Velociraptor hunt-notebook VQL queries (run against hunt results via the `source()` plugin)

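-- Stack Sigma/Hayabusa rule hits by rule title so the rarely-firing rules
-- surface first. VQL keeps one representative row per group alongside the
-- aggregate, so the non-Title columns are a sample, not a summary.
-- (The page listed this query twice and had the page's "Last updated" label
-- fused onto the GROUP BY line; one clean copy is kept.)
SELECT *, count() AS Count
FROM source(artifact="Sigma.Windows.Hayabusa.Rules")
GROUP BY Title
ORDER BY Count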
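-- Sysmon EID 1 process creations whose image matches "dllhost". `=~` is a regex
-- match, so any path containing "dllhost" (e.g. dllhost.exe under any directory)
-- is returned; anchor the pattern if a specific path is wanted.
-- NOTE(review): the column is spelled `image` here; VQL column names are
-- case-sensitive, so confirm the spelling against the custom artifact's output.
SELECT * FROM source(artifact="Custom.Windows.EventLogs.SysmonProcessCreationID1")
WHERE image =~ "dllhost"
-- Analysis to determine persistence (applies to the Autoruns query that follows).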
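-- Persistence review: enabled Autoruns entries whose binary has no signer or
-- whose signature did not verify, stacked by image path + launch string so
-- one-off entries stand out (rarest first).
-- Parentheses are required: AND binds tighter than OR, so the unparenthesised
-- form `Enabled AND NOT Signer OR Signer =~ "Not verified"` also returned
-- *disabled* "Not verified" entries.
-- NOTE(review): if this custom artifact passes through autorunsc's raw Enabled
-- column as text ("enabled"/"disabled") instead of a boolean, `WHERE Enabled`
-- is true for every row; use `Enabled =~ "^enabled"` in that case -- confirm.
SELECT count() AS Count, Time, Signer, Entry, Category, Profile, Description,
       `Image Path` AS ImagePath, `Launch String` AS LaunchString, Enabled, MD5
FROM source(artifact="Custom.Windows.Sysinternals.Autoruns")
WHERE Enabled
  AND (NOT Signer OR Signer =~ "Not verified")
GROUP BY ImagePath, LaunchString
ORDER BY Count
-- Check for established connections to see if the process has networking
-- capabilities (next query).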
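-- Established connections with a GeoIP country lookup on the remote address,
-- dropping US destinations.
-- Caveats for triage:
--  * Remote addresses with no GeoIP record (private/RFC1918, loopback) yield a
--    NULL Country, which does not match the regex and therefore still passes the
--    NOT filter -- internal peers appear in the output.
--  * "Not US" is a convenience filter, not a safety signal; attacker
--    infrastructure is routinely hosted in the US, so review the full set too.
--  * The .mmdb path is server-side and deployment-specific (the notebook runs on
--    the server).
SELECT Timestamp, Pid, Name, Status, `Laddr.IP`, `Laddr.Port`,
       geoip(ip=`Raddr.IP`, db='/velo/velo/public/GeoLite2-City.mmdb').country.names.en AS Country,
       `Raddr.IP`, `Raddr.Port`, Fqdn
FROM source(artifact="Windows.Network.Netstat")
WHERE Status =~ "ESTAB"
  AND NOT Country =~ "United States"
-- Process stacking (next query).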
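-- Process stacking: running executables whose Authenticode verification is
-- "untrusted", grouped by path, least common across the fleet first.
-- `source()` with no artifact reads the notebook's default source; name the
-- artifact explicitly (e.g. Windows.System.Pslist) if this cell is reused.
-- NOTE(review): unsigned binaries may carry a Trusted value other than
-- "untrusted"; if so, `NOT Authenticode.Trusted = "trusted"` is the safer
-- filter -- confirm against the artifact output.
SELECT Name, Exe, CommandLine, Hash.SHA256 AS SHA256, Authenticode.Trusted,
       Username, Fqdn, count() AS Count
FROM source()
WHERE Authenticode.Trusted = "untrusted"
GROUP BY Exe
ORDER BY Count
-- What users are logging into machines? (next query)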
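-- Which local accounts exist across the fleet: stack user entries by name.
-- `WHERE Name` drops rows with an empty/NULL name. A name seen on very few
-- hosts (low Count) is the interesting case.
SELECT Name, UUID, Mtime, count() AS Count
FROM source(artifact="Windows.Sys.AllUsers")
WHERE Name
GROUP BY Name
ORDER BY Count
-- Get users who logged in recently (next query).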
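-- Accounts whose SAM last-login timestamp is after the cutoff. Adjust the date
-- to the incident window. The original line had an unterminated string literal
-- and compared a timestamp against a bare string; the cutoff is now built with
-- timestamp() so the comparison is time-vs-time. Accounts that never logged in
-- have a NULL LastLoginDate and are excluded by the comparison.
SELECT ParsedF.LastLoginDate AS LastLoginDate, ParsedV, ClientId, Fqdn
FROM source(artifact="Windows.Forensics.SAM")
WHERE LastLoginDate > timestamp(string="2023-01-01")
-- Collect RDP authentications from the event logs (next query).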
-- Successful RDP authentications per user, per client, with a hit count.
-- `=~` is a regex match, so any Description containing LOGON_SUCCESSFUL
-- qualifies. Low counts (a user seen once on one host) are worth a look.
SELECT EventTime,
       Computer,
       SourceIP,
       UserName,
       Description,
       ClientId,
       count() AS Count
FROM source(artifact="Windows.EventLogs.RDPAuth")
WHERE Description =~ "LOGON_SUCCESSFUL"
GROUP BY UserName, Description, ClientId
-- RDP connections to the server: 4624 with LogonType 10 (RemoteInteractive),
-- with a GeoIP country for the source address.
-- Caveats: source IPs with no GeoIP record (internal/RFC1918) yield a NULL
-- Country; and RDP sessions can also show up under other logon types
-- (e.g. reconnects/unlocks), so this view may undercount -- cross-check with
-- the LOGON_SUCCESSFUL stacking above. The .mmdb path is server-side and
-- deployment-specific.
SELECT EventTime,
       EventID,
       LogonType,
       UserName,
       SourceIP,
       geoip(ip=SourceIP, db='/velo/velo/public/GeoLite2-City.mmdb').country.names.en AS Country,
       Description
FROM source(artifact="Windows.EventLogs.RDPAuth")
WHERE EventID = 4624
  AND LogonType = 10
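-- Earliest successful use of the "winsupport" account (a hunt-specific name --
-- change it to the account under investigation). `=~` is a regex match, so
-- user names that merely contain "winsupport" also match; anchor with ^...$
-- for an exact name. Ascending EventTime puts the first use at the top.
SELECT * FROM source(artifact="Windows.EventLogs.RDPAuth")
WHERE UserName =~ "winsupport" AND Description =~ "SUCCESS"
ORDER BY EventTime

-- Deleted executables recorded in the USN journal (tool clean-up /
-- anti-forensics). The two statements were fused on one line on the page.
SELECT * FROM source(artifact="Windows.Forensics.Usn")
WHERE OSPath =~ "\\.exe$" AND Reason =~ "DELETE"
-- Closely inspect unsigned services (next query).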
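-- Services whose executable does not verify as trusted.
-- The process-stacking query on this page compares the same authenticode field
-- as a string ("untrusted"); a bare `NOT CertinfoServiceExe.Trusted` would only
-- be true when the field is empty/NULL (e.g. the service path could not be
-- resolved), not for untrusted signatures. Comparing against "trusted" keeps
-- both the untrusted and the unresolved cases, which are the ones to inspect.
-- NOTE(review): confirm the Trusted value set against the artifact output.
SELECT Name, PathName, HashServiceExe, CertinfoServiceExe
FROM source(artifact="Windows.System.Services")
WHERE NOT CertinfoServiceExe.Trusted = "trusted"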
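-- Services with low frequency: stack by the executable's hash so a binary that
-- appears on only a handful of hosts sorts to the top.
SELECT Name, PathName, HashServiceExe, CertinfoServiceExe, count() AS Count
FROM source(artifact="Windows.System.Services")
GROUP BY HashServiceExe
ORDER BY Count

-- Scheduled tasks stacked by command; rare commands are persistence candidates.
-- (The two statements were fused on one line on the page.)
SELECT *, count() AS Count
FROM source(artifact="Windows.System.TaskScheduler/Analysis")
GROUP BY Command
ORDER BY Count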