Windows.Forensics.Jumplists_JLECmd
- Execute Eric Zimmerman’s JLECmd to parse AUTOMATICDESTINATIONS-MS and CUSTOMDESTINATIONS-MS files in C:\ drive recursively and return output for analysis. (jlecmd.exe -d C:/ –csvf -csv tmpdir results.csv).
- JLECmd.zip is downloaded from the URL to ‘C:\Program Files\Velociraptor\Tools’ folder.
- JLECmd.zip can be uploaded to Velociraptor Server in order to copy it to the clients in case there is no internet connection.
- Created using @carlos_cajigas LECmd VQL as a quide.
- JLECmd is a CLI tool for analyzing Custom Destinations jump list data. Learn more - https://github.com/EricZimmerman/JLECmd
name: Windows.Forensics.Jumplists_JLECmd
description: |
* Execute Eric Zimmerman's JLECmd to parse AUTOMATICDESTINATIONS-MS and CUSTOMDESTINATIONS-MS files in C:\ drive recursively and return output for analysis. (jlecmd.exe -d C:/ --csvf -csv tmpdir results.csv).
* JLECmd.zip is downloaded from the URL to 'C:\Program Files\Velociraptor\Tools' folder.
* JLECmd.zip can be uploaded to Velociraptor Server in order to copy it to the clients in case there is no internet connection.
* Created using @carlos_cajigas LECmd VQL as a quide.
* JLECmd is a CLI tool for analyzing Custom Destinations jump list data. Learn more - https://github.com/EricZimmerman/JLECmd
author: Orhan Emre @orhan_emre
type: CLIENT
tools:
- name: JLECmd
url: https://download.mikestammer.com/net6/JLECmd.zip
version: 1.5.0
parameters:
- name: sourceFile
default: .
type: regex
description: "RegEx pattern for the name or path of the Automatic and Custom Destinations jump list files. Example 'recent' folder"
- name: localPath
default: .
type: regex
description: "RegEx pattern for the name or path of the target of the Automatic and Custom Destinations jump list files. Example 'powershell_ise.exe'"
- name: arguments
default: .
type: regex
description: "Arguments of the Automatic and Custom Destinations jump list files. Example '/c powershell Invoke-Command'"
- name: dateAfter
description: "search for Automatic and Custom Destinations jump list files with a SourceCreated after this date. YYYY-MM-DD"
- name: dateBefore
description: "search for Automatic and Custom Destinations jump list files with a SourceCreated before this date. YYYY-MM-DD"
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
-- get context on target binary
LET jlecmdpackage <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName="JLECmd", IsExecutable=FALSE)
-- build tempfolder for output
LET tmpdir <= tempdir()
-- decompress utility
LET payload = SELECT *
FROM unzip(filename=jlecmdpackage[0].FullPath,
output_directory=tmpdir) WHERE OriginalPath =~ "JLECmd.exe"
-- execute payload
LET deploy <= SELECT *
FROM execve(argv=[payload.NewPath[0],
"-d",
"c:/",
"--csv",
tmpdir,
"--csvf",
"results.csv"])
LET x = scope()
SELECT * FROM foreach(row={
SELECT OSPath, upload(file=OSPath)
FROM glob(globs="results_*.csv", root=tmpdir)
}, query={
SELECT x.SourceFile AS SourceFile,
x.SourceCreated AS SourceCreated,
x.SourceModified AS SourceModified,
x.LocalPath AS LocalPath,
x.Arguments AS Arguments,
x.TargetCreated AS TargetCreated,
x.TargetModified AS TargetModified,
x.VolumeLabel AS VolumeLabel,
x.DriveType AS DriveType,
x.AppIdDescription AS AppIdDescription,
x.CommonPath AS CommonPath,
x.VolumeSerialNumber AS VolumeSerialNumber,
x.MachineID AS MachineID,
x.MachineMACAddress AS MachineMACAddress,
x.TargetMFTEntryNumber AS TargetMFTEntryNumber,
x.TargetSequenceNumber AS TargetSequenceNumber,
x.TargetIDAbsolutePath AS TargetIDAbsolutePath,
x.TrackerCreatedOn AS TrackerCreatedOn,
x.ExtraBlocksPresent AS ExtraBlocksPresent,
x.HeaderFlags AS HeaderFlags,
x.FileAttributes AS FileAttributes,
x.FileSize AS FileSize
FROM parse_csv(filename=OSPath)
WHERE
(if(condition=dateAfter, then=SourceCreated > dateAfter,
else=TRUE) AND
if(condition=dateBefore, then=SourceCreated < dateBefore,
else=TRUE))
AND SourceFile =~ sourceFile
AND LocalPath =~ localPath
AND Arguments =~ arguments
})