Velociraptor Intrusion Analysis

1. Initial Access

1.1. Phishing: Spearphishing Attachment (T1566.001)

Hunt Name: Detect_Malicious_Email_Attachments Query 1: Identify Malicious Executables in INetCache

-- VQL: glob() walks the filesystem; there is no FileSystem table or LIKE operator in VQL.
-- OSPath is the path column on current releases (FullPath on older ones); Btime is creation time.
SELECT OSPath, Size, Btime AS CreationTime
FROM glob(globs="C:/Users/*/AppData/Local/Microsoft/Windows/INetCache/IE/**/*.exe")

Hunt Name: Find_Recent_Executables_In_User_Directories Query 2: Search for Recently Created Executables in User Directories

-- Executables created in any user profile within the last 24 hours (now() is epoch seconds).
SELECT OSPath, Btime AS CreationTime, Size
FROM glob(globs="C:/Users/*/**/*.exe")
WHERE Btime > timestamp(epoch=now() - 86400)

Hunt Name: Identify_Dangerous_File_Extensions Query 3: Detect Suspicious Attachments with Dangerous Extensions

-- Files in the IE cache whose extension is commonly abused in attachments (tune the list as needed).
SELECT OSPath, Size, Btime AS CreationTime
FROM glob(globs="C:/Users/*/AppData/Local/Microsoft/Windows/INetCache/IE/**")
WHERE NOT IsDir
  AND Name =~ '''(?i)\.(exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|wsf|hta|ps1|lnk|iso|img)$'''

Hunt Name: Monitor_Temp_Directory_For_PDFs Query 4: Search for PDF Files in Temp Directory

-- PDF files anywhere under a user's Temp directory.
SELECT OSPath, Size, Btime AS CreationTime
FROM glob(globs="C:/Users/*/AppData/Local/Temp/**/*.pdf")

Hunt Name: Check_Temp_Folder_For_Office_Docs Query 5: Detect Office Documents in Temp Folders

-- Office documents under a user's Temp directory; glob() accepts a list of patterns.
SELECT OSPath, Btime AS CreationTime, Size
FROM glob(globs=["C:/Users/*/AppData/Local/Temp/**/*.doc*",
                 "C:/Users/*/AppData/Local/Temp/**/*.xls*",
                 "C:/Users/*/AppData/Local/Temp/**/*.ppt*"])

2. Execution

2.1. Command and Scripting Interpreter: PowerShell (T1059.001)

Hunt Name: Detect_PowerShell_Execution Query 6: Identify PowerShell Executions

-- pslist() column names are capitalised; =~ is a regex match, (?i) makes it case-insensitive.
SELECT Pid, Ppid, Name, Username, Exe, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "(?i)^(powershell|pwsh)\\.exe$"

Hunt Name: Find_Encoded_PowerShell_Commands Query 7: Detect PowerShell Commands with Encoded Scripts

Hunt Name: Monitor_PowerShell_Scripts_In_Temp Query 8: Monitor PowerShell Scripts in Temp Directory

Hunt Name: Search_For_Suspicious_PowerShell_Modules Query 9: Search for Suspicious PowerShell Modules

Hunt Name: Detect_Recent_PowerShell_Executions Query 10: Identify Recent PowerShell Executions
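Queries 7 to 10 are listed by title only. The following VQL is an added example written for this page, not a query from the original document or from the Velociraptor project; it covers the Query 7 case (encoded PowerShell commands) by extracting the base64 argument from the command line of a running PowerShell process and decoding it so the analyst can read the script. It uses the built-in pslist(), parse_string_with_regex(), base64decode() and utf16() functions; the list of -e/-ec/-enc/-encodedcommand switch spellings, the 20-character minimum for the base64 blob and the name Candidates are my own choices and can be tuned.

```vql
-- Added example (not from the original page): find PowerShell processes started with
-- an encoded command and decode the payload. Assumes a Windows client.
LET Candidates = SELECT Pid, Ppid, Name, Username, CommandLine, CreateTime,
       -- pull the base64 blob that follows the (abbreviated) -EncodedCommand switch;
       -- the switch spellings and length threshold are assumptions to tune
       parse_string_with_regex(
          string=CommandLine,
          regex='''(?i)\s-(?:e|ec|enc|encodedcommand)\s+(?P<B64>[A-Za-z0-9+/=]{20,})''').B64 AS B64
    FROM pslist()
    WHERE Name =~ "(?i)^(powershell|pwsh)\\.exe$"

SELECT Pid, Ppid, Name, Username, CreateTime, CommandLine, B64,
       -- -EncodedCommand carries the base64 of a UTF-16LE script, so decode in two steps
       utf16(string=base64decode(string=B64)) AS DecodedCommand
FROM Candidates
WHERE B64
```

Keeping Ppid in the output lets the analyst see which parent spawned the interpreter (an Office application or a scheduled task is more interesting than an administrator's console), and DecodedCommand can be matched with a further =~ filter once the decoded scripts have been reviewed.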

3. Persistence

3.1. Registry Run Keys / Startup Folder (T1547.001)

Hunt Name: Enumerate_Registry_Run_Keys Query 11: Enumerate Run Keys in Registry

Hunt Name: Detect_Suspicious_Startup_Items Query 12: Detect Startup Items in User Profiles

Hunt Name: Search_For_Unusual_RunOnce_Keys Query 13: Search for Unusual RunOnce Keys

Hunt Name: Monitor_Run_Key_Modifications Query 14: Monitor Run Key Modifications

Hunt Name: Identify_Suspicious_Startup_Folder_Entries Query 15: Identify Suspicious Startup Folder Entries

4. Privilege Escalation

4.1. Process Injection (T1055)

Hunt Name: Detect_Remote_Thread_Creation Query 16: Detect Remote Thread Creation

Hunt Name: Identify_Processes_With_Injected_Code Query 17: Identify Processes with Injected Code

Hunt Name: Monitor_Suspicious_Memory_Regions Query 18: Monitor Processes with Suspicious Memory Regions

Hunt Name: Detect_DLL_Injection_In_Processes Query 19: Search for Processes with DLL Injections

Hunt Name: Monitor_Process_Handle_Operations Query 20: Identify Suspicious Process Handle Operations

5. Defence Evasion

5.1. Obfuscated Files or Information (T1027)

Hunt Name: Detect_Base64_Encoded_PowerShell Query 21: Detect Base64 Encoded PowerShell Commands

Hunt Name: Identify_Obfuscated_Scripts_In_Temp Query 22: Identify Suspicious Scripts in Temp Directory

Hunt Name: Search_For_Encrypted_Scripts Query 23: Search for Encrypted Scripts

Hunt Name: Monitor_Batch_Files_In_Temp Query 24: Monitor Obfuscated Batch Files

Hunt Name: Identify_XOR_Encrypted_Files Query 25: Identify XOR Encrypted Files

6. Credential Access

6.1. Credential Dumping: LSASS Memory (T1003.001)

Hunt Name: Search_For_LSASS_Memory_Dumps Query 26: Search for LSASS Memory Dumps

Hunt Name: Monitor_LSASS_Process_Access Query 27: Monitor Access to LSASS Process

Hunt Name: Identify_LSASS_Handle_Operations Query 28: Identify Processes with LSASS Handles

Hunt Name: Detect_Tools_For_LSASS_Dumps Query 29: Detect Tools Known for LSASS Dumps

Hunt Name: Monitor_LSASS_Memory_Reads Query 30: Monitor Memory Reads from LSASS

7. Discovery

7.1. System Information Discovery (T1082)

Hunt Name: Identify_System_Info_Commands Query 31: Search for System Information Enumeration

Hunt Name: Monitor_Host_Information_Commands Query 32: Monitor Commands Gathering Host Information

Hunt Name: Identify_WMI_System_Info_Queries Query 33: Identify System Information Queries via WMI

Hunt Name: Detect_AD_Enumeration Query 34: Detect Active Directory Enumeration

Hunt Name: Monitor_WMIC_System_Commands Query 35: Monitor WMIC Commands for System Information

8. Lateral Movement

8.1. Remote Services: Remote Desktop Protocol (RDP) (T1021.001)

Hunt Name: Monitor_RDP_Logons Query 36: Monitor RDP Logons

Hunt Name: Identify_RDP_Network_Sessions Query 37: Identify RDP Sessions Established via Network

Hunt Name: Search_For_RDP_Config_Changes Query 38: Search for RDP Configuration Changes

Hunt Name: Detect_RDP_Client_Use Query 39: Detect Use of RDP Client

Hunt Name: Monitor_Suspicious_RDP_File_Transfers Query 40: Monitor Suspicious RDP File Transfers

9. Collection

9.1. Data from Local System (T1005)

Hunt Name: Identify_Access_To_Sensitive_Files Query 41: Identify Access to Sensitive Files

Hunt Name: Monitor_Copy_Operations_Of_Sensitive_Files Query 42: Monitor Copy Operations of Sensitive Files

Hunt Name: Detect_Archive_Files_With_Sensitive_Data Query 43: Detect Archive Files Containing Sensitive Data

Hunt Name: Search_For_Encrypted_Archives Query 44: Search for Encrypted Archives

Hunt Name: Identify_Unauthorized_Data_Access Query 45: Identify Unauthorized Data Access Attempts

10. Command and Control

10.1. Command and Control: Web Protocols (T1071.001)

Hunt Name: Monitor_DNS_Queries_For_C2_Domains Query 46: Monitor DNS Queries for Known Malicious Domains

Hunt Name: Search_For_HTTP_S_Connections_To_C2 Query 47: Search for HTTP/S Connections to C2 Servers

Hunt Name: Detect_Suspicious_HTTP_POST_Requests Query 48: Identify Suspicious HTTP POST Requests

Hunt Name: Identify_Non_Standard_HTTP_Methods Query 49: Detect Non-Standard HTTP Methods

Hunt Name: Monitor_DNS_For_Known_C2_Patterns Query 50: Monitor DNS Traffic for Known C2 Patterns

11. Exfiltration

11.1. Exfiltration Over C2 Channel (T1041)

Hunt Name: Monitor_Large_Data_Transfers_To_External_IPs Query 51: Monitor Large Data Transfers to External IPs

Hunt Name: Search_For_Encrypted_Data_Exfiltration Query 52: Search for Encrypted Data Exfiltration

Hunt Name: Detect_FTP_Uploads_To_External_Servers Query 53: Detect FTP Uploads to External Servers

Hunt Name: Identify_ICMP_Tunneling_Attempts Query 54: Identify ICMP Tunneling Attempts

Hunt Name: Monitor_SFTP_Transfers_To_Untrusted_Servers Query 55: Monitor SFTP Transfers to Untrusted Servers

12. Impact

12.1. Inhibit System Recovery: Disable or Modify Tools (T1490)

Hunt Name: Monitor_Volume_Shadow_Copy_Deletion Query 56: Monitor Volume Shadow Copy Deletion

Hunt Name: Search_For_Commands_Disabling_Recovery Query 57: Search for Commands Disabling System Recovery

Hunt Name: Detect_System_Restore_Point_Deletion Query 58: Detect System Restore Point Deletion

Hunt Name: Monitor_Registry_Changes_Disabling_Backups Query 59: Monitor Registry Changes Disabling Backup Features

Hunt Name: Search_For_Disabled_Windows_Recovery Query 60: Search for Disabling Windows Recovery Options

13. Execution (Continued)

13.1. User Execution: Malicious File (T1204.002)

Hunt Name: Identify_Unsigned_Executable_Execution Query 61: Identify Execution of Unsigned Executables

Hunt Name: Search_For_Execution_Of_Recent_Downloads Query 62: Search for Execution of Recently Downloaded Files

Hunt Name: Monitor_Script_Execution_From_User_Folders Query 63: Monitor Execution of Scripts from User Folders

Hunt Name: Detect_Execution_Of_Suspicious_Extensions Query 64: Detect Execution of Files with Suspicious Extensions

Hunt Name: Identify_Execution_From_Temp_Directories Query 65: Identify Execution of Files from Temp Directories

14. Persistence (Continued)

14.1. Boot or Logon Autostart Execution: Registry Run Keys (T1547.001)

Hunt Name: Identify_Registry_Autostart_Entries Query 66: Identify Autostart Entries in Registry

Hunt Name: Monitor_RunOnce_Key_Changes Query 67: Monitor Changes to RunOnce Keys

Hunt Name: Detect_New_Startup_Registry_Entries Query 68: Detect New Startup Items in Registry

Hunt Name: Search_For_Persistence_Via_Winlogon_Keys Query 69: Search for Persistence via Winlogon Keys

Hunt Name: Monitor_Registry_Entries_For_Suspicious_Executables Query 70: Monitor Registry Entries for Suspicious Executables

15. Defence Evasion (Continued)

15.1. Process Injection: Process Hollowing (T1055.012)

Hunt Name: Detect_Process_Hollowing_Indicators Query 71: Monitor for Suspicious Process Hollowing Indicators

Hunt Name: Search_For_Inconsistencies_In_Memory_Allocation Query 72: Search for Inconsistencies in Memory Allocation

Hunt Name: Detect_Unusual_Parent_Child_Process_Relationships Query 73: Detect Unusual Parent-Child Process Relationships

Hunt Name: Monitor_Process_Creation_With_Suspicious_Flags Query 74: Monitor for Process Creation with Suspicious Flags

Hunt Name: Search_For_Hollowed_Process_Memory_Regions Query 75: Search for Processes with Hollowed Memory Regions

16. Credential Access (Continued)

16.1. OS Credential Dumping: NTDS (T1003.003)

Hunt Name: Search_For_NTDS_dit_Access_Attempts Query 76: Search for NTDS.dit Access Attempts

Hunt Name: Monitor_NTDS_dit_Copy_Operations Query 77: Monitor for NTDS.dit Copy Operations

Hunt Name: Detect_NTDS_dit_Access_Via_VSSAdmin Query 78: Detect NTDS.dit Access via VSSAdmin

Hunt Name: Search_For_NTDS_dit_In_VSS_Snapshots Query 79: Search for NTDS.dit in VSS Snapshots

Hunt Name: Monitor_NTDS_dit_Access_By_Non_System_Processes Query 80: Monitor NTDS.dit Access by Non-System Processes

17. Discovery (Continued)

17.1. File and Directory Discovery (T1083)

Hunt Name: Identify_File_And_Directory_Enumeration_Commands Query 81: Identify Commands Enumerating Files or Directories

Hunt Name: Monitor_File_Listings_In_User_Folders Query 82: Monitor File Listing Commands in User Folders

Hunt Name: Search_For_Commands_Accessing_Hidden_Directories Query 83: Search for Commands Accessing Hidden Directories

Hunt Name: Detect_Listing_Of_System_Files Query 84: Detect Listing of System Files

Hunt Name: Monitor_Recursive_File_Listings Query 85: Monitor Recursive File Listings

18. Lateral Movement (Continued)

18.1. Pass the Hash (T1550.002)

Hunt Name: Monitor_LSASS_For_Credential_Extraction Query 86: Monitor LSASS for Credential Extraction

Hunt Name: Search_For_Suspicious_Logon_Attempts_Using_Hashes Query 87: Search for Suspicious Logon Attempts Using Hashes

Hunt Name: Detect_Abnormal_SMB_Logon_Attempts Query 88: Detect Abnormal SMB Logon Attempts

Hunt Name: Search_For_Lateral_Movement_Using_Cached_Credentials Query 89: Search for Lateral Movement Using Cached Credentials

Hunt Name: Monitor_Logon_Sessions_From_Unusual_Sources Query 90: Monitor Logon Sessions Originating from Unusual Sources

19. Collection (Continued)

19.1. Screen Capture (T1113)

Hunt Name: Search_For_Screen_Capture_Tools Query 91: Search for Screen Capture Tools

Hunt Name: Monitor_Output_Files_From_Screen_Capture_Tools Query 92: Monitor Output Files from Screen Capture Tools

Hunt Name: Detect_Use_Of_Built_In_Screenshot_Tools Query 93: Detect Use of Built-in Screenshot Tools

Hunt Name: Identify_Screen_Capture_Commands Query 94: Identify Screen Capture Commands

Hunt Name: Monitor_Image_Files_Created_In_Temp_Folders Query 95: Monitor Creation of Image Files in Temp Folders

20. Impact (Continued)

20.1. Data Encrypted for Impact (T1486)

Hunt Name: Monitor_Unusual_File_Modifications Query 96: Monitor Unusual File Modifications Indicating Encryption

Hunt Name: Search_For_Known_Ransomware_Signatures Query 97: Search for Known Ransomware Signatures

Hunt Name: Detect_Sudden_Increase_In_File_Modifications Query 98: Detect Sudden Increase in File Modifications

Hunt Name: Monitor_Creation_Of_Ransom_Notes Query 99: Monitor Creation of Ransom Notes

Hunt Name: Identify_Ransomware_Processes Query 100: Identify Ransomware Processes
