What am I doing wrong with artifacts here?


Daniel D'Angeli

Jan 23, 2025, 3:20:46 PM
to velocirapt...@googlegroups.com
Hi,

I have been studying Velociraptor for the last couple of days and I'm trying to understand the artifacts' behaviour better.

I have customized the Windows.ETW.FileCreation artifact with an additional column. The code is the following:
name: Custom.Windows.ETW.FileCreation
description: |
   This artifact watches the Microsoft-Windows-Kernel-File provider
   for new file creation events.

   We also include the process that created the file, and a process
   call chain.

   NOTE: This artifact uses the process tracker so it works a lot
   better when the process tracker is enabled.

type: CLIENT_EVENT

parameters:
   - name: FilePathFilter
     type: regex
     default: .
     description: Filter events by filename
   - name: ProcessNameFilter
     type: regex
     default: .
   - name: ProcessExecutableFilter
     type: regex
     default: .

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
        LET Y = SELECT *
          FROM watch_etw(
            description="Microsoft-Windows-Kernel-File/Analytic",
            guid="{EDD08927-9CC4-4E65-B970-C2560FB5C289}", any=4096)
          WHERE EventData.FileName =~ FilePathFilter

        -- Implement a delay to ensure we get the process event stream
        -- from sysmon before we query for it.
        LET X = SELECT timestamp(string=System.TimeStamp) AS Timestamp,
                       EventData.FileName AS FileName,
                       { SELECT hash(path=FullPath) FROM glob(globs=EventData.FileName)} AS FileHash,
                       System.ProcessID AS ProcessID,
                       process_tracker_get(id=System.ProcessID).Data AS ProcessInfo
          FROM delay(query=Y, delay=10)

        SELECT Timestamp,
               FileName,
               FileHash,
               ProcessID,
               ProcessInfo.Name AS ProcessName,
               ProcessInfo.Username AS Username,
               ProcessInfo.Exe AS ProcessExecutable,
               ProcessInfo.CreateTime AS ProcessCreation
        FROM X
        WHERE ProcessName =~ ProcessNameFilter
          AND ProcessExecutable =~ ProcessExecutableFilter

The problem is that the FileHash column is always empty.

What am i doing wrong?

Regards,
Daniel D.
--


Daniel D'Angeli
Junior System Engineer
Sync Security S.r.l.

Mail: daniel....@syncsecurity.it
Telefono: 3780632260
Website: www.syncsecurity.it

ROMA - MILANO - NAPOLI - PADOVA - VERONA

Daniel D'Angeli

Jan 24, 2025, 8:25:58 PM
to Mike Cohen, velocirapt...@googlegroups.com
Hi,

thanks for your response. My goal is to do a sort of file monitoring where, for every new file added to the system, we would calculate the hash, then, with the Wazuh SIEM and some other integrations, understand whether that hash is an IoC and, if so, isolate the host with the quarantine option.

Is the load on the host too expensive to achieve this kind of monitoring?

Regards,
Daniel D.

On 23/01/2025 21:58, Mike Cohen wrote:
You can see the type of events that it returns:

[screenshot of the returned event rows omitted]
It does not have a column called FileHash - if you looked in the query logs it would also say "symbol not found". 

If you wanted to calculate the file hash you would need to use the hash() function to also calculate the hash - note this is really not recommended because it can be super expensive and there are a lot of events. It might make sense if you have a very tight filter by filename/process first to ensure it is not done needlessly.

Thanks
Mike




Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises


mi...@velocidex.com 





Mike Cohen

Jan 24, 2025, 8:42:20 PM
to Daniel D'Angeli, velocirapt...@googlegroups.com
I am not sure about the load. I guess this is something that should be looked into in testing. Maybe caching with memoize() will make this reasonable.

The main challenge is that the kernel provider gives filenames in terms of kernel devices, like this:

[screenshot of an event with a \Device\HarddiskVolumeN path omitted]

So you need to convert those to file names \\Device\\HarddiskVolume3\\ProgramData\\VMware\\VMware Tools\\tools-global.conf

The new kernel ETW provider support will do this automatically, but maybe a search-and-replace is needed for this provider.

Thanks
Mike
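One way to do the search-and-replace Mike describes, with the tight filter and the memoize() cache mentioned earlier in the thread, as an added example that is not code from this thread or from Velociraptor's own Windows.ETW.FileCreation artifact. It assumes that winobj() accepts a path argument and returns the object-manager symlinks with columns Name (for example \GLOBAL??\C:) and SymlinkTarget (for example \Device\HarddiskVolume3); the default FilePathFilter, MaxFileSize and DelaySeconds values are illustrative and should be tuned per deployment.

```yaml
name: Custom.Windows.ETW.FileCreation.Hashed
description: |
   Added example (not from the thread above or from Velociraptor's own
   Windows.ETW.FileCreation): watch Microsoft-Windows-Kernel-File for file
   creation events, keep only filenames matching a tight filter, map the
   kernel device path (\Device\HarddiskVolumeN\...) to a drive-letter path,
   and only then hash the file.

type: CLIENT_EVENT

parameters:
   - name: FilePathFilter
     type: regex
     default: '\\Users\\[^\\]+\\Downloads\\[^\\]+\.(exe|dll|ps1|js|vbs|zip)$'
     description: Keep this tight; every matching event costs a hash.
   - name: MaxFileSize
     type: int
     default: 52428800
     description: Skip hashing files larger than this (50 MiB).
   - name: DelaySeconds
     type: int
     default: 10

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
        -- Assumption: winobj() takes a path argument and returns Name
        -- (e.g. \GLOBAL??\C:) and SymlinkTarget (e.g. \Device\HarddiskVolume3).
        -- memoize() builds the lookup table once, keyed on the device name.
        LET DeviceMap <= memoize(key="Device", query={
            SELECT SymlinkTarget AS Device,
                   regex_replace(source=Name, re='''^.*\\''', replace="") AS Drive
            FROM winobj(path='''\GLOBAL??''')
            WHERE Name =~ '''(^|\\)[A-Z]:$'''
              AND SymlinkTarget =~ '''^\\Device\\HarddiskVolume[0-9]+$'''
        })

        -- \Device\HarddiskVolume3\Users\x\a.exe -> \Device\HarddiskVolume3
        LET DevicePrefix(Path) = regex_replace(
            source=Path,
            re='''^(\\Device\\HarddiskVolume[0-9]+)\\.*$''',
            replace="$1")

        LET DriveLetter(Path) = get(item=DeviceMap,
                                    field=DevicePrefix(Path=Path)).Drive

        -- \Device\HarddiskVolume3\Users\x\a.exe -> C:\Users\x\a.exe
        -- Devices not in the map (network shares, shadow copies) give NULL.
        LET ToDrivePath(Path) = if(
            condition=DriveLetter(Path=Path),
            then=DriveLetter(Path=Path) + regex_replace(
                source=Path,
                re='''^\\Device\\HarddiskVolume[0-9]+''',
                replace=""),
            else=NULL)

        -- Filter on the raw device path first so nothing below runs for
        -- events we do not care about.
        LET Events = SELECT timestamp(string=System.TimeStamp) AS Timestamp,
               EventData.FileName AS DevicePath,
               ToDrivePath(Path=EventData.FileName) AS FileName,
               System.ProcessID AS ProcessID
          FROM watch_etw(
            description="Microsoft-Windows-Kernel-File/Analytic",
            guid="{EDD08927-9CC4-4E65-B970-C2560FB5C289}", any=4096)
          WHERE EventData.FileName =~ FilePathFilter

        -- The delay gives the process tracker time to see the creating
        -- process and the writer time to finish the file. Files that have
        -- vanished, or that are over MaxFileSize, are never hashed.
        SELECT Timestamp, DevicePath, FileName, ProcessID,
               process_tracker_get(id=ProcessID).Data.Name AS ProcessName,
               process_tracker_get(id=ProcessID).Data.Exe AS ProcessExecutable,
               hash(path=FileName).SHA256 AS SHA256
        FROM delay(query=Events, delay=DelaySeconds)
        WHERE FileName
          AND stat(filename=FileName).Size < MaxFileSize
```

The cost control is in the ordering: the regex filter runs on every event before any path rewriting, the size check runs before hash(), and the device map is built once rather than per event. A SHA256 column that is still NULL after this means the file was gone or unreadable by the time the delay expired, which is worth watching for short-lived droppers.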