diff --git a/artifacts/definitions/Linux/Events/DNS.yaml b/artifacts/definitions/Linux/Events/DNS.yaml
new file mode 100644
index 00000000000..013502f5a60
--- /dev/null
+++ b/artifacts/definitions/Linux/Events/DNS.yaml
@@ -0,0 +1,52 @@
+name: Linux.Events.DNS
+description: |
+  This artifact uses eBPF to track DNS requests from various processes.
+
+  NOTE: This event is generated from network traffic - it is unable to
+  view DoH traffic.
+
+type: CLIENT_EVENT
+
+precondition: |
+  SELECT OS From info() where OS = 'linux'
+
+parameters:
+  - name: ExcludeDestIP
+    description: Only show events with a different DestIP
+    type: regex
+    default: "Change this to your default DNS Server IP"
+  - name: Records
+    description: Only show events matching these DNS records
+    type: regex
+    default: .
+  - name: ProcessNameFilter
+    description: Filter Events by Process Name
+    type: regex
+    default: .
+  - name: IncludeDNSDetails
+    type: bool
+    description: If set we include more details like HTTP Headers
+  - name: IncludeProcessInfo
+    type: bool
+    description: If set we include more process information.
+
+sources:
+  - query: |
+      SELECT System.Timestamp AS Timestamp,
+             System.ProcessName AS ProcessName,
+             System.ProcessID AS Pid,
+             if(condition=IncludeProcessInfo,
+                then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
+             EventData.src AS src_ip,
+             EventData.src_port AS src_port,
+             EventData.dst AS dest_ip,
+             EventData.dst_port AS dest_port,
+             EventData.proto_dns.questions.name AS name,
+             EventData.proto_dns.questions.type AS type,
+             EventData.proto_dns.answers.IP AS IP,
+             if(condition=IncludeDNSDetails,
+                then=EventData) AS _DNSData
+      FROM watch_ebpf(events="net_packet_dns")
+      WHERE NOT dest_ip =~ ExcludeDestIP
+        AND if(condition=Records, then=EventData.proto_dns =~ Records, else=TRUE)
+        AND ProcessName =~ ProcessNameFilter
diff --git a/artifacts/definitions/Linux/Events/EBPF.yaml b/artifacts/definitions/Linux/Events/EBPF.yaml
index 2e2dd27a1f2..6bc47dba4f2 100644
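Review bot: The `Records` filter in the WHERE clause, `AND if(condition=Records, then=EventData.proto_dns =~ Records, else=TRUE)`, is matched against the whole proto_dns structure (questions, answers and flags) rather than the queried name, so the parameter description "Only show events matching these DNS records" over-promises and a pattern can also hit on an answer IP or a record type; either filter on the projected column like the other filters do, `AND name =~ Records` (VQL's `=~` on a list column should match any element — verify), or describe what the regex is actually applied to. The `if(..., else=TRUE)` wrapper is also redundant, since `Records` defaults to `.` and the sibling `ProcessName =~ ProcessNameFilter` is applied directly. The `IncludeDNSDetails` description, `If set we include more details like HTTP Headers`, is carried over from the HTTP artifact and should read something like `If set we include the full parsed DNS event in _DNSData`. `ExcludeDestIP` is an unanchored regex applied to `dest_ip` only, so a constructed value such as `10.0.0.1` also excludes `10.0.0.10` or `110.0.0.1`; the description should say the value is a regex that should be anchored and dots escaped, and if `net_packet_dns` also emits responses (the `answers.IP` column suggests it does), the server appears as `src_ip` on those and is not excluded — worth confirming and stating.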
--- a/artifacts/definitions/Linux/Events/EBPF.yaml
+++ b/artifacts/definitions/Linux/Events/EBPF.yaml
@@ -13,7 +13,6 @@ parameters:
     type: csv
     default: |
       Event,Desc,Enabled
-      accept4,A process accepted a connection from remote,Y
       bpf_attach,A bpf program is attached,Y
       chdir,Process changes directory,N
       fchownat,File ownership is changed,Y
diff --git a/artifacts/definitions/Linux/Events/HTTPConnections.yaml b/artifacts/definitions/Linux/Events/HTTPConnections.yaml
new file mode 100644
index 00000000000..cef9dd4901e
--- /dev/null
+++ b/artifacts/definitions/Linux/Events/HTTPConnections.yaml
@@ -0,0 +1,55 @@
+name: Linux.Events.HTTPConnections
+description: |
+  This artifact uses eBPF to track HTTP and parse connections from
+  various processes.
+
+  NOTE: This event is generated from network traffic - it is unable to
+  view TLS encrypted data.
+
+  If the process tracker is enabled we also show more information
+  about the process.
+
+type: CLIENT_EVENT
+
+precondition: |
+  SELECT OS From info() where OS = 'linux'
+
+parameters:
+  - name: HostFilter
+    description: Filter Events by Host header
+    type: regex
+    default: .
+  - name: URLFilter
+    description: Filter Events by URL
+    type: regex
+    default: .
+  - name: ProcessNameFilter
+    description: Filter Events by Process Name
+    type: regex
+    default: .
+  - name: IncludeHeaders
+    type: bool
+    description: If set we include more details like HTTP Headers
+  - name: IncludeProcessInfo
+    type: bool
+    description: If set we include more process information.
+
+sources:
+  - query: |
+      SELECT System.Timestamp AS Timestamp,
+             System.ProcessName AS ProcessName,
+             System.ProcessID AS Pid,
+             if(condition=IncludeProcessInfo,
+                then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
+             EventData.metadata.src_ip AS src_ip,
+             EventData.metadata.src_port AS src_port,
+             EventData.metadata.dst_ip AS dest_ip,
+             EventData.metadata.dst_port AS dest_port,
+             EventData.http_request.host AS host,
+             EventData.http_request.uri_path AS uri_path,
+             if(condition=IncludeHeaders,
+                then=EventData.http_request) AS _HTTPRequest
+      FROM watch_ebpf(events="net_packet_http_request")
+      WHERE host =~ HostFilter
+        AND uri_path =~ URLFilter
+        AND ProcessName =~ ProcessNameFilter
diff --git a/artifacts/definitions/Linux/Events/TrackProcesses.yaml b/artifacts/definitions/Linux/Events/TrackProcesses.yaml
index 845691d5921..405a1409c04 100644
--- a/artifacts/definitions/Linux/Events/TrackProcesses.yaml
+++ b/artifacts/definitions/Linux/Events/TrackProcesses.yaml
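Review bot: `URLFilter` is applied to the path component only, `AND uri_path =~ URLFilter`, so its description `Filter Events by URL` misleads a user who puts a scheme, host or query string into the pattern; it should read `Filter Events by request URI path (regex)`, or the query should project a column that carries the full URL if the event provides one. The description block says process information is shown "If the process tracker is enabled", but the query only adds it when `IncludeProcessInfo` is set, and what `process_tracker_get` yields when no tracker is running is not visible in this hunk; the `IncludeProcessInfo` description should mention both, e.g. `If set, include process tracker details (requires a process tracker such as Linux.Events.TrackProcesses to be running).` It is also worth stating in the description that `host` and `uri_path` come from the request bytes on the wire, i.e. they are whatever the client process sent, while `dest_ip`/`dest_port` from `EventData.metadata` are where the packet actually went — analysts filtering on `HostFilter` should not treat a match as proof of the real destination.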
@@ -1,6 +1,6 @@
 name: Linux.Events.TrackProcesses
 description: |
-  This artifact uses ebpfg and pslist to keep track of running
+  This artifact uses ebpf and pslist to keep track of running
   processes using the Velociraptor process tracker.
 
   The process tracker keeps track of exited processes, and resolves
diff --git a/artifacts/definitions/Windows/NTFS/MFT.yaml b/artifacts/definitions/Windows/NTFS/MFT.yaml
index 23ce520655e..ed6d1aa9406 100644
--- a/artifacts/definitions/Windows/NTFS/MFT.yaml
+++ b/artifacts/definitions/Windows/NTFS/MFT.yaml
@@ -122,7 +122,7 @@ sources:
              LastModified0x10, LastModified0x30,
              LastRecordChange0x10, LastRecordChange0x30,
              LastAccess0x10,LastAccess0x30,
-             HasADS, SI_Lt_FN, uSecZeros, Copied,
+             HasADS, SI_Lt_FN, USecZeros, Copied,
              FileNames, FileNameTypes
       FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive)
@@ -140,7 +140,7 @@ sources:
              LastModified0x10, LastModified0x30,
              LastRecordChange0x10, LastRecordChange0x30,
              LastAccess0x10,LastAccess0x30,
-             HasADS, SI_Lt_FN, uSecZeros, Copied,
+             HasADS, SI_Lt_FN, USecZeros, Copied,
              FileNames, FileNameTypes
       FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive)
@@ -163,7 +163,7 @@ sources:
              LastModified0x10, LastModified0x30,
              LastRecordChange0x10, LastRecordChange0x30,
              LastAccess0x10,LastAccess0x30,
-             HasADS, SI_Lt_FN, uSecZeros, Copied,
+             HasADS, SI_Lt_FN, USecZeros, Copied,
              FileNames, FileNameTypes
       FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive)
@@ -187,7 +187,7 @@ sources:
              LastModified0x10, LastModified0x30,
              LastRecordChange0x10, LastRecordChange0x30,
              LastAccess0x10,LastAccess0x30,
-             HasADS, SI_Lt_FN, uSecZeros, Copied,
+             HasADS, SI_Lt_FN, USecZeros, Copied,
              FileNames, FileNameTypes
       FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive)
diff --git a/artifacts/testdata/server/testcases/mft.out.yaml b/artifacts/testdata/server/testcases/mft.out.yaml
index f38d4243436..39559a09418 100644
--- a/artifacts/testdata/server/testcases/mft.out.yaml
+++ b/artifacts/testdata/server/testcases/mft.out.yaml
@@ -21,7 +21,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
    "HasADS": false,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": true,
    "FileNames": [
     "just_a_file.txt"
@@ -52,7 +52,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "LastAccess0x30": "2018-09-24T07:55:29.7664719Z",
    "HasADS": true,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": false,
    "FileNames": [
     "Hello world text document.txt"
@@ -82,7 +82,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "LastAccess0x30": "2018-09-24T07:55:29.7664719Z",
    "HasADS": true,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": false,
    "FileNames": [
     "Hello world text document.txt:goodbye.txt"
@@ -113,7 +113,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "LastAccess0x30": "2022-03-18T04:22:20.4341459Z",
    "HasADS": false,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": false,
    "FileNames": [
     "another_file.txt"
@@ -143,7 +143,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
    "HasADS": false,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": true,
    "FileNames": [
     "just_a_file.txt"
@@ -174,7 +174,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "LastAccess0x30": "2022-03-18T04:15:18.5166156Z",
    "HasADS": false,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": true,
    "FileNames": [
     "just_a_file.txt"
diff --git a/artifacts/testdata/server/testcases/ntfs.out.yaml b/artifacts/testdata/server/testcases/ntfs.out.yaml
index 83f9ad8d2ae..ee59f74241b 100644
--- a/artifacts/testdata/server/testcases/ntfs.out.yaml
+++ b/artifacts/testdata/server/testcases/ntfs.out.yaml
@@ -24,7 +24,7 @@ LET NTFSInfoFromImage <= parse_ntfs( filename=srcDir+'/artifacts/testdata/files/
    "IsDir": false,
    "HasADS": true,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": false,
    "SIFlags": "2080 (ARCHIVE,COMPRESSED)",
    "Created0x10": "2018-09-24T07:55:29.7664719Z",
diff --git a/artifacts/testdata/server/testcases/remapping.out.yaml b/artifacts/testdata/server/testcases/remapping.out.yaml
index 3c225ed96a2..56b617df103 100644
--- a/artifacts/testdata/server/testcases/remapping.out.yaml
+++ b/artifacts/testdata/server/testcases/remapping.out.yaml
@@ -45,7 +45,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "IsDir": false,
    "HasADS": true,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": false,
    "SIFlags": "2080 (ARCHIVE,COMPRESSED)",
    "Created0x10": "2018-09-24T07:55:29.7664719Z",
@@ -78,7 +78,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts
    "IsDir": false,
    "HasADS": true,
    "SI_Lt_FN": false,
-   "uSecZeros": false,
+   "USecZeros": false,
    "Copied": false,
    "SIFlags": "2080 (ARCHIVE,COMPRESSED)",
    "Created0x10": "2018-09-24T07:55:29.7664719Z",
diff --git a/docs/wix/velociraptor_amd64.xml b/docs/wix/velociraptor_amd64.xml
index 4ffe0909363..dfebffa7153 100644
--- a/docs/wix/velociraptor_amd64.xml
+++ b/docs/wix/velociraptor_amd64.xml
@@ -3,7 +3,7 @@ - + - + + ChangePermission="no"/> + ChangePermission="no"/>