Windows.Detection.PublicIP :: Velociraptor

Windows.Detection.PublicIP
This artifact queries for RDP and Authentication events with a Public IP source. The artifact uses Windows.EventLogs.RDPAuth and has several built in notebooks for analysis.

name: Windows.Detection.PublicIP
author: Matt Green - @mgreen27
description: |
    This artifact queries for RDP and Authentication events with a Public IP 
    source. The artifact uses Windows.EventLogs.RDPAuth and has several built in 
    notebooks for analysis.

type: CLIENT

parameters:
   - name: IncludeLocalhost
     description: include localhost and 127.0.0.1 events (may be noisy)
     type: bool
   - name: IncludeVSS
     description: include VSS in collection
     type: bool

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT * FROM Artifact.Windows.EventLogs.RDPAuth(
                    SourceIPRegex='''\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost''',
                    SearchVSS=IncludeVSS )
      WHERE NOT SourceIP =~ '''^0\.''' -- Current network
        AND NOT SourceIP =~ '''^10\.''' -- Private network	
        AND NOT SourceIP =~ '''^100\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\.''' -- Private network
        AND NOT if(condition= IncludeLocalhost,
            then= False,
            else= SourceIP =~ '''^127\.|localhost''' )-- Localhost
        AND NOT SourceIP =~ '''^169.254\.''' -- Link local
        AND NOT SourceIP =~ '''^172.(1[6-9]|2[0-9]|3[0-1])\.''' -- Private network	
        AND NOT SourceIP =~ '''^192\.0\.0''' -- Private network	
        AND NOT SourceIP =~ '''^192\.0\.2''' -- Documentation
        AND NOT SourceIP =~ '''^192\.88\.99\.''' -- Internet relay
        AND NOT SourceIP =~ '''^192\.168\.''' -- Private network
        AND NOT SourceIP =~ '''^198\.1[8-9]\.''' -- Private network
        AND NOT SourceIP =~ '''^198\.51\.100\.''' -- Documentation
        AND NOT SourceIP =~ '''^203\.0\.113\.''' -- Documentation
        AND NOT SourceIP =~ '''^2(2[4-9]|3[0-9])\.''' -- IP multicast
        AND NOT SourceIP =~ '''^233\.252\.''' -- Documentation
        AND NOT SourceIP =~ '''^2(4[0-9]|5[0-5])\.\d{1,3}\.\d{1,3}\.\d{1,2}[0-4]''' -- reserved
        AND NOT SourceIP =~ '''^255\.255\.255\.255$''' -- Broadcast

    notebook:
      - type: vql_suggestion
        name: Public IP
        template: |
            /*
            ### IPublic IP
            Triage view with suggested WHERE Lines
            
            */
            
            SELECT EventTime,Computer,Channel,
                EventID,LogonType,Description,
                DomainName +'/' + UserName as User,
                SourceIP,
                Message	
            FROM source(artifact="Windows.Detection.PublicIP")
            WHERE True
                --AND EventTime > '2022-10'
                --AND EventTime < '2022-12'
                --AND SourceIP =~ '^127\\.|localhost'
                --AND NOT SourceIP =~ '^127\\.|localhost'