Server.Import.DetectRaptor

DetectRaptor is a collection of publicly availible Velociraptor detection content. Most content is managed by a series of csv files and artifacts are automatically updated.

This artifact will import the latest DetectRaptor bundle into the current server.

A SHA1 of the imported DetectRaptor collection is stored in server metadata for versioning.
A SHA1 of each artifact is generated on import to enable versioning confirmation.

Last updated: 2023-09-09.

Current artifacts include:

  • Windows.Detection.Amcache
  • Windows.Detection.Applications
  • Windows.Detection.BinaryRename
  • Windows.Detection.Evtx
  • Windows.Detection.HijackLibsEnv
  • Windows.Detection.HijackLibsMFT
  • Windows.Detection.LolDrivers
  • Windows.Detection.MFT
  • Windows.Detection.NamedPipes
  • Windows.Detection.Powershell.ISEAutoSave
  • Windows.Detection.Powershell.PSReadline
  • Windows.Detection.Webhistory
  • Windows.Detection.ZoneIdentifier
  • Server.StartHunts

name: Server.Import.DetectRaptor
author: Matt Green - @mgreen27
description: |
   DetectRaptor is a collection of publicly availible Velociraptor detection content. 
   Most content is managed by a series of csv files and artifacts are automatically updated.
   
   This artifact will import the latest DetectRaptor bundle into the current server.
   
   A SHA1 of the imported DetectRaptor collection is stored in server metadata 
   for versioning.  
   A SHA1 of each artifact is generated on import to enable versioning confirmation.
   
   Last updated: 2023-09-09.   

   Current artifacts include:  
   
   - Windows.Detection.Amcache
   - Windows.Detection.Applications
   - Windows.Detection.BinaryRename
   - Windows.Detection.Evtx
   - Windows.Detection.HijackLibsEnv
   - Windows.Detection.HijackLibsMFT
   - Windows.Detection.LolDrivers
   - Windows.Detection.MFT
   - Windows.Detection.NamedPipes
   - Windows.Detection.Powershell.ISEAutoSave
   - Windows.Detection.Powershell.PSReadline
   - Windows.Detection.Webhistory
   - Windows.Detection.ZoneIdentifier
   - Server.StartHunts

reference:
  - https://github.com/mgreen27/DetectRaptor
  - https://github.com/svch0stz/velociraptor-detections
  - https://github.com/SigmaHQ/sigma

type: SERVER

required_permissions:
- SERVER_ADMIN

parameters:
   - name: ReleaseURL
     default: https://api.github.com/repos/mgreen27/DetectRaptor/releases
   - name: Prefix
     default: DetectRaptor.
     description: Prefix to append to all imported artifacts.
   - name: UpdateAnyway
     type: bool
     description: Import all artifacts even if previous version matches

sources:
  - query: |
      -- first check for version timestamp and find zip url
      LET content <= SELECT parse_json_array(data=Content)[0].assets[0] as Content 
        FROM http_client(url=ReleaseURL, headers=dict(`User-Agent`="Velociraptor - DetectRaptor"))
      LET check_version = SELECT Content.browser_download_url as TargetUrl,
            Content.updated_at as ZipTimestamp,
            if(condition= server_metadata().DetectRaptor,
                        then= parse_json(data=server_metadata().DetectRaptor).Timestamp
                            ) as InstalledTimestamp
        FROM content
        WHERE UpdateAnyway 
           OR NOT server_metadata().DetectRaptor
           OR NOT InstalledTimestamp 
           OR InstalledTimestamp < ZipTimestamp
                           
      -- get content return a row if new content or UpdateAnyway
      LET get_content = SELECT ZipPath,ZipTimestamp,ZipSHA1
        FROM foreach(row= check_version,
            query={ 
                SELECT Content as ZipPath, 
                    ZipTimestamp,
                    hash(path=Content,hashselect='SHA1').SHA1 as ZipSHA1 ,
                    if(condition= server_metadata().DetectRaptor,
                        then= parse_json(data=server_metadata().DetectRaptor).SHA1
                            ) as InstalledZipSHA1
                FROM http_client(remove_last=TRUE, 
                    tempfile_extension=".zip", url=TargetUrl,
                    headers=dict(`User-Agent`="Velociraptor - DetectRaptor"))
                WHERE NOT if(condition= UpdateAnyway,
                            then= False,
                            else= ZipSHA1 = InstalledZipSHA1 )
            })
                        
      -- extract and set artifacts
      LET set_artifacts <= SELECT 
            artifact_set(prefix=Prefix, definition=Definition) AS Definition,
            SHA1,
            ZipTimestamp,ZipSHA1
        FROM foreach(row=get_content, 
            query={
              SELECT read_file(accessor="zip", filename=OSPath) AS Definition,
                hash(path=OSPath,accessor='zip',hashselect='SHA1').SHA1 as SHA1,
                ZipTimestamp,ZipSHA1
              FROM glob(
                 globs='/**/*.yaml',
                 root=pathspec(
                    DelegateAccessor="auto",
                    DelegatePath=ZipPath),
                 accessor="zip")
            })
            
      -- Add new sha1 if set_artifacts
      LET add_new_metadata <= SELECT ZipSHA1,ZipTimestamp,
            server_set_metadata(
                metadata=dict(DetectRaptor=dict(
                    Timestamp=ZipTimestamp,
                    SHA1=ZipSHA1 ))) as SetMeta
        FROM set_artifacts
        WHERE log(level='INFO',
                message='DetectRaptor Server MetaData added: Timestamp=%v,SHA1=%v',
                args=[ZipTimestamp,ZipSHA1] )
        GROUP BY ZipSHA1

      SELECT Definition.name AS Name,
        Definition.description AS Description,
        Definition.author AS Author,
        SHA1
      FROM set_artifacts