DetectRaptor is a collection of publicly availible Velociraptor detection content. Most content is managed by a series of csv files and artifacts are automatically updated.
This artifact will import the latest DetectRaptor bundle into the current server.
A SHA1 of the imported DetectRaptor collection is stored in server metadata
for versioning.
A SHA1 of each artifact is generated on import to enable versioning confirmation.
Last updated: 2023-09-09.
Current artifacts include:
name: Server.Import.DetectRaptor
author: Matt Green - @mgreen27
description: |
DetectRaptor is a collection of publicly availible Velociraptor detection content.
Most content is managed by a series of csv files and artifacts are automatically updated.
This artifact will import the latest DetectRaptor bundle into the current server.
A SHA1 of the imported DetectRaptor collection is stored in server metadata
for versioning.
A SHA1 of each artifact is generated on import to enable versioning confirmation.
Last updated: 2023-09-09.
Current artifacts include:
- Windows.Detection.Amcache
- Windows.Detection.Applications
- Windows.Detection.BinaryRename
- Windows.Detection.Evtx
- Windows.Detection.HijackLibsEnv
- Windows.Detection.HijackLibsMFT
- Windows.Detection.LolDrivers
- Windows.Detection.MFT
- Windows.Detection.NamedPipes
- Windows.Detection.Powershell.ISEAutoSave
- Windows.Detection.Powershell.PSReadline
- Windows.Detection.Webhistory
- Windows.Detection.ZoneIdentifier
- Server.StartHunts
reference:
- https://github.com/mgreen27/DetectRaptor
- https://github.com/svch0stz/velociraptor-detections
- https://github.com/SigmaHQ/sigma
type: SERVER
required_permissions:
- SERVER_ADMIN
parameters:
- name: ReleaseURL
default: https://api.github.com/repos/mgreen27/DetectRaptor/releases
- name: Prefix
default: DetectRaptor.
description: Prefix to append to all imported artifacts.
- name: UpdateAnyway
type: bool
description: Import all artifacts even if previous version matches
sources:
- query: |
-- first check for version timestamp and find zip url
LET content <= SELECT parse_json_array(data=Content)[0].assets[0] as Content
FROM http_client(url=ReleaseURL, headers=dict(`User-Agent`="Velociraptor - DetectRaptor"))
LET check_version = SELECT Content.browser_download_url as TargetUrl,
Content.updated_at as ZipTimestamp,
if(condition= server_metadata().DetectRaptor,
then= parse_json(data=server_metadata().DetectRaptor).Timestamp
) as InstalledTimestamp
FROM content
WHERE UpdateAnyway
OR NOT server_metadata().DetectRaptor
OR NOT InstalledTimestamp
OR InstalledTimestamp < ZipTimestamp
-- get content return a row if new content or UpdateAnyway
LET get_content = SELECT ZipPath,ZipTimestamp,ZipSHA1
FROM foreach(row= check_version,
query={
SELECT Content as ZipPath,
ZipTimestamp,
hash(path=Content,hashselect='SHA1').SHA1 as ZipSHA1 ,
if(condition= server_metadata().DetectRaptor,
then= parse_json(data=server_metadata().DetectRaptor).SHA1
) as InstalledZipSHA1
FROM http_client(remove_last=TRUE,
tempfile_extension=".zip", url=TargetUrl,
headers=dict(`User-Agent`="Velociraptor - DetectRaptor"))
WHERE NOT if(condition= UpdateAnyway,
then= False,
else= ZipSHA1 = InstalledZipSHA1 )
})
-- extract and set artifacts
LET set_artifacts <= SELECT
artifact_set(prefix=Prefix, definition=Definition) AS Definition,
SHA1,
ZipTimestamp,ZipSHA1
FROM foreach(row=get_content,
query={
SELECT read_file(accessor="zip", filename=OSPath) AS Definition,
hash(path=OSPath,accessor='zip',hashselect='SHA1').SHA1 as SHA1,
ZipTimestamp,ZipSHA1
FROM glob(
globs='/**/*.yaml',
root=pathspec(
DelegateAccessor="auto",
DelegatePath=ZipPath),
accessor="zip")
})
-- Add new sha1 if set_artifacts
LET add_new_metadata <= SELECT ZipSHA1,ZipTimestamp,
server_set_metadata(
metadata=dict(DetectRaptor=dict(
Timestamp=ZipTimestamp,
SHA1=ZipSHA1 ))) as SetMeta
FROM set_artifacts
WHERE log(level='INFO',
message='DetectRaptor Server MetaData added: Timestamp=%v,SHA1=%v',
args=[ZipTimestamp,ZipSHA1] )
GROUP BY ZipSHA1
SELECT Definition.name AS Name,
Definition.description AS Description,
Definition.author AS Author,
SHA1
FROM set_artifacts