Applications

These artifacts collect information about applications installed or used on a Windows system.

Windows.Applications.ChocolateyPackages

Chocolatey packages installed on a system.

Arg                Default   Description
ChocolateyInstall

Windows.Applications.Chrome.Cookies

Enumerate the user's Chrome cookies.

Cookie values are encrypted: Chrome protects them with DPAPI under the user's credentials (current builds wrap a per-installation AES key with DPAPI in the Local State file under User Data and encrypt each value with that key). Because Velociraptor typically does not run in the user's context it cannot decrypt them on the live host. Offline decryption is possible only if the user's DPAPI master key can be recovered.

From a forensic point of view the pertinent information is the cookie's creation and last-access timestamps (stored as WebKit timestamps, i.e. microseconds since 1601-01-01 UTC) and the fact that the user actually visited the site and received a cookie.

Arg             Default                                               Description
cookieGlobs     \AppData\Local\Google\Chrome\User Data\*\Co …
cookieSQLQuery  SELECT creation_utc, host_key, name, value, path, …
userRegex       .

Windows.Applications.Chrome.Extensions

Fetch Chrome extensions.

Chrome extensions are installed into the user’s home directory. We search for manifest.json files in a known path within each system user’s home directory. We then parse the manifest file as JSON.

Many extensions use locale packs to resolve strings such as name and description: the manifest then holds a placeholder of the form __MSG_key__ rather than the text itself. In that case we read the manifest's default_locale, load _locales/<locale>/messages.json and resolve the extension's name and description from there.
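The manifest walk and locale resolution described above, as an added example in plain Python (this is not Velociraptor's artifact code, which is VQL). It assumes the glob layout `<User Data>/*/Extensions/<id>/<version>/manifest.json`, which is what the truncated extensionGlobs default appears to point at, and it builds a throwaway "User Data" tree with one constructed extension so it runs offline.

```python
import glob
import json
import os
import re
import tempfile

# Chrome's i18n placeholder syntax in manifest.json: "__MSG_<key>__".
MSG_RE = re.compile(r"^__MSG_(\w+)__$")

# Assumed layout relative to "User Data": profile / Extensions / id / version.
MANIFEST_GLOB = os.path.join("*", "Extensions", "*", "*", "manifest.json")


def find_manifests(user_data_dir):
    """Return every extension manifest under a Chrome 'User Data' directory
    (one per profile / extension id / installed version)."""
    return sorted(glob.glob(os.path.join(user_data_dir, MANIFEST_GLOB)))


def load_messages(ext_dir, locale):
    """Load _locales/<locale>/messages.json, or {} if the pack is missing."""
    path = os.path.join(ext_dir, "_locales", locale, "messages.json")
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def resolve(value, messages):
    """Replace a __MSG_key__ placeholder with the locale's message text.
    Message names are matched case-insensitively, as Chrome does; an
    unresolvable placeholder is returned unchanged so it stays visible."""
    if not isinstance(value, str):
        return value
    m = MSG_RE.match(value)
    if not m:
        return value
    wanted = m.group(1).lower()
    for key, entry in messages.items():
        if key.lower() == wanted and isinstance(entry, dict):
            return entry.get("message", value)
    return value


def parse_extension(manifest_path):
    """Parse one manifest.json and return the forensically useful fields."""
    ext_dir = os.path.dirname(manifest_path)
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    locale = manifest.get("default_locale")
    messages = load_messages(ext_dir, locale) if locale else {}
    return {
        "extension_id": os.path.basename(os.path.dirname(ext_dir)),
        "version_dir": os.path.basename(ext_dir),
        "name": resolve(manifest.get("name"), messages),
        "description": resolve(manifest.get("description"), messages),
        "version": manifest.get("version"),
        "manifest_version": manifest.get("manifest_version"),
        "default_locale": locale,
        "permissions": manifest.get("permissions", []),
        "host_permissions": manifest.get("host_permissions", []),
    }


def build_sample_user_data():
    """Constructed fixture: a temporary 'User Data' tree holding one extension
    whose name and description come from an English locale pack."""
    user_data = tempfile.mkdtemp(prefix="chrome-user-data-")
    ext_dir = os.path.join(user_data, "Default", "Extensions",
                           "abcdefghijklmnopabcdefghijklmnop", "1.2.3_0")
    os.makedirs(os.path.join(ext_dir, "_locales", "en"))
    manifest = {
        "manifest_version": 3,
        "name": "__MSG_appName__",
        "description": "__MSG_appDesc__",
        "version": "1.2.3",
        "default_locale": "en",
        "permissions": ["tabs", "webRequest"],
        "host_permissions": ["<all_urls>"],
    }
    messages = {
        "appname": {"message": "Sample Helper"},  # key case differs from manifest
        "appDesc": {"message": "Constructed sample extension"},
    }
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)
    with open(os.path.join(ext_dir, "_locales", "en", "messages.json"), "w",
              encoding="utf-8") as fh:
        json.dump(messages, fh)
    return user_data


if __name__ == "__main__":
    for path in find_manifests(build_sample_user_data()):
        print(json.dumps(parse_extension(path), indent=2))
```

The permissions and host_permissions fields are carried through because they, not the (attacker-controlled) name, tell you what an extension can actually do; an unresolved `__MSG_...__` is deliberately left in the output so a missing or tampered locale pack is noticeable.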

Arg             Default                                               Description
extensionGlobs  \AppData\Local\Google\Chrome\User Data\*\Ex …
userRegex       .

Windows.Applications.Chrome.History

Enumerate the user's Chrome history by querying each profile's History SQLite database.
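Both the Cookies and the History artifacts above run a SQL query over a Chrome SQLite file and return WebKit timestamps. The following added example (plain Python with sqlite3, not the artifact's VQL) shows queries of the same shape as the page's truncated urlSQLQuery and cookieSQLQuery, and the timestamp conversion a practitioner needs to read the results. The queries are my reconstruction, not the artifact's exact text; the tables are a simplified subset of Chrome's real schema, created in memory and filled with constructed rows so the script runs offline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC, not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(ts):
    """Convert a WebKit timestamp to an aware UTC datetime.
    0 means 'unset' (e.g. a urls row that was never visited)."""
    if not ts:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(ts))


# Reconstruction of the shape of the artifact's urlSQLQuery (assumption).
HISTORY_QUERY = """
SELECT url AS visited_url, title, visit_count, typed_count, last_visit_time
FROM urls
ORDER BY last_visit_time DESC
"""

# Reconstruction of the shape of the artifact's cookieSQLQuery (assumption).
COOKIE_QUERY = """
SELECT creation_utc, host_key, name, path, last_access_utc, expires_utc,
       is_secure, is_httponly, encrypted_value
FROM cookies
ORDER BY creation_utc
"""


def history_rows(conn):
    """Run the history query and return rows with decoded timestamps."""
    out = []
    for url, title, visits, typed, last in conn.execute(HISTORY_QUERY):
        out.append({
            "visited_url": url,
            "title": title,
            "visit_count": visits,
            "typed_count": typed,
            "last_visit_time": webkit_to_datetime(last),
        })
    return out


def cookie_rows(conn):
    """Run the cookie query. The value itself stays opaque: on Windows Chrome
    keeps it in encrypted_value (b'v10'-prefixed AES-GCM blobs whose key is
    DPAPI-wrapped in Local State on current builds, raw DPAPI blobs on old
    ones), so a collector outside the user's context can only report that
    a value exists and when the cookie was created and last used."""
    out = []
    for created, host, name, path, accessed, expires, secure, httponly, enc \
            in conn.execute(COOKIE_QUERY):
        out.append({
            "host_key": host,
            "name": name,
            "path": path,
            "created": webkit_to_datetime(created),
            "last_access": webkit_to_datetime(accessed),
            "expires": webkit_to_datetime(expires),
            "is_secure": bool(secure),
            "is_httponly": bool(httponly),
            "value_encrypted": bool(enc),
        })
    return out


def build_sample_dbs():
    """Constructed test data: a subset of Chrome's urls and cookies schemas."""
    hist = sqlite3.connect(":memory:")
    hist.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER NOT NULL DEFAULT 0,
            typed_count INTEGER NOT NULL DEFAULT 0,
            last_visit_time INTEGER NOT NULL,
            hidden INTEGER NOT NULL DEFAULT 0);
    """)
    hist.executemany(
        "INSERT INTO urls(url, title, visit_count, typed_count, last_visit_time)"
        " VALUES (?,?,?,?,?)", [
            ("https://example.com/login", "Login", 3, 1, 13349793600000000),  # 2024-01-15 12:00:00 UTC
            ("https://example.org/", "Example", 1, 0, 13349793660000000),    # one minute later
            ("https://never.example/", "", 0, 0, 0),                         # never visited
        ])
    cookies = sqlite3.connect(":memory:")
    cookies.executescript("""
        CREATE TABLE cookies(creation_utc INTEGER NOT NULL, host_key TEXT NOT NULL,
            name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL,
            expires_utc INTEGER NOT NULL, is_secure INTEGER NOT NULL,
            is_httponly INTEGER NOT NULL, last_access_utc INTEGER NOT NULL,
            encrypted_value BLOB DEFAULT '');
    """)
    cookies.execute(
        "INSERT INTO cookies VALUES (?,?,?,?,?,?,?,?,?,?)",
        (13349793600000000, ".example.com", "session", "", "/",
         13349793600000000 + 86400 * 10**6, 1, 1, 13349793660000000,
         b"v10" + b"\x00" * 16))  # constructed stand-in for an encrypted value
    return hist, cookies


if __name__ == "__main__":
    hist, cookies = build_sample_dbs()
    for row in history_rows(hist):
        print(row)
    for row in cookie_rows(cookies):
        print(row)
```

On a live host Chrome holds these files open with a lock, so work on a copy (or on a raw-device read) rather than the original path. The timestamp helper is the piece most often got wrong: treating last_visit_time or creation_utc as Unix seconds or milliseconds yields dates centuries off.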

Arg           Default                                               Description
historyGlobs  \AppData\Local\Google\Chrome\User Data\*\Hi …
urlSQLQuery   SELECT url as visited_url, title, visit_count,\n …
userRegex     .

Windows.Applications.OfficeMacros

Office macros are a favourite initial infection vector. Many users click through the warning dialogs.

This artifact scans the given directory glob for common Office file types and tries to extract any embedded macros by parsing the OLE file structure.

If a macro calls an external program (e.g. PowerShell), treat it as highly suspicious. Note that the default officeExtensions value includes .docx, which cannot carry VBA, but not .docm, the macro-enabled Word format; add it to the glob if you want those files covered.
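A triage pass over extracted macro text, as an added example that is not part of the artifact (the artifact extracts the VBA; it does not score it, and this code does not parse OLE containers itself). It takes VBA source as a string, joins line continuations and strips comments so a split or commented-out decoy does not fool it, then flags auto-execution entry points and calls out to the operating system, the combination the text above singles out. Both macros below are constructed samples; the rule names are my own.

```python
import re

# Procedures Office runs on its own once macros are enabled (no click needed).
AUTO_EXEC = re.compile(
    r"\b(Sub|Function)\s+(Auto_?Open|AutoExec|Document_Open|Workbook_Open|"
    r"Auto_?Close|Document_Close|Workbook_BeforeClose)\b", re.I)

# Ways a macro reaches out of the document into the operating system.
# The Shell rule excludes "WScript.Shell"/"PowerShell" via the lookbehind.
EXTERNAL_RULES = [
    ("shell_call", re.compile(r'(?<![.\w])Shell\s*[("]', re.I)),
    ("wscript_shell", re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I)),
    ("shell_application", re.compile(r'CreateObject\s*\(\s*"Shell\.Application"', re.I)),
    ("powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("encoded_command", re.compile(r"-(enc|encodedcommand|ec)\b", re.I)),
    ("cmd", re.compile(r"\bcmd(\.exe)?\s+/[ck]\b", re.I)),
    ("http_client", re.compile(r"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile", re.I)),
    ("win32_api", re.compile(r"\bDeclare\s+(PtrSafe\s+)?(Function|Sub)\b", re.I)),
]

# Cheap obfuscation markers: strings rebuilt from character codes or hex.
OBFUSCATION = re.compile(r"\bChrW?\s*\(\s*\d+\s*\)|&H[0-9A-F]{2}\b", re.I)


def normalize(src):
    """Join VBA line continuations (' _' at end of line) and drop comments so a
    call split across lines is seen and a comment cannot plant a decoy."""
    joined = re.sub(r"\s+_\r?\n\s*", " ", src)
    out = []
    for line in joined.splitlines():
        in_str, kept = False, []
        for ch in line:
            if ch == '"':
                in_str = not in_str  # VBA doubles quotes inside strings; toggling twice is fine
            elif ch == "'" and not in_str:
                break  # rest of the line is a comment
            kept.append(ch)
        text = "".join(kept)
        if re.match(r"\s*Rem\b", text, re.I):
            continue
        out.append(text)
    return "\n".join(out)


def triage(vba_source):
    """Score one macro module and return what fired plus a coarse verdict."""
    src = normalize(vba_source)
    auto = sorted({m.group(2) for m in AUTO_EXEC.finditer(src)})
    external = [name for name, rx in EXTERNAL_RULES if rx.search(src)]
    obf = len(OBFUSCATION.findall(src))
    if auto and external:
        verdict = "suspicious"  # runs by itself and reaches into the OS
    elif external or obf >= 5:
        verdict = "review"
    else:
        verdict = "benign"
    return {"auto_exec": auto, "external": external,
            "obfuscation_hits": obf, "verdict": verdict}


# Constructed sample: auto-run entry point, WScript.Shell, encoded PowerShell
# ("QQBCAEMA" is just "ABC" in UTF-16LE base64), with a decoy in a comment.
SUSPICIOUS_MACRO = '''\
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    ' decoy comment: Shell("nothing") is never executed here
    sh.Run "powershell -nop -w hidden -enc " & _
           "QQBCAEMA", 0, False
End Sub
'''

# Constructed sample: ordinary spreadsheet formatting, nothing external.
BENIGN_MACRO = '''\
Sub FormatReport()
    Range("A1").Font.Bold = True
    ActiveSheet.Name = "Summary"
End Sub
'''

if __name__ == "__main__":
    for label, macro in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage(macro))
```

The rules are intentionally narrow string matches, so expect misses against heavily obfuscated macros; the point is to rank the artifact's output so an analyst looks at the auto-executing, OS-touching modules first, and an encoded PowerShell command should always be decoded before a verdict is final.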

Arg                   Default                          Description
officeExtensions      *.{xls,xlsm,doc,docx,ppt,pptm}
officeFileSearchGlob  C:\Users\**\                     The directory to search for office documents.