Velocidex / velociraptor

Digging Deeper....
https://docs.velociraptor.app/

Velociraptor Evidence of Download error - DEBUG #2334

Closed Frank-Victory closed 1 year ago

Frank-Victory commented 1 year ago

Running the Threat Hunt module with default options. From the 21 clients scanned, I am only coming up with one result. On one of the clients, I added a text file (testfile.txt) and it did not pick it up. In the Notebook I am seeing

"DEBUG: Query Stats: {"RowsScanned":1,"PluginsCalled":1,"FunctionsCalled":0,"ProtocolSearch":0,"ScopeCopy":3}

I see a similar issue. I am not sure where to look for the logs

scudette commented 1 year ago

Can you explain what artifact you collected, what parameters you used and what results you expect.

What is the threat hunting module?

Frank-Victory commented 1 year ago

Oh shoot, I had it in my head and never typed it out......apologies.

I am using the Threat Hunt module "Windows.Analysis.EvidenceOfDownload" and the default configured artifact parameters are c:/users/*/Downloads/ with ZoneId=[34]. I left the defaults in there.

I did not touch the resources, therefore it is at 100%/Unlimited/etc.

I ran this before, in a similar but different virtual environment and it was able to show me the download directory of all the Windows Clients. I am trying to figure out how to troubleshoot the issue. The Velociraptor server is Windows and I have administrator access. When I Google, I come up with a lot of Windows Event Logs, but do not see where the Velociraptor logs are kept.

This is a test environment, so many of the 21 clients do not have anything in the Download folder. That is why I created newfile.txt which is basically a 1k file. In the Clients tab, it does say "Finished" for state. For the one server that finished successfully, it shows a PDF with three hashes, which is AWESOME.

FYI @scudette you have been a subject of discussion. We have been diving into this tool and it is one of the best! Once I am done with this engagement, I could contribute the documentation or create videos


Frank-Victory commented 1 year ago

BTW, on the other modules, I have written documentation on the following (basic, but I will build more):

- Windows Carving CobaltStrike
- KAPE
- Windows System PowerShell (along with the eradication script)
- Generic Detection Hashhunter
- FileFinder (Windows so far, Linux on radar)

In the plans are Generic Forensic Carving URLs and the Chrome and Firefox history. I will be putting this into a context so new threat hunters can understand the why along with the tool.

predictiple commented 1 year ago

The descriptions in the artifacts are intentionally brief because most of the time the VQL is self-explanatory. But for some artifacts it is maybe too brief and there's always room for improvement. Contributions are always welcomed.

If you want to provide more in-depth explanations then the best place for that is probably the knowledge base: https://docs.velociraptor.app/knowledge_base/

scudette commented 1 year ago

The artifact is looking for an alternate data stream named zone identifier that indicates the file was downloaded from an external URL.

https://docs.velociraptor.app/artifact_references/pages/windows.analysis.evidenceofdownload/

When you added the file manually, did you also add the zone identifier ads?

You can also check the files manually by using the vfs with the ntfs accessor. This should show the ads as a separate file (with the same mft id) and contain the zone identifier meta data.

Can you please confirm your file that you created has those ads?

Frank-Victory commented 1 year ago

Thanks for the explanation, I did not add the zone identifiers. Is that error due to the lack of zone identifiers?

scudette commented 1 year ago

Well, this specific artifact is looking for the zone identifier which is normally added by Chrome or Edge when downloading from the internet. If you downloaded the test file using Chrome from the internet it should automatically add the zone identifier ADS to it.

A good cross check is to view the file using the vfs with the ntfs accessor to see if any ads is attached to it.

mgreen27 commented 1 year ago

You can test this with the data generation script I created: https://gist.github.com/mgreen27/05f95f27f70234ea7242190c5c62a62a

It downloads some files to C:\PerfLogs\, then manually adds some interesting ADS. Test using: Windows.Analysis.EvidenceOfDownload, or Windows.NTFS.ADSHunter
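The check scudette describes above (does the test file actually carry a Zone.Identifier ADS?) and a small stand-in for mgreen27's data generation script, as an added PowerShell example that is not part of the thread or the Velociraptor project. It assumes an NTFS volume and PowerShell 5.1 or later; the ZoneTransfer URLs are constructed placeholders.

```powershell
# Added example (not from the issue thread or the Velociraptor project).
# Creates a test file in Downloads that carries a Zone.Identifier ADS shaped
# like the one browsers write, then verifies the stream is present and triages
# the Downloads tree the way the artifact's ZoneId=[34] filter does.

$Path = Join-Path $env:USERPROFILE 'Downloads\testfile.txt'

# Plain file: this is what the reporter created, and it has no ADS,
# so Windows.Analysis.EvidenceOfDownload will not report it.
Set-Content -Path $Path -Value 'test content' -Encoding ASCII

# Constructed Zone.Identifier payload. ZoneId=3 is the Internet zone,
# one of the two values (3 or 4) the artifact's default filter matches.
$Zone = @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'ReferrerUrl=https://example.invalid/'
    'HostUrl=https://example.invalid/testfile.txt'
) -join "`r`n"

# Write the ADS. Without this step the file is invisible to the artifact.
Set-Content -Path $Path -Stream 'Zone.Identifier' -Value $Zone -Encoding ASCII

# Verify: list every stream on the file. Expect ':$DATA' and 'Zone.Identifier',
# which is what the VFS with the ntfs accessor shows as a separate entry.
Get-Item -Path $Path -Stream * | Select-Object Stream, Length

# Read the stream back to confirm the ZoneTransfer metadata.
Get-Content -Path $Path -Stream 'Zone.Identifier'

# Triage: keep only files under Downloads that have the stream and a ZoneId
# of 3 or 4. Files without the ADS (like the original testfile.txt) drop out,
# which is exactly why the hunt returned nothing for them.
Get-ChildItem -Path (Split-Path $Path) -File -Recurse |
    ForEach-Object {
        $ads = Get-Content -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($ads -and (($ads -join "`n") -match 'ZoneId=([34])')) {
            [pscustomobject]@{ File = $_.FullName; ZoneId = $Matches[1] }
        }
    }
```

Re-running the artifact after this script should list testfile.txt; removing the stream with `Remove-Item -Path $Path -Stream 'Zone.Identifier'` makes it disappear from the results again.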

Frank-Victory commented 1 year ago

Thanks @scudette and @mgreen27. The cyber range I have is closed, therefore I have to put in a ticket to allow things through. However, your explanation makes sense.

Next week I am going to be rebuilding my home lab so I can test this without having to jump through so many hoops. I teach at some of the major universities and would love to bring this tool to them too. We do have an ADS lab and this would be perfect to enhance the base lesson.

scudette commented 1 year ago

Feel free to reopen if there are more questions.