Windows.Bulk.File :: Velociraptor

Windows.Bulk.File

Search for some simple bulk File IOCs and upload if desired. Typical upload workflow may be to firstly search, then if returned rows match expectations rerun query with upload tickbox selected.

NOTE: strings with comma “,” requre quotes.

IocLookupTable csv details:

Glob - “Quote” items with { glob } barckets. Whitelist - Velociraptor regex to whitelist FullPath field. Description - Free text


name: Windows.Bulk.File
author: Matt Green - @mgreen27
description: |
    Search for some simple bulk File IOCs and upload if desired.
    Typical upload workflow may be to firstly search, then if returned
    rows match expectations rerun query with upload tickbox selected.

    NOTE: strings with comma "," requre quotes.

    IocLookupTable csv details:

    Glob - "Quote" items with { glob } barckets.
    Whitelist - Velociraptor regex to whitelist FullPath field.
    Description - Free text

parameters:
  - name: UploadHits
    description: Upload hits to server.
    type: bool
  - name: Accessor
    type: choices
    default: auto
    choices:
      - auto
      - ntfs
      - file
  - name: IocLookupTable
    type: csv
    default: |
        TargetGlob,IgnoreRegex,Description
        "C:\intel\Logs\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Carbanak staging location
        "C:\users\public\temp\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Carbanak staging location
        "C:\Windows\SystemApps\*\*.{ps1,vbs,js,bat,cpl}",,Carbanak staging location
        "C:\windows\temp\temp1\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Carbanak staging location
        "C:\Windows\System32\spool*\*.{ps1,vbs,js,bat,cpl}",,Common staging location
        "C:\Perflogs\**\*.{lnk,ps1,vbs,js,exe,dll,bat,cpl,zip,7z,rar}",\.(ini|txt|zip|etl|html|xml|xsl|log|blg)$,Staging location
        "C:\ProgramData\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Staging location
        "C:\ProgramData\.*\*.{bin,dat,txt,log,ps1,vbs,js,exe,dll,bat,cpl}",,Copy-Paste staging location
        "C:\Users\Public\**\*.{lnk,ps1,vbs,js,exe,dll,bat,cpl,zip,7z,rar}",C:\\Users\\Public\\Desktop\\[\\]+\.lnk,Staging location
        "C:\Users\*\Sounds\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Investigation staging
        "C:\Windows\Temp\winsyslog\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Current investigation X1002
        "C:\Windows\Help\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Staging location
        "C:\Windows\twain_32\*.{ps1,vbs,js,exe,dll,bat,cpl}",,Staging location

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- extract IOCs from lookupTable
      LET hits = SELECT * FROM foreach(
            row=IocLookupTable,
            query={
                SELECT
                    OSPath,
                    Name,
                    dict(
                        TargetGlob=TargetGlob,
                        IgnoreRegex=IgnoreRegex,
                        Description=Description
                            ) as IocDetails,
                    timestamp(epoch=Mtime) as Mtime,
                    timestamp(epoch=Atime) as Atime,
                    timestamp(epoch=Ctime) as Ctime,
                    timestamp(epoch=Btime) as Btime,
                    Size,
                    IsLink
                FROM glob(globs=TargetGlob,accessor=Accessor)
                WHERE NOT IsDir
                    AND NOT if(condition=IgnoreRegex,
                        then=OSPath =~ IgnoreRegex,
                        else=FALSE)
            })

      -- upload hits
      LET upload_hits = SELECT *, upload(file=OSPath) FROM hits

      -- output rows
      SELECT *,
        hash(path=OSPath) as Hash
      FROM if(condition=UploadHits,
            then= upload_hits,
            else= hits)