MITRE ATT&CK Technique Detection with Velociraptor
Mapping of MITRE ATT&CK techniques to Velociraptor artifacts and VQL queries.
Table of Contents
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
Initial Access
T1078: Valid Accounts
Artifacts:
Windows.EventLogs.EvtxHunter (EventID 4624, 4625), Windows.EventLogs.RDP
VQL Query:
-- Detect unusual logon patterns
-- Successful logons (4624) that are either remote (LogonType 3 = network,
-- 10 = RemoteInteractive/RDP) or fall outside 08:00-17:59, newest first.
-- Expect high volume: type 3 covers every SMB/RPC session, including machine
-- accounts (names ending in "$"), so baseline before alerting. Failed logons
-- (4625), listed in the artifacts above, are not covered by this query.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
       EventData.TargetUserName AS Username,
       EventData.IpAddress AS SourceIP,
       EventData.LogonType AS LogonType,
       EventData.WorkstationName AS Workstation
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
  AND (
    EventData.LogonType IN (3, 10) -- Network or RemoteInteractive
    -- NOTE(review): timestamp() yields UTC, so the business-hours window is
    -- evaluated in UTC rather than host-local time; also confirm that the
    -- time value exposes .Hour in this VQL build.
    OR timestamp(epoch=System.TimeCreated.SystemTime).Hour NOT IN (8,9,10,11,12,13,14,15,16,17) -- Off-hours
  )
ORDER BY LogonTime DESC
T1566: Phishing
Artifacts:
Windows.Forensics.Lnk, Windows.Applications.Office.Keywords
VQL Query:
-- Suspicious Office document execution
-- Office files in any user's Downloads folder modified in the last 7 days
-- whose first 100 KB match macro-related keywords.
-- NOTE(review): modern .docx/.xlsx files are zip containers, so a keyword
-- match on raw bytes will mostly hit legacy binary .doc/.xls formats; the
-- listed Windows.Applications.Office.Keywords artifact inspects the unpacked
-- content and is the better source. Ordinary words such as "shell" or "exec"
-- in document text also match, so treat hits as triage leads, not alerts.
-- The Content column returns up to 100 KB per matching file.
SELECT FullPath,
       Mtime,
       read_file(filename=FullPath, length=100000) AS Content
FROM glob(globs=[
    "C:/Users/*/Downloads/**/*.doc*",
    "C:/Users/*/Downloads/**/*.xls*"
])
WHERE Content =~ "(?i)(macro|vba|shell|exec|powershell)"
  AND Mtime > timestamp(epoch=now() - 604800) -- 7 days
Execution
T1059.001: PowerShell
Artifacts:
Windows.EventLogs.PowershellScriptblock, Windows.System.Powershell.PSReadline
VQL Query:
-- Malicious PowerShell execution
-- Script Block Logging events (4104) whose text matches common download,
-- obfuscation or policy-bypass keywords, newest first.
-- Requires the "Turn on PowerShell Script Block Logging" policy (or the
-- equivalent registry setting); without it the log contains no 4104 events.
-- Long scripts are logged as several 4104 fragments, so a keyword may be split
-- across events, and "iex", "hidden" and "bypass" also appear in routine
-- administrative scripting — review hits in context.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ExecutionTime,
       EventData.ScriptBlockText AS Command,
       EventData.Path AS ScriptPath
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx")
WHERE System.EventID.Value = 4104 -- Script Block Logging
  AND EventData.ScriptBlockText =~ "(?i)(invoke-expression|iex|downloadstring|webclient|bypass|hidden|encodedcommand)"
ORDER BY ExecutionTime DESC
T1059.003: Windows Command Shell
Artifacts:
Windows.System.Pslist, Windows.EventLogs.ProcessCreation
VQL Query:
-- Suspicious cmd.exe usage
-- Running cmd.exe processes started with /c, /k or /r whose parent is an
-- Office or Acrobat process — a common macro / document-exploit launch chain.
-- NOTE(review): the IN (SELECT ...) form may compare Ppid against row objects
-- rather than Pid values in VQL — confirm it matches; process_tracker_get(id=Ppid)
-- is the usual way to look up the parent's name. pslist() only sees processes
-- still running, so short-lived shells are missed; the listed ProcessCreation
-- artifact (4688) covers those.
SELECT Pid, Ppid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE Name =~ "(?i)cmd.exe"
  AND CommandLine =~ "(?i)(/c|/k|/r)"
  AND Ppid IN (
    SELECT Pid FROM pslist()
    WHERE Name =~ "(?i)(winword|excel|powerpnt|acrobat|outlook)"
  )
T1053.005: Scheduled Task
Artifacts:
Windows.System.TaskScheduler, Windows.EventLogs.ScheduledTasks
VQL Query:
-- Recently created scheduled tasks
-- Task XML files under System32\Tasks modified in the last 24 hours that run
-- an executable, with the command and the account the task runs as.
-- Mtime is the file's modification time, so "Created" also covers edits to
-- existing tasks. Tasks with a ComHandler action (no Exec element) may be
-- dropped by the Command filter, and tasks with several Exec actions may
-- return an array rather than a single command — confirm both cases.
-- NOTE(review): the task XML is parsed twice per row; a single parse_xml()
-- column reused by later columns would halve the work at the cost of an extra
-- output column.
SELECT FullPath AS TaskPath,
       parse_xml(file=FullPath).Task.Actions.Exec.Command AS Command,
       parse_xml(file=FullPath).Task.Principals.Principal.UserId AS RunAsUser,
       timestamp(epoch=Mtime) AS Created
FROM glob(globs="C:/Windows/System32/Tasks/**")
WHERE NOT IsDir
  AND Mtime > timestamp(epoch=now() - 86400) -- 24 hours
  AND Command != ""
ORDER BY Created DESC
Persistence
T1547.001: Registry Run Keys
Artifacts:
Windows.Persistence.PermanentRuns, Windows.System.StartupItems
VQL Query:
-- Autorun registry entries
-- Non-empty values under the machine- and user-level Run/RunOnce keys
-- (including the WOW6432Node view), most recently changed key first.
-- NOTE(review): confirm read_reg_key() emits ValueName/ValueData rows here;
-- the T1543.003 query on this page treats its output as one row per key with
-- the values as columns, and only one of the two models can hold for a given
-- build. HKEY_CURRENT_USER resolves to the account the Velociraptor service
-- runs as (normally SYSTEM), not to logged-on users — the HKEY_USERS/*/...
-- form is needed to cover per-user Run keys.
SELECT Key.FullPath AS RegistryKey,
       ValueName,
       ValueData.value AS ExecutablePath,
       timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce/*",
    "HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
    "HKEY_LOCAL_MACHINE/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run/*"
])
WHERE ValueData.value != ""
ORDER BY LastModified DESC
T1543.003: Windows Service
Artifacts:
Windows.System.Services, Windows.EventLogs.ServiceCreation
VQL Query:
-- Suspicious services
-- Services whose binary lives under a user-writable path, is a script host or
-- shell, or whose registry key changed in the last 7 days.
-- StartType values: 0 = boot, 1 = system, 2 = automatic, 3 = manual,
-- 4 = disabled. The Mtime condition alone fires on every legitimate service
-- update (patches, driver installs), so expect volume after patch cycles, and
-- "users" also matches C:\Users\Public and per-user binaries installed by
-- ordinary software — tune the path regex per estate.
SELECT Key.Name AS ServiceName,
       ImagePath.value AS ExecutablePath,
       DisplayName.value AS DisplayName,
       Start.value AS StartType,
       timestamp(epoch=Key.Mtime) AS LastModified
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*")
WHERE ImagePath.value != ""
  AND (
    ImagePath.value =~ "(?i)(temp|appdata|users)"
    OR ImagePath.value =~ "(?i)(powershell|cmd|wscript)"
    OR Key.Mtime > timestamp(epoch=now() - 604800) -- 7 days
  )
T1546.003: WMI Event Subscription
Artifacts:
Windows.Persistence.PermanentWMIEvents
VQL Query:
-- Malicious WMI event subscriptions
-- Filter-to-consumer bindings in ROOT/Subscription whose consumer payload
-- looks like a script host or shell — the classic WMI persistence mechanism.
-- NOTE(review): __FilterToConsumerBinding instances expose Filter and Consumer
-- reference paths, not the FilterName/Query/ConsumerName/ConsumerType/
-- ConsumerData columns selected here (those live on __EventFilter and the
-- consumer classes, e.g. CommandLineTemplate / ScriptText) — confirm; as
-- written the ConsumerData filter is likely to drop every row. The listed
-- Windows.Persistence.PermanentWMIEvents artifact performs the needed joins.
SELECT Namespace,
       FilterName,
       Query,
       ConsumerName,
       ConsumerType,
       ConsumerData
FROM wmi(
    query="SELECT * FROM __FilterToConsumerBinding",
    namespace="ROOT/Subscription"
)
WHERE ConsumerData =~ "(?i)(powershell|cmd|wscript|executable)"
Privilege Escalation
T1548.002: Bypass User Account Control
Artifacts:
Windows.EventLogs.EvtxHunter (EventID 4688 with elevated token)
VQL Query:
-- UAC bypass indicators
-- Process creations (4688) with a fully elevated token where the new process
-- is one of the auto-elevating binaries abused for UAC bypass, or the command
-- line references the eventvwr / ms-settings handlers.
-- TokenElevationType: %%1936 = default, %%1937 = full (elevated),
-- %%1938 = limited. 4688 only carries CommandLine when "Include command line
-- in process creation events" is enabled; otherwise the second alternative
-- never matches. The listed binaries are also launched legitimately from
-- Settings, so ParentProcess is the key triage field.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       EventData.NewProcessName AS ProcessName,
       EventData.CommandLine AS CommandLine,
       EventData.ParentProcessName AS ParentProcess
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688
  AND EventData.TokenElevationType = "%%1937" -- Full token elevated
  AND (
    EventData.NewProcessName =~ "(?i)(fodhelper|computerdefaults|sdclt)"
    OR EventData.CommandLine =~ "(?i)(eventvwr|ms-settings)"
  )
T1134: Access Token Manipulation
Artifacts:
Windows.EventLogs.EvtxHunter (EventID 4672, 4673)
VQL Query:
-- Sensitive privilege use
-- 4672 ("special privileges assigned to new logon") events whose privilege
-- list includes debug, TCB or driver-load rights.
-- 4672 fires once per privileged logon, not per privilege use, and members of
-- Administrators receive SeDebugPrivilege and SeLoadDriverPrivilege by
-- default, so this matches essentially every admin logon. Pair it with 4673
-- (privileged service called, listed in the artifacts) to see actual use, and
-- join to 4624 on SubjectLogonId to attribute the session.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
       EventData.SubjectUserName AS Username,
       EventData.PrivilegeList AS Privileges
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4672
  AND EventData.PrivilegeList =~ "(SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege)"
Defense Evasion
T1070.001: Clear Windows Event Logs
Artifacts:
Windows.EventLogs.Cleared
VQL Query:
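-- Event log clearing
-- 1102 (Security log cleared) is written to Security.evtx, while 104 (any
-- other log cleared) is written to System.evtx, so both files are parsed; a
-- Security-only read can never see a 104. Both events carry their fields
-- under UserData.LogFileCleared rather than EventData, and only 104 names the
-- log that was cleared (ClearedLog) — for 1102 it is Security. LogName shows
-- the file the event itself came from.
SELECT ClearedTime, LogName, ClearedLog, Username
FROM foreach(
    row={
        SELECT FullPath
        FROM glob(globs=[
            "C:/Windows/System32/winevt/Logs/Security.evtx",
            "C:/Windows/System32/winevt/Logs/System.evtx"
        ])
    },
    query={
        SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS ClearedTime,
               System.Channel AS LogName,
               UserData.LogFileCleared.Channel AS ClearedLog,
               UserData.LogFileCleared.SubjectUserName AS Username
        FROM parse_evtx(filename=FullPath)
        WHERE System.EventID.Value IN (1102, 104) -- Audit log cleared
    })
ORDER BY ClearedTime DESC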
T1562.001: Disable or Modify Tools
Artifacts:
Windows.Forensics.Timeline, Windows.Registry.RecentDocs
VQL Query:
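-- Security tool tampering
-- Defender configuration values that disable protection: DisableAntiSpyware /
-- DisableRealtimeMonitoring set to 1, or the WinDefend service Start set to 4
-- (disabled). Value names are matched anchored so that "Start" does not also
-- hit unrelated names that merely contain it under the recursive globs, and
-- each name is paired only with the value that actually means "off".
-- NOTE(review): confirm read_reg_key() emits ValueName/ValueData rows here;
-- the T1543.003 query on this page treats its output as one row per key with
-- the values as columns, and only one of the two models can hold for a build.
SELECT Key.FullPath AS RegistryKey,
       ValueName,
       ValueData.value AS Value,
       timestamp(epoch=Key.Mtime) AS Modified
FROM read_reg_key(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows Defender/**",
    "HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows Defender/**",
    "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/WinDefend/**"
])
WHERE (
    ValueName =~ "(?i)^(DisableAntiSpyware|DisableRealtimeMonitoring)$"
    AND ValueData.value = 1
  ) OR (
    ValueName =~ "(?i)^Start$"
    AND ValueData.value = 4 -- SERVICE_DISABLED
  )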
T1055: Process Injection
Artifacts:
Windows.Detection.ProcessInjection, Windows.Memory.Acquisition
VQL Query:
-- Detect process injection via memory protections
-- Private memory regions that are both writable and executable (RWX) — a
-- classic shellcode / reflective-loader footprint — excluding two browsers
-- that allocate RWX for their JIT. Other JIT hosts (.NET/CLR, Java, Edge,
-- Electron apps) also create RWX regions, so expect to extend the exclusions.
-- NOTE(review): confirm the Protection and Type string formats returned by
-- vad() in this build match "EXECUTE.*WRITE" and "Private"; and
-- process_tracker_get() may nest the pslist fields under .Data — confirm that
-- .Name resolves, otherwise the exclusion silently never matches.
SELECT Pid,
       process_tracker_get(id=Pid).Name AS ProcessName,
       Address,
       Size,
       Protection,
       Type
FROM vad()
WHERE Protection =~ "EXECUTE.*WRITE" -- RWX memory
  AND Type = "Private"
  AND process_tracker_get(id=Pid).Name NOT IN ("chrome.exe", "firefox.exe") -- Exclude known JIT
Credential Access
T1003.001: LSASS Memory
Artifacts:
Windows.EventLogs.ProcessAccess, Windows.Detection.Mimikatz
VQL Query:
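-- LSASS access attempts
-- Sysmon ProcessAccess (EID 10) events where the target is lsass.exe and the
-- granted access mask is one of the masks typically requested by credential
-- dumpers. Requires a Sysmon configuration that logs ProcessAccess for lsass.
-- The mask match is case-insensitive and anchored: it then does not depend on
-- how Sysmon renders hex digits, and a longer mask that merely contains one of
-- these values (e.g. 0x1410 inside 0x14100) no longer matches. The image match
-- is anchored to a path separator so that "lsass.exe" must be the file name.
-- NOTE(review): other masks (for example 0x1FFFFF, PROCESS_ALL_ACCESS) are
-- also used; extend the list per your Sysmon baseline.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
       EventData.SourceProcessId AS SourcePID,
       EventData.SourceImage AS SourceImage,
       EventData.TargetImage AS TargetImage,
       EventData.GrantedAccess AS AccessRights
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx")
WHERE System.EventID.Value = 10 -- ProcessAccess
  AND EventData.TargetImage =~ "(?i)\\\\lsass\\.exe$"
  AND EventData.GrantedAccess =~ "(?i)^(0x1010|0x1410|0x143A)$" -- Suspicious access rights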
T1003.002: Security Account Manager
Artifacts:
Windows.Forensics.SAM, Windows.EventLogs.EvtxHunter
VQL Query:
-- SAM registry hive access
-- Hive files under System32\config whose last-access timestamp falls within
-- the last 24 hours; ModifiedTime is included for context only.
-- NOTE(review): NTFS last-access updates are disabled or "system managed" on
-- most modern Windows installs, and these hives are held open by the kernel
-- for the whole uptime, so Atime is an unreliable signal here. Security event
-- 4663 (object access auditing on the hive files) or the listed
-- Windows.Forensics.SAM artifact give firmer evidence.
SELECT FullPath,
       timestamp(epoch=Atime) AS AccessTime,
       timestamp(epoch=Mtime) AS ModifiedTime
FROM glob(globs=[
    "C:/Windows/System32/config/SAM",
    "C:/Windows/System32/config/SYSTEM",
    "C:/Windows/System32/config/SECURITY"
])
WHERE Atime > timestamp(epoch=now() - 86400) -- 24 hours
T1555: Credentials from Password Stores
Artifacts:
Windows.Forensics.DPAPI, Windows.Browsers.ChromeHistory
VQL Query:
-- Browser credential access
-- Chrome "Login Data" and Firefox "logins.json" stores whose last-access
-- timestamp falls within the last 24 hours, newest first.
-- NOTE(review): NTFS last-access updates are disabled or "system managed" on
-- most modern Windows installs, and the browser itself touches these files
-- during normal use, so Atime neither reliably records nor distinguishes a
-- theft. Process-level evidence (a non-browser process opening these paths)
-- is the stronger signal; the listed DPAPI artifact covers the decryption side.
SELECT FullPath,
       timestamp(epoch=Atime) AS AccessTime
FROM glob(globs=[
    "C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Login Data",
    "C:/Users/*/AppData/Roaming/Mozilla/Firefox/Profiles/*/logins.json"
])
WHERE Atime > timestamp(epoch=now() - 86400) -- 24 hours
ORDER BY AccessTime DESC
Discovery
T1082: System Information Discovery
Artifacts:
Generic.Client.Info, Windows.System.SystemInfo
VQL Query:
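-- System enumeration commands
-- Running processes started in the last hour whose command line contains a
-- common host-enumeration command, newest first.
-- The keywords are matched on word boundaries so that "ver" does not fire on
-- "server", "version" or "driver" in ordinary command lines. pslist() only
-- sees processes still running, and most discovery commands finish in
-- milliseconds, so the listed SystemInfo / process creation (4688) sources
-- are the dependable ones; this is a point-in-time spot check.
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)\\b(systeminfo|whoami|ipconfig|hostname|ver)\\b"
  AND CreateTime > timestamp(epoch=now() - 3600) -- 1 hour
ORDER BY CreateTime DESC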
T1083: File and Directory Discovery
Artifacts:
Windows.EventLogs.ProcessCreation
VQL Query:
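-- File system enumeration
-- Running processes whose command line names a directory-listing or search
-- command together with a recursive or wildcard switch, newest first.
-- The command words are matched on word boundaries so that "dir" and "where"
-- do not fire on every path or sentence that contains them; a bare "dir" or
-- "tree" as a path segment (e.g. \dir\) still matches, so review hits in
-- context. pslist() only sees processes still running, so the listed
-- ProcessCreation artifact (4688 with command line) is the dependable source.
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)\\b(dir|tree|findstr|where)\\b"
  AND CommandLine =~ "(?i)(\\*|recursive|/s|/b)"
ORDER BY CreateTime DESC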
T1049: System Network Connections Discovery
Artifacts:
Windows.Network.Netstat
VQL Query:
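-- Network enumeration commands
-- Running processes whose command line contains a common network discovery
-- command, newest first.
-- The keywords are matched on word boundaries so that "arp" does not fire on
-- "sharp" or "arpa" and the other commands only match as whole words.
-- pslist() only sees processes still running; pair this with 4688 process
-- creation events for commands that have already exited.
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)\\b(netstat|net use|net view|arp|route print|nslookup)\\b"
ORDER BY CreateTime DESC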
Lateral Movement
T1021.001: Remote Desktop Protocol
Artifacts:
Windows.EventLogs.RDP, Windows.EventLogs.EvtxHunter
VQL Query:
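-- RDP lateral movement
-- Successful RemoteInteractive (RDP) logons from a non-local address, newest
-- first. IpAddress is not always an address: Windows writes "-" or "LOCAL"
-- for console and session-reconnect cases and "::1" for IPv6 loopback, so all
-- of those are excluded rather than only 127.0.0.1.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
       EventData.TargetUserName AS Username,
       EventData.IpAddress AS SourceIP,
       System.Computer AS DestinationHost
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
  AND EventData.LogonType = 10 -- RemoteInteractive
  AND EventData.IpAddress NOT IN ("127.0.0.1", "::1", "-", "LOCAL")
ORDER BY LogonTime DESC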
T1021.002: SMB/Windows Admin Shares
Artifacts:
Windows.EventLogs.EvtxHunter (EventID 5140, 5145)
VQL Query:
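-- Admin share access
-- Network share access to the administrative shares (ADMIN$, C$, IPC$).
-- 5140 = share accessed (carries no file path); 5145 = detailed file share
-- access and the only event that carries RelativeTargetName, so both IDs are
-- needed for FilePath to ever populate. 5145 requires the "Detailed File
-- Share" audit subcategory and is high volume, and IPC$ is touched by nearly
-- every SMB session, so baseline before alerting.
SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS AccessTime,
       System.EventID.Value AS EventID,
       EventData.SubjectUserName AS Username,
       EventData.IpAddress AS SourceIP,
       EventData.ShareName AS Share,
       EventData.RelativeTargetName AS FilePath
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (5140, 5145)
  AND EventData.ShareName =~ "(?i)(ADMIN\\$|C\\$|IPC\\$)"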
T1047: Windows Management Instrumentation
Artifacts:
Windows.EventLogs.WMIActivity, Windows.System.Pslist
VQL Query:
-- WMI process creation
-- Running processes that were either spawned by the WMI provider host
-- (wmiprvse.exe) — how remote WMI process creation lands on a host — or are
-- wmic.exe invocations that create processes or target other nodes.
-- NOTE(review): the IN (SELECT ...) form may compare Ppid against row objects
-- rather than Pid values in VQL — confirm it matches; process_tracker_get(id=Ppid)
-- is the usual parent lookup. pslist() only sees running processes, so
-- short-lived children of wmiprvse.exe are missed; the listed WMIActivity
-- artifact and 4688 events cover those.
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE (
    -- WMI spawned processes
    Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ "(?i)wmiprvse.exe")
    -- Or WMIC usage
    OR (Name =~ "(?i)wmic.exe" AND CommandLine =~ "(?i)(process call create|/node:)")
  )
ORDER BY CreateTime DESC
Collection
T1005: Data from Local System
Artifacts:
Windows.Forensics.Timeline, Windows.Detection.Yara
VQL Query:
-- Data staging detection
-- Archives larger than 10 MB created in the last 24 hours under per-user
-- AppData or C:\Windows\Temp, largest first.
-- NOTE(review): on current Velociraptor builds glob() exposes Btime as the
-- birth/creation time and Ctime is the MFT change time, so "Created" here may
-- actually reflect metadata changes — confirm which this deployment returns.
-- Staging also commonly uses other locations (ProgramData, profile roots,
-- recycle bin) and other extensions; extend the globs per estate.
SELECT FullPath, Size,
       timestamp(epoch=Ctime) AS Created,
       timestamp(epoch=Mtime) AS Modified
FROM glob(globs=[
    "C:/Users/*/AppData/**/*.zip",
    "C:/Users/*/AppData/**/*.rar",
    "C:/Users/*/AppData/**/*.7z",
    "C:/Windows/Temp/**/*.zip"
])
WHERE Size > 10485760 -- > 10MB
  AND Ctime > timestamp(epoch=now() - 86400) -- 24 hours
ORDER BY Size DESC
T1119: Automated Collection
Artifacts:
Windows.System.Pslist, Windows.EventLogs.ProcessCreation
VQL Query:
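-- Automated collection tools
-- Running processes that invoke bulk-copy or archiving tools with a recursive
-- or mirror switch.
-- The tool names are matched on word boundaries so that "tar" does not fire on
-- "start" or "target" in ordinary command lines; "7za?" keeps both the 7z and
-- 7za executables. pslist() only sees processes still running, so the listed
-- ProcessCreation artifact (4688) is the dependable source for short jobs.
SELECT Pid, Name, CommandLine, Username, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)\\b(robocopy|xcopy|tar|7za?|winrar)\\b"
  AND CommandLine =~ "(?i)(/s|recursive|mirror)"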
Exfiltration
T1041: Exfiltration Over C2 Channel
Artifacts:
Windows.Network.NetstatEnriched, Windows.Detection.NetworkAlerts
VQL Query:
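-- Large outbound transfers
-- Established connections to addresses outside private, loopback and
-- link-local ranges, on ports other than 80, 443 and 22, with the owning
-- process. The port exclusion drops HTTPS, which is the most common real
-- exfiltration channel, so this query targets non-standard ports only; nothing
-- here measures transfer size, so "large" must come from other telemetry.
-- NOTE(review): process_tracker_get() may nest the pslist fields under .Data
-- in current builds — confirm that .Name and .CommandLine resolve.
SELECT Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP,
       Raddr.Port AS RemotePort,
       Pid,
       process_tracker_get(id=Pid).Name AS ProcessName,
       process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
  -- RFC 1918, IPv4/IPv6 loopback and link-local never leave the host
  AND Raddr.IP !~ "^(10\\.|127\\.|169\\.254\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|::1$|fe80:)"
  AND Raddr.Port NOT IN (80, 443, 22)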
T1052: Exfiltration Over Physical Medium
Artifacts:
Windows.Forensics.USBDevices, Windows.EventLogs.USBActivity
VQL Query:
-- USB file transfers
-- Files larger than 1 MB written in the last 24 hours on drive letters that
-- are assumed to be removable media, newest and largest first.
-- The drive letters are a guess: D:-F: may be fixed disks or optical drives
-- and a USB stick can mount elsewhere; the listed Windows.Forensics.USBDevices
-- artifact identifies the real removable volumes. A recursive glob over whole
-- volumes is expensive, and this only sees files still present, not files
-- copied off and then deleted or a device that has since been removed.
SELECT FullPath, Size,
       timestamp(epoch=Mtime) AS Modified
FROM glob(globs=["D:/**", "E:/**", "F:/**"]) -- Removable drives
WHERE Mtime > timestamp(epoch=now() - 86400) -- 24 hours
  AND Size > 1048576 -- > 1MB
ORDER BY Mtime DESC, Size DESC
Command and Control
T1071: Application Layer Protocol
Artifacts:
Windows.Network.NetstatEnriched, Windows.Detection.Sigma
VQL Query:
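-- Unusual outbound connections
-- Remote endpoints outside RFC 1918 space, on ports other than the common
-- service ports, with more than 10 established connections from this host.
-- VQL has no COUNT(*), GROUP_CONCAT or HAVING: the aggregates are count() and
-- enumerate(), and the group-level filter is a WHERE over the grouped query,
-- so the grouping is bound with LET and filtered in a second SELECT.
-- Processes lists one entry per connection (names may repeat).
-- NOTE(review): process_tracker_get() may nest the pslist fields under .Data
-- in current builds — confirm that .Name resolves.
LET grouped_connections = SELECT Raddr.IP AS RemoteIP,
       Raddr.Port AS RemotePort,
       count() AS ConnectionCount,
       enumerate(items=process_tracker_get(id=Pid).Name) AS Processes
FROM netstat()
WHERE Status = "ESTABLISHED"
  AND Raddr.IP !~ "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)"
  AND Raddr.Port NOT IN (80, 443, 53, 22, 3389)
GROUP BY RemoteIP, RemotePort

SELECT RemoteIP, RemotePort, ConnectionCount, Processes
FROM grouped_connections
WHERE ConnectionCount > 10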
T1095: Non-Application Layer Protocol
Artifacts:
Windows.Network.RawConnections
VQL Query:
-- Raw socket usage (ICMP tunneling, etc.)
-- Connections whose protocol is neither TCP nor UDP and that have a remote
-- address, with the owning process.
-- NOTE(review): confirm against the netstat() schema — the protocol column
-- name and value set vary by build, and if the plugin is backed by the OS
-- TCP/UDP connection tables raw sockets never appear here at all, making the
-- listed Windows.Network.RawConnections artifact the only real source.
-- process_tracker_get() may also nest the pslist fields under .Data — confirm
-- that .Name and .CommandLine resolve.
SELECT Pid,
       process_tracker_get(id=Pid).Name AS ProcessName,
       process_tracker_get(id=Pid).CommandLine AS CommandLine,
       Protocol,
       Laddr.IP AS LocalIP,
       Raddr.IP AS RemoteIP
FROM netstat()
WHERE Protocol NOT IN ("TCP", "UDP")
  AND Raddr.IP != ""
T1219: Remote Access Software
Artifacts:
Windows.System.Pslist, Windows.Persistence.PermanentRuns
VQL Query:
-- Remote access tools
-- Running processes whose name matches a known remote-access product, or whose
-- executable path contains generic remote/desktop wording.
-- The second alternative is very broad: "desktop" matches anything launched
-- from a user's Desktop folder and "viewer" hits any binary with that word in
-- its name or path, so expect many benign rows; the Name match is the reliable
-- half. Persistence of such tools is better taken from the listed
-- PermanentRuns artifact than from a point-in-time process list.
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "(?i)(teamviewer|anydesk|logmein|ammyy|vnc|radmin|screenconnect)"
  OR Exe =~ "(?i)(remote|rdp|desktop|viewer)"