Discover and read the best of Twitter Threads about #Velociraptor

Most recents (20)

1/ I used #AutoRuns v14.09 (GUI) in my lab setup but noticed that it failed to find (or display) the malware in the Startup folder, although the file is there (screenshot below).

I checked back and forth, searched manually for the file, and restarted the OS and AutoRuns.

🧵 Image
2/ With #Velociraptor, I ran the hunt Sysinternals.Autoruns, and with the CLI version of AutoRuns, the malware is found in the Startup folder. Image
3/ The same for the #Velociraptor hunt Sys.StartupItems. Image
Read 4 tweets
1/ Do you monitor newly created services within your environment, and would you notice when a (vulnerable) driver is loaded?

The screenshot below (#Velociraptor 🤩) is from a recent #XMRig CoinMiner investigation ⤵️

🧵 #CyberSecurity
2/ We talked about vulnerable drivers before:

Read 4 tweets
1/ #Velociraptor has covered hunting for malicious WMI Event Consumers for some time. [1]

However, Velociraptor does not provide an eradication hunt for malicious WMI Event Consumers out of the box.

🧵 #CyberSecurity
2/ @threatpunter wrote a detailed blog about WMI persistences and how to remove them.

"The simplest method to remove the entry from the WMI database is to use Autoruns. Launch Autoruns as an administrator and select the WMI tab to review WMI-related persistence." ✂️ Image
3/ "Alternatively, you can remove the WMI event subscriptions from the command line." [2] Image
Read 4 tweets
17 herramientas GRATUITAS de #hacking #ciberseguridad #gratis:
Va hilo 🧵
1.Zeek: zeek.org : monitorea y analiza el tráfico de red en tiempo real, captura paquetes, registra eventos y genera alertas de actividad sospechosa. Ampliamente utilizado en la industria y en la investigación académica. #Zeek #seguridad #red
2.ClamAV: clamav.net :detectar y eliminar virus, malware y otras amenazas en archivos y mensajes de correo electrónico. Se utiliza a menudo en servidores de correo y sistemas de red para proteger contra amenazas de seguridad.#ClamAV #virus #seguridad #malware
Read 25 tweets
🦖Day 69 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]MacOS[.]Applications[.]NetworkUsage

Link: docs.velociraptor.app/exchange/artif…
If an unknown application, or an application that doesn't typically communicate over the network at all suddenly shows signs of large amount of inbound our outbound traffic, it can be considered suspicious.
Similarly, deviations from normal patterns of communication from typical network-connected programs can also be considered suspicious.
Read 7 tweets
🦖Day 68 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Linux[.]Sys[.]JournalCtl

Link: docs.velociraptor.app/exchange/artif…
This artifact parses the output of the 'journalctl' command. It is used to view systemd logs on a Linux host.

These logs can contain valuable information to incident responders, such as hardware events, kernel messages, network connectivity, service status, and user events.
Information provided by this artifact includes:

- Timestamp
- Message
- Boot ID
- Machine ID (h)
- Cursor
- Syslog facility/priority (h)
- Monotonic timestamp (h)
- Transport (h)

*h -> column is hidden from the output by default, and can be viewed with the column selector.
Read 5 tweets
🦖Day 67 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Windows[.]Forensics[.]RecycleBin

Author: @svch0st

Link: docs.velociraptor.app/artifact_refer… Image
This artifact parses the $I files found in the Windows Recycle Bin folder ($Recycle.Bin, as of Windows Vista) to obtain the time of deletion and the original path and file name.

This folder contains:
- $I files ("Recycled" file metadata)
- $R files (the original data)
The contents of the Recycle Bin directory are organized by SID ('C:\$Recycle.Bin\%SID%\').

It's important to note that this artifact uses the API to read available $I data. There may be additional unallocated but readable $I files referenced in the MFT that may be recoverable.
Read 6 tweets
🦖Day 66 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Server[.]Orgs[.]NewOrg

Link: docs.velociraptor.app/artifact_refer… Image
With support for multi-tenancy added to Velociraptor in version 0.6.6, we can now manage multiple organizations within a single Velociraptor deployment!
This artifact creates a new organization in a deployment. Upon doing so, the 'OrgId' is used to track information about the new organization.

The current user will be the administrator for this organization. ImageImage
Read 7 tweets
🦖Day 38 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Linux[.]Sys[.]Pslist

Link: docs.velociraptor.app/artifact_refer…
This artifact enumerates the running processes on a Linux system. This can be useful to check for proper configuration or misalignment across a fleet of hosts, or for identifying suspicious processes generated by, or leveraged by malware.
Some of the Information provided by the artifact:

- Process ID
- Parent process ID
- Command line
- Executable
- Hash
- Username
- Created time
- RSS (how much memory allocated to the process)
Read 5 tweets
🦖Day 37 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: Exchange[.]Windows[.]Detection[.]ISOMount

Author: @ConorQuinn92

Link: docs.velociraptor.app/exchange/artif…
After Microsoft decided to block Office macros by default, threat actors began pivoting to a usage of container files such as .iso, .rar, and .lnk files for malware distribution.

This is because TAs can then bypass the "Mark of the web" restrictions for downloaded files.
When downloaded, container files will have the MOTW attribute because they were downloaded from the internet. However, the document inside, such as a macro-enabled spreadsheet, will not.
Read 12 tweets
🦖Day 36 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: MacOS[.]System[.]QuarantineEvents

Link: docs.velociraptor.app/artifact_refer… Image
This artifact parses the 'com[.]apple.LaunchServices.QuarantineEventsV2' sqlite database to provide defenders with information around files that have been downloaded from the internet.

Information includes:

- DL Time
- DL URL
- Origin
- Agent Name/Bundle
- User
- Event UUID
On macOS, when a user downloads a file from the internet/third party source, the file will have an extended attribute associated with it called 'com[.]apple.quarantine'.

This asserts that the file will not be opened/executed, until explicitly allowed by the user (via prompt). Image
Read 9 tweets
🦖Day 14 of the @velocidex #velociraptor #ArtifactsOfAutumn series

Artifact: 'Windows[.]Detection[.]BinaryRename'

Author: @mgreen27

Link: docs.velociraptor.app/exchange/artif… Image
This artifact will detect renamed binaries commonly abused by adversaries.

Renaming binaries is a defense evasion technique used to bypass brittle process name and path-based detections. It is used by many actors/groups, including from commodity malware and nation states.
Here, we can see 'cmd.exe' was renamed in an attempt to appear as a legitimate instance of 'lsass.exe': Image
Read 6 tweets
One might use this artifact to generate a baseline of normal Windows services, and look for services out of the ordinary. We can filter on display/service name, as well as DLL, path, etc. We can also calculate hashes and provide signing info for associated executables/DLLs. ImageImage
Sorting on the 'Created' column shows the most recently created services (assuming no other manipulation, etc.). Here, we see a service named 'win32times', similar to the native Windows Time Service. We also see 'evilscript.ps1' being called by 'cmd', and no signing info.🦹🔍 Image
Read 5 tweets
1/ Windows Error Reporting (WER) can provide investigators with a wealth of data including:
• SHA1 hashes of crashed processes
• Snapshot of process trees at time of crash
• Loaded modules of crash
• Process minidumps
#DFIR #Threathunting
See 🧵 for new #Velociraptor artefact
2/ WER files are found in the following locations which include a range of information to typically address an application crash, however we can use it for investigation!

C:/Users/*/AppData/Local/Microsoft/Windows/WER
C:/ProgramData/Microsoft/Windows/WER
3/ The "Report.wer" file includes binary information and binary path. In Windows 10 and above the field "TaskAppId" contain the SHA1 hash of the process (similar to Amcache).
Read 9 tweets
Welcome to the 5th and final of my #PrehistoricPlanet threads in which I talk about the science and background to what we showed in this new @AppleTVPlus @bbcstudios production. This time we look at EP 5: FORESTS… #dinosaurs #Cretaceous
I was lead scientific consultant on #PrehistoricPlanet and was extensively involved in our many decisions, all of which were science-led or scientifically informed. I was, of course, merely one among many in a HUGE team that involved hundreds of very talented people!
Ep 5 focuses on the #dinosaurs and #pterosaurs that lived in forests during the Maastrichtian (the final part of the Late #Cretaceous). The Maastrichtian world was heavily forested, with temperate, subtropical & tropical woodland covering around 78% of the land surface…
Read 83 tweets
Ok, here we go on a thread relating to the science and decisions behind ep 3 (FRESHWATER) of #PrehistoricPlanet , our new @AppleTVPlus @bbcstudios series devoted to Late #Cretaceous life. Here we go... #dinosaurs #pterosaurs #plesiosaurs #frogs
Freshwater kicks off in north-east Asia (a location consistent with the geology, climate and animals we show) with a spectacular waterfall connected to canyons. Juvenile #pterosaurs - they're young #azhdarchids - have gathered here to roost... #PrehistoricPlanet
We know essentially nothing of the roosting or resting habits of #azhdarchids but see it as likely that they would have gathered in numbers (fossil evidence does show that they were social) in places that predators couldn't easily get to. Hat-tip to discussion with @MarkWitton ..
Read 36 tweets
Join me in this thread as I talk about the science and decisions behind what we show in ep 2 - DESERTS - of the new @AppleTVPlus @bbcstudios series #PrehistoricPlanet . Deserts aired on Tuesday, but better late than never. Here we go...
Deserts kicks off in western South America on an arid plain where a mass gathering of the giant #titanosaur #Dreadnoughtus have gathered to display and compete for mates. Dreadnoughtus, from Argentina, was named in 2014 by @kenlacovara [shown in photo!] and colleagues...
The idea that sauropods might have gathered and competed is based on behaviour seen in modern birds, mammals and other animals. Remember that events like this MUST have happened in the past, as they do today...
Read 34 tweets
El mononykus de #PrehistoricPlanet 😍
Es que no me fastidies.
Qué bonico eres.
¿Te molesta el sol, mi rey?
No sufras yo lo arreglo.
Read 6 tweets
Bonsoir ! 👋 Merci encore pour vos nombreux retours enthousiastes & partages, hier. 😊💚 Aujourd'hui, on va parler des #compétences requises, des #contraintes & #avantages du métier (d'où la photo ci-dessous, vous allez comprendre) !

🔽🔽🔽 #sciart #scicom
On a déjà vu ces derniers jours que certaines compétences techniques sont requises dans mon métier : maîtrise des outils de création, veille #naturaliste, entraînement régulier, etc. 🖌️
Mais le métier d'#illustrateur·rice #scientifique réclame bien d'autres compétences que ce qu'on appelle trivialement "savoir #dessiner".
Read 20 tweets
At this point, I've reconstructed about a million fossil birds (and other vertebrates) and it pains me that this stuff is sitting in my files, UNPUBLISHED. It's because I >>can't<< make time to finish my textbook, not yet anyway. Let's talk about Paleogene birds. So.... (thread)
How do you reconstruct Paleogene #birds? The good news is that some of the relevant taxa - eg, those from Messel - are known from articulated skeletons, sometimes with plumage preserved and even feather patterns and melanosomes revealing colour... [pic Gerald Mayr/Volker Wilde]
Based on the skeleton, you take a load of measurements and get a skeleton scaled about right. My drawings at this point are really sketchy and look pretty goofy... This is the tiny Gracilitarsus, a hummingbird-sized relative of hoopoes.
Read 9 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!