Custom.Windows.Nirsoft.LastActivityView

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more…


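name: Custom.Windows.Nirsoft.LastActivityView
description: |
  LastActivityView is a tool for Windows operating system that collects information from various sources on a running system, and displays a log of actions made by the user and events occurred on this computer. The activity displayed by LastActivityView includes: Running .exe file, Opening open/save dialog-box, Opening file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...

author: Yaniv Radunsky @ 10rootCyberSecurity

# The zip is fetched from the vendor URL and then executed on the endpoint.
# This definition does not pin the download to a known hash, so a changed
# upstream file would be run as-is. If the deployed Velociraptor version
# supports it, add `expected_hash: <sha256 of the vetted zip>` (placeholder;
# no hash is given here) so a mismatching download is rejected.
tools:
  - name: lastactivityview
    url: https://www.nirsoft.net/utils/lastactivityview.zip

precondition: SELECT OS From info() where OS = 'windows'

sources:
  - name: Upload
    query: |
      -- The host name is only used to build a distinctive CSV file name.
      LET Hostname <= SELECT Hostname as Host FROM info()

      -- Fetch the binary. IsExecutable=FALSE because the download is an
      -- archive, not something to run directly.
      LET Toolzip <= SELECT FullPath
      FROM Artifact.Generic.Utils.FetchBinary(ToolName="lastactivityview", IsExecutable=FALSE)

      -- Scratch directory on the endpoint; the extracted tool and its CSV
      -- output both live here.
      LET TmpDir <= tempdir()

      -- Unzip the binary
      LET _ <= SELECT * FROM unzip(filename=Toolzip.FullPath, output_directory=TmpDir)

      -- Paths of the extracted EXE and of the CSV it will write. The CSV path
      -- is defined once so the execve argument, the upload name and the
      -- parse_csv call cannot drift apart (the upload previously built the
      -- path without the "\\" separator and so did not match the real file).
      LET LastActivityViewExe <= TmpDir + '\\LastActivityView.exe'
      LET CsvPath <= TmpDir + "\\" + Hostname.Host[0] + "-LastActivityView.csv"

      -- Build the exec command. filter(regex=".+") drops any empty element.
      LET LastActivityViewCmd <= filter(list=(LastActivityViewExe, "/scomma", CsvPath), regex=".+")

      -- Run the tool. Executing a third-party binary on the endpoint leaves
      -- its own traces (extracted files, process execution); account for that
      -- when the host is under investigation.
      LET ExecLastActivityView <= SELECT *
      FROM execve(argv=LastActivityViewCmd, sep="\n", length=10000)

      -- Upload CSV to the hunt. The upload name is the CSV path relative to
      -- TmpDir, i.e. "<host>-LastActivityView.csv".
      LET Upload <= SELECT Name, upload(file=FullPath, name=relpath(base=TmpDir, path=FullPath)) as FileDetails
      FROM glob(globs="/**", root=TmpDir)
      WHERE Name =~ "(csv)$"

      -- Parse CSV to Notebook
      SELECT * FROM parse_csv(filename=CsvPath)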