Server.Alerts.TrackNetworkConnections

This artifact alerts on network connections tracked by Velociraptor on clients. It requires the client event artifact Generic.Events.TrackNetworkConnections from the Artifact Exchange to be enabled; once imported, the Exchange prefixes it as Exchange.Generic.Events.TrackNetworkConnections, which is the name the server query below watches.

You can filter alerts by client FQDN, process name, remote IP and remote port. Only newly created connections are alerted on; the removal of a connection does not trigger an alert. Use the filters, otherwise you will be flooded with alerts. The filters are unanchored, case-sensitive regexes applied with the VQL =~ operator, and the port is matched as a string, so a RemotePortRegex of 443 also matches 8443 and 4433; anchor it (^443$) when you mean exactly one port, and use (?i) for case-insensitive process names.


name: Server.Alerts.TrackNetworkConnections
author: Herbert Bärschneider @SEC Consult
description: |
   This artifact alerts on network connections tracked by Velociraptor on clients.
   Requires the client event artifact 'Generic.Events.TrackNetworkConnections' from the Artifact Exchange to be enabled
   (imported as 'Exchange.Generic.Events.TrackNetworkConnections', which is the name this query watches).
   
   You can filter alerts by client FQDN, process name, remote IP and remote port.
   Only newly created connections are alerted on; the removal of a connection does not trigger an alert.
   Use the filters, otherwise you will be flooded with alerts.
   The filters are unanchored, case-sensitive regexes (VQL =~); the port is matched as a string, so anchor it (^443$) to match a single port.

type: SERVER_EVENT

parameters:
  - name: WebHook
    description: |
      The webhook URL obtained from Slack, Teams, Discord or any other service that accepts incoming webhooks,
      e.g. https://hooks.slack.com/services/XXXX/YYYY/ZZZZ.
      Leave blank to use the WebHook key from the server metadata (set under Server Metadata in the GUI).
  - name: ClientRegex
    type: regex
    default: .
    description: Regex matched against the client FQDN (unanchored, case sensitive).
  - name: ProcessNameRegex
    type: regex
    default: .
    description: Regex matched against the process name only, not the full path of the process image.
  - name: RemoteIpRegex
    type: regex
    default: .
    description: Regex matched against the remote IP the process connected to. Escape dots (10\.0\.0\.) to avoid matching unrelated addresses.
  - name: RemotePortRegex
    type: regex
    default: .
    description: Regex matched against the remote port as a string. Anchor it (e.g. ^443$) to match a single port, since "443" also matches 8443.

sources:
    - query: |
        -- Fall back to the WebHook key in the server metadata when the parameter is left blank.
        LET WebHook <= WebHook || server_metadata().WebHook

        -- Only "added" rows from the client's diff() are alerted on; "removed" rows are dropped.
        -- The port is formatted as a string so it can be matched with a regex; anchor the
        -- regex (^443$) to match exactly one port.
        LET Connections = SELECT *, client_info(client_id=ClientId).os_info.fqdn AS Fqdn
          FROM watch_monitoring(artifact='Exchange.Generic.Events.TrackNetworkConnections')
          WHERE Diff =~ "added"
            AND Fqdn =~ ClientRegex
            AND ProcInfo.Data.Name =~ ProcessNameRegex
            AND Raddr.IP =~ RemoteIpRegex
            AND format(format="%v", args=Raddr.Port) =~ RemotePortRegex

        -- POST one message per matching connection to the webhook and keep the HTTP status
        -- in the event log so failed deliveries are visible in the artifact's results.
        SELECT * FROM foreach(
          row=Connections,
          query={
            SELECT Fqdn,
                   ProcInfo.Data.Name AS ProcessName,
                   Raddr.IP AS RemoteIp,
                   Raddr.Port AS RemotePort,
                   Response
            FROM http_client(
              data=serialize(item=dict(
                  text=format(format="client %v: process %v connected to remote ip %v on port %v",
                              args=[Fqdn, ProcInfo.Data.Name, Raddr.IP, Raddr.Port])),
                  format="json"),
              headers=dict(`Content-Type`="application/json"),
              method="POST",
              url=WebHook)
          })
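The filter semantics above are easy to get wrong, because VQL's =~ is an unanchored, case-sensitive RE2 search and the port is compared as a string. The following is an added example, not part of the artifact or of Velociraptor: a Python mirror of the WHERE clause and of the webhook payload, run over a handful of constructed connection rows in the shape watch_monitoring() delivers (Diff, Fqdn, process name, remote IP, remote port). Python's re.search behaves like the VQL operator for these simple patterns, so you can dry-run candidate regexes here before deploying the artifact and find out how many alerts they would produce.

```python
import re

# Constructed sample rows, not real telemetry. Field names are flattened from the
# artifact's ProcInfo.Data.Name / Raddr.IP / Raddr.Port for readability.
SAMPLE_ROWS = [
    {"Diff": "added",   "Fqdn": "ws01.corp.example", "Name": "powershell.exe", "IP": "203.0.113.10", "Port": 443},
    {"Diff": "added",   "Fqdn": "ws01.corp.example", "Name": "powershell.exe", "IP": "203.0.113.10", "Port": 8443},
    {"Diff": "removed", "Fqdn": "ws01.corp.example", "Name": "powershell.exe", "IP": "203.0.113.10", "Port": 443},
    {"Diff": "added",   "Fqdn": "dc01.corp.example", "Name": "lsass.exe",      "IP": "10.0.0.5",     "Port": 88},
    {"Diff": "added",   "Fqdn": "ws02.corp.example", "Name": "chrome.exe",     "IP": "198.51.100.7", "Port": 443},
]


def vql_match(value, pattern):
    """Mimic VQL's =~ operator: unanchored, case-sensitive regex search on the
    stringified value (the artifact stringifies the port with format())."""
    return re.search(pattern, str(value)) is not None


def select_alerts(rows, client_re=".", process_re=".", ip_re=".", port_re="."):
    """Python equivalent of the artifact's WHERE clause: returns the rows that
    would produce a webhook message. Defaults of "." match everything, which
    is the flood-of-alerts case the artifact description warns about."""
    return [
        r for r in rows
        if vql_match(r["Diff"], "added")          # created connections only, never removals
        and vql_match(r["Fqdn"], client_re)
        and vql_match(r["Name"], process_re)
        and vql_match(r["IP"], ip_re)
        and vql_match(r["Port"], port_re)         # port compared as a string
    ]


def webhook_payload(row):
    """Build the JSON body the artifact POSTs to the webhook (Slack-style {"text": ...})."""
    text = (f'client {row["Fqdn"]}: process {row["Name"]} connected to '
            f'remote ip {row["IP"]} on port {row["Port"]}')
    return {"text": text}


if __name__ == "__main__":
    # No filters: every "added" row alerts.
    print("no filters:", len(select_alerts(SAMPLE_ROWS)))
    # Unanchored "443" also matches 8443, so powershell produces two alerts.
    print("port 443 unanchored:", len(select_alerts(SAMPLE_ROWS, process_re="powershell", port_re="443")))
    # Anchored "^443$" matches exactly the one connection to port 443.
    print("port ^443$:", len(select_alerts(SAMPLE_ROWS, process_re="powershell", port_re="^443$")))
    # =~ is case sensitive: "PowerShell" matches nothing, "(?i)powershell" matches again.
    print("case sensitive:", len(select_alerts(SAMPLE_ROWS, process_re="PowerShell")))
    print("case insensitive:", len(select_alerts(SAMPLE_ROWS, process_re="(?i)powershell")))
    for row in select_alerts(SAMPLE_ROWS, process_re="powershell", port_re="^443$"):
        print(webhook_payload(row))
```

To test a real webhook end to end, paste one of the generated payloads into a notebook cell on the server and POST it with http_client() using the same headers the artifact sets; a non-200 Response there explains a silent artifact just as well as it would in the event log.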