Create Windows.Detection.Honeyfile.yaml (#1012)

Author: zaneGittins

content/exchange/artifacts/Windows.Detection.Honeyfile.yaml

@@ -0,0 +1,155 @@
+name: Windows.Detection.Honeyfiles
+author: Zane Gittins & Matt Green (@mgreen27).
+description: |
+    This artifact deploys honeyfiles according to the Honeyfiles CSV parameter. It then monitors access to these files using etw.  The process tracker must be enabled, we use this to enrich etw events. Honeyfiles created by this artifact are removed at exit.
+
+    * TargetPath - Location to create honeyfile.
+    * Enabled - Only generate the honeyfile if this is set to 'Y'
+    * MagicBytes - The starting magic bytes of the honeyfile.
+    * MinSize,MaxSize - The size of the honeyfile will be a random value between MinSize and MaxSize.
+
+type: CLIENT_EVENT
+
+parameters:
+  - name: Honeyfiles
+    description: The honeyfiles to generate and monitor.
+    type: csv
+    default: |
+        TargetPath,Enabled,MagicBytes,MinSize,MaxSize
+        "%USERPROFILE%\Documents\KeePass\KeePass.kdbx",Y,03D9A29A67FB4BB5,10249,20899
+        "%USERPROFILE%\AppData\Local\KeePass\KeePass.config.xml",Y,3C3F786D6C,512,1024
+        "%USERPROFILE%\AppData\Local\LastPass\lastpass.conf",Y,3C3F786D6C,512,1024
+        "%USERPROFILE%\AppData\Roaming\LastPass\loginState.xml",Y,3C3F786D6C,512,1024
+        "%USERPROFILE%\AppData\Roaming\WinSCP\WinSCP.ini",Y,5B436F6E66696775726174696F6E5D,512,1024
+        "%USERPROFILE%\.aws\credentials",Y,5B64656661756C745D,512,2048
+        "%USERPROFILE%\.aws\config",Y,5B64656661756C745D,512,2048
+        "%USERPROFILE%\.ssh\my_id_rsa",Y,2D2D2D2D2D424547494E205253412050524956415445204B45592D2D2D2D2D,1024,4096
+        "%USERPROFILE%\.gcloud\credentials.db",Y,53514c69746520666f726d6174203300,512,2048
+        "%USERPROFILE%\.azure\azureProfile.json",Y,7B0D0A,512,2048
+  - name: ProcessExceptionsRegex
+    description: Except these processes from detections when they access honeyfiles.
+    type: string
+    default: "SearchProtocolHost.exe|Explorer.exe"
+  - name: HoneyUserRegex
+    description: User name regex that will be used to host honeyfiles.
+    type: string
+    default: "."
+sources:
+  - precondition:
+      SELECT OS From info() where OS = 'windows'
+
+    query: |
+       LET RandomChars(size) = SELECT
+           format(format="%02x", args=rand(range=256)) AS HexByte
+         FROM range(end=size)
+       
+       LET check_exist(path) = SELECT
+           OSPath,
+           Size,
+           IsDir,
+           if(condition=read_file(filename=OSPath)[-7:] =~ 'VRHoney',
+              then=True,
+              else=False) AS IsHoneyFile
+         FROM stat(filename=path)
+       
+       LET enumerate_path = SELECT
+           regex_replace(source=TargetPath,
+                         re='''\%USERPROFILE\%''',
+                         replace=Directory) AS TargetPath,
+           *,
+           check_exist(path=regex_replace(source=TargetPath,
+                                          re='''\%USERPROFILE\%''',
+                                          replace=Directory))[0] AS Exists,
+           MaxSize - rand(range=(MaxSize - MinSize)) - len(
+             list=unhex(string=MagicBytes)) - 7 AS _PaddingSize
+         FROM Honeyfiles
+       
+       LET target_users = SELECT Name,
+                                 Directory,
+                                 UUID
+         FROM Artifact.Windows.Sys.Users()
+         WHERE NOT UUID =~ '''^(S-1-5-18|S-1-5-19|S-1-5-20)$'''
+          AND Name =~ HoneyUserRegex
+       
+       LET show_honeyfiles = SELECT TargetPath,
+                                    Enabled,
+                                    MagicBytes,
+                                    MinSize,
+                                    MaxSize,
+                                    _PaddingSize,
+                                    Exists.Size AS Size,
+                                    Exists.IsHoneyFile AS IsHoneyFile
+         FROM foreach(row=target_users, query=enumerate_path)
+       
+       LET copy_honeyfiles = SELECT
+           *, if(condition=Enabled =~ "^(Y|YES)$"
+                  AND (NOT Size OR IsHoneyFile),
+                 then=log(message="Creating file %v", dedup=-1, args=TargetPath)
+                  && copy(dest=TargetPath,
+                          create_directories='y',
+                          accessor='data',
+                          filename=unhex(
+                            string=MagicBytes + join(
+                              array=RandomChars(size=_PaddingSize).HexByte) +
+                              format(format='%x', args='VRHoney'))),
+                 else="File does not exist") AS CreateHoneyFile
+         FROM show_honeyfiles
+       
+       LET remove_honeyfiles = SELECT
+           *, _PaddingSize,
+           if(condition=IsHoneyFile,
+              then=log(message="Removing %v", args=TargetPath, dedup=-1)
+               && rm(filename=TargetPath),
+              else="File does not exist") AS RemoveHoneyFile
+         FROM show_honeyfiles
+       
+       LET add_honeyfiles = SELECT
+           TargetPath,
+           Enabled,
+           MagicBytes,
+           MinSize,
+           MaxSize,
+           check_exist(path=TargetPath)[0].Size AS Size,
+           check_exist(path=TargetPath)[0].IsHoneyFile AS IsHoneyFile
+         FROM copy_honeyfiles
+       
+       LET _ <= atexit(query={ SELECT * FROM remove_honeyfiles })
+       
+       LET WatchFiles <= to_dict(item={
+           SELECT TargetPath AS _key,
+                  IsHoneyFile AS _value
+           FROM add_honeyfiles
+           WHERE IsHoneyFile
+         })
+       
+       LET Keyword <= 5264
+       
+       LET CurrentPid <= getpid()
+       
+       LET TargetEvents = SELECT *
+         FROM watch_etw(guid='{edd08927-9cc4-4e65-b970-c2560fb5c289}',
+                        description="Microsoft-Windows-Kernel-File",
+                        any=Keyword)
+         WHERE System.ID = 12
+          AND System.ProcessID != CurrentPid
+       
+       LET AuditEvents = SELECT
+           timestamp(string=System.TimeStamp) AS Timestamp,
+           get(item=WatchFiles, field=EventData.FileName) AS IsHoneyFile,
+           *
+         FROM TargetEvents
+         WHERE IsHoneyFile != NULL
+       
+       LET Events = SELECT
+           Timestamp,
+           IsHoneyFile,
+           System.ProcessID AS Pid,
+           EventData.FileName AS TargetPath,
+           process_tracker_get(id=System.ProcessID).Data AS ProcInfo,
+           join(array=process_tracker_callchain(id=System.ProcessID).Data.Name,
+                sep="->") AS CallChain
+         FROM AuditEvents
+         WHERE NOT ProcInfo.Exe =~ ProcessExceptionsRegex
+       
+       SELECT *
+       FROM delay(query=Events, delay=5)

content/exchange/artifacts/Windows.KapeFiles.Remapping.yaml

@@ -26,7 +26,7 @@
 '''
 VELO_CONFIG_FILENAME = "/tmp/velo.config.yaml"
 VELO_FILENAME = "/tmp/velociraptor"
-VELO_URL = "https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-linux-amd64-musl"
+VELO_URL = "https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.4-linux-amd64-musl"
 EXCHANGE_PATH = os.path.abspath("./content/exchange/artifacts/")
 VELO_LOGFILE = "/tmp/velo.log"
 

scripts/exchange_verify.py

@@ -1,4 +1,24 @@
 [
+    {
+        "title": "Linux.Detection.Honeyfiles",
+        "author": "zaneGittins",
+        "description": "This artifact deploys honeyfiles according to the Honeyfiles CSV parameter. It then monitors access to these files using eBPF.  The process tracker must be enabled, we use this to enrich events. You also must be using Velociraptor >= 0.74 to support eBPF. Honeyfiles created by this artifact are removed at exit.",
+        "link": "/exchange/artifacts/pages/linux.detection.honeyfiles",
+        "tags": [],
+        "author_link": "https://github.com/zaneGittins",
+        "author_avatar": "https://avatars.githubusercontent.com/u/22203776?v=4",
+        "date": "2025-03-18"
+    },
+    {
+        "title": "MacOS.Forensics.ASL",
+        "author": "ydkhatri",
+        "description": "This artifact parses the ASL (Apple System Log) v2 files located at \n/private/var/log/asl/*.asl\n",
+        "link": "/exchange/artifacts/pages/macos.forensics.asl",
+        "tags": [],
+        "author_link": "https://github.com/ydkhatri",
+        "author_avatar": "https://avatars.githubusercontent.com/u/13247440?v=4",
+        "date": "2025-02-19"
+    },
     {
         "title": "Linux.Forensics.Targets",
         "author": "kidrek",
@@ -236,7 +256,7 @@
     {
         "title": "Windows.EventLogs.SysmonProcessEnriched.yaml",
         "author": "zaneGittins",
-        "description": "Gather sysmon process creation events from the sysmon operational event log. Enrich with authenticode signature of image and call chain.\nCaches authenticode signature by the hash of the image for ClearCacheSeconds (default, 1hr).\nPrerequisites: Sysmon, and the process tracker.\n",
+        "description": "Gather sysmon process creation events from the sysmon operational event log. Enrich with authenticode signature of image and call chain.\nCaches authenticode signature by the hash of the image for an hour to reduce number of times it fetches the authenticode signature.\nPrerequisites: Sysmon, and the process tracker artifact.\n",
         "link": "/exchange/artifacts/pages/windows.eventlogs.sysmonprocessenriched",
         "tags": [],
         "author_link": "https://github.com/zaneGittins",
@@ -1882,16 +1902,6 @@
         "author_avatar": "https://avatars.githubusercontent.com/u/13081800?v=4",
         "date": "2022-08-12"
     },
-    {
-        "title": "Windows.KapeFiles.Remapping",
-        "author": "scudette",
-        "description": "This artifact automates the rebuilding of remapping rules to be able to easily\npost process the results of the Windows.KapeFiles.Targets.",
-        "link": "/exchange/artifacts/pages/windows.kapefiles.remapping",
-        "tags": [],
-        "author_link": "https://github.com/scudette",
-        "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4",
-        "date": "2022-08-04"
-    },
     {
         "title": "Server.Enrichment.MalwareBazaar",
         "author": "weslambert",
@@ -2772,5 +2782,15 @@
         "author_link": "https://github.com/ffh571",
         "author_avatar": "https://avatars.githubusercontent.com/u/48983874?v=4",
         "date": "2021-06-23"
+    },
+    {
+        "title": "Windows.Detection.Honeyfiles",
+        "author": "",
+        "description": "This artifact deploys honeyfiles according to the Honeyfiles CSV parameter. It then monitors access to these files using etw.  The process tracker must be enabled, we use this to enrich etw events. Honeyfiles created by this artifact are removed at exit.",
+        "link": "/exchange/artifacts/pages/windows.detection.honeyfile",
+        "tags": [],
+        "author_link": "",
+        "author_avatar": "",
+        "date": ""
     }
 ]

static/exchange/data.json

@@ -1,4 +1,15 @@
 [
+    {
+        "title": "How to setup an SFTP server",
+        "link": "/knowledge_base/tips/setting_up_sftp",
+        "tags": [
+            "deployment"
+        ],
+        "author": "scudette",
+        "author_link": "https://github.com/scudette",
+        "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4",
+        "date": "2025-02-25"
+    },
     {
         "title": "How can I automatically add & update client metadata?",
         "link": "/knowledge_base/tips/automating_metadata",
@@ -424,16 +435,5 @@
         "author_avatar": "https://avatars.githubusercontent.com/u/3856546?v=4",
         "author_link": "https://github.com/scudette",
         "date": "2022-03-21"
-    },
-    {
-        "title": "How to setup an SFTP server",
-        "link": "/knowledge_base/tips/setting_up_sftp",
-        "tags": [
-            "deployment"
-        ],
-        "author": "",
-        "author_link": "",
-        "author_avatar": "",
-        "date": ""
     }
 ]