Velociraptor

Hunting Evil!

Dr. Michael Cohen

[email protected]
About me
In information security and digital forensics for over 18 years.

● Worked at DSD (now its called Australian Cyber Security Center)

● Worked at the Australian Federal Police (AFP)
● Worked at Google for 8 years:
○ Team lead for GRR (Google Rapid Response)
○ Team lead for Rekall (Memory forensics)
○ Worked in Google Cloud IAM
● Moved back to Australia this year to found Velocidex Innovations:
○ Focus on DFIR consulting and tool development

Lots of experience doing DFIR and tool development.

What is Velociraptor?
A new FOSS project heavily influenced by

● Google’s GRR
● Facebook’s OSQuery
● Google’s Rekall

Both a triaging tool and an endpoint monitoring and collection tool

Implements a powerful Velociraptor Query Language (VQL) engine.

https://docs.velociraptor.velocidex.com/

https://github.com/Velocidex/velociraptor
Velociraptor workshop
What will we do today?

● Work primarily on a Windows System.

○ If you do not have a windows machine you could use, you may work on Linux/OSX but not all
the exercises are applicable.
● Velociraptor is a new project so I would appreciate:
○ Feedback as to how to make it easier/better/more useful.
○ Contribute back the code developed in the workshop
○ Use it in anger in your environment and provide feedback.
Velociraptor workshop
What can I get from this workshop?

● You will learn how to write your own Velociraptor artifacts

○ Artifacts are a way to package highly technical queries in simple accessible names.
● You will learn how to use existing Velociraptor artifacts
○ Know how to run existing Velociraptor Artifacts by their name to reuse technical queries
written by others.
● You will learn about real attacks methodologies
○ We will be detecting real threats and real attacks with Velociraptor
● You will learn about the future and planned features of Velociraptor
● Give feedback to the developer about where Velociraptor might serve your
needs!
Velociraptor - Major goals
1. Open source community project.
a. Empower users to customize and update their own deployment.
2. Simple to use and to deploy.
a. Tends to use simple files rather than complex high performance databases.
b. Everything is in the same binary.
c. Very low resource usage - no need for large servers to deploy.
3. Flexible.
a. Being able to customize hunting and end point investigation on the fly WITHOUT writing and
deploying new code on the client or server.
4. Scalable
a. Can handle thousands of endpoints on the same server.
Architecture Overview Server

Send Chan
Client Front
Recv Chan End

GUI

File Data
Store store
Main components - all in one binary
Frontend GUI

● Receive connections ● Allow scheduling new

from Clients flows/hunts
● Queue messages to ● Inspect results from
clients flows/hunts
● Process Responses ● View the client’s Virtual
from Clients (Flows) File System.
Main components
Client VQL Engine (VFilter)

● A service running on the ● Velociraptor Query

end point. Language
● Receive VQL queries ● Allows specifying
from the server multiple complex queries
● Send back VQL ● Feed the results of
Responses queries to other queries.
Main components
Data store File Store

● Somewhere to store ● Velociraptor uses the

VQL results. filestore for long term
● Velociraptor does not storage of uploaded bulk
interpret the results, just data.
store them. ● Simplest option: File
● Simplest option: File backed filestore.
backed data store.
The Velociraptor
Query Language
Why a query language?
● Able to dynamically adapt to changing requirements - without needing to
rebuild clients or servers.
○ For example, a new IOC is released for detection of a specific threat
○ Immediately write a VQL artifact for the threat, upload the artifact and hunt everywhere for it.
○ Turn around from IOC to full hunt: A few minutes.
● Share artifacts with the community
○ VQL Artifacts are simply YAML files with VQL queries.
○ Can be easily shared and cross pollinate other Artifacts
○ Can be customized by callers.
● Public Artifact Reference here
Public Artifact reference
 What is VQL?

VQL Plugin with

Column Selectors Filter Condition
Args

SELECT X, Y, Z FROM plugin(arg=1) WHERE X = 1

How do I run a VQL Query
VQL underpins many of Velociraptor’s operations.

When Velociraptor acts as a client, it simply runs VQL queries and relays them to
the server.

You can also just run VQL queries directly - for the first part today we will do that
Basic concepts
Scope:

● A map of objects available by variable names.

● Scopes are recursive:
○ Outermost layer is populated by Velociraptor

SELECT config.WindowsInstaller.ServiceName from pslist()

○ Next layer is populated by the Query Environment (set by the user)

○ Column selectors create nested scopes that affect filter conditions.

SELECT FullPath, Size from glob(globs='c:/Windows/System32/*.exe') WHERE Size < 10000"

Create Scope Eval scope

Scopes
Looking up a symbol works from inner scope to
Environment
outer scope.

LET Expressions

Some VQL plugins construct special scope rules VQL Plugin

- we will discuss those separately.
Column Selectors

Understanding scope rules is important in order

to refer to columns emitted by different parts.
Scope Example

Column Selector Alias

Filter condition can populates Scope
see the Alias in Scope
The Query Environment
Use the variables from Define variables in
Environment Environment
VQL Plugins
● The main data source in VQL.
● Take named arguments (keyword args).
● Generate multiple objects (as rows)
○ Each row is a single object containing fields.
○ Each field is an object which may in turn contain additional fields

The main goal of VQL is to reuse generic plugins as much as possible.

parse_records_with_regex: Parses a file with a set of
regexp and yields matches as records.
Args:
file: list of type string (required)
regex: list of type string (required)
accessor: type string
VQL Plugins
Show all available VQL plugins:
$ velociraptor vql list
VQL Plugins:

split_records: Parses files by splitting lines into records.

Args:
columns: list of type string
first_row_is_headers: type bool
count: type int
filenames: list of type string (required)
accessor: type string
regex: type string (required)
Example split_records plugin
SELECT * from split_records(
filenames=”/proc/net/arp”,
regex=”\\s{3,20}”,
first_row_is_headers=true)

+--------------+---------+-------+-------------------+------+---------+
| IP_address | HW_type | Flags | HW_address | Mask | Device_ |
+--------------+---------+-------+-------------------+------+---------+
| 192.168.0.4 | 0x1 | 0x0 | 00:00:00:00:00:00 | * | enp6s0 |
| 192.168.0.16 | 0x1 | 0x2 | 6c:29:95:ca:c4:e8 | * | enp6s0 |
| 192.168.0.10 | 0x1 | 0x2 | 34:6b:46:96:f9:85 | * | enp6s0 |
+--------------+---------+-------+-------------------+------+---------+
Example: wmi() plugin.
VQL plugin wmi() takes two args - the query and the namespace
Developing WMI based Artifacts
WMI is very powerful - exposes so much host state.

Can be discovered via tools such as wmiexplorer

(https://github.com/vinaypamnani/wmie2)
Column Selectors
● Columns are specified after the SELECT statement and before the FROM
● A list of expressions - these can apply arbitrary transformations.
● Can invoke VQL functions.
● Use of the AS keyword can give the expression a name (Alias).
○ The alias is placed in the scope.
○ The scope can be referred to from the filter condition.

The result set is a sequence of maps:

● Keys are the column name

● Values are the column expression evaluated on each row returned from the
plugin.
Example Column Selectors and Result Sets
$ velociraptor query "select Name, Pid from pslist() LIMIT 4" --format text
+--------------------------------+-------+
| Name | Pid |
+--------------------------------+-------+
| systemd | 1 |
| kthreadd | 2 |
| rcu_gp | 3 |
| rcu_par_gp | 4 |
+--------------------------------+-------+
$ velociraptor query "select Name, Pid from pslist() LIMIT 2" --format json
[
{
"Name": "systemd",
"Pid": 1
},
{
"Name": "kthreadd",
"Pid": 2
}
]
Filter Conditions
● An optional expression after the WHERE clause.
● Evaluated within the row’s scope.
○ The scope includes all columns returned from the plugin as well as Aliases created with
column selectors.
● If the expression evaluates to true then the row is emitted into the result set.

select Name, Pid from pslist() where Cmdline =~ 'velociraptor'

Regex
operator
VQL Operators and protocols
1. VQL plugins return arbitrary objects - not just simple primitives.
2. Protocols are a way to define how operators interact with arbitrary objects.
3. For example does the following expression make sense?

SELECT Name, Pid FROM pslist() WHERE Cmdline =~ 5

Operator =~ (regex) defines a protocol:

LHS is string, RHS is int -> Does not make sense -> return a NULL object.

NULL evaluate to False in conditions - therefore no row will be selected.

VQL does not abort the query due to protocol mismatch

- just evaluate as NULL!
Main protocols
Associative: The “dereference” operator: +------------+
| Parent.Pid |
select Parent.Pid from pslist() +------------+
| 2 |
| 2 |

Invalid items just return NULL

+--------------------+
| Parent.NOSUCHFIELD |
select Parent.NOSUCHFIELD from pslist() +--------------------+
| null |
Output type discovery
In order to determine what data is available from a plugin:

1. Start with a * column selector

2. Output the result in JSON.
3. Inspect the fields you want and then add them to the column selector.
Exercise
1. Retrieve the Name, Commandline and Username for the 10 processes with
the most memory use (Resident memory size = RSS).
Solution
NOTE: Order By clause must use an identifier not an expression!
LET Expressions
● A LET expression is a way of storing a query in the scope by name:

$ velociraptor query "LET Query = SELECT * FROM pslist()" \

"SELECT Name FROM Query"

● Stored queries can be used within other expressions or queries:

LET Query = select * from glob(globs='/*')

NOTE: This will
SELECT FullPath FROM stat(filename=Query.FullPath) materialize the glob into
memory - use the
foreach() plugin to make
The Associative protocol of this more efficient if
query and string => array of needed!
cell values
LET Expressions
● There are two forms of LET expressions:
● Lazy evaluation - re-run the query for each evaluation

LET Query = select * from glob(globs='/*')

● Materialized - Expands the query into memory then each evaluation operates
on the same cached result set.

LET Query <= select * from glob(globs='/*')

Subqueries
VQL does not have join operators - instead we have subselects.

Example: Run a subquery for each row

$ velociraptor query "SELECT Exe, { SELECT timestamp(epoch=Mtime.Sec) FROM
stat(filename=Exe) } AS Mtime from pslist() WHERE Exe"
[{
"Exe": "/opt/google/chrome/chrome",
"Mtime": "2018-10-24T07:04:42+10:00"
},
{
"Exe": "/usr/bin/aspell",
"Mtime": "2018-05-09T20:29:22+10:00"
}
Subqueries
● Subqueries can also be used to provide arguments to plugins.
● The foreach() plugin runs a query on each row produced by the row query

SELECT * FROM foreach(

row={
SELECT Exe FROM pslist() The scope is
}, populated from
the row
query={
SELECT timestamp(epoch=Mtime.Sec) AS Mtime,
Exe FROM stat(filename=Exe)
})
Exercise:
List the command line of all the processes which have listening sockets

● Use the netstat() plugin to find all listening sockets.

● Use the pslist() plugin to map pids to processes.

Use the LET expression to define a subquery.

What is the difference between the two forms of LET expression?

 Materialize form of LET query
is faster in this case.
Solution
VQL for fun and profit
VQL is a very powerful language
How should we apply it in real life?

● Utilize re-usable VQL plugins and functions to perform different tasks.

● Try to think about what information we would like to automatically find.

glob() timestamp()
upload() now()
wmi() upload()
yarascan()
Exercise:
Archive all files in User’s home directory that were changed in the last day.

VQL Plugins:

Glob() - Finds all files matching a glob expression.

Upload() - Uploads (sends to the server) a file.

Filesystem Accessors
Velociraptor provides access to many things on the client:

● Files accessed through the OS APIs

● RAW NTFS parsing
○ Raw NTFS paritions
○ Volume Shadow Copies
● Registry keys and values

There are many VQL plugins that read files. Most also take an accessor
parameter. This allows all plugins to work on files as well as reg keys etc.
Filesystem Access
Ultimately everything is a VQL query, but since glob and upload are so useful,
there is direct command line access. This provides raw NTFS access:
It is also a good way to practice globbing

This is the VQL query that was

produced - you can copy that and
tweak it (e.g. add extra conditions).
Velociraptor Artifacts
Artifacts
● VQL is very powerful but it is hard to remember and type a query each time.
● An Artifact is a way to document VQL queries:
○ Artifacts are geared towards collection of a single type of information:
■ E.g. the Windows.Sys.Users artifact collects user accounts on windows.
○ Artifacts output a single Result Set (i.e. Set of rows with fixed columns), and may include bulk
files collected as part of the upload () plugin.
○ Artifacts define a set of parameters with default values. It is possible to override parameters
when collecting the artifacts in order to customize them to some extent.
○ Has a common name (Usually broken by categories)
○ Description gives more context around the purpose of the artifact.
○ Artifacts are exposed via VQL plugins so may be post processed or tuned.
Example Artifact
Name and description give human
readable context around the
artifact.

Parameters allow the artifact to be

customized

Preconditions test if the artifact is

supported.

A series of VQL queries is run

which produce a result set (table).
Collecting the artifact
$ velociraptor artifacts collect Windows.Sys.Users
Developing Artifacts
● Create a directory
● Create a yaml file inside it.
● Load the new artifact directory with the command line:

$ velociraptor --definitions my_artifacts/ artifacts list

Write a new Artifact
Artifacts are just YAML files.

Some YAML tricks:

● Ending a line with >- allows to end multi-line

● Starting a line with - means a list.
● Ending a word with : means an item
● Example Artifact - note the structure - it is best to copy/paste an existing
artifact at first.
Example Artifact
name: Windows.Sys.DiskInfo
description: Retrieve basic information about the physical disks of a system.
sources:
- precondition: Sources are a list of provider queries.
SELECT OS From info() where OS = 'windows'
queries:
- | Queries are a list of VQL statements. The last statement must
SELECT Partitions, be a SELECT and previous ones must be LET statements. You
Index as DiskIndex, can use | or >- YAML constructs to preserve line breaks and
InterfaceType as Type,
PNPDeviceID,
indentation. This looks better in the GUI but does not affect the
DeviceID, VQL itself.
Size,
Manufacturer,
Model,
Name,
SerialNumber,
Description
FROM wmi(
query="SELECT * from Win32_DiskDrive",
namespace="ROOT\\CIMV2")
Exercise
Write an artifact to collect files in users’ temp directory which have been created
within the last week.

Have the artifact accept parameters:

- The directory to search.

- The required age of the files.

Use the artifact to collect files in the windows temp directory which have been
changed in the last hour.
Chaining artifacts
● Artifacts encapsulate a VQL Query:
○ Ideally we don't need to understand how an artifact is collected, simply the columns which are
returned.
● This allows us to define artifacts as building blocks to other artifacts.
○ It is possible to run an artifact from within a VQL query. The “Artifact” plugin is an artifact
runner:

SELECT User FROM Artifact.Windows.Sys.Users() WHERE Type =~ 'local'

You can override an artifact’s parameters by providing args to the plugin:

SELECT * FROM Artifact.Linux.Sys.LastUserLogin(wtmpGlobs=”/tmp/wtmp*”)

Velociraptor endpoint
response
Endpoint response.
● So far we have seen how to write VQL statements to collect artifacts about a
machine interactively.
● It would be really nice to be able to collect artifacts across multiple machines.
● We need to install Velociraptor as an endpoint agent.
○ The agent is just the same as the stand alone tool, except that artifacts are collected centrally
using encrypted communications.
○ The Velociraptor server simply receives and collects the VQL result sets.
○ The server orchestrates and tasks the clients
○ The server also implements a GUI for the admin to control the clients.

Clients

Web GUI

Admin Server
Client-Server communications
● Full encrypted communications over HTTP
○ Each deployment creates a CA
○ Server key is signed by CA
● Keys are embedded in the client’s config file.
○ CA public key is embedded in the client’s
○ Client will only trust server certificate signed by the embedded CA
○ Server will only communicate with clients that present the deployment nonce (shared secret).
● Velociraptors comms is based on GRR’s protocol.
○ Main aim is to have zero registration clients - no a-priori knowledge of clients.
○ When clients are installed they generate private key then are enrolled by the server.
Deploying velociraptor
1. Creating an initial configuration:

$ velociraptor config generate > server.config.yaml

This will make new keys and make an initial configuration.

2. Open the file and edit to suit the deployment.

● Change the server_urls to point at the publicly accessible URL - in
practice do not use IP addresses (use DNS).
● Change the datastore location to a suitable path.

3. Create some GUI user - this is needed to connect to the GUI.

$ velociraptor user add mic

Starting the Velociraptor server
$ velociraptor --config server.config.yaml frontend
INFO:2018/11/06 10:12:55 Loaded 37 built in artifacts
INFO:2018/11/06 10:12:55 Launched gRPC API server on 127.0.0.1:8888
INFO:2018/11/06 10:12:55 Frontend is ready to handle client requests at 0.0.0.0:8000
INFO:2018/11/06 10:12:55 GUI is ready to handle requests at 127.0.0.1:8889

● Clients connect to the frontend over HTTP

● GUI connects to localhost over HTTP.
● Do not export GUI over a network without SSL! The easiest way to expose it
is over SSH Tunnel.
Connect to the server with a browser
Prepare the client
The velociraptor client configuration is derived from the server configuration.

$ export VELOCIRAPTOR_CONFIG=server.config.yaml
$ velociraptor config client > client.config.yaml

We can embed the client’s configuration in the binary - this makes it easier to
distribute - One file to rule them all!

$ velociraptor config repack --exe velociraptor.exe client.config.yaml

my_velociraptor.exe

1. Velociraptor.exe is the windows binary which will be repacked.

2. My_velociraptor.exe is the customized repacked binary.
Deploy the client.
Copy the repacked velociraptor client to the target machine.

There are two modes of running it:

1. Debug mode - can see debug messages on the console.

$ my_velociraptor.exe client

2. Deployed mode - Runs as service and autostarts on boot.

$ my_velociraptor.exe service install

NOTE: you can not run 2 clients on the same machine at the same time! If you try,
one will back off with a conflict message. Try to stop the service if this happens.
Installing the service
The binary is copied to its final location, and the service is created.

The writeback location stores client’s

state such as:
1. Cryptographic keys
2. Latest hunt we participated in.
Debugging the client

This is the client’s ID

Search for the client in the GUI
View client’s stats
Interrogation
● When the client first connects, the server collects information about it. This is
called client interrogation.
● The information is shown in the GUI under Host information.
● These are just VQL queries - you can add your own!
● This allows users to customize the interrogate screen for their own need -
show important information about the client right at the client’s host view.
● Note that interrogation results are captured at the time of interrogation so they
might change in the future. It is advisable to run a hunt to refresh the data
periodically if needed.
Exercise: Customize interrogation.
Our environment is fairly unique.

We would like to see:

● A list of all listening ports and their owning processes.

● A list of all current active connections.
● Which directories exist in “Program Files”

Develop the relevant VQL queries and then add to the server’s config file under
the Flows.interrogate_additional_queries section.
Solution
Flows:
interrogate_additional_queries:
- Name: Listening ports
VQL: SELECT * FROM Artifact.Windows.Network.ListeningPorts()
The Virtual File System (VFS)
● Contains information about the client
● Only reflects information already collected by the server.
● Top level is the VFS accessor:
○ File - access files on the client by file APIs
○ NTFS - access files on the client using raw NTFS parsing.
○ Registry - access the registry using the OS APIs
○ Monitoring - access the client’s monitoring subsystem (more on this later).
Exercise: Detect runkey persistence using PS
We are concerned about persistence through powershell run keys.

1. Write an artifact to detect runkeys in HKEY_USERS which run powershell.

2. Test this artifact by creating a new user, setting the key.
3. Test again but this time with the new user logged out. Why is your artifact not
working?

How can we detect such a backdoor?

Write an artifact which collects the user’s NTUSER.dat if they are likely to have
such a backdoor.
Velociraptor
Monitoring
VQL: Event Queries
● Normally a VQL query returns a result set and then terminates.
● However some VQL plugins can run indefinitely or for a long time.
○ These are called Event VQL plugins since they can be used to generate events.

An Event query does not complete on its own - it simply returns partial
results until cancelled.

Rows
Partial Result
Sets
● Wait time Query VQL plugin
● Max rows
Example: Monitor event logs for certain events.
● The Velociraptor wait_evtx() VQL plugin can wait on an event log for new
events.
● The log file is checked periodically for new events, which are emitted by the
plugin.
● The events can be filtered by the normal VQL filters.
● Result sets are emitted in accordance with wait_max and max_rows.
● Wait_max: The maximum length of time we wait before emitting partial
results.
● Max_rows: The max number of rows we allow in one result set.
Let’s detect service installation
systemLogFile = C:/Windows/System32/Winevt/Logs/System.evtx

SELECT System.TimeCreated.SystemTime as Timestamp,

System.EventID.Value as EventID,
EventData.ImagePath as ImagePath,
EventData.ServiceName as ServiceName,
EventData.ServiceType as Type,
EventData as _EventData
FROM watch_evtx(filename=systemLogFile) WHERE EventID = '7045'
Watch the log file for
new messages
Let's test this with winpmem

● Winpmem loads a kernel driver so it can image physical memory.

● This is done by installing a service.
● Download the binary and install the driver:

winpmem.exe -L
Winpmem loaded a kernel driver
from the temp directory … Very
suspicious!
Detect running a command using PsExec
● Sysinternals PsExec is a common way to run a command remotely
● It works by copying a service binary to the Admin$ share and then starting the
service.
● Try it locally - e.g. get a system shell:
○ PsExec.exe -s -i cmd.exe
● You should be able to see an event generated by the above artifact:
WMI Event sources: Process Execution
Another popular VQL event plugin is the wmi_events() plugin.

Registers a WMI event listener and passes the event data to VQL filters.
SELECT timestamp(epoch=atoi(string=Parse.TIME_CREATED) / 10000000 - 11644473600 ) as Timestamp,
Parse.ParentProcessID as PPID,
Parse.ProcessID as PID, Unfortunately the WMI
Parse.ProcessName as Name, { event does not provide
SELECT CommandLine the full cmdline so we
FROM wmi(
query="SELECT * FROM Win32_Process WHERE ProcessID = " +
need to run a second
format(format="%v", args=Parse.ProcessID), subquery for the PID on
namespace="ROOT/CIMV2") each emitted row.
} AS CommandLine
FROM wmi_events(
query="SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'",
wait=5000000,
namespace="ROOT/CIMV2")
Event artifacts
● Just like regular artifacts, Event Artifacts are a way to encapsulate Event VQL
queries.
● Event Artifacts never terminate - they just continue to generate events.

Detecting events is very nice, but what do we do

with these events?
Velociraptor Event Monitoring
● While it is great to collect artifacts locally, it is much more useful to send the
events to the server ASAP
● The server can just keep running logs of client events
● If a client is compromised, critical events are safely archived on the server.
○ Especially helpful for Event logs - no need to use Event Log Forwarding.
● Process Execution logs may be retroactively searched in case of
compromise.
● Monitoring events are just stored in CSV files on the server - you can script
post processing analytics on them!
Client monitoring architecture
● The client maintains an Event Table
○ A set of VQL Event Queries
○ All run in parallel and never terminate. Event
Client
● When any of the queries in the event table Table
produces a result set, the client sends it to
the Monitoring Flow.
● The Server's Monitoring Flow writes the
events into log files in the client's VFS.
● The set of events the client should be
monitoring is defined as a set of Event
Monitoring Client's
Artifacts in the server's config file. Server
Flow VFS
● If the Event Table needs to be refreshed,
existing event queries are cancelled and a
new event table created.
Example Monitoring configuration
Events:
artifacts:
- Windows.Events.ServiceCreation
- Windows.Events.ProcessCreation
version: 1
Process Execution Logs
Exercise - Collect client statistics.
Our users are concerned about potential resource usage of the Velociraptor client.

Create an event Artifact which records the total amount of CPU used by the
Velociraptor client every minute. Also record the client’s memory footprint.

Add the artifact to the monitoring configuration.

We can now go back and see what was the load footprint of the client on the
endpoint at any time in the past.
Proactively detecting
attackers
The Mitre Att&ck framework
● Mitre maintains a valuable resource to collect information about attacks seen
in the wild. The Mitre Att&ck framework.
Enumerate all Scheduled tasks
Scheduled tasks
● Modern systems deprecated at.exe
● Create a new scheduled task to run
notepad.exe:
○ schtasks /create /S testcomputer /st 05:28
/tr notepad.exe /tn gaming /sc once

This should create an XML file under

c:\windows\system32\tasks\

Write an artifact to list all scheduled tasks.

BITS - An easy firewall bypass
BITS - Try it
● Reference:
https://mgreen27.github.io/posts/2018/02/18/Sharing_my_BITS.html
● Try to download a file using BITS:

bitsadmin /transfer mydownloadjob /download https://www.google.com/ f:\test.html

● Where would you find such an artifact?

○ Event logs?
■ %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.e
vtx
○ BITS jobs database
■ C:\ProgramData\Microsoft\Network\Downloader
Lateral Movement - WMI Win32_Process.Create
● WMI may be used to create processes remotely:

wmic process call create "notepad.exe"

● This works by invoking the Create method of the Win32_Process WMI class.
● This is very suspicious. Lets implement an Event Artifact to detect this.
○ SELECT * FROM MSFT_WmiProvider_ExecMethodAsyncEvent_Pre
WHERE ObjectPath="Win32_Process" AND MethodName="Create"

C:\> my_velociraptor.exe query "select Parse from wmi_events(query='SELECT * FROM

MSFT_WmiProvider_ExecMethodAsyncEvent_Pre WHERE ObjectPath=\"Win32_Process\" AND
MethodName=\"Create\"', namespace='ROOT/CIMV2', wait=50000000)" --max_wait=1 --format=json
Lateral Movement - Service Control Manager
Finding and Decoding Malicious Powershell Scripts - SANS DFIR Summit 2018
Service Control Manager
● Develop an Event Monitoring Artifact to check for new service creation.
● Check for services containing powershell - high value alerts.
● Install and test this as a Monitoring Event.
● Write a server side script to alert via email on such an event - this is expected
to be a very low volume but high value event.
Forensics: Background Activity Moderator (BAM)
● BAM is a Windows service that Controls activity of background applications.
This service exists in Windows 10 only after Fall Creators update – version
1709. Ref
Exercise:
● Ref:
https://www.andreafortuna.org/dfir/forensic-artifacts-evidences-of-program-ex
ecution-on-windows-systems/
● Write an Artifact which lists the executables each user ran.
● Hint:
○ Registry key for BAM is HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
○ You can use basename/dirname VQL functions.
○ You need to parse the binary data in the key value - it is a windows timestamp for the last
executed time.
Solution
name: Windows.Forensics.Bam
parameters:
- name: bamKeys
default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\*

sources:
- precondition:
SELECT OS from info() where OS = "windows"
queries:
- LET users <= SELECT Name, UUID FROM Artifact.Windows.Sys.Users()
- SELECT basename(path=dirname(path=FullPath)) as SID, {
SELECT Name FROM users WHERE UUID = basename(path=dirname(path=FullPath))
} As UserName,
Name as Binary,
timestamp(winfiletime=binary_parse(
string=Data.value, target="int64").AsInteger) as Bam_time
FROM glob(globs=bamKeys + "\\*", accessor="reg")
WHERE Data.type = "BINARY"
WMI Event consumer backdoor
Install WMI Event subscription
$instanceFilter = ([wmiclass]"\\.\root\subscription:__EventFilter").CreateInstance()
$instanceFilter.QueryLanguage = "WQL"
$instanceFilter.Query = "select * from __instanceModificationEvent within 5 where targetInstance isa
'win32_Service'"
$instanceFilter.Name = "ServiceFilter"
$instanceFilter.EventNamespace = 'root\cimv2'
$result = $instanceFilter.Put()
$newFilter = $result.Path
$instanceConsumer = ([wmiclass]"\\.\root\subscription:LogFileEventConsumer").CreateInstance()
$instanceConsumer.Name = 'ServiceConsumer'
$instanceConsumer.Filename = "C:\Users\Log.log"
$instanceConsumer.Text = 'A change has occurred on the service: %TargetInstance.DisplayName%'
$result = $instanceConsumer.Put()
$newConsumer = $result.Path
$instanceBinding = ([wmiclass]"\\.\root\subscription:__FilterToConsumerBinding").CreateInstance()
$instanceBinding.Filter = $newFilter
$instanceBinding.Consumer = $newConsumer
$result = $instanceBinding.Put()
$newBinding = $result.Path
Remove WMI Event Subscription
([wmi]$newFilter).Delete()
([wmi]$newConsumer).Delete()
([wmi]$newBinding).Delete()

Refs:
● https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/
● https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

What does this do?

Try this event subscription! It is similar to what we did earlier with Velociraptor :-).
Write a Velociraptor artifact to list all such bindings.
● The event subscription writes a log file when a service is started/stopped.
● Start off with listing the WMI filter to consumer binding.

SELECT * FROM wmi(

query="SELECT * FROM __FilterToConsumerBinding",
namespace=namespace)

● Extract the consumer name and event names and their types.
● Query the other WMI classes for these
Solution
LET FilterToConsumerBinding = SELECT parse_string_with_regex(
string=Consumer,
regex=['((?P<namespace>^[^:]+):)?(?P<Type>.+?)\\.Name="(?P<Name>.+)"']) as
Consumer,
parse_string_with_regex(
string=Filter,
regex=['((?P<namespace>^[^:]+):)?(?P<Type>.+?)\\.Name="(?P<Name>.+)"']) as Filter
FROM wmi(
query="SELECT * FROM __FilterToConsumerBinding",
namespace=namespace)
Solution
SELECT {
SELECT * FROM wmi(
query="SELECT * FROM " + Consumer.Type,
namespace=if(condition=Consumer.namespace,
then=Consumer.namespace,
else=namespace)) WHERE Name = Consumer.Name
} AS ConsumerDetails,
{
SELECT * FROM wmi(
query="SELECT * FROM " + Filter.Type,
namespace=if(condition=Filter.namespace,
then=Filter.namespace,
else=namespace)) WHERE Name = Filter.Name
} AS FilterDetails
FROM FilterToConsumerBinding
Conclusions
Velociraptor is an open source project
(Apache License)

Still early days but with your help it can be

super awesome!

https://docs.velociraptor.velocidex.com/
https://github.com/Velocidex/velociraptor

At Velocidex, we are using it for our DFIR

work - you can influence development too
by filing bugs and feature requests.