Skip to content

Instantly share code, notes, and snippets.

@eduardomcm
Created June 7, 2021 14:45
Show Gist options
  • Save eduardomcm/310304d9197df1a94bc8c0de082499f3 to your computer and use it in GitHub Desktop.
Save eduardomcm/310304d9197df1a94bc8c0de082499f3 to your computer and use it in GitHub Desktop.
Velociraptor Artifact - Windows.Applications.JLECmd
name: Custom.Windows.Applications.JLECmd
description: |
Execute Eric Zimmerman's JLECmd and return output for analysis
# Objective:
- The Windows 7 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or
recently used quickly and easily. This functionality cannot only include recent media files; it must also include recent tasks.
- The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application.
# Interpretation:
First time of execution of application.
- Creation Time = First time item added to the AppID file.
Last time of execution of application w/file open.
- Modification Time = Last time item added to the AppID file.
author: Eduardo Mattos - @eduardfir
reference:
- https://github.com/EricZimmerman
- https://www.sans.org/security-resources/posters/windows-forensic-analysis
required_permissions:
- EXECVE
type: CLIENT
tools:
- name: JLECmd
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: userRegex
default: .
- name: UploadFiles
description: "Select to Upload JLECmd Output files."
type: bool
- name: RemovePayload
description: "Select to Remove Payload after execution."
type: bool
sources:
- query: |
-- get context on target binary
LET payload <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName="JLECmd", IsExecutable=TRUE)
-- build tempfolder for output
LET tempfolder <= tempdir(remove_last=TRUE)
-- get users with profiles
LET UserProfiles = SELECT Uid, Name, Directory, UUID, Mtime
FROM Artifact.Windows.Sys.Users()
WHERE Name =~ userRegex and Directory =~ "Users"
-- execute payload
LET deploy <= SELECT * FROM foreach(row=UserProfiles,
query={
SELECT *, Name
FROM execve(argv=[
payload.FullPath[0],
"-d", Directory + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations",
"--csv", tempfolder,
"--csvf", Name + ".csv",
"-q"])
})
-- parse AutomaticDestinations csvs
SELECT * FROM foreach(row=deploy,
query={
SELECT *, Name as UserName
FROM parse_csv(filename=tempfolder + "\\" + Name + "_AutomaticDestinations.csv")
})
- name: Uploads
queries:
- |
SELECT * FROM chain(
a={
SELECT * FROM if(condition=UploadFiles,
then={
SELECT Name, upload(file=FullPath, name=relpath(base=tempfile, path=FullPath)) as FileDetails
FROM glob(globs="/**", root=tempfolder)})
},
b={
SELECT * FROM if(condition=RemovePayload,
then={
SELECT * FROM execve(argv=['powershell','Remove-Item',
payload.FullPath[0],'-Force' ])})
})
WHERE Stdout =~ "JLECmd"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment