Velocidex / velociraptor-docs

Documentation site for Velociraptor

Create Windows.Applications.Rclone #837

Closed BusterBaxter5 closed 4 months ago

BusterBaxter5 commented 4 months ago

Creating a new artifact to collect traces of Rclone in Windows OS

CLAassistant commented 4 months ago

CLA assistant check
All committers have signed the CLA.

scudette commented 4 months ago

We want to move all registry artifacts to https://registry-hunter.velocidex.com/ - do you think you can contribute it there?

BusterBaxter5 commented 4 months ago

> We want to move all registry artifacts to https://registry-hunter.velocidex.com/ - do you think you can contribute it there?

Yeah sure. Add it under Rules? And should I copy just the part of the registry key or all of it?

scudette commented 4 months ago

Thanks for this PR - it is a good example of detections which we should be able to add to the Registry Hunter. I started a new file there for this detection:

https://github.com/Velocidex/registry_hunter/blob/master/Rules/Detections.yaml

So now we can just hunt for all the Threats at once.

The specific registry source used here, AppCompatFlags, is also already covered in the AppCompatFlags rule, but I think it is useful to add it again under detection as a specific high-value signal.

As the registry hunter evolves I expect it will also gain specific non-registry use cases like this detection, but the main idea is to just have an uber artifact that one can throw at a system to see what's going on quickly.
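For readers who want to see what a detection over the AppCompatFlags source looks like outside of VQL, here is an added Python example (not the PR's artifact and not a Registry Hunter rule). It parses a constructed `.reg` export of the `AppCompatFlags\Compatibility Assistant\Store` key, where the value names are full paths of executables that have been run, and flags entries whose executable name is `rclone.exe`. The sample registry export, the `rclone.exe` match list and the function names are all assumptions made for this example.

```python
import ntpath
import re
from typing import Dict, List

# Constructed .reg export of the Compatibility Assistant Store key.
# This is made-up sample data for the example, not output from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\\Users\\alice\\Downloads\\rclone-v1.65.0-windows-amd64\\rclone.exe"=hex:53,41,43,50,01,00,\
  00,00
"C:\\Windows\\System32\\notepad.exe"=hex:53,41,43,50,01,00,00,00
"D:\\tools\\RCLONE.EXE"=hex:53,41,43,50,01,00,00,00
'''

# A value line in a .reg export: "name"=data, where name escapes \ and " with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

# Executable names treated as rclone (assumed list for this example).
RCLONE_NAMES = {"rclone.exe"}


def parse_reg_values(text: str) -> Dict[str, List[str]]:
    """Return {key_path: [value names]} from .reg export text.

    Value names are unescaped (\\\\ -> \\ and \\" -> "). Hex continuation
    lines (indented, ending in a backslash) carry no value name and are skipped.
    """
    result: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            result[current].append(name)
    return result


def find_rclone_executions(reg_text: str) -> List[str]:
    """Return the executable paths recorded under the Compatibility Assistant
    Store key whose file name identifies rclone (case-insensitive)."""
    hits: List[str] = []
    for key, names in parse_reg_values(reg_text).items():
        if not key.lower().endswith(r"appcompatflags\compatibility assistant\store"):
            continue  # other keys in the export are not this source
        for path in names:
            base = ntpath.basename(path).lower()  # ntpath handles Windows paths on any OS
            if base in RCLONE_NAMES:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for path in find_rclone_executions(SAMPLE_REG):
        print("rclone execution trace:", path)
```

The Store key records programs the Program Compatibility Assistant has seen run, so a hit here is evidence of execution, not merely of a file on disk; pairing it with a file search (as the PR's artifact does) gives both the "was it run" and "is it still present" answers.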

BusterBaxter5 commented 4 months ago

Hey, just to clarify, down the road, if we create new artifacts that combine hunting for registry keys and files, do they have to be pushed to registry hunter even though it includes hunting for files in File Explorer (or processes, etc.)? BTW thanks for the fast and detailed responses! :)

scudette commented 4 months ago

It's more about usability - for example, how would you like to use this artifact? If you expect to use it as part of a larger workflow then it should be refactored into the registry hunter. If you would use it on its own then it can be in its own artifact.

Checking for reg keys or files as part of a larger detection or compromise assessment workflow is better done in the registry hunter (or sigma rules).

We are just trying to streamline the workflow more - so people don't have to remember to collect many separate artifacts.