Wes Lambert

499 Followers
22 Following
75 Posts

Principal Engineer at Security Onion Solutions

Open source security advocate and platform integration.

Github: http://github.com/weslambert
Ghost: http://glue.ghost.io
Medium: http://wlambertts.medium.com

🦖Day 92 (THE LAST DAY!) of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.Windows.EventLogs.WonkaVision

Link: https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.wonkavision

----

WonkaVision is a proof of concept (POC) tool to analyze Kerberos tickets and attempt to determine if they are forged (e.g. #GoldenTicket), created by @exploitph and @4ndr3w6S.

https://github.com/0xe7/WonkaVision

Presentation:
https://github.com/0xe7/Talks/blob/main/Andrew_Charlie_SANS_Hackfest_2022_revised.pdf

----

This artifact can run WonkaVision, then collect its generated Windows event logs. From the event logs, we can detect potentially forged Kerberos tickets.

----

This concludes the #ArtifactsOfAutumn. Hope you enjoyed it, and thanks for all of the support!

#DFIR
#Forensics
#GoldenTicket
#infosec
#ThreatHunting
#WonkaVision


🦖Day 91 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.IRIS.Sync.Asset

Author: @StephMikiss

Link: https://docs.velociraptor.app/exchange/artifacts/pages/iris.sync.asset

----

This artifact synchronizes clients from Velociraptor to DFIR-IRIS (https://dfir-iris.org/). It will parse available information of clients such as network interfaces, IP addresses, asset type and applied labels.

----

For those unfamiliar with DFIR-IRIS (@dfir_iris), it is a free, open source incident response platform that includes a host of useful and innovative features even many commercial platforms don't possess. Check it out here using the link below!

https://dfir-iris.org/

----

Once a client has been added to DFIR-IRIS, the asset ID from DFIR-IRIS will be added as client metadata and 'IRIS' will be added as a label.

If a client already possesses an asset ID, it will be updated; in general, labels and the compromised status will be synchronized.

----

This artifact is very powerful because we can quickly add clients to DFIR-IRIS from Velociraptor with very little effort.

This means that we can spend less time on managerial tasks, and more time on investigating and remediating the hosts we deem compromised.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#IRIS
#ThreatHunting


🦖Day 90 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.MacOS.UnifiedLogHunter

Link:
https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedloghunter

----

With macOS 10.12 (Sierra) came a new way to log system events in a more centralized, unified fashion -- Unified Logs.

Read more here:

https://devstreaming-cdn.apple.com/videos/wwdc/2016/721wh2etddp4ghxhpcg/721/721_unified_logging_and_activity_tracing.pdf

These logs can be of great importance to investigators searching for artifacts of adversary activity.

----

@crowdstrike, @Mandiant, and others have done a great job covering the usefulness and technical details surrounding the Unified Logging system.

https://www.crowdstrike.com/blog/how-to-leverage-apple-unified-log-for-incident-response/

https://www.mandiant.com/resources/blog/reviewing-macos-unified-logs

----

This artifact is a wrapper around the 'log' command, allowing defenders to easily review events from the many subsystems of the Unified Logging infrastructure.

It provides the ability to search using a custom or pre-defined filter, and is great for live hunting.

----

If you are looking to collect only raw files and parse them later, or for a third party tool to process the data, check out the Exchange.MacOS.UnifiedLogParser artifact.

https://docs.velociraptor.app/exchange/artifacts/pages/macos.unifiedlogparser/

----

The information provided by this artifact includes:

- Event time/message/type
- Message type
- Category
- Subsystem
- PID
- Process image Path/UUID
- Sender image Path/UUID
- Sender program counter
- Activity ID
- Parent activity ID
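To make the fields above concrete, here is an added example (not code from the original post or from the Velociraptor artifact) that builds a `log show` invocation with a predicate, parses the JSON records the command emits into the fields listed above, and narrows them further with a regex, which is the kind of live hunt the artifact wraps. The JSON key names (eventMessage, messageType, processImagePath, senderProgramCounter and so on) are assumed from `log show --style json` output, the pre-defined predicates are my own illustrative set, and the two records embedded below are constructed rather than collected from a real Mac.

```python
"""Added example for the MacOS.UnifiedLogHunter post; not the artifact's own VQL.
JSON key names are assumed from `log show --style json`; sample records are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UnifiedLogEvent:
    timestamp: str
    event_type: str
    message_type: str
    category: str
    subsystem: str
    pid: int
    process_image_path: str
    process_image_uuid: str
    sender_image_path: str
    sender_image_uuid: str
    sender_program_counter: int
    activity_id: int
    parent_activity_id: int
    message: str


# Illustrative pre-defined predicates (constructed; the artifact's own set may differ).
# The syntax is the NSPredicate form that `log show --predicate` accepts.
PREDEFINED_FILTERS: Dict[str, str] = {
    "ssh_logins": 'process == "sshd"',
    "sudo": 'process == "sudo"',
    "launchd": 'subsystem == "com.apple.xpc.launchd"',
}


def build_log_show_command(predicate: str, last: str = "1h") -> List[str]:
    """argv for a live `log show` query: `--last` bounds the time window,
    `--style json` emits one JSON object per event, `--predicate` filters server-side."""
    return ["log", "show", "--style", "json", "--last", last, "--predicate", predicate]


def parse_log_show_json(text: str) -> List[UnifiedLogEvent]:
    """Map raw `log show --style json` records onto the fields the post lists."""
    events = []
    for rec in json.loads(text):
        events.append(UnifiedLogEvent(
            timestamp=rec.get("timestamp", ""),
            event_type=rec.get("eventType", ""),
            message_type=rec.get("messageType", ""),
            category=rec.get("category", ""),
            subsystem=rec.get("subsystem", ""),
            pid=int(rec.get("processID", -1)),
            process_image_path=rec.get("processImagePath", ""),
            process_image_uuid=rec.get("processImageUUID", ""),
            sender_image_path=rec.get("senderImagePath", ""),
            sender_image_uuid=rec.get("senderImageUUID", ""),
            sender_program_counter=int(rec.get("senderProgramCounter", 0)),
            activity_id=int(rec.get("activityIdentifier", 0)),
            parent_activity_id=int(rec.get("parentActivityIdentifier", 0)),
            message=rec.get("eventMessage", ""),
        ))
    return events


def hunt(events: List[UnifiedLogEvent], message_regex: Optional[str] = None,
         subsystem: Optional[str] = None) -> List[UnifiedLogEvent]:
    """Client-side narrowing after the predicate: regex over the message text
    and/or an exact subsystem match."""
    rx = re.compile(message_regex) if message_regex else None
    hits = []
    for ev in events:
        if subsystem and ev.subsystem != subsystem:
            continue
        if rx and not rx.search(ev.message):
            continue
        hits.append(ev)
    return hits


# Constructed sample output (two events) shaped like `log show --style json`.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2022-11-30 09:12:01.123456-0500", "eventType": "logEvent",
     "messageType": "Default", "category": "session", "subsystem": "com.openssh.sshd",
     "processID": 4242, "processImagePath": "/usr/sbin/sshd",
     "processImageUUID": "00000000-0000-0000-0000-000000000001",
     "senderImagePath": "/usr/sbin/sshd",
     "senderImageUUID": "00000000-0000-0000-0000-000000000001",
     "senderProgramCounter": 12345, "activityIdentifier": 77, "parentActivityIdentifier": 0,
     "eventMessage": "Accepted publickey for analyst from 10.0.0.5 port 51234 ssh2"},
    {"timestamp": "2022-11-30 09:12:09.000000-0500", "eventType": "logEvent",
     "messageType": "Info", "category": "sudo", "subsystem": "com.apple.sudo",
     "processID": 4310, "processImagePath": "/usr/bin/sudo",
     "processImageUUID": "00000000-0000-0000-0000-000000000002",
     "senderImagePath": "/usr/bin/sudo",
     "senderImageUUID": "00000000-0000-0000-0000-000000000002",
     "senderProgramCounter": 6789, "activityIdentifier": 78, "parentActivityIdentifier": 77,
     "eventMessage": "analyst : TTY=ttys001 ; PWD=/Users/analyst ; USER=root ; COMMAND=/usr/bin/log show"},
])

if __name__ == "__main__":
    print(" ".join(build_log_show_command(PREDEFINED_FILTERS["ssh_logins"], last="24h")))
    for ev in hunt(parse_log_show_json(SAMPLE_LOG_JSON), message_regex=r"USER=root"):
        print(ev.timestamp, ev.subsystem, ev.pid, ev.message)
```

On a real host you would pass the argv from `build_log_show_command` to `subprocess.run` and feed its stdout to `parse_log_show_json`; the parent/child activity IDs in the sample show how a sudo event can be tied back to the SSH session that spawned it.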

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#macOS
#ThreatHunting
#UnifiedLogs


🦖Day 89 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.Server.Import.DetectRaptor

Author: @mgreen27, with content references to @svch0st and #Sigma.

Link: https://docs.velociraptor.app/exchange/artifacts/pages/detectraptor

----

DetectRaptor is a collection of publicly available Velociraptor detection content. Most content is managed by a series of CSV files and artifacts are automatically updated.

https://github.com/mgreen27/DetectRaptor

This artifact will import the latest DetectRaptor bundle into the current server.

----

DetectRaptor currently includes the following artifacts:

Windows.Detection.Applications
Windows.Detection.BinaryRename
Windows.Detection.Evtx
Windows.Detection.MFT
Windows.Detection.NamedPipes
Windows.Detection.Webhistory
Windows.Detection.ZoneIdentifier
Server.StartHunts

----

Most of these artifacts contain content in CSV files that provide for bulk detection capability.

The CSVs can be updated as needed to add new detections.

The artifacts are generated from a VQL template, and the associated CSV via their own Python script.

----

The Server.StartHunts artifact is useful for kicking off hunts for the artifacts within the DetectRaptor bundle.

We can leverage the DetectRaptor bundle in a hunt or single client collection to cast a wide net, then review detection hits for items of interest.
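The CSV-driven pattern described in the last two posts is easy to demonstrate end to end. The following is an added example, not DetectRaptor's own code, CSV schema or template: a small CSV of detections drives both bulk regex matching over collected command lines and the rendering of a VQL artifact from a template. The column names (Name, Description, Regex), the template text and the sample command lines are all constructed; the detections only cover items already mentioned on this page (a netcat listener, Bash history clearing, a process started from an ADS named ':bin'), and the generated VQL is illustrative and untested.

```python
"""Added example for the Server.Import.DetectRaptor post; not DetectRaptor's own code.
CSV schema, VQL template and sample command lines are constructed."""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed detection content in the CSV-managed style the post describes.
DETECTIONS_CSV = r"""Name,Description,Regex
NetcatListener,netcat bound to a listening port,\bnc\b.*\s-l\b
HistoryClearing,shell history cleared or truncated (T1070.003),history\s+-c\b|>\s*\S*bash_history
ProcessFromADS,executable launched from an alternate data stream named bin,\S+:bin\b
"""

# Illustrative VQL template (assumed; not DetectRaptor's). The CSV is embedded as a
# triple-quoted string, parsed with parse_csv(accessor="data"), and each rule's
# regex is applied to every process command line with the =~ operator.
VQL_TEMPLATE = """name: Custom.Detection.CommandLine
description: Command-line detections driven by an embedded CSV (illustrative template).
sources:
  - query: |
      LET DetectionsCSV = '''
{csv_block}
      '''
      LET detections = SELECT * FROM parse_csv(filename=DetectionsCSV, accessor="data")
      SELECT Pid, CommandLine, Name AS Detection
      FROM foreach(row=pslist(),
                   query={{ SELECT Name, Pid, CommandLine FROM detections
                            WHERE CommandLine =~ Regex }})
"""


def load_detections(csv_text: str) -> List[Dict[str, str]]:
    """Read the CSV into one dict per rule (Name, Description, Regex)."""
    return list(csv.DictReader(io.StringIO(csv_text.strip() + "\n")))


def compile_rules(rules: List[Dict[str, str]]) -> List[Tuple[str, "re.Pattern"]]:
    return [(r["Name"], re.compile(r["Regex"], re.IGNORECASE)) for r in rules]


def bulk_match(rules: List[Dict[str, str]], command_lines: List[str]) -> List[Tuple[str, str]]:
    """Apply every rule to every command line; return (detection name, command line) hits."""
    compiled = compile_rules(rules)
    hits = []
    for cl in command_lines:
        for name, rx in compiled:
            if rx.search(cl):
                hits.append((name, cl))
    return hits


def render_vql(csv_text: str) -> str:
    """Generate the artifact text from the template and the CSV, as the post's
    Python-script step does for DetectRaptor (template here is my own)."""
    indented = "\n".join("        " + line for line in csv_text.strip().splitlines())
    return VQL_TEMPLATE.format(csv_block=indented)


# Constructed process command lines standing in for pslist() output.
SAMPLE_COMMAND_LINES = [
    "nc -l 1337",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt",
    '/bin/bash -c "history -c"',
    "C:\\Users\\bob\\AppData\\Local\\Temp\\report.docx:bin",
    "nc -zv 10.0.0.5 443",
]

if __name__ == "__main__":
    for name, cl in bulk_match(load_detections(DETECTIONS_CSV), SAMPLE_COMMAND_LINES):
        print(f"{name:16} {cl}")
    print(render_vql(DETECTIONS_CSV))
```

Adding a detection is then a one-line CSV change followed by re-rendering the artifact, which is the workflow the posts above describe; the last two sample command lines show a benign notepad launch and a netcat port check that the rules are written not to flag.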

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#ThreatHunting


🦖Day 88 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.Linux.System.BashLogout

Link: https://docs.velociraptor.app/exchange/artifacts/pages/linux.system.bashlogout

----

This artifact captures information about Bash logout files for examination of abnormal activity.

Bash logout files are used to run certain commands upon user logout, such as clearing the shell or terminal state.

----

An adversary could leverage this capability to cover their tracks by clearing logs, deleting files, etc.

One example of this is running the following commands at logout to clear the user's Bash history:

'history -c'
'cat /dev/null > ~/.bash_history'

https://attack.mitre.org/techniques/T1070/003/

----

This artifact also includes a content filter ('ContentFilter') to allow searching for various content within the file.

Additionally, in-scope Bash logout files can be uploaded to the Velociraptor server by checking the box for the 'UploadFiles' option.
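As an added example (not the artifact's own VQL), the following Python scans Bash logout file contents for the history-clearing commands described above, plus the closely related variants MITRE lists under T1070.003 (unsetting or zeroing HISTFILE/HISTSIZE, deleting or shredding the history file), and applies an optional ContentFilter-style regex on top. Both sample files are constructed: one is the stock Debian ~/.bash_logout, the other contains the two commands from the post.

```python
"""Added example for the Linux.System.BashLogout post; not the artifact's own code.
Sample file contents are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# (label, pattern): the two commands from the post plus T1070.003 variants.
CLEAR_HISTORY_RULES: List[Tuple[str, "re.Pattern"]] = [
    ("history -c", re.compile(r"\bhistory\s+-c\b")),
    ("truncate history file", re.compile(r">\s*\S*\.bash_history\b|\bcat\s+/dev/null\s*>")),
    ("delete history file", re.compile(r"\b(rm|shred|truncate)\b[^\n]*\.bash_history\b")),
    ("disable history", re.compile(r"\bunset\s+HISTFILE\b|\bHIST(FILE)?SIZE=0\b")),
]


def strip_comment(line: str) -> str:
    """Drop a trailing shell comment (naive: a '#' inside quotes is treated as a comment too)."""
    return line.split("#", 1)[0]


def scan_bash_logout(path: str, text: str,
                     content_filter: Optional[str] = None) -> List[Dict[str, object]]:
    """Return one finding per line that matches a clear-history rule or the
    optional ContentFilter regex. Comment-only and blank lines are skipped."""
    rx = re.compile(content_filter) if content_filter else None
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        labels = [label for label, pat in CLEAR_HISTORY_RULES if pat.search(line)]
        filter_hit = bool(rx and rx.search(line))
        if labels or filter_hit:
            findings.append({"path": path, "line": lineno, "content": line,
                             "rules": labels, "content_filter_hit": filter_hit})
    return findings


def scan_all(files: Dict[str, str], content_filter: Optional[str] = None) -> List[Dict[str, object]]:
    """Scan a path -> contents mapping (what a glob over /home/*/.bash_logout would yield)."""
    out = []
    for path, text in files.items():
        out.extend(scan_bash_logout(path, text, content_filter))
    return out


# Constructed samples: a stock Debian logout file and one that wipes history.
SAMPLE_LOGOUT_FILES = {
    "/home/alice/.bash_logout": (
        "# ~/.bash_logout: executed by bash(1) when login shell exits.\n"
        "if [ \"$SHLVL\" = 1 ]; then\n"
        "    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q\n"
        "fi\n"
    ),
    "/home/bob/.bash_logout": "clear\nhistory -c\ncat /dev/null > ~/.bash_history\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_LOGOUT_FILES):
        print(f"{f['path']}:{f['line']}: {f['content']}  <- {', '.join(f['rules'])}")
```

The rules deliberately look for the effect (history emptied, disabled or deleted) rather than one exact command string, so a logout file that reaches the same result a different way still surfaces for review.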

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#Linux
#T1070.003
#ThreatHunting


🦖Day 87 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.Server.Enrichment.OpenAI

Link: https://docs.velociraptor.app/exchange/artifacts/pages/server.enrichment.openai

----

Have you been enamored with all of the talk of #ChatGPT and #OpenAI, and how it could potentially assist defenders during detection engineering, incident response, or threat hunting?

Now you can experiment with integration of this functionality into Velociraptor!

----

This artifact allows for enrichment of results by querying the OpenAI API.

It leverages the 'text-davinci-003' language model by default, although the model is configurable.

The maximum number of tokens is also configurable, which can affect the response provided by OpenAI.

----

The intention of this artifact is to enrich results from other artifacts, although, it can be used on its own as well.

In one example, we ask if a command line value ('nc -l 1337') is suspicious. 🔍

In another example, we ask about the best features of Velociraptor🦖😃

----

NOTE: You may want to be careful providing sensitive information to OpenAI. However, this artifact can still be used to experiment with potential analysis and investigation improvements. With great power comes great responsibility! 🕷️🕸️

READ:
https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#ChatGPT
#DFIR
#Forensics
#Infosec
#OpenAI
#ThreatHunting


🦖Day 86 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows.Memory.Acquisition

Link: https://docs.velociraptor.app/artifact_references/pages/windows.memory.acquisition

----

This artifact leverages Winpmem to acquire a full memory image of the endpoint.

While it is ideal to process and filter data as quickly as possible on the endpoint, in certain instances it may still be beneficial or necessary to obtain a copy of the endpoint's physical memory.

----

This artifact could also be used in conjunction with the offline collector to obtain a memory image with a triage binary as opposed to requiring a client to be connected to the Velociraptor server.

The image could then be processed with your favorite memory analysis framework.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#MemoryForensics


🦖Day 85 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange.MacOS.Applications.Notes

Link: https://docs.velociraptor.app/exchange/artifacts/pages/macos.applications.notes

----

This artifact provides details about notes taken using the default Notes application on macOS.

These notes can be useful during an investigation, especially if tied to interesting files.

Deleted notes and attachments can also be recovered in some instances.

----

The information provided by this artifact includes:

- User that created the note
- Note ID/title/text
- Note creation time
- Note modification time
- Note last opened time
- Note folder ID/location
- Attachment name/size/UUID

Attachments can also be uploaded, if desired.

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

If you want to learn more about the macOS Notes database, check out Yogesh Khatri's blog article using the link below!

http://www.swiftforensics.com/2018/02/reading-notes-database-on-macos.html

#DFIR
#Forensics
#Infosec
#macOS
#ThreatHunting


🦖Day 84 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows.NTFS.ADSHunter

Author: @mgreen27

Link:
https://docs.velociraptor.app/artifact_references/pages/windows.ntfs.adshunter

----

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every NTFS partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition.

Within MFT entries are file attributes, such as Extended Attributes (EA) and Alternate Data Streams (ADSs), the latter present when more than one Data attribute exists. The stream can be used to store arbitrary data (and even complete files).

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.

https://attack.mitre.org/techniques/T1564/004/

----

BitPaymer, a ransomware variant, has been known to leverage ADSs by copying itself to an ADS called ':bin', then creating a process from the stream.

https://attack.mitre.org/software/S0570/

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

----

This artifact hunts for alternate data streams using a variety of options for targeting, including:

- Directory
- ADS name (inclusion or exclusion)
- ADS Content
- Minimum content size
- Maximum content size

Once found, a stream can also be uploaded to the Velociraptor server.
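As an added example (not the artifact's own VQL), the following Python applies the targeting options listed above (directory, stream-name inclusion and exclusion, content regex, minimum and maximum size) to a list of alternate data stream records, and additionally flags streams that begin with a PE header, which is how a stream like the ':bin' one in the BitPaymer write-up would stand out. The records are constructed; on a real NTFS volume they would come from an MFT parser or from opening `path:stream` directly (the `read_stream` helper, which only works on Windows/NTFS and is not exercised here).

```python
"""Added example for the Windows.NTFS.ADSHunter post; not the artifact's own code.
Stream records are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

PE_MAGIC = b"MZ"


@dataclass
class StreamRecord:
    path: str       # host file the stream is attached to
    stream: str     # ADS name without the leading ':' or ':$DATA' suffix
    content: bytes  # stream data (or its first bytes)

    @property
    def size(self) -> int:
        return len(self.content)


def read_stream(path: str, stream: str, limit: int = 4096) -> bytes:
    """Windows/NTFS only: an ADS is opened through the `file:stream` syntax."""
    with open(f"{path}:{stream}", "rb") as fh:
        return fh.read(limit)


def hunt_ads(records: List[StreamRecord], directory: Optional[str] = None,
             name_include: Optional[str] = None, name_exclude: Optional[str] = None,
             content_regex: Optional[str] = None, min_size: Optional[int] = None,
             max_size: Optional[int] = None) -> List[StreamRecord]:
    """Keep only the streams that satisfy every supplied targeting option."""
    inc = re.compile(name_include, re.IGNORECASE) if name_include else None
    exc = re.compile(name_exclude, re.IGNORECASE) if name_exclude else None
    crx = re.compile(content_regex.encode(), re.IGNORECASE) if content_regex else None
    prefix = directory.lower().rstrip("\\") + "\\" if directory else None
    hits = []
    for r in records:
        if prefix and not r.path.lower().startswith(prefix):
            continue
        if inc and not inc.search(r.stream):
            continue
        if exc and exc.search(r.stream):
            continue
        if min_size is not None and r.size < min_size:
            continue
        if max_size is not None and r.size > max_size:
            continue
        if crx and not crx.search(r.content):
            continue
        hits.append(r)
    return hits


def looks_like_pe(r: StreamRecord) -> bool:
    """A stream starting with the 'MZ' DOS header is worth a closer look regardless of name."""
    return r.content.startswith(PE_MAGIC)


# Constructed records: a benign browser mark-of-the-web, a PE hidden in ':bin',
# and a harmless user comment stream.
SAMPLE_STREAMS = [
    StreamRecord(r"C:\Users\bob\Downloads\invoice.pdf", "Zone.Identifier",
                 b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.pdf\r\n"),
    StreamRecord(r"C:\Users\bob\AppData\Local\Temp\report.docx", "bin",
                 b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 2000),  # fake PE header, padded
    StreamRecord(r"C:\Users\bob\Documents\notes.txt", "comment", b"reviewed 2022-11-30"),
]

if __name__ == "__main__":
    # Typical hunt: ignore Zone.Identifier noise, then report anything PE-shaped.
    for r in hunt_ads(SAMPLE_STREAMS, name_exclude=r"^Zone\.Identifier$"):
        print(f"{r.path}:{r.stream}  size={r.size}  pe={looks_like_pe(r)}")
```

Excluding Zone.Identifier by name removes most of the benign volume on a user workstation, and a content filter such as `^MZ` then narrows the remainder to streams that actually carry an executable; any hit can be uploaded for analysis, as the post notes.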

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

If you would like to experiment with ADSs for yourself, check out the link to the associated Atomic Red Team tests below!

https://atomicredteam.io/defense-evasion/T1564.004/

#DFIR
#Forensics
#Infosec
#T1564.004
#ThreatHunting
#Windows


🦖Day 83 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Server.Utils.BackupGCS/S3

Link:
https://docs.velociraptor.app/artifact_references/pages/server.utils.backupgcs/

https://docs.velociraptor.app/artifact_references/pages/server.utils.backups3/

----

These artifacts are server monitoring artifacts that will watch for flow completions, then zip and send the results to Google Cloud, or an S3 bucket, using the 'upload_gcs()' and 'upload_s3()' functions.

https://docs.velociraptor.app/vql_reference/plugin/upload_gcs

https://docs.velociraptor.app/vql_reference/plugin/upload_s3

----

Once uploaded, the collections can be left alone and remain archived, or special post-processing can be applied using third-party tools, depending on defenders' needs.

@eric_capuano and @shortxstack (@recon_infosec) did an excellent job presenting about using these artifacts with Timesketch to generate a timeline of events.

If you haven't already, be sure to check out their presentation from @SANS #DFIR Summit 2021!

https://www.sans.org/presentations/breaches-be-crazy/

----

That's it for now! Stay tuned to learn about more artifacts! 🦖

#DFIR
#Forensics
#Infosec
#Plaso
#ThreatHunting
#Timesketch
