Discover and read the best of Twitter Threads about #artifactsofautumn
Most recents (9)
🦖Day 69 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage
Link: docs.velociraptor.app/exchange/artif…
Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage
Link: docs.velociraptor.app/exchange/artif…
If an unknown application, or an application that doesn't typically communicate over the network at all suddenly shows signs of large amount of inbound our outbound traffic, it can be considered suspicious.
Similarly, deviations from normal patterns of communication from typical network-connected programs can also be considered suspicious.
🦖Day 68 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Linux[.]Sys[.]JournalCtl
Link: docs.velociraptor.app/exchange/artif…
Artifact: Linux[.]Sys[.]JournalCtl
Link: docs.velociraptor.app/exchange/artif…
This artifact parses the output of the 'journalctl' command. It is used to view systemd logs on a Linux host.
These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.
These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.
Information provided by this artifact includes:
- Timestamp
- Message
- Boot ID
- Machine ID (h)
- Cursor
- Syslog facility/priority (h)
- Monotonic timestamp (h)
- Transport (h)
*h -> column is hidden from the output by default, and can be viewed with the column selector.
- Timestamp
- Message
- Boot ID
- Machine ID (h)
- Cursor
- Syslog facility/priority (h)
- Monotonic timestamp (h)
- Transport (h)
*h -> column is hidden from the output by default, and can be viewed with the column selector.
🦖Day 67 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Windows[.]Forensics[.]RecycleBin
Author: @svch0st
Link: docs.velociraptor.app/artifact_refer…
Artifact: Windows[.]Forensics[.]RecycleBin
Author: @svch0st
Link: docs.velociraptor.app/artifact_refer…
This artifact parses the $I files found in the Windows Recycle Bin folder ($Recycle.Bin, as of Windows Vista) to obtain the time of deletion and the original path and file name.
This folder contains:
- $I files ("Recycled" file metadata)
- $R files (the original data)
This folder contains:
- $I files ("Recycled" file metadata)
- $R files (the original data)
The contents of the Recycle Bin directory are organized by SID ('C:\$Recycle.Bin\%SID%\').
It's important to note that this artifact uses the API to read available $I data. There may be additional unallocated but readable $I files referenced in the MFT that may be recoverable.
It's important to note that this artifact uses the API to read available $I data. There may be additional unallocated but readable $I files referenced in the MFT that may be recoverable.
🦖Day 66 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Server[.]Orgs[.]NewOrg
Link: docs.velociraptor.app/artifact_refer…
Artifact: Server[.]Orgs[.]NewOrg
Link: docs.velociraptor.app/artifact_refer…
With support for multi-tenancy added to Velociraptor in version 0.6.6, we can now manage multiple organizations within a single Velociraptor deployment!
This artifact creates a new organization in a deployment. Upon doing so, the 'OrgId' is used to track information about the new organization.
The current user will be the administrator for this organization.
The current user will be the administrator for this organization.
🦖Day 38 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Linux[.]Sys[.]Pslist
Link: docs.velociraptor.app/artifact_refer…
Artifact: Linux[.]Sys[.]Pslist
Link: docs.velociraptor.app/artifact_refer…
This artifact enumerates the running processes on a Linux system. This can be useful to check for proper configuration or misalignment across a fleet of hosts, or for identifying suspicious processes generated by, or leveraged by malware.
Some of the Information provided by the artifact:
- Process ID
- Parent process ID
- Command line
- Executable
- Hash
- Username
- Created time
- RSS (how much memory allocated to the process)
- Process ID
- Parent process ID
- Command line
- Executable
- Hash
- Username
- Created time
- RSS (how much memory allocated to the process)
🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: Exchange[.]Windows[.]Detection[.]ISOMount
Author: @ConorQuinn92
Link: docs.velociraptor.app/exchange/artif…
Artifact: Exchange[.]Windows[.]Detection[.]ISOMount
Author: @ConorQuinn92
Link: docs.velociraptor.app/exchange/artif…
After Microsoft decided to block Office macros by default, threat actors began pivoting to a usage of container files such as .iso, .rar, and .lnk files for malware distribution.
This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.
This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.
When downloaded, container files will have the MOTW attribute because they were downloaded from the internet. However, the document inside, such as a macro-enabled spreadsheet, will not.
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: MacOS[.]System[.]QuarantineEvents
Link: docs.velociraptor.app/artifact_refer…
Artifact: MacOS[.]System[.]QuarantineEvents
Link: docs.velociraptor.app/artifact_refer…
This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.
Information includes:
- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID
Information includes:
- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.
This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt).
This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt).
🦖Day 14 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: 'Windows[.]Detection[.]BinaryRename'
Author: @mgreen27
Link: docs.velociraptor.app/exchange/artif…
Artifact: 'Windows[.]Detection[.]BinaryRename'
Author: @mgreen27
Link: docs.velociraptor.app/exchange/artif…
This artifact will detect renamed binaries commonly abused by adversaries.
Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, including from commodity malware and nation states.
Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, including from commodity malware and nation states.
Here, we can see 'cmd.exe' was renamed in an attempt to appear as a legitimate instance of 'lsass.exe':
🦖Day 4 of the @velocidex #velociraptor #ArtifactsOfAutumn series
Artifact: 'Windows.System.Services'
Link: docs.velociraptor.app/artifact_refer…
Artifact: 'Windows.System.Services'
Link: docs.velociraptor.app/artifact_refer…
One might use this artifact to generate a baseline of normal Windows services, and look for services out of the ordinary. We can filter on display/service name, as well as DLL, path, etc. We can also calculate hashes and provide signing info for associated executables/DLLs.
Sorting on the 'Created' column shows the most recently created services (assuming no other manipulation, etc.). Here, we see a service named 'win32times', similar to the native Windows Time Service. We also see 'evilscript.ps1' being called by 'cmd', and no signing info.🦹🔍
