Wes Lambert
Oct 27, 2022
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link: docs.velociraptor.app/artifact_refer…
This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.

This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt).
If we look a little closer ('xattr -l'), we can actually see where the file came from, and a unique identifier assigned to it for the quarantine attribute.

This is excellent information to have as an incident responder, as it provides greater context during an investigation.
We can interpret the value of the quarantine attribute as such:

'0083;6359d263;Safari;88E8F4A7-C78B-45B6-B31A-68E8C68DCC60'

0083 - Flags
6359d263 - DL time (Unix, in hex)
Safari - Name of DLing application
88E8F4A7-C78B-45B6-B31A-68E8C68DCC60 - UUID to tie in w/ QEvents DB
In recent versions of macOS, file downloads are recorded in the QuarantineEventsV2 sqlite database stored in '/Users/*/Library/Preferences/com[.]apple.LaunchServices.QuarantineEventsV2', regardless of whether the quarantine attribute gets removed from the file (approval/etc).
As mentioned previously, we can see the associated UUID ('88E8F4A7-C78B-45B6-B31A-68E8C68DCC60') used for tracking the download in the database, as evidenced in the extended 'quarantine' attribute for the file (image).
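Added example (not from the original thread or from the Velociraptor artifact): decoding the quarantine attribute value shown above and looking its UUID up in a QuarantineEventsV2 database. The table and column names (LSQuarantineEvent, LSQuarantine*) and the 2001-01-01 epoch of the stored timestamp do not appear in the thread; the database row and URLs are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp counts seconds from 2001-01-01 UTC, not the Unix epoch.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def parse_quarantine_xattr(value):
    """Split 'flags;hex_time;agent;uuid' into typed fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "downloaded": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        # Assumption: the UUID field can be empty or missing, so allow for that.
        "uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }

def lookup_event(conn, uuid):
    """Return the database record for a quarantine UUID, or None."""
    row = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
        "LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?",
        (uuid,)).fetchone()
    if row is None:
        return None
    return {"downloaded": COCOA_EPOCH + timedelta(seconds=row[0]),
            "agent": row[1], "data_url": row[2], "origin_url": row[3]}

def build_sample_db():
    """Constructed stand-in for a collected copy of the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)")
    conn.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)",
        ("88E8F4A7-C78B-45B6-B31A-68E8C68DCC60", 688523747.0, "Safari",
         "https://example.com/files/tool.dmg", "https://example.com/"))
    return conn

if __name__ == "__main__":
    attr = parse_quarantine_xattr(
        "0083;6359d263;Safari;88E8F4A7-C78B-45B6-B31A-68E8C68DCC60")
    print(attr)
    print(lookup_event(build_sample_db(), attr["uuid"]))
```

A database record with no matching attribute on disk is still useful: per the thread, the record remains even when the quarantine attribute has been removed from the file.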
To recap, this is a great way to confirm a particular file was downloaded, or to gather insight into what files have been downloaded by a user, in general.

Using this artifact across a fleet of many hosts, we can identify outliers and commonalities at scale.
That's it for now! Stay tuned to learn about more artifacts! 🦖

Also, check out the article below by @0xmachos for more information about macOS quarantine functionality!
0xmachos.com/2019-02-01-Qua…

#DFIR
#Infosec
#ThreatHunting

More from @therealwlambert

Nov 29, 2022
🦖Day 69 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage

Link: docs.velociraptor.app/exchange/artif…
If an unknown application, or an application that doesn't typically communicate over the network at all, suddenly shows signs of a large amount of inbound or outbound traffic, it can be considered suspicious.
Similarly, deviations from normal patterns of communication from typical network-connected programs can also be considered suspicious.
Nov 28, 2022
🦖Day 68 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Linux[.]Sys[.]JournalCtl

Link: docs.velociraptor.app/exchange/artif…
This artifact parses the output of the 'journalctl' command. It is used to view systemd logs on a Linux host.

These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.
Information provided by this artifact includes:

- Timestamp
- Message
- Boot ID
- Machine ID (h)
- Cursor
- Syslog facility/priority (h)
- Monotonic timestamp (h)
- Transport (h)

*h -> column is hidden from the output by default, and can be viewed with the column selector.
Nov 27, 2022
🦖Day 67 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows[.]Forensics[.]RecycleBin

Author: @svch0st

Link: docs.velociraptor.app/artifact_refer…
This artifact parses the $I files found in the Windows Recycle Bin folder ($Recycle.Bin, as of Windows Vista) to obtain the time of deletion and the original path and file name.

This folder contains:
- $I files ("Recycled" file metadata)
- $R files (the original data)
The contents of the Recycle Bin directory are organized by SID ('C:\$Recycle.Bin\%SID%\').

It's important to note that this artifact uses the API to read available $I data. There may be additional unallocated but readable $I files referenced in the MFT that may be recoverable.
Nov 26, 2022
🦖Day 66 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Server[.]Orgs[.]NewOrg

Link: docs.velociraptor.app/artifact_refer…
With support for multi-tenancy added to Velociraptor in version 0.6.6, we can now manage multiple organizations within a single Velociraptor deployment!
This artifact creates a new organization in a deployment. Upon doing so, the 'OrgId' is used to track information about the new organization.

The current user will be the administrator for this organization.
Oct 29, 2022
🦖Day 38 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Linux[.]Sys[.]Pslist

Link: docs.velociraptor.app/artifact_refer…
This artifact enumerates the running processes on a Linux system. This can be useful to check for proper configuration or misalignment across a fleet of hosts, or for identifying suspicious processes generated by, or leveraged by malware.
Some of the information provided by the artifact:

- Process ID
- Parent process ID
- Command line
- Executable
- Hash
- Username
- Created time
- RSS (how much memory allocated to the process)
Oct 28, 2022
🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]Detection[.]ISOMount

Author: @ConorQuinn92

Link: docs.velociraptor.app/exchange/artif…
After Microsoft decided to block Office macros by default, threat actors began pivoting to a usage of container files such as .iso, .rar, and .lnk files for malware distribution.

This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.
When downloaded, container files will have the MOTW attribute because they were downloaded from the internet. However, the document inside, such as a macro-enabled spreadsheet, will not.
