🦖Day 69 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage

Link: docs.velociraptor.app/exchange/artif… If an unknown application, or an application that doesn't typically communicate over the network at all suddenly shows signs of large amount of inbound our outbound traffic, it can be considered suspicious.

🦖Day 68 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Linux[.]Sys[.]JournalCtl

Link: docs.velociraptor.app/exchange/artif… This artifact parses the output of the 'journalctl' command. It is used to view systemd logs on a Linux host.

These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.

🦖Day 67 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows[.]Forensics[.]RecycleBin

Author: @svch0st

Link: docs.velociraptor.app/artifact_refer… This artifact parses the $I files found in the Windows Recycle Bin folder ($Recycle.Bin, as of Windows Vista) to obtain the time of deletion and the original path and file name.

This folder contains:
- $I files ("Recycled" file metadata)
- $R files (the original data)

🦖Day 66 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Server[.]Orgs[.]NewOrg

Link: docs.velociraptor.app/artifact_refer… With support for multi-tenancy added to Velociraptor in version 0.6.6, we can now manage multiple organizations within a single Velociraptor deployment!

🦖Day 38 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Linux[.]Sys[.]Pslist

Link: docs.velociraptor.app/artifact_refer… This artifact enumerates the running processes on a Linux system. This can be useful to check for proper configuration or misalignment across a fleet of hosts, or for identifying suspicious processes generated by, or leveraged by malware.

🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]Detection[.]ISOMount

Author: @ConorQuinn92

Link: docs.velociraptor.app/exchange/artif… After Microsoft decided to block Office macros by default, threat actors began pivoting to a usage of container files such as .iso, .rar, and .lnk files for malware distribution.

This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.

🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link: docs.velociraptor.app/artifact_refer… This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID

🦖Day 14 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: 'Windows[.]Detection[.]BinaryRename'

Author: @mgreen27

Link: docs.velociraptor.app/exchange/artif… This artifact will detect renamed binaries commonly abused by adversaries.

Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, including from commodity malware and nation states.

🦖Day 4 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: 'Windows.System.Services'

Link: docs.velociraptor.app/artifact_refer… One might use this artifact to generate a baseline of normal Windows services, and look for services out of the ordinary. We can filter on display/service name, as well as DLL, path, etc. We can also calculate hashes and provide signing info for associated executables/DLLs.