StartupApproved keys that record whether an entry is enabled, and the Startup folders.

Arg Default Description
runKeyGlobs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ …
startupApprovedGlobs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ …
startupFolderDirectories C:/ProgramData/Microsoft/Windows/Start Menu/Progra …
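An added example, not the artifact's own code: it joins constructed Run key entries with constructed StartupApproved\Run values and decodes each entry's status, which is the correlation this artifact performs. The blob layout assumed here (a 4-byte status where 0x02 or 0x06 means enabled and 0x03 means disabled, followed by an 8-byte FILETIME recording when the entry was disabled) is the one described in public forensic write-ups of the StartupApproved keys; treat it as an assumption and verify against a live host. Entries with no StartupApproved value are treated as enabled, and commands under user-writable paths are flagged for triage.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Windows FILETIME epoch; values are 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed Run key entries as (hive, value name, command line); not from a real host.
RUN_ENTRIES = [
    ("HKLM", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("HKCU", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("HKCU", "Updater", r"C:\Users\alice\AppData\Roaming\upd\svchost.exe"),
]


def _filetime(dt: datetime) -> bytes:
    """Encode a UTC datetime as a little-endian FILETIME (used only to build sample data)."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return ticks.to_bytes(8, "little")


# Constructed StartupApproved\Run blobs (assumed layout: 4-byte status + 8-byte FILETIME).
STARTUP_APPROVED = {
    "SecurityHealth": (2).to_bytes(4, "little") + bytes(8),
    "OneDrive": (3).to_bytes(4, "little") + _filetime(datetime(2024, 1, 1, tzinfo=timezone.utc)),
}

# Directory fragments a standard user can write to; a startup command living there deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def decode_startup_approved(blob: bytes) -> Tuple[str, Optional[datetime]]:
    """Return ("enabled" | "disabled" | "unknown", time it was disabled or None)."""
    if len(blob) < 4:
        return ("unknown", None)
    status = int.from_bytes(blob[:4], "little")
    if status in (0x02, 0x06):
        return ("enabled", None)
    if status == 0x03:
        when = None
        if len(blob) >= 12:
            ticks = int.from_bytes(blob[4:12], "little")
            if ticks:
                when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
        return ("disabled", when)
    return ("unknown", None)


def startup_items(run_entries, approved: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Correlate Run key entries with their StartupApproved status, as the artifact does."""
    items = []
    for hive, name, command in run_entries:
        if name in approved:
            state, disabled_at = decode_startup_approved(approved[name])
        else:
            state, disabled_at = "enabled", None  # no StartupApproved record: never disabled
        items.append({
            "Hive": hive,
            "Name": name,
            "Command": command,
            "State": state,
            "DisabledAt": disabled_at,
            "UserWritablePath": any(s in command.lower() for s in USER_WRITABLE),
        })
    return items


if __name__ == "__main__":
    for item in startup_items(RUN_ENTRIES, STARTUP_APPROVED):
        print(item)
```

A disabled entry still sits in the Run key, so listing the key alone overstates what runs at logon; the StartupApproved status (and its timestamp) is what separates "configured" from "actually executes". The user-writable flag is a triage hint, not a verdict: OneDrive legitimately lives under AppData, whereas a svchost.exe under Roaming is worth pulling.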

Windows.Sys.Users

List user accounts. Two data sources are combined: the output of the NetUserEnum() call and the list of SIDs in the registry.

Arg Default Description
remoteRegKey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows N …

Windows.Sysinternals.Autoruns

Uses Sysinternals autoruns to scan the host.

Note that this requires the Sysinternals autoruns binary to be present in the server's binary store so it can be pushed to the host; run Windows.Utils.DownloadBinaries on the server first.

Arg Default Description
binaryURL (empty) Specify this as the base of the binary store (if empty the server's public directory is used).
AutorunArgs "-nobanner -accepteula -t -a * -c *" A space-separated list of arguments to run autoruns with.

Windows.Sysinternals.SysmonInstall

Sysmon is a kernel-level system monitor written by Sysinternals. While Sysmon cannot be redistributed with Velociraptor, Velociraptor can help you manage its deployment and installation.

In order to deploy Sysmon on the endpoint, you need to:

  1. Ensure the server contains the latest Sysmon binaries. You will need to download them yourself by running the Windows.Utils.DownloadBinaries server artifact.

  2. Ensure the Sysmon configuration is appropriate for your deployment. If you edit the file in your public directory (<file store>/public/sysmon_config.xml) you will need to run the Windows.Utils.UpdatePublicHashes server artifact to update the inventory file, otherwise clients will keep receiving the old hash.


Windows.System.Amcache

Get information from the system’s amcache.

The Amcache.hve file is a registry hive that stores information about executed applications. It records recently run processes and the full paths of the executables, which can then be used to identify what was executed on the system.

This artifact works with the Amcache format of Windows 10 version 1607 (the InventoryApplicationFile key).

References:
https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

Arg Default Description
amCacheGlob %SYSTEMROOT%/appcompat/Programs/Amcache.hve
amCacheRegPath /Root/InventoryApplicationFile/*

Windows.System.CmdShell

This artifact allows running arbitrary commands through the system shell cmd.exe.

Since Velociraptor typically runs as SYSTEM, the commands will also run as SYSTEM.

This is a very powerful artifact since it allows for arbitrary command execution on the endpoints. Therefore this artifact requires elevated permissions (specifically the EXECVE permission). Typically it is only available with the administrator role.

Arg Default Description
Command dir C:\

Windows.System.CriticalServices

This artifact returns information about any services which are considered critical.

The default list contains the services of common antivirus products. A service whose software is not installed at all is simply absent from the results.

ATT&CK: T1089


Arg Default Description
lookupTable A table with a single ServiceName column; default entries: WinDefend, MpsSvc, SepMasterService, …

Windows.System.DLLs

Enumerate the DLLs loaded by running processes. Hash values and certificate information can optionally be included (Calculate_Hash and CertificateInfo, both off by default).

Arg Default Description
processRegex . A regex applied to process names.
dllRegex . A regex applied to the full dll path (e.g. whitelist all system dlls)
Calculate_Hash N
CertificateInfo N

Windows.System.Handles

Enumerate the handles from selected processes.

Uncheck all the handle types below to fetch all handle types.

Arg Default Description
processRegex . A regex applied to process names.
Files Y Search for File Handles
Key Search for Key Handles

Windows.System.LocalAdmins

Gets a list of the members of the local Administrators group, using PowerShell's Get-LocalGroupMember.

Arg Default Description
script Get-LocalGroupMember -Group “Administrators” SELE …

Windows.System.PowerShell

This artifact allows running arbitrary commands through the system powershell.

Since Velociraptor typically runs as SYSTEM, the commands will also run as SYSTEM.

This is a very powerful artifact since it allows for arbitrary command execution on the endpoints. Therefore this artifact requires elevated permissions (specifically the EXECVE permission). Typically it is only available with the administrator role.

Arg Default Description
Command dir C:/

Windows.System.Pslist

List processes and their running binaries.

Arg Default Description
processRegex .

Windows.System.SVCHost

Typically a Windows system has many svchost.exe processes. Attackers sometimes name their own processes svchost.exe in an attempt to blend in. The genuine svchost.exe is spawned by services.exe.

This artifact lists all processes named svchost.exe together with their parent process wherever the parent is not services.exe.

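An added example, not the artifact's VQL: the parent check described above applied to a constructed process list, extended with an image-path check so that a svchost.exe launched from a user-writable directory is caught even when its parent looks right. Process names, PIDs and paths below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Expected on-disk locations of the genuine svchost.exe; the SysWOW64 copy hosts
# 32-bit services on 64-bit Windows. Compared case-insensitively.
GENUINE_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    exe: str


# Constructed process listing in the shape of a pslist; not from a real host.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(500, 380, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(812, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(5001, 600, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    Proc(3120, 2980, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(4412, 3120, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    Proc(5200, 9999, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]


def suspicious_svchost(procs: List[Proc]) -> List[Dict[str, object]]:
    """Flag svchost.exe processes whose parent is not services.exe or whose image
    is not one of the genuine System32/SysWOW64 binaries.

    Reasons: "orphaned" (parent PID not in the listing), "unexpected-parent",
    "unexpected-path". A process may carry several.
    """
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        parent: Optional[Proc] = by_pid.get(p.ppid)
        reasons = []
        if parent is None:
            reasons.append("orphaned")
        elif parent.name.lower() != "services.exe":
            reasons.append("unexpected-parent")
        if p.exe.lower() not in GENUINE_SVCHOST:
            reasons.append("unexpected-path")
        if reasons:
            findings.append({
                "Pid": p.pid,
                "Ppid": p.ppid,
                "Exe": p.exe,
                "ParentName": parent.name if parent else None,
                "Reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in suspicious_svchost(SAMPLE_PROCS):
        print(finding)
```

Two caveats when running this logic over a live pslist: the parent PID can be reused after the real parent exits, so a surprising parent should be confirmed against process start times before it is called malicious; and a name such as svch0st.exe or a svchost.exe that is not signed by Microsoft is outside this check entirely, which is what Windows.System.UntrustedBinaries is for.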

Windows.System.Services

List all the installed services.

Arg Default Description
servicesKeyGlob HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser …
Calculate_hashes N
CertificateInfo N

Windows.System.TaskScheduler

The Windows task scheduler is a common mechanism that malware uses for persistence. It can be used to run arbitrary programs at a later time. Commonly malware installs a scheduled task to run itself periodically to achieve persistence.

This artifact enumerates all the task jobs (which are XML files). The artifact uploads the original XML files and then analyses them to provide an overview of the commands executed and the user under which they will be run.

Arg Default Description
TasksPath c:/Windows/System32/Tasks/**
AlsoUpload
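An added example rather than the artifact's own parser: it extracts the command, arguments, principal and triggers from a task definition (a constructed one, shown inline) and applies a few triage rules a responder would want: hidden tasks, encoded PowerShell commands, COM handler actions and binaries in user-writable paths. The file handling assumes what the on-disk task files usually are, UTF-16 with a byte-order mark, and also accepts decoded text.

```python
import codecs
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition, not taken from a real host. The encoded argument is
# the UTF-16LE base64 of "IEX", chosen only to exercise the encoded-command rule.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>CORP\\alice</Author>
    <URI>\\Updater</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -enc SQBFAFgA</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def _text(elem, path: str) -> str:
    node = elem.find(path, NS) if elem is not None else None
    return (node.text or "").strip() if node is not None else ""


def parse_task(data: Union[bytes, str]) -> Dict[str, object]:
    """Summarise a Task Scheduler XML file: who runs what, when, and how visibly."""
    if isinstance(data, bytes):
        if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
            text = data.decode("utf-16")
        else:
            text = data.decode("utf-8-sig")
    else:
        text = data
    # The declaration's encoding no longer applies once we hold decoded text.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)

    actions = []
    for act in root.findall("t:Actions/*", NS):
        kind = act.tag.rsplit("}", 1)[-1]
        if kind == "Exec":
            actions.append({"Type": "Exec", "Command": _text(act, "t:Command"),
                            "Arguments": _text(act, "t:Arguments"),
                            "WorkingDirectory": _text(act, "t:WorkingDirectory")})
        elif kind == "ComHandler":
            actions.append({"Type": "ComHandler", "ClassId": _text(act, "t:ClassId"),
                            "Data": _text(act, "t:Data")})
        else:
            actions.append({"Type": kind})
    principal = root.find("t:Principals/t:Principal", NS)
    return {
        "URI": _text(root, "t:RegistrationInfo/t:URI"),
        "Author": _text(root, "t:RegistrationInfo/t:Author"),
        "UserId": _text(principal, "t:UserId"),
        "RunLevel": _text(principal, "t:RunLevel"),
        "Enabled": _text(root, "t:Settings/t:Enabled").lower() != "false",  # absent means enabled
        "Hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "Triggers": [t.tag.rsplit("}", 1)[-1] for t in root.findall("t:Triggers/*", NS)],
        "Actions": actions,
    }


def triage(task: Dict[str, object]) -> List[str]:
    """Return triage flags for a parsed task; an empty list means nothing stood out."""
    reasons = []
    if task["Hidden"]:
        reasons.append("hidden")
    for action in task["Actions"]:
        if action["Type"] == "ComHandler":
            reasons.append("com-handler-action")  # payload lives in a COM class, not a path
            continue
        if action["Type"] != "Exec":
            continue
        cmd, args = action["Command"].lower(), action["Arguments"].lower()
        if "powershell" in cmd or "pwsh" in cmd:
            # PowerShell accepts abbreviations of -EncodedCommand (-e, -ec, -enc, ...).
            for m in re.finditer(r"(?:^|\s)-(e[a-z]*)\b", args):
                if "encodedcommand".startswith(m.group(1)):
                    reasons.append("encoded-powershell")
                    break
        if any(s in cmd for s in ("\\appdata\\", "\\temp\\", "\\users\\public\\")):
            reasons.append("user-writable-path")
    return reasons


if __name__ == "__main__":
    parsed = parse_task(SAMPLE_TASK_XML)
    print(parsed)
    print(triage(parsed))
```

The encoded-command rule deliberately matches any prefix of -EncodedCommand rather than the literal -enc, because that is how the PowerShell host resolves its switches; an attacker who writes -ec or -e gets the same behaviour.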

Windows.System.UntrustedBinaries

Windows runs a number of services and binaries as part of the operating system. Malware sometimes runs under one of those well-known names in order to hide in plain sight; for example, a malicious service might call itself svchost.exe so that it appears in the process listing as a benign service.

This artifact checks that the common system binaries are signed. If malware replaces one of these files, or masquerades under one of these names from another location, the binary is unlikely to carry a valid Microsoft signature.

Note that many genuine Microsoft binaries (e.g. conhost.exe) are signed only through catalog files and carry no embedded Authenticode signature, so this check will report them as unsigned; treat an unsigned result as a lead to verify against the catalog, not as a verdict.

Arg Default Description
processNamesRegex (?i)lsass svchost

Windows.System.VAD

Enumerate the memory regions of each running process.

Arg Default Description
processRegex . A regex applied to process names.