Matthew Green 


🦖Day 89 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.Server.Import.DetectRaptor

Author: @mgreen27, with content references to @svch0st and #Sigma.

Link: https://docs.velociraptor.app/exchange/artifacts/pages/detectraptor

----

DetectRaptor is a collection of publicly available Velociraptor detection content. Most content is managed by a series of CSV files and artifacts are automatically updated.

https://github.com/mgreen27/DetectRaptor

This artifact will import the latest DetectRaptor bundle into the current server.

----

DetectRaptor currently includes the following artifacts:

Windows.Detection.Applications
Windows.Detection.BinaryRename
Windows.Detection.Evtx
Windows.Detection.MFT
Windows.Detection.NamedPipes
Windows.Detection.Webhistory
Windows.Detection.ZoneIdentifier
Server.StartHunts

----

Most of these artifacts contain content in CSV files that provide for bulk detection capability.

The CSVs can be updated as needed to add new detections.

The artifacts are generated from a VQL template, and the associated CSV via their own Python script.

----

The Server.StartHunts artifact is useful for kicking off hunts for the artifacts within the DetectRaptor bundle.

We can leverage the DetectRaptor bundle in a hunt or single client collection to cast a wide net, then review detection hits for items of interest.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#ThreatHunting

Server.Import.DetectRaptor :: Velociraptor - Digging deeper!

@paulrcoen @weslambert @velocidex

I also wrote Windows.NTFS.ExtendedAttributes to cover NTFS EAs. The screenshot shows a MZ stuffed into an EA and another split over several files to bypass size limitations :)

🦖Day 74 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows.Persistence.PowershellProfile

Author: @mgreen27

Link: https://docs.velociraptor.app/artifact_references/pages/windows.persistence.powershellprofile/

----

PowerShell supports several profiles depending on the user or host program. Adversaries may create or modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence.

----

When a backdoored PowerShell session is opened, the modified script will be executed unless the '-NoProfile' flag is used upon launch.

An adversary may also be able to escalate privileges if a script in a PS profile is loaded and executed by an account with higher privileges, for example, a domain administrator.

----

In the past, Turla has used PowerShell profiles to maintain persistence on an infected machine.

https://attack.mitre.org/groups/G0010
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

----

This artifact will search and parse PowerShell profile scripts.

By default, both user and system-wide profiles will be searched. The user can also use regex to target and exclude specific content.

----

Here (image), we can see that the PowerShell profile for the user 'wlambert' specifies that 'Start-Process' should call 'C:\User\Downloads\wlambert\malz.exe'. Again, this would be called every time a PowerShell session is initiated. 👀

----

In this instance, 'malz.exe' is simply a copy of good ol' calc.exe 😀

----

This profile modification was simulated by running the following commands from a PS session:

- 'Add-Content $profile -Value ""'
- 'Add-Content $profile -value "Start-Process C:\Users\wlambert\Downloads\malz.exe"'

The profile content can be checked with 'Get-Content $profile'.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

Also, check out the links below for more information about PowerShell profiles!

Atomic Red Team Test:
https://atomicredteam.io/persistence/T1546.013/#atomic-test-1---append-malicious-start-process-cmdlet

MITRE ATT&CK Reference:
https://attack.mitre.org/techniques/T1546/013

#DFIR
#Forensics
#Infosec
#Persistence
#Windows
#T1546
#T1546.013
#ThreatHunting

Windows.Persistence.PowershellProfile :: Velociraptor - Digging deeper!
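As an added example (not from the post or the Velociraptor artifact), the following PowerShell script does a host-side version of the same check: it enumerates the usual user and system-wide profile locations, applies an include regex for cmdlets commonly abused in profiles and an exclude regex for noise, and reports matching lines with the file's last-write time. The profile paths and both regexes are assumptions to adjust for your environment.

```powershell
# Added example: hunt for suspicious content in PowerShell profile scripts.
# Include/exclude patterns are assumptions; tune them to your environment.
$IncludeRegex = 'Start-Process|Invoke-Expression|\bIEX\b|DownloadString|EncodedCommand|FromBase64String'
$ExcludeRegex = '^\s*#'   # assumption: skip fully commented lines

# System-wide profile locations for Windows PowerShell 5.1 and PowerShell 7 (assumed default install paths)
$candidates = @(
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\profile.ps1",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1",
    "$env:ProgramFiles\PowerShell\7\profile.ps1",
    "$env:ProgramFiles\PowerShell\7\Microsoft.PowerShell_profile.ps1"
)

# Per-user profile locations under every profile directory on the system drive
foreach ($user in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    foreach ($sub in @('Documents\WindowsPowerShell', 'Documents\PowerShell')) {
        $candidates += Join-Path $user.FullName "$sub\profile.ps1"
        $candidates += Join-Path $user.FullName "$sub\Microsoft.PowerShell_profile.ps1"
        $candidates += Join-Path $user.FullName "$sub\Microsoft.PowerShellISE_profile.ps1"
    }
}

# Walk each existing profile line by line and emit one record per matching line
$hits = foreach ($path in ($candidates | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item   = Get-Item -LiteralPath $path
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $path) {
        $lineNo++
        if ($line -match $ExcludeRegex) { continue }
        if ($line -match $IncludeRegex) {
            [pscustomobject]@{
                Profile  = $path
                Modified = $item.LastWriteTimeUtc
                Line     = $lineNo
                Content  = $line.Trim()
            }
        }
    }
}

$hits | Format-Table -AutoSize
```

Run it from an elevated session so other users' profile directories are readable; an empty result means no existing profile matched the include pattern, not that no profile exists.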

Whilst I'm not a huge fan of the folder structure view for all components (I will end up scripting some stuff), it was able to find my test malware (PlugX) section and side-loaded DLL easily. Also, running various tools across the mapped drive was easy too. I've added it to my RE machine :)