From c1541397178cc20db1c8f696f528cc91a7747e66 Mon Sep 17 00:00:00 2001 From: Mike Cohen Date: Sun, 10 Nov 2024 18:02:43 +1000 Subject: [PATCH 1/2] Added eBPF networking plugins and events. --- artifacts/definitions/Linux/Events/DNS.yaml | 52 ++++++++++++++++++ artifacts/definitions/Linux/Events/EBPF.yaml | 1 - .../Linux/Events/HTTPConnections.yaml | 55 +++++++++++++++++++ .../Linux/Events/TrackProcesses.yaml | 2 +- docs/wix/velociraptor_amd64.xml | 2 +- docs/wix/velociraptor_x86.xml | 6 +- go.mod | 11 ++-- go.sum | 17 ++++-- services/notebook/initial.go | 2 +- 9 files changed, 132 insertions(+), 16 deletions(-) create mode 100644 artifacts/definitions/Linux/Events/DNS.yaml create mode 100644 artifacts/definitions/Linux/Events/HTTPConnections.yaml diff --git a/artifacts/definitions/Linux/Events/DNS.yaml b/artifacts/definitions/Linux/Events/DNS.yaml new file mode 100644 index 00000000000..013502f5a60 --- /dev/null +++ b/artifacts/definitions/Linux/Events/DNS.yaml 
@@ -0,0 +1,52 @@ +name: Linux.Events.DNS +description: | + This artifact uses eBPF to track DNS requests from various processes. + + NOTE: This event is generated from network traffic - it is unable to + view DoH traffic. + +type: CLIENT_EVENT + +precondition: | + SELECT OS From info() where OS = 'linux' + +parameters: + - name: ExcludeDestIP + description: Only show events with a different DestIP + type: regex + default: "Change this to your default DNS Server IP" + - name: Records + description: Only show events matching these DNS records + type: regex + default: . + - name: ProcessNameFilter + description: Filter Events by Process Name + type: regex + default: . + - name: IncludeDNSDetails + type: bool + description: If set we include more details like HTTP Headers + - name: IncludeProcessInfo + type: bool + description: If set we include more process information. + +sources: + - query: | + SELECT System.Timestamp AS Timestamp, + System.ProcessName AS ProcessName, + System.ProcessID AS Pid, + if(condition=IncludeProcessInfo, + then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo, + EventData.src AS src_ip, + EventData.src_port AS src_port, + EventData.dst AS dest_ip, + EventData.dst_port AS dest_port, + EventData.proto_dns.questions.name AS name, + EventData.proto_dns.questions.type AS type, + EventData.proto_dns.answers.IP AS IP, + if(condition=IncludeDNSDetails, + then=EventData) AS _DNSData + FROM watch_ebpf(events="net_packet_dns") + WHERE NOT dest_ip =~ ExcludeDestIP + AND if(condition=Records, then=EventData.proto_dns =~ Records, else=TRUE) + AND ProcessName =~ ProcessNameFilter diff --git a/artifacts/definitions/Linux/Events/EBPF.yaml b/artifacts/definitions/Linux/Events/EBPF.yaml index 2e2dd27a1f2..6bc47dba4f2 100644 --- a/artifacts/definitions/Linux/Events/EBPF.yaml +++ b/artifacts/definitions/Linux/Events/EBPF.yaml 
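Review bot: The `Records` filter on the last `AND` line of the query applies `=~` to `EventData.proto_dns`, which the SELECT list treats as a structure (it reads `.questions.name`, `.questions.type` and `.answers.IP` from it), so a regex against that value may not match the way the parameter description "Only show events matching these DNS records" promises; matching on the already-projected field, `AND name =~ Records`, would behave like `ProcessNameFilter` here and `HostFilter` in the sibling HTTPConnections artifact. The `IncludeDNSDetails` description reads `If set we include more details like HTTP Headers`, copied from the HTTP artifact; it should describe what `_DNSData` actually carries, e.g. `If set we include the full parsed DNS packet`. `ExcludeDestIP` only suppresses packets whose `dest_ip` is the configured resolver; if `net_packet_dns` also emits response packets, those presumably arrive with the resolver as `src_ip` and are not excluded, which the "Only show events with a different DestIP" wording does not make clear. The placeholder default `"Change this to your default DNS Server IP"` is itself used as the regex, so until an operator sets it nothing is excluded; a sentence saying so in the description would save confusion.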
@@ -13,7 +13,6 @@ parameters: type: csv default: | Event,Desc,Enabled - accept4,A process accepted a connection from remote,Y bpf_attach,A bpf program is attached,Y chdir,Process changes directory,N fchownat,File ownership is changed,Y diff --git a/artifacts/definitions/Linux/Events/HTTPConnections.yaml b/artifacts/definitions/Linux/Events/HTTPConnections.yaml new file mode 100644 index 00000000000..cef9dd4901e --- /dev/null +++ b/artifacts/definitions/Linux/Events/HTTPConnections.yaml 
@@ -0,0 +1,55 @@ +name: Linux.Events.HTTPConnections +description: | + This artifact uses eBPF to track HTTP and parse connections from + various processes. + + NOTE: This event is generated from network traffic - it is unable to + view TLS encrypted data. + + If the process tracker is enabled we also show more information + about the process. + +type: CLIENT_EVENT + +precondition: | + SELECT OS From info() where OS = 'linux' + +parameters: + - name: HostFilter + description: Filter Events by Host header + type: regex + default: . + - name: URLFilter + description: Filter Events by URL + type: regex + default: . + - name: ProcessNameFilter + description: Filter Events by Process Name + type: regex + default: . + - name: IncludeHeaders + type: bool + description: If set we include more details like HTTP Headers + - name: IncludeProcessInfo + type: bool + description: If set we include more process information. + +sources: + - query: | + SELECT System.Timestamp AS Timestamp, + System.ProcessName AS ProcessName, + System.ProcessID AS Pid, + if(condition=IncludeProcessInfo, + then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo, + EventData.metadata.src_ip AS src_ip, + EventData.metadata.src_port AS src_port, + EventData.metadata.dst_ip AS dest_ip, + EventData.metadata.dst_port AS dest_port, + EventData.http_request.host AS host, + EventData.http_request.uri_path AS uri_path, + if(condition=IncludeHeaders, + then=EventData.http_request) AS _HTTPRequest + FROM watch_ebpf(events="net_packet_http_request") + WHERE host =~ HostFilter + AND uri_path =~ URLFilter + AND ProcessName =~ ProcessNameFilter diff --git a/artifacts/definitions/Linux/Events/TrackProcesses.yaml b/artifacts/definitions/Linux/Events/TrackProcesses.yaml index 845691d5921..405a1409c04 100644 --- a/artifacts/definitions/Linux/Events/TrackProcesses.yaml +++ b/artifacts/definitions/Linux/Events/TrackProcesses.yaml 
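Review bot: The `WHERE host =~ HostFilter` clause at the end of the query filters on a field that is absent for requests carrying no Host header; depending on how `=~` treats a null left-hand side this may silently drop such events even under the default `.` filter, so it is worth confirming and, if needed, guarding with the `if()` form already used in the DNS artifact, `if(condition=host, then=host =~ HostFilter, else=TRUE)`. `IncludeHeaders` emits the whole `http_request` structure as `_HTTPRequest`; request headers can carry `Authorization` and `Cookie` values, so the parameter description should say that enabling it collects those in clear text, e.g. `If set we include the full request including headers, which may contain session cookies or authorization tokens.` `URLFilter` is described as `Filter Events by URL` but is matched against `uri_path` only; `Filter Events by URI path` is more accurate. In the description, "track HTTP and parse connections" reads better as "track and parse HTTP connections".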
@@ -1,6 +1,6 @@ name: Linux.Events.TrackProcesses description: | - This artifact uses ebpfg and pslist to keep track of running + This artifact uses ebpf and pslist to keep track of running processes using the Velociraptor process tracker. The process tracker keeps track of exited processes, and resolves diff --git a/docs/wix/velociraptor_amd64.xml b/docs/wix/velociraptor_amd64.xml index 4ffe0909363..dfebffa7153 100644 --- a/docs/wix/velociraptor_amd64.xml +++ b/docs/wix/velociraptor_amd64.xml @@ -3,7 +3,7 @@ - + - + + ChangePermission="no"/> + ChangePermission="no"/> Date: Sun, 10 Nov 2024 19:05:18 +1000 Subject: [PATCH 2/2] Fix test --- artifacts/definitions/Windows/NTFS/MFT.yaml | 8 ++++---- artifacts/testdata/server/testcases/mft.out.yaml | 12 ++++++------ artifacts/testdata/server/testcases/ntfs.out.yaml | 2 +- .../testdata/server/testcases/remapping.out.yaml | 4 ++-- go.mod | 2 +- go.sum | 10 ++-------- vql/parsers/ntfs_protocols.go | 2 +- 7 files changed, 17 insertions(+), 23 deletions(-) diff --git a/artifacts/definitions/Windows/NTFS/MFT.yaml b/artifacts/definitions/Windows/NTFS/MFT.yaml index 23ce520655e..ed6d1aa9406 100644 --- a/artifacts/definitions/Windows/NTFS/MFT.yaml +++ b/artifacts/definitions/Windows/NTFS/MFT.yaml @@ -122,7 +122,7 @@ sources: LastModified0x10, LastModified0x30, LastRecordChange0x10, LastRecordChange0x30, LastAccess0x10,LastAccess0x30, - HasADS, SI_Lt_FN, uSecZeros, Copied, + HasADS, SI_Lt_FN, USecZeros, Copied, FileNames, FileNameTypes FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive) @@ -140,7 +140,7 @@ sources: LastModified0x10, LastModified0x30, LastRecordChange0x10, LastRecordChange0x30, LastAccess0x10,LastAccess0x30, - HasADS, SI_Lt_FN, uSecZeros, Copied, + HasADS, SI_Lt_FN, USecZeros, Copied, FileNames, FileNameTypes FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive) 
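Review bot: The rename of the `uSecZeros` column to `USecZeros` in this hunk (and the same change in the three further hunks of MFT.yaml) alters the output schema of `Windows.NTFS.MFT`; any saved notebook, hunt post-processing or downstream VQL that still references `uSecZeros` would presumably start receiving nulls rather than an error, so the rename deserves a mention in the commit message or artifact description rather than being filed only under "Fix test". If the old name needs to stay queryable for a transition period, projecting `USecZeros AS uSecZeros` alongside it in each SELECT list is a one-line compatibility shim. The four SELECT lists here are cut at the hunk edges, so the full column set is not visible in this view.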
@@ -163,7 +163,7 @@ sources: LastModified0x10, LastModified0x30, LastRecordChange0x10, LastRecordChange0x30, LastAccess0x10,LastAccess0x30, - HasADS, SI_Lt_FN, uSecZeros, Copied, + HasADS, SI_Lt_FN, USecZeros, Copied, FileNames, FileNameTypes FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive) @@ -187,7 +187,7 @@ sources: LastModified0x10, LastModified0x30, LastRecordChange0x10, LastRecordChange0x30, LastAccess0x10,LastAccess0x30, - HasADS, SI_Lt_FN, uSecZeros, Copied, + HasADS, SI_Lt_FN, USecZeros, Copied, FileNames, FileNameTypes FROM parse_mft_version(filename=MFTPath, accessor=Accessor, prefix=Drive) diff --git a/artifacts/testdata/server/testcases/mft.out.yaml b/artifacts/testdata/server/testcases/mft.out.yaml index f38d4243436..39559a09418 100644 --- a/artifacts/testdata/server/testcases/mft.out.yaml +++ b/artifacts/testdata/server/testcases/mft.out.yaml @@ -21,7 +21,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "LastAccess0x30": "2022-03-18T04:15:18.5166156Z", "HasADS": false, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": true, "FileNames": [ "just_a_file.txt" @@ -52,7 +52,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "LastAccess0x30": "2018-09-24T07:55:29.7664719Z", "HasADS": true, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": false, "FileNames": [ "Hello world text document.txt" @@ -82,7 +82,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "LastAccess0x30": "2018-09-24T07:55:29.7664719Z", "HasADS": true, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": false, "FileNames": [ "Hello world text document.txt:goodbye.txt" 
@@ -113,7 +113,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "LastAccess0x30": "2022-03-18T04:22:20.4341459Z", "HasADS": false, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": false, "FileNames": [ "another_file.txt" @@ -143,7 +143,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "LastAccess0x30": "2022-03-18T04:15:18.5166156Z", "HasADS": false, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": true, "FileNames": [ "just_a_file.txt" @@ -174,7 +174,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "LastAccess0x30": "2022-03-18T04:15:18.5166156Z", "HasADS": false, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": true, "FileNames": [ "just_a_file.txt" diff --git a/artifacts/testdata/server/testcases/ntfs.out.yaml b/artifacts/testdata/server/testcases/ntfs.out.yaml index 83f9ad8d2ae..ee59f74241b 100644 --- a/artifacts/testdata/server/testcases/ntfs.out.yaml +++ b/artifacts/testdata/server/testcases/ntfs.out.yaml @@ -24,7 +24,7 @@ LET NTFSInfoFromImage <= parse_ntfs( filename=srcDir+'/artifacts/testdata/files/ "IsDir": false, "HasADS": true, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": false, "SIFlags": "2080 (ARCHIVE,COMPRESSED)", "Created0x10": "2018-09-24T07:55:29.7664719Z", diff --git a/artifacts/testdata/server/testcases/remapping.out.yaml b/artifacts/testdata/server/testcases/remapping.out.yaml index 3c225ed96a2..56b617df103 100644 --- a/artifacts/testdata/server/testcases/remapping.out.yaml +++ b/artifacts/testdata/server/testcases/remapping.out.yaml @@ -45,7 +45,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "IsDir": false, "HasADS": true, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": false, "SIFlags": "2080 (ARCHIVE,COMPRESSED)", "Created0x10": "2018-09-24T07:55:29.7664719Z", 
@@ -78,7 +78,7 @@ LET _ <= remap(config=format(format=RemappingTemplate, args=[ srcDir+'/artifacts "IsDir": false, "HasADS": true, "SI_Lt_FN": false, - "uSecZeros": false, + "USecZeros": false, "Copied": false, "SIFlags": "2080 (ARCHIVE,COMPRESSED)", "Created0x10": "2018-09-24T07:55:29.7664719Z", diff --git a/go.mod b/go.mod index 930b87c8366..98d844dddca 100644 --- a/go.mod +++ b/go.mod @@ -90,7 +90,7 @@ require ( howett.net/plist v1.0.0 www.velocidex.com/golang/evtx v0.2.1-0.20240730174545-3e4ff3d96433 www.velocidex.com/golang/go-ese v0.2.1-0.20240919031214-2aa005106db2 - www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc + www.velocidex.com/golang/go-ntfs v0.2.1-0.20241110090212-80bdce4262fa www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3 www.velocidex.com/golang/go-prefetch v0.0.0-20240910051453-2385582c1c22 www.velocidex.com/golang/oleparse v0.0.0-20230217092320-383a0121aafe diff --git a/go.sum b/go.sum index 8d16581a9dc..70720dd9fba 100644 --- a/go.sum +++ b/go.sum @@ -746,8 +746,6 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -805,8 +803,6 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.0.0-20170424234030-8be79e1e0910/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -926,8 +922,8 @@ www.velocidex.com/golang/evtx v0.2.1-0.20240730174545-3e4ff3d96433 h1:qrRlDit2WJ www.velocidex.com/golang/evtx v0.2.1-0.20240730174545-3e4ff3d96433/go.mod h1:z0QWgpVDct1l+cHNq64vrSWdFuY6/BgrW2f/Qrc6oK4= www.velocidex.com/golang/go-ese v0.2.1-0.20240919031214-2aa005106db2 h1:f7nj4NsyeMSrwiFd9XO/VfsZYt6o6FH1KJmmqlBZDgM= www.velocidex.com/golang/go-ese v0.2.1-0.20240919031214-2aa005106db2/go.mod h1:YKxCStqE15c6F/P81oCG0Y5oelDBah2hCdO6P+VPUIQ= -www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc h1:eeL+RUEGr6/lYL8hJEbvugrF88I6W4pBaVtFa1falj4= -www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc= +www.velocidex.com/golang/go-ntfs v0.2.1-0.20241110090212-80bdce4262fa h1:mVb1otJoAbwPaawm4ZPaKvgz0s7nQeH6jchXVhMZDpk= +www.velocidex.com/golang/go-ntfs v0.2.1-0.20241110090212-80bdce4262fa/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc= www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3 h1:W394TEIFuHFxHY8mzTJPHI5v+M+NLKEHmHn7KY/VpEM= www.velocidex.com/golang/go-pe v0.1.1-0.20230228112150-ef2eadf34bc3/go.mod h1:agYwYzeeytVtdwkRrvxZAjgIA8SCeM/Tg7Ym2/jBwmA= www.velocidex.com/golang/go-prefetch v0.0.0-20240910051453-2385582c1c22 h1:Re+YlRCwkHESCIopk0WNLKXMnlnhALvoT4RiunT2qJE= 
@@ -936,8 +932,6 @@ www.velocidex.com/golang/oleparse v0.0.0-20230217092320-383a0121aafe h1:o9jQWSwK www.velocidex.com/golang/oleparse v0.0.0-20230217092320-383a0121aafe/go.mod h1:R7IisRzDO7q5LVRJsCQf1xA50LrIavsPWzAjVE4THyY= www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09 h1:G1RWYBXP2lSzxKcrAU1YhiUlBetZ7hGIzIiWuuazvfo= www.velocidex.com/golang/regparser v0.0.0-20240404115756-2169ac0e3c09/go.mod h1:pxSECT5mWM3goJ4sxB4HCJNKnKqiAlpyT8XnvBwkLGU= -www.velocidex.com/golang/vfilter v0.0.0-20241009150353-76c3a28b1767 h1:XUBc9OV6JZuLjIuGSyRS5sZmkWWdfav8SazJBy3MNeI= -www.velocidex.com/golang/vfilter v0.0.0-20241009150353-76c3a28b1767/go.mod h1:P50KPQr2LpWVAu7ilGH8CBLBASGtOJ2971yA9YhR8rY= www.velocidex.com/golang/vfilter v0.0.0-20241110073117-207766c3922f h1:SmMCRRbHKEKiQlkOG70XilldpqFtwCkvT1fM/ZMiKTs= www.velocidex.com/golang/vfilter v0.0.0-20241110073117-207766c3922f/go.mod h1:P50KPQr2LpWVAu7ilGH8CBLBASGtOJ2971yA9YhR8rY= www.velocidex.com/golang/vtypes v0.0.0-20240123105603-069d4a7f435c h1:rL/It+Ig+mvIhmy9vl5gg5b6CX2J12x0v2SXIT2RoWE= diff --git a/vql/parsers/ntfs_protocols.go b/vql/parsers/ntfs_protocols.go index 818b971d5cf..a1594289cf5 100644 --- a/vql/parsers/ntfs_protocols.go +++ b/vql/parsers/ntfs_protocols.go @@ -87,7 +87,7 @@ func (self _MFTHighlightAssociative) GetMembers( "IsDir", "HasADS", "SI_Lt_FN", - "uSecZeros", + "USecZeros", "Copied", "SIFlags", "Created0x10",