Initial commit

This commit is contained in:
Zhongwei Li
2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions


@@ -0,0 +1,597 @@
# MITRE ATT&CK Technique Detection with Velociraptor
Mapping of MITRE ATT&CK techniques to Velociraptor artifacts and VQL queries.
## Table of Contents
- [Initial Access](#initial-access)
- [Execution](#execution)
- [Persistence](#persistence)
- [Privilege Escalation](#privilege-escalation)
- [Defense Evasion](#defense-evasion)
- [Credential Access](#credential-access)
- [Discovery](#discovery)
- [Lateral Movement](#lateral-movement)
- [Collection](#collection)
- [Exfiltration](#exfiltration)
- [Command and Control](#command-and-control)
## Initial Access
### T1078: Valid Accounts
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4624, 4625)
- `Windows.EventLogs.RDP`
**VQL Query**:
```sql
-- Detect unusual logon patterns
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
EventData.TargetUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.LogonType AS LogonType,
EventData.WorkstationName AS Workstation
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
AND (
EventData.LogonType IN (3, 10) -- Network or RemoteInteractive
OR timestamp(epoch=System.TimeCreated.SystemTime).Hour NOT IN (8,9,10,11,12,13,14,15,16,17) -- Off-hours
)
ORDER BY LogonTime DESC
```
### T1566: Phishing
**Artifacts**:
- `Windows.Forensics.Lnk`
- `Windows.Applications.Office.Keywords`
**VQL Query**:
```sql
-- Suspicious Office document execution
SELECT FullPath,
Mtime,
read_file(filename=FullPath, length=100000) AS Content
FROM glob(globs=[
"C:/Users/*/Downloads/**/*.doc*",
"C:/Users/*/Downloads/**/*.xls*"
])
WHERE Content =~ "(?i)(macro|vba|shell|exec|powershell)"
AND Mtime > timestamp(epoch=now() - 604800)
```
## Execution
### T1059.001: PowerShell
**Artifacts**:
- `Windows.EventLogs.PowershellScriptblock`
- `Windows.System.Powershell.PSReadline`
**VQL Query**:
```sql
-- Malicious PowerShell execution
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ExecutionTime,
EventData.ScriptBlockText AS Command,
EventData.Path AS ScriptPath
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx")
WHERE System.EventID.Value = 4104 -- Script Block Logging
AND EventData.ScriptBlockText =~ "(?i)(invoke-expression|iex|downloadstring|webclient|bypass|hidden|encodedcommand)"
ORDER BY ExecutionTime DESC
```
### T1059.003: Windows Command Shell
**Artifacts**:
- `Windows.System.Pslist`
- `Windows.EventLogs.ProcessCreation`
**VQL Query**:
```sql
-- Suspicious cmd.exe usage
SELECT Pid, Ppid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE Name =~ "(?i)cmd.exe"
AND CommandLine =~ "(?i)(/c|/k|/r)"
AND Ppid IN (
SELECT Pid FROM pslist()
WHERE Name =~ "(?i)(winword|excel|powerpnt|acrobat|outlook)"
)
```
### T1053.005: Scheduled Task
**Artifacts**:
- `Windows.System.TaskScheduler`
- `Windows.EventLogs.ScheduledTasks`
**VQL Query**:
```sql
-- Recently created scheduled tasks
SELECT FullPath AS TaskPath,
parse_xml(file=FullPath).Task.Actions.Exec.Command AS Command,
parse_xml(file=FullPath).Task.Principals.Principal.UserId AS RunAsUser,
timestamp(epoch=Mtime) AS Created
FROM glob(globs="C:/Windows/System32/Tasks/**")
WHERE NOT IsDir
AND Mtime > timestamp(epoch=now() - 86400)
AND Command != ""
ORDER BY Created DESC
```
## Persistence
### T1547.001: Registry Run Keys
**Artifacts**:
- `Windows.Persistence.PermanentRuns`
- `Windows.System.StartupItems`
**VQL Query**:
```sql
-- Autorun registry entries
SELECT Key.FullPath AS RegistryKey,
ValueName,
ValueData.value AS ExecutablePath,
timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*",
"HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*"
])
WHERE ValueData.value != ""
ORDER BY LastModified DESC
```
### T1543.003: Windows Service
**Artifacts**:
- `Windows.System.Services`
- `Windows.EventLogs.ServiceCreation`
**VQL Query**:
```sql
-- Suspicious services
SELECT Key.Name AS ServiceName,
ImagePath.value AS ExecutablePath,
DisplayName.value AS DisplayName,
Start.value AS StartType,
timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*")
WHERE ImagePath.value != ""
AND (
ImagePath.value =~ "(?i)(temp|appdata|users)"
OR ImagePath.value =~ "(?i)(powershell|cmd|wscript)"
OR Key.Mtime > timestamp(epoch=now() - 604800)
)
```
### T1546.003: WMI Event Subscription
**Artifacts**:
- `Windows.Persistence.PermanentWMIEvents`
**VQL Query**:
```sql
-- Malicious WMI event subscriptions
SELECT Namespace,
FilterName,
Query,
ConsumerName,
ConsumerType,
ConsumerData
FROM wmi(
query="SELECT * FROM __FilterToConsumerBinding",
namespace="ROOT/Subscription"
)
WHERE ConsumerData =~ "(?i)(powershell|cmd|wscript|executable)"
```
## Privilege Escalation
### T1548.002: Bypass User Account Control
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4688 with elevated token)
**VQL Query**:
```sql
-- UAC bypass indicators
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.NewProcessName AS ProcessName,
EventData.CommandLine AS CommandLine,
EventData.ParentProcessName AS ParentProcess
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688
AND EventData.TokenElevationType = "%%1937" -- Full token elevated
AND (
EventData.NewProcessName =~ "(?i)(fodhelper|computerdefaults|sdclt)"
OR EventData.CommandLine =~ "(?i)(eventvwr|ms-settings)"
)
```
### T1134: Access Token Manipulation
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 4672, 4673)
**VQL Query**:
```sql
-- Sensitive privilege use
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
EventData.SubjectUserName AS Username,
EventData.PrivilegeList AS Privileges
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4672
AND EventData.PrivilegeList =~ "(SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege)"
```
## Defense Evasion
### T1070.001: Clear Windows Event Logs
**Artifacts**:
- `Windows.EventLogs.Cleared`
**VQL Query**:
```sql
-- Event log clearing
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ClearedTime,
System.Channel AS LogName,
EventData.SubjectUserName AS Username
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (1102, 104) -- Audit log cleared
ORDER BY ClearedTime DESC
```
### T1562.001: Disable or Modify Tools
**Artifacts**:
- `Windows.Forensics.Timeline`
- `Windows.Registry.RecentDocs`
**VQL Query**:
```sql
-- Security tool tampering
SELECT Key.FullPath AS RegistryKey,
ValueName,
ValueData.value AS Value,
timestamp(epoch=Key.Mtime) AS Modified
FROM read_reg_key(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows Defender/**",
"HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows Defender/**",
"HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/WinDefend/**"
])
WHERE (
ValueName =~ "(?i)(DisableAntiSpyware|DisableRealtimeMonitoring|Start)"
AND (ValueData.value = 1 OR ValueData.value = 4)
)
```
### T1055: Process Injection
**Artifacts**:
- `Windows.Detection.ProcessInjection`
- `Windows.Memory.Acquisition`
**VQL Query**:
```sql
-- Detect process injection via memory protections
SELECT Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
Address,
Size,
Protection,
Type
FROM vad()
WHERE Protection =~ "EXECUTE.*WRITE" -- RWX memory
AND Type = "Private"
AND process_tracker_get(id=Pid).Name NOT IN ("chrome.exe", "firefox.exe") -- Exclude known JIT
```
## Credential Access
### T1003.001: LSASS Memory
**Artifacts**:
- `Windows.EventLogs.ProcessAccess`
- `Windows.Detection.Mimikatz`
**VQL Query**:
```sql
-- LSASS access attempts
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
EventData.SourceProcessId AS SourcePID,
EventData.SourceImage AS SourceImage,
EventData.TargetImage AS TargetImage,
EventData.GrantedAccess AS AccessRights
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 10 -- ProcessAccess
AND EventData.TargetImage =~ "(?i)lsass.exe"
AND EventData.GrantedAccess =~ "(0x1010|0x1410|0x143A)" -- Suspicious access rights
```
### T1003.002: Security Account Manager
**Artifacts**:
- `Windows.Forensics.SAM`
- `Windows.EventLogs.EvtxHunter`
**VQL Query**:
```sql
-- SAM registry hive access
SELECT FullPath,
timestamp(epoch=Atime) AS AccessTime,
timestamp(epoch=Mtime) AS ModifiedTime
FROM glob(globs=[
"C:/Windows/System32/config/SAM",
"C:/Windows/System32/config/SYSTEM",
"C:/Windows/System32/config/SECURITY"
])
WHERE Atime > timestamp(epoch=now() - 86400)
```
### T1555: Credentials from Password Stores
**Artifacts**:
- `Windows.Forensics.DPAPI`
- `Windows.Browsers.ChromeHistory`
**VQL Query**:
```sql
-- Browser credential access
SELECT FullPath,
timestamp(epoch=Atime) AS AccessTime
FROM glob(globs=[
"C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Login Data",
"C:/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/logins.json"
])
WHERE Atime > timestamp(epoch=now() - 86400)
ORDER BY AccessTime DESC
```
## Discovery
### T1082: System Information Discovery
**Artifacts**:
- `Generic.Client.Info`
- `Windows.System.SystemInfo`
**VQL Query**:
```sql
-- System enumeration commands
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(systeminfo|whoami|ipconfig|hostname|ver)"
AND CreateTime > timestamp(epoch=now() - 3600)
ORDER BY CreateTime DESC
```
### T1083: File and Directory Discovery
**Artifacts**:
- `Windows.EventLogs.ProcessCreation`
**VQL Query**:
```sql
-- File system enumeration
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(dir|tree|findstr|where)"
AND CommandLine =~ "(?i)(\\*|recursive|/s|/b)"
ORDER BY CreateTime DESC
```
### T1049: System Network Connections Discovery
**Artifacts**:
- `Windows.Network.Netstat`
**VQL Query**:
```sql
-- Network enumeration commands
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(netstat|net use|net view|arp|route print|nslookup)"
ORDER BY CreateTime DESC
```
## Lateral Movement
### T1021.001: Remote Desktop Protocol
**Artifacts**:
- `Windows.EventLogs.RDP`
- `Windows.EventLogs.EvtxHunter`
**VQL Query**:
```sql
-- RDP lateral movement
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
EventData.TargetUserName AS Username,
EventData.IpAddress AS SourceIP,
System.Computer AS DestinationHost
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
AND EventData.LogonType = 10 -- RemoteInteractive
AND EventData.IpAddress != "127.0.0.1"
ORDER BY LogonTime DESC
```
### T1021.002: SMB/Windows Admin Shares
**Artifacts**:
- `Windows.EventLogs.EvtxHunter` (EventID 5140, 5145)
**VQL Query**:
```sql
-- Admin share access
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
EventData.SubjectUserName AS Username,
EventData.IpAddress AS SourceIP,
EventData.ShareName AS Share,
EventData.RelativeTargetName AS FilePath
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 5140
AND EventData.ShareName =~ "(?i)(ADMIN\\$|C\\$|IPC\\$)"
```
### T1047: Windows Management Instrumentation
**Artifacts**:
- `Windows.EventLogs.WMIActivity`
- `Windows.System.Pslist`
**VQL Query**:
```sql
-- WMI process creation
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE (
-- WMI spawned processes
Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ "(?i)wmiprvse.exe")
-- Or WMIC usage
OR (Name =~ "(?i)wmic.exe" AND CommandLine =~ "(?i)(process call create|/node:)")
)
ORDER BY CreateTime DESC
```
## Collection
### T1005: Data from Local System
**Artifacts**:
- `Windows.Forensics.Timeline`
- `Windows.Detection.Yara`
**VQL Query**:
```sql
-- Data staging detection
SELECT FullPath, Size,
timestamp(epoch=Ctime) AS Created,
timestamp(epoch=Mtime) AS Modified
FROM glob(globs=[
"C:/Users/*/AppData/**/*.zip",
"C:/Users/*/AppData/**/*.rar",
"C:/Users/*/AppData/**/*.7z",
"C:/Windows/Temp/**/*.zip"
])
WHERE Size > 10485760 -- > 10MB
AND Ctime > timestamp(epoch=now() - 86400)
ORDER BY Size DESC
```
### T1119: Automated Collection
**Artifacts**:
- `Windows.System.Pslist`
- `Windows.EventLogs.ProcessCreation`
**VQL Query**:
```sql
-- Automated collection tools
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)(robocopy|xcopy|tar|7z|winrar)"
AND CommandLine =~ "(?i)(/s|recursive|mirror)"
```
## Exfiltration
### T1041: Exfiltration Over C2 Channel
**Artifacts**:
- `Windows.Network.NetstatEnriched`
- `Windows.Detection.NetworkAlerts`
**VQL Query**:
```sql
-- Large outbound transfers
SELECT Laddr.Port AS LocalPort,
Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"
AND Raddr.Port NOT IN (80, 443, 22)
```
### T1052: Exfiltration Over Physical Medium
**Artifacts**:
- `Windows.Forensics.USBDevices`
- `Windows.EventLogs.USBActivity`
**VQL Query**:
```sql
-- USB file transfers
SELECT FullPath, Size,
timestamp(epoch=Mtime) AS Modified
FROM glob(globs=["D:/**", "E:/**", "F:/**"]) -- Removable drives
WHERE Mtime > timestamp(epoch=now() - 86400)
AND Size > 1048576 -- > 1MB
ORDER BY Mtime DESC, Size DESC
```
## Command and Control
### T1071: Application Layer Protocol
**Artifacts**:
- `Windows.Network.NetstatEnriched`
- `Windows.Detection.Sigma`
**VQL Query**:
```sql
-- Unusual outbound connections
SELECT Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
COUNT(*) AS ConnectionCount,
GROUP_CONCAT(DISTINCT process_tracker_get(id=Pid).Name) AS Processes
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"
AND Raddr.Port NOT IN (80, 443, 53, 22, 3389)
GROUP BY Raddr.IP, Raddr.Port
HAVING ConnectionCount > 10
```
### T1095: Non-Application Layer Protocol
**Artifacts**:
- `Windows.Network.RawConnections`
**VQL Query**:
```sql
-- Raw socket usage (ICMP tunneling, etc.)
SELECT Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine,
Protocol,
Laddr.IP AS LocalIP,
Raddr.IP AS RemoteIP
FROM netstat()
WHERE Protocol NOT IN ("TCP", "UDP")
AND Raddr.IP != ""
```
### T1219: Remote Access Software
**Artifacts**:
- `Windows.System.Pslist`
- `Windows.Persistence.PermanentRuns`
**VQL Query**:
```sql
-- Remote access tools
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "(?i)(teamviewer|anydesk|logmein|ammyy|vnc|radmin|screenconnect)"
OR Exe =~ "(?i)(remote|rdp|desktop|viewer)"
```