home.social

#artifactsofautumn — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #artifactsofautumn, aggregated by home.social.

  1. @velocidex Thanks, and agreed! I'm planning on getting the posts into a central location soon. Right now, folks can find them via the #ArtifactsOfAutumn tag.

  2. 🦖Day 92 (THE LAST DAY!) of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange\.Windows.EventLogs.WonkaVision

    Link: docs.velociraptor.app/exchange

    ----

    WonkaVision is a proof of concept (POC) tool to analyze Kerberos tickets and attempt to determine if they are forged (ex. #GoldenTicket), created by @exploitph and @4ndr3w6S.

    github.com/0xe7/WonkaVision

    Presentation:
    github.com/0xe7/Talks/blob/mai

    ----

    This artifact can run WonkaVision, then collect its generated Windows event logs. From the event logs, we can detect potentially forged Kerberos tickets.

    ----

    This concludes the #ArtifactsOfAutumn. Hope you enjoyed it, and thanks for all of the support!

    #DFIR
    #Forensics
    #GoldenTicket
    #infosec
    #ThreatHunting
    #WonkaVision

  3. 🦖Day 91 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.IRIS.Sync.Asset

    Author: @StephMikiss

    Link: docs.velociraptor.app/exchange

    ----

    This artifact synchronizes clients from Velociraptor to DFIR-IRIS (dfir-iris.org/). It will parse available information of clients such as network interfaces, IP addresses, asset type and applied labels.

    ----

    For those unfamiliar with DFIR-IRIS (@dfir_iris), it is a free, open source incident response platform that includes a host of useful and innovative features even many commercial platforms don't possess. Check it out here using the link below!

    dfir-iris.org/

    ----

    Once a client has been added to DFIR-IRIS, the asset ID from DFIR-IRIS will be added as client metadata and ‘IRIS’ will be added as label.

    If a client already possesses an asset ID, it will be updated; in general, labels and the compromised status will by synchronized.

    ----

    This artifact is very powerful due to the fact that we can quickly add clients to DFIR-IRIS from Velociraptor with very little effort.

    This means that we can spend less time on managerial tasks, and more time on investigating and remediating the hosts we deem compromised.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #IRIS
    #ThreatHunting

  4. 🦖Day 90 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.MacOS.UnifiedLogHunter

    Link:
    docs.velociraptor.app/exchange

    ----

    With macOS 10.12 (Sierra) came a new way to log system events in a more centralized, unified fashion -- Unified Logs.

    Read more here:

    devstreaming-cdn.apple.com/vid

    These logs can be of great importance to investigators searching for artifacts of adversary activity.

    ----

    @crowdstrike , @Mandiant, and others have done a great job covering the usefulness and technical details surrounding the Unified Logging system.

    crowdstrike.com/blog/how-to-le

    mandiant.com/resources/blog/re

    ----

    This artifact is a wrapper around the 'log' command, allowing defenders to easily review events from the logs from the many subsystems of the Unified Logging infrastructure.

    It provides the ability to search using a custom or pre-defined filter, and is great for live hunting.

    ----

    If you are looking to collect only raw files and parse them later, or for a third party tool to process the data, check out the Exchange.MacOS.UnifiedLogParser artifact.

    docs.velociraptor.app/exchange

    ----

    This information provided by this artifact includes:

    - Event time/message/type
    - Message type
    - Category
    - Subsystem
    - PID
    - Process image Path/UUID
    - Sender image Path/UUID
    - Sender program counter
    - Activity ID
    - Parent activity ID

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #macOS
    #ThreatHunting
    #UnifiedLogs

  5. @r34p3r @velocidex @mgreen27 @svch0st This is the 89th entry in the series 😀​. All of the entries should be accessible using the #ArtifactsOfAutumn tag (here, and previously on Twitter). I plan on compiling them into a single resource at some point after the end of the series.

  6. 🦖Day 89 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.Server.Import.DetectRaptor

    Author: @mgreen27, with content references to @svch0st and #Sigma.

    Link: docs.velociraptor.app/exchange

    ----

    DetectRaptor is a collection of publicly available Velociraptor detection content. Most content is managed by a series of CSV files and artifacts are automatically updated.

    github.com/mgreen27/DetectRapt

    This artifact will import the latest DetectRaptor bundle into the current server.

    ----

    DetectRaptor currently includes the following artifacts:

    Windows.Detection.Applications Windows.Detection.BinaryRename
    Windows.Detection.Evtx
    Windows.Detection.MFT
    Windows.Detection.NamedPipes
    Windows.Detection.Webhistory
    Windows.Detection.ZoneIdentifier
    Server.StartHunts

    ----

    Most of these artifacts contain content in CSV files that provide for bulk detection capability.

    The CSVs can be updated as needed to add new detections.

    The artifacts are generated from a VQL template, and the associated CSV via their own Python script.

    ----

    The Server.StartHunts artifact is useful for kicking off hunts for the artifacts within the DetectRaptor hundle.

    We can leverage the DetectRaptor bundle in a hunt or single client collection to cast a wide net, then review detection hits for items of interest.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #ThreatHunting

  7. 🦖Day 88 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.Linux.System.BashLogout

    Link: docs.velociraptor.app/exchange

    ----

    This artifact captures information from about Bash logout files for examination of abnormal activity.

    Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state.

    ----

    An adversary could leverage this capability to cover their tracks by clearing logs, deleting files, etc.

    Once example of this is running the following commands at logout to clear the user's Bash history:

    'history -c'
    'cat /dev/null > ~/.bash_history'

    attack.mitre.org/techniques/T1

    ----

    This artifact also includes a content filter ('ContentFilter') to allow for searching for various content within the file.

    Additionally, in-scope Bash logout files can be uploaded to the Velociraptor server by checking the box for the 'UploadFiles' option.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #Linux
    #T1070.003
    #ThreatHunting

  8. 🦖Day 87 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.Server.Enrichment.OpenAI

    Link: docs.velociraptor.app/exchange

    ----

    Have you been enamored with all of the talk of #ChatGPT and #OpenAI, and how it could potentially assist defenders during detection engineering, incident response, or threat hunting?

    Now you can experiment with integration of this functionality into Velociraptor!

    ----

    This artifact allows for enrichment of results by querying the OpenAI API.

    It leverages the 'text-davinci-003' language model by default, although the model is configurable.

    The maximum number of tokens is also configurable, which can affect the response provided by OpenAI.

    ----

    The intention of this artifact is to enrich results from other artifacts, although, it can be used on its own as well.

    In one example, we ask if a command line value ('nc -l 1337') is suspicious. 🔍

    In another example, we ask about the best features of Velociraptor🦖😃

    ----

    NOTE: You may want to be careful providing sensitive information to OpenAI. However, this artifact can still be used to experiment with potential analysis and investigation improvements. With great power comes great responsibility! 🕷️🕸️

    READ:
    help.openai.com/en/articles/57

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #ChatGPT
    #DFIR
    #Forensics
    #Infosec
    #OpenAI
    #ThreatHunting

  9. 🦖Day 86 of the
    @velocidex
    #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows.Memory.Acquisition

    Link: docs.velociraptor.app/artifact

    ----

    This artifact leverages Winpmem to acquire a full memory image of the endpoint.

    While it is ideal to process and filter data as quickly as possible on the endpoint, in certain instances it may still be beneficial or necessary to obtain a copy of the endpoint's physical memory.

    ----

    This artifact could also be used in conjunction with the offline collector to obtain a memory image with a triage binary as opposed to requiring a client to be connected to the Velociraptor server.

    The image could then be processed with your favorite memory analysis framework.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #MemoryForensics

  10. 🦖Day 85 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.MacOS.Applications.Notes

    Link: docs.velociraptor.app/exchange

    ----

    This artifact provides details about notes taken using the default Notes application on macOS.

    These notes can be useful during an investigation, especially if tied to interesting files.

    Deleted notes and attachments can also be recovered in some instances.

    ----

    The information provided by this artifact includes:

    - User that created the note
    - Note ID/title/text
    - Note creation time
    - Note modification time
    - Note last opened time
    - Note folder ID/location
    - Attachment name/size/UUID

    Attachments can also be uploaded, if desired.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    If you want to learn more about the macOS Notes database, check out Yogesh Khatri's blog article using the link below!

    swiftforensics.com/2018/02/rea

    #DFIR
    #Forensics
    #Infosec
    #macOS
    #ThreatHunting

  11. 🦖Day 84 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows.NTFS.ADSHunter

    Author: @mgreen27

    Link:
    docs.velociraptor.app/artifact

    ----

    Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.

    Within MFT entries are file attributes, such as Extended Attributes (EA) and Alternate Data Streams or (ADSs) when more than one Data attribute is present. The stream can be used to store arbitrary data (and even complete files).

    Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.

    attack.mitre.org/techniques/T1

    ----

    BitPaymer, a ransomware variant, has been known to leverage ADSs by copying itself to an ADS called ':bin', then creating a process from the stream.

    attack.mitre.org/software/S057

    crowdstrike.com/blog/big-game-

    ----

    This artifact hunts for alternate data streams using a variety of options for targeting, including:

    - Directory
    - ADS name (inclusion or exclusion)
    - ADS Content
    - Minimum content size
    - Maximum content size

    Once found, a stream can also be uploaded to the Velociraptor server.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    If you would like to experiment with ADSs for yourself, check out the link to the associated Atomic Red Team tests below!

    atomicredteam.io/defense-evasi

    #DFIR
    #Forensics
    #Infosec
    #T1564.004
    #ThreatHunting
    #Windows

  12. 🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Server.Utils.BackupGCS/S3

    Link:
    docs.velociraptor.app/artifact

    docs.velociraptor.app/artifact

    ----

    These artifacts are server monitoring artifacts that will watch for flow completions, then zip and send the results to Google Cloud, or an S3 bucket, using the 'upload_gcs()' and 'upload_s3()' functions.

    docs.velociraptor.app/vql_refe

    docs.velociraptor.app/vql_refe

    ----

    Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.

    @eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting about using these artifacts with Timesketch to generate a timeline of events.

    If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!

    sans.org/presentations/breache

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #Plaso
    #ThreatHunting
    #Timesketch

  13. 🦖Day 82 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.Linux.Forensics.RecentlyUsed

    Author: @rxurien

    Link: docs.velociraptor.app/exchange

    ----

    For GNOME-based desktop environments, the '.local/share/recently-used.xbel' file located under each user's home directory can provide valuable information during an investigation, such as a list of recent files accessed by applications, as well as a source of download history.

    ----

    This artifact uses the parse_xml() function to parse the XML-based 'recently-used.xbel' file.

    docs.velociraptor.app/vql_refe

    ----

    This information provided by this artifact includes:

    - Associated user
    - File that was referenced by the application
    - Time added, modified, and last visited
    - MIME Type
    - Application name and CLI arguments/parameters
    - Relevant 'recently-used.xbel' file

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    If you would like to learn more about this technique and others, check out the links below!

    #DFIR
    #Forensics
    #Infosec
    #Linux
    #ThreatHunting

  14. 🦖Day 81 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows\.Persistence\.PowershellRegistry

    Link: docs.velociraptor.app/artifact

    ----

    A common way of persistence is to install a hook into a user profile registry hive, using PowerShell. When the user logs in, the PowerShell script downloads a payload and executes it.

    attack.mitre.org/techniques/T1
    attack.mitre.org/techniques/T1

    ----

    This artifact searches user registry hives for signatures related to general Powershell execution.

    A YARA signature is used to target the user’s profile, which is extracted using raw NTFS parsing, in case the user is currently logged on and the registry hive is locked.

    ----

    Once detected, a row is returned and the registry hive is uploaded to the Velociraptor server.

    In the provided images, we can see an example using mshta\.exe to execute code.

    redcanary.com/threat-detection

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    If you would like to learn more about this technique and others, check out the link below, as well as it's references!

    docs.velociraptor.app/blog/htm

    #DFIR
    #Forensics
    #Infosec
    #PowerShell
    #ThreatHunting
    #Windows

  15. 🦖Day 80 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: MacOS.Network\.DHCP

    Link: docs.velociraptor.app/exchange

    ----

    It can be useful to view DHCP lease information on an endpoint.

    If the lease length, DHCP server IP address, SSID, or other configuration details are not as expected, it could potentially indicate a rogue DHCP server on the network, or just misconfiguration.

    Either way, the information provided by this artifact can be used to help defenders find unexpected DHCP lease configuration, or associate a device and interface to an IP address.

    ----

    The information provided by this artifact includes:

    - Which interfaces are using a DHCP lease
    - Last modified time of the interface lease file
    - Full path to the lease file
    - DHCP server address
    - SSID
    - Assigned IP address
    - Lease length
    - Least start date

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    If you would like to learn DHCP-based attacks, such as DHCP spoofing, check out the MITRE ATT&CK article using the link below!
    attack.mitre.org/techniques/T1

    #DFIR
    #Forensics
    #Infosec
    #macOS
    #ThreatHunting

  16. 🦖Day 79 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Server.Utils.\ImportCollection

    Link: docs.velociraptor.app/artifact

    ----

    Velociraptor's offline collector feature is an excellent capability to have when dropping into client environments with little to no previous infrastructure, or when triaging systems that are not easily or immediately connected to a corporate network.

    docs.velociraptor.app/blog/202

    ----

    Users can leverage the offline collector wizard (that leverages the Server.Utils\.CreateCollector artifact) to quickly create a base collector binary, packed with all of the necessary artifacts and tools for their standard host triage.

    From there, defenders simply run the binary and an encrypted ZIP file containing the collection results is created.

    Until recently, this ZIP file could be encrypted using a password, but this was not ideal, as the password had to be embedded inside the collector configuration.

    This meant that anyone with access to the collector binary could see the password. There have recently been great improvements to the collector, to include PKI. An X.509 certificate (the Velociraptor server's by default), or a public key can now be used to encrypt the ZIP file.

    ----

    What this means is that only the server can un-encrypt the ZIP file, and we can now import encrypted collections automatically, without the need for specifying any password.

    Simply point to the encrypted collection ZIP file from the Server.Utils.ImportCollection artifact!

    Once imported, we can review the results within the GUI, just like a typical collection.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    If you would like to learn more about the improvements to the offline collections, check out the link below!
    docs.velociraptor.app/blog/202

    #DFIR
    #Forensics
    #Infosec
    #ThreatHunting

  17. 🦖Day 78 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows.System\.PSReadline

    Author: @mgreen27

    Link: docs.velociraptor.app/artifact

    ----

    Adversaries may abuse PowerShell commands and scripts for execution.

    In fact, PowerShell is commonly used by attackers across all stages of the attack lifecycle.

    They can use PowerShell to perform a number of actions, including discovery of information and execution of code.

    ----

    This artifact will search and extract lines from PSReadline history file.

    The PSReadline module is responsible for command history and from Powershell 5 on Windows 10 default configuration saves a copy of the console history to disk.

    ----

    The following parameters are available for use with this artifact:

    'SearchStrings' - regex search over a PSReadline line

    'StringWhiteList' - regex whitelist for results

    'UserRegex' - regex search on username

    'UploadFiles' - upload in-scope ConsoleHost_history.txt files

    ----

    Here (image), we can see multiple attempts to download and execute a .ps1 file using 'Net.WebClient' through PowerShell.

    Our view into the source of 'Default_File_Path\.ps1' and what it does is somewhat hindered, but we can see that the bit.\ly URL contains the text 'L3g1tCrad1e'.

    ----

    If we were to look at what originally happened during the PowerShell session, we would see that in each instance, the Default_File_Path.ps1 file was downloaded and executed 👀

    ----

    These commands were not necessarily malicious, but used for illustrative purposes. If you would like to test these commands for yourself, check out the Atomic Red Team test using the link below!

    github.com/redcanaryco/atomic-

    ----

    Overall, this artifact includes the following information about the PowerShell console history file:

    - Last modified time and other timestamps
    - Line number
    - Line (commands that were run)
    - User
    - Path to the PowerShell console history file

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the MITRE ATT&CK page for 'Command and Scripting Interpreter: PowerShell' below!
    attack.mitre.org/techniques/T1

    #DFIR
    #Forensics
    #Infosec
    #Windows
    #T1509.001
    #ThreatHunting

  18. 🦖Day 77 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.Linux.System\.PAM

    Link: docs.velociraptor.app/exchange

    ----

    Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts.

    PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services.

    ----

    Malicious modifications to PAM may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.

    ----

    This artifact uses the parse_lines() plugin to parse within the '/etc/pam.d/' directory so that investigators can quickly filter and review the results for relevant or suspicious entries. The 'RecordFilter' parameter can be used to look for specific patterns or strings.

    ----

    Here (results image), we can see an entry in '/etc/pam.d/common-auth' that executes a script called 'toomanysecrets\.sh' upon user login👀. Aside from that, the is also an entry in '/etc/pam.d/su-l' for 'pam_succeed_if' that appears to allow any user escalate to root without the password🥴!

    ----

    For example, executing the command 'su -l root' as 'pbeesly' allows for root access without prompting for a password.

    ----
    If we look at the contents of 'toomanysecrets\.sh', it appears to write to a log file called '/var/log/toomanysecrets.log'.

    If we look at the content of the log file, we see...usernames...and...passwords! 😵‍💫

    ----

    Based on what we've found, we can see how useful it can be to have the ability to search the PAM configuration for anomalies, especially across many hosts.

    Overall, we can quickly glean the following information from this artifact:

    - Last modified time
    - File path
    - Configuration item

    ----

    If you would like to simulate this activity yourself, try out the Atomic Red Team test below!
    github.com/redcanaryco/atomic-

    If you would like to learn more about how PAM can be abused to gather usernames and passwords at login, check out the following link!
    book.hacktricks.xyz/linux-hard

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the MITRE ATT&CK page for 'Modify Authentication Process: Pluggable Authentication Modules' below!
    attack.mitre.org/techniques/T1

    #DFIR
    #Forensics
    #Infosec
    #Linux
    #T1556.003
    #ThreatHunting

  19. 🦖Day 76 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Server.Utils\.SaveFavoriteFlow

    Link: docs.velociraptor.app/artifact

    ----

    Did you know you can save your favorite Velociraptor collections?

    It may take a bit of effort to setup and configure an ideal combination of parameters and artifacts within a collection.

    This artifact allows the user to save a collection to a 'Favorites' section, for later use.

    ----

    This artifact is typically called by clicking the icon from the "collected" page for a client.

    However, this artifact could also be called via the Velociraptor API, or another artifact.

    ----

    Once the 'Save Collection' button/icon has been clicked, a prompt will appear in which users can enter details about the collection.

    ----

    Once saved, the collection can be selected for use.

    Simply click the💙icon in the upper right-hand corner of the collection UI to select your favorite collection.

    ----

    After clicking the desired collection, the associated artifacts will be displayed, and the collection can be launched.

    ----

    If you decide you would like to delete a saved collection, you can do so by clicking the trash can icon when a saved collection is selected.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #ThreatHunting

  20. 🦖Day 75 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange.MacOS.Applications\.SavedState

    Link: docs.velociraptor.app/exchange

    ----

    On macOS, certain application state is stored in '/Users/*/Library/Saved Application State/'.

    We can check these files to determine the last time an application was opened, the title of the application window, and when the app/window was later restored (login/reboot).

    ----

    In general, the following has been observed with regard to saved state files:

    - The ‘SavedState’ files are created when the application is started.

    - SavedState directory - Btime - Last time the application was opened by the user.

    - SavedState directory - ModTime - When the application state was last restored (such as after login/reboot).

    - .data files - the actual data within the app, such as the scrollback for a Terminal window. The data within can be an (AES-128-CBC) encrypted blob. This data can be decrypted using the appropriate NSDataKey value found in windows.plist.

    - windows.plist – contains the name of application windows (NSTitle), and data like:
    - NSDataKey - Enc key
    - NSDockMenu\.name – names respective to the user’s dock/etc.
    - NSWindowID – can used to link the NSDataKey to the PersistentUIRecord value in the .data file(s).

    ----

    The information provided by this artifact includes:

    - Birth time and modification time of each file
    - File name and path
    - Dock menu name (where applicable)
    - Window title (where applicable)
    - Window details (other data, such as enc key and reference to .data file)

    ----

    There's a bit to unpack there, but the articles in the links below should provide more of a walkthrough around Saved Application State in macOS.

    Thanks, @crowdstrike and @twsecblog !

    crowdstrike.com/blog/reconstru

    sans.org/blog/osx-lion-user-in

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #macOS
    #ThreatHunting

  21. 🦖Day 74 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows[.]Persistence[.]PowershellProfile

    Author: @mgreen27

    Link: docs.velociraptor.app/artifact

    ----

    PowerShell supports several profiles depending on the user or host program. Adversaries may create or modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence.

    ----

    When a backdoored PowerShell session is opened, the modified script will be executed unless the '-NoProfile' flag is used upon launch.

    An adversary may also be able to escalate privileges if a script in a PS profile is loaded and executed by an account with higher privileges, for example, a domain administrator.

    ----

    In the past, Turla has used PowerShell profiles to maintain persistence on an infected machine.

    attack.mitre.org/groups/G0010
    welivesecurity.com/2019/05/29/

    ----

    This artifact will search and parse PowerShell profile scripts.

    By default, both user and system-wide profiles will be searched. The user can also use regex to target and exclude specific content.

    ----

    Here (image), we can see that the PowerShell profile for the user 'wlambert' specifies that 'Start-Process' should call 'C:\User\Downloads\wlambert\malz.exe'. Again, this would be called every time a PowerShell session is initiated. 👀

    ----

    In this instance, 'malz.exe' is simply a copy of good 'ol calc.exe 😀

    ----

    This profile modification was simulated by running the following commands from a PS session:

    - 'Add-Content $profile -Value ""'
    - 'Add-Content $profile -value "Start-Process C:\Users\wlambert\Downloads\malz.exe"'

    The profile content can be checked with 'Get-Content $profile'.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the links below for more information about Powershell Profiles!

    Atomic Red Team Test:
    atomicredteam.io/persistence/T

    MITRE ATT&CK Reference:
    attack.mitre.org/techniques/T1

    #DFIR
    #Forensics
    #Infosec
    #Persistence
    #Windows
    #T1546
    #T1546.013
    #ThreatHunting

  22. 🦖Day 73 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange[.]MacOS[.]System[.]MountedDiskImages

    Link: docs.velociraptor.app/exchange

    ----

    This artifact enumerates mounted disk images on a macOS endpoint. This can be useful to for determining interaction with a downloaded .dmg file.

    Although, the mounting of the file may not necessarily render malicious outcomes to the end user, it does represent a possibility, and further confirms interaction during cases where infection seem likely, or has been confirmed.

    ----

    At any rate, this artifact lets us easily see what disk images are mounted across a fleet of many hosts at once, and provides supplementary data that can be useful for investigation.

    ----
    The information provided by this artifact includes:

    - Image Path
    - Mount point
    - Image size
    - If image is encrypted
    - If image is removable
    - If image is writeable

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #MacOS
    #ThreatHunting

  23. 🦖Day 72 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange[.]Linux[.]Sys[.]APTHistory

    Link: docs.velociraptor.app/exchange

    ----

    APT (Advanced Package Tool) maintains a log of software installation/removal/upgrades, as well as associated command-line invocations.

    This artifact parses the APT history.log, as well as archived history logs to provide this information.

    ----

    The 'parse_records_with_regex()' plugin and the 'parse_string_with_regex()' function are used to extract relevant log events from the history file(s).

    docs.velociraptor.app/vql_refe

    docs.velociraptor.app/vql_refe

    ----

    An adversary could install software for discovery or persistence purposes.

    Alternatively, they could remove software for destructive, deterrent, or visibility purposes.

    Instead of just listing the installed software, we have more information to provide to an incident responder.

    ----

    Here we can see that 'gdb' was installed by the user 'wlambert'. We can also see that after installation, it was removed.

    Aside from user-level events, system-level events such as unattended upgrades are also logged.

    ----

    The information provided by this artifact includes:

    - OSPath (History file path)
    - Event start date
    - Event end date
    - Command and arguments
    - User ('requested by', where applicable)
    - Install/Remove/Upgrade information

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #Linux
    #ThreatHunting

  24. 🦖Day 71 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Server[.]Monitoring[.]ScheduleHunt

    Link: docs.velociraptor.app/artifact

    ----

    We may want to run the same hunt at a set interval, such as once a week, at a particular time.

    This artifact is a great example of how we can leverage the hunt() function and scheduling through usage of the clock() plugin to accomplish this objective.

    ----

    By default, this artifact runs continuously as a server event artifact, performing a client interrogation at the defined interval, however, this artifact can be copied and modified to hunt for other artifacts.

    For example, if we wanted to hunt across many systems for untrusted binaries, we could modify the Server[.]Monitoring[.]ScheduleHunt artifact to call the Windows[.]System[.]UntrustedBinaries artifact.

    ----

    Next, we can specify when we want this hunt to run.

    In this case, we want it to run at 3:25 (UTC) every Wednesday.

    Finally, we can begin reviewing the results of the hunt once it is scheduled and clients enroll in the hunt. 👀

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #Infosec
    #DFIR
    #ThreatHunting

  25. 🦖Day 70 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows[.]System[.]UntrustedBinaries

    Link: docs.velociraptor.app/artifact

    ----

    There are many binaries and services that make up the majority of the default Windows operating system and provide key services.

    Malware may attempt to leverage the names of these binaries/services in order to hide itself in plain sight.

    attack.mitre.org/techniques/T1

    ----

    Malware might name itself svchost.exe so it shows up in the process listing as a benign service, for example.

    This artifact checks that the common system binaries are signed.

    ----

    If malware attempts to masquerade one of these processes, it could be easily spotted, since it would not contain proper signing information.

    Alternatively, it's important to note that Microsoft does not sign all of its common binaries.

    For example, 'conhost.exe' not signed.

    ----

    Regardless, this is a valuable artifact that can quickly identify untrusted software. It also accepts a process regex parameter to suit your own needs.

    Here, svchost.exe was found to be untrusted, and running out of 'C:\Windows\Temp\', as opposed to 'C:\Windows\system32\'.

    ----

    The following command was run for simulation purposes:

    './svchost.exe gui --datastore signed-testing'

    This command/test used an unsigned Velociraptor binary to mimic an untrusted svchost.exe process.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Forensics
    #Infosec
    #ThreatHunting
    #Windows

  26. 🦖Day 69 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage

    Link: docs.velociraptor.app/exchange

    ----

    If an unknown application, or an application that doesn't typically communicate over the network at all suddenly shows signs of large amount of inbound our outbound traffic, it can be considered suspicious.

    Similarly, deviations from normal patterns of communication from typical network-connected programs can also be considered suspicious.

    ----

    Either way, we can get an idea of the network traffic to which an application is associated with by gathering the details from the 'netusage.sqlite' database from a macOS host.

    In recent version of macOS, this database is located in '/private/var/networkd/db/'.

    ----

    This artifact uses Velociraptor's 'sqlite()' plugin to query the 'netusage.sqlite' database.

    docs.velociraptor.app/vql_refe

    This particular query will gather information from the 'ZLIVEUSAGE' and 'ZPROCESS' table, and is derived from the mac4n6 APOLLO project:

    github.com/mac4n6/APOLLO/blob/

    ----

    Details provided by this artifact include:

    - Timestamp
    - First timestamp
    - Live usage timestamp
    - Bundle ID
    - Process name
    - WIFI inbound traffic
    - WIFI outbound traffic
    - Wired inbound traffic
    - Wired outbound traffic
    - Live usage table ID

    ----

    Also, check out the link below to learn more about the 'netusage.sqlite' database!

    mac4n6.com/blog/2019/1/6/netwo

    #DFIR
    #Infosec
    #macOS
    #opensource
    #security
    #ThreatHunting

  27. 🦖Day 68 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Linux[.]Sys[.]JournalCtl

    Link: docs.velociraptor.app/exchange

    ----

    This artifact parses the output of the 'journalctl' command. It is used to view systemd logs on a Linux host.

    These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.

    ----

    Information provided by this artifact includes:

    - Timestamp
    - Message
    - Boot ID
    - Machine ID (h)
    - Cursor
    - Syslog facility/priority (h)
    - Monotonic timestamp (h)
    - Transport (h)

    *h -> column is hidden from the output by default, and can be viewed with the column selector.

    ----

    This artifact could be improved to leverage journalctl's native filtering mechanisms to increase performance, as well as potentially parsing the 'systemd.journal' file directly.

    Until then, filtering can be accomplished with Velociraptor's built-in features.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    #DFIR
    #Linux
    #ThreatHunting

  28. 🦖Day 67 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows[.]Forensics[.]RecycleBin

    Author: @svch0st

    Link: docs.velociraptor.app/artifact

    ----

    This artifact parses the $I files found in the Windows Recycle Bin folder ($Recycle.Bin, as of Windows Vista) to obtain the time of deletion and the original path and file name.

    This folder contains:
    - $I files ("Recycled" file metadata)
    - $R files (the original data)

    ----

    The contents of the Recycle Bin directory are organized by SID ('C:\$Recycle.Bin\%SID%\').

    It's important to note that this artifact uses the API to read available $I data. There may be additional unallocated but readable $I files referenced in the MFT that may be recoverable.

    ----

    We can optionally upload recovered files using the 'AlsoUpload' parameter when creating a collection for this artifact.

    ----

    This artifact provides the following information:

    - Time when file was deleted
    - Name
    - Original file path
    - File size
    - Full path/$I path
    - Recycle path/$R path
    - Upload details

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the links below for more information about the Recycle Bin in Windows!

    forensicswiki.xyz/wiki/index.p
    magnetforensics.com/blog/artif

    #DFIR
    #Infosec
    #ThreatHunting

  29. 🦖Day 66 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Server[.]Orgs[.]NewOrg

    Link: docs.velociraptor.app/artifact

    ----

    With support for multi-tenancy added to Velociraptor in version 0.6.6, we can now manage multiple organizations within a single Velociraptor deployment.

    ----

    This artifact creates a new organization in a deployment. Upon doing so, the 'OrgId' is used to track information about the new organization.

    The current user will be the administrator for this organization.

    ----

    We can switch organizations, by navigating to 'User Settings', then clicking the name of the appropriate organization.

    ----

    To list all created organizations, we can leverage the 'Server[.]Orgs[.]ListOrgs' artifact.

    This artifact will list all of the organizations within the deployment, and provides an option to download client configuration files.

    ----

    After creating a new organization and obtaining the client configuration files, we can proceed to add new users to the organization, as well as deploy clients.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the blog article/link below to learn more about the multi-tenancy feature in Velociraptor!
    docs.velociraptor.app/blog/202

    #DFIR
    #Infosec
    #ThreatHunting

  30. 🦖Day 65 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: MacOS[.]Applications[.]KnowledgeC

    Link: docs.velociraptor.app/exchange

    ----

    This artifact parses the KnowledgeC database on macOS endpoints.

    The KnowledgeC database can include information such as the following for macOS endpoints:

    - Application Usage
    - Application Activities
    - Safari Browser History
    - Device Power Status

    ----

    The knowledgeC.db can exist as a SQLite database in the following directories:

    - '/private/var/db/CoreDuet/KnowledgeC/'
    - '$UserHome/Library/Application Support/Knowledge/'.

    ----

    The information provided by this artifact includes:

    - Timestamp
    - GMT offset
    - Day of week
    - Start of activity
    - End of activity
    - Usage (in seconds)
    - Stream name/value
    - Activity type/value
    - Expiration date

    This is all great information to have during an investigation.

    ----

    This artifact currently provides a limited set of information, but further analysis of the KnowledgeC DB columns/tables could improve the context made available from the current information, such as performing user correlation.

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the link below to learn more about the KnowledgeC DB!

    mac4n6.com/blog/2018/8/5/knowl

    #DFIR
    #Infosec
    #macOS

  31. 🦖Day 62 of the @velocidex #velociraptor #ArtifactsOfAutumn series

    Artifact: Exchange[.]Windows[.]System[.]VAD

    Author: @mgreen27

    Link: docs.velociraptor.app/exchange

    ----

    This artifact enables enumeration of process memory sections via the Virtual Address Descriptor (VAD). The VAD is used by the Windows memory manager to describe allocated process memory ranges.

    With this artifact, we can highlight suspicious process memory sections.

    ----

    This a useful tool to have when trying to detect C2/process injection/hollowing, such as that performed by Cobalt Strike or other platforms/tools, especially where sections are unmapped and/or have certain permissions.

    ----

    We might first use something like Windows[.]Detection[.]YARA[.]Process in a hunt to cast a wide net.

    docs.velociraptor.app/artifact

    ----

    From the results, we can see the MSBuild process is listed as a match for a Cobalt Strike YARA rule.

    Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility, compile inline, and bypass application control defenses.

    attack.mitre.org/techniques/T1

    ----

    We can go a step further and dig into memory sections by leveraging the 'Windows[.]System[.]VAD' artifact.

    If we specify a process regex of 'msbuild', and choose to highlight unmapped sections with RWX permissions, again using the Cobalt Strike YARA rule, we have a match.

    ----

    The following information is included in the results:

    - Process create time
    - PID
    - Name
    - Mapping name
    - Address range
    - Protection
    - SectionSize
    - YARA match
    - Process chain 🦾
    - Section dump information

    ----

    If we were confident we are looking at Cobalt Strike, we can use the 'Windows[.]Carving[.]CobaltStrike' artifact to extract its configuration.

    docs.velociraptor.app/artifact

    ----

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the links below!

    Cobalt Strike and MSBuild:
    blog.talosintelligence.com/bui

    Matt Green's #DEATHCON 2022 Velociraptor Workshop:
    mgreen27.github.io/projects/DE

    #CobaltStrike
    #DFIR
    #IncidentResponse
    #Infosec
    #ThreatHunting
    #YARA

  32. 🦖Day 57 of the
    @velocidex
    #velociraptor #ArtifactsOfAutumn series

    Artifact: Windows[.]Forensics[.]CertUtil

    Link: docs.velociraptor.app/artifact

    CertUtil is a built-in tool used to manage certificates on Windows systems.

    It can be used to for living off of the land through (base64) decoding/encoding data, calculating file hashes, and downloading files from the internet.

    attack.mitre.org/techniques/T1
    attack.mitre.org/techniques/T1

    This can be useful for an attacker trying to hide their intentions and/or faciliate tool transfer for lateral movement and persistence. Last, certutil can also be used for installing browser root certificates to allow for AiTM/MiTM attacks.

    #T1105
    #T1140

    In the past, certutil has been used maliciously by the following groups:

    - APT28
    - APT41
    - Rancor
    - Turla
    - and others

    #S0160
    attack.mitre.org/software/S016

    Certutil maintains a cache of downloaded files. This cache can contain valuable metadata.

    This artifact parses the metadata within the certutil cache to establish what was downloaded, and when it was downloaded.

    In this instance (shown in the image), a file called 'evil.ps1' was downloaded. 👀

    The following command was run to generate this output:

    'certutil -urlcache -split -f raw.githubusercontent.com/Exam legit.ps1'

    You can use the following ART test (maybe with other options, such as 'verifyctl') if you would like to test this artifact yourself:

    github.com/redcanaryco/atomic-

    As mentioned previously, certutil can be also used for other operations such as decoding/encoding data.

    You can also try the following ART test to experiment with this functionality:

    github.com/redcanaryco/atomic-

    That's it for now! Stay tuned to learn about more artifacts! 🦖

    Also, check out the link below for a blog that analyzes the various artifacts left from certutil usage!

    u0041.co/blog/post/3