-
-
Save eduardomcm/310304d9197df1a94bc8c0de082499f3 to your computer and use it in GitHub Desktop.
Velociraptor Artifact - Windows.Applications.JLECmd
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Custom.Windows.Applications.JLECmd | |
description: | | |
Execute Eric Zimmerman's JLECmd and return output for analysis | |
# Objective: | |
- The Windows 7 task bar (Jump List) is engineered to allow users to “jump” or access items they have frequently or | |
recently used quickly and easily. This functionality cannot only include recent media files; it must also include recent tasks. | |
- The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application. | |
# Interpretation: | |
First time of execution of application. | |
- Creation Time = First time item added to the AppID file. | |
Last time of execution of application w/file open. | |
- Modification Time = Last time item added to the AppID file. | |
author: Eduardo Mattos - @eduardfir | |
reference: | |
- https://github.com/EricZimmerman | |
- https://www.sans.org/security-resources/posters/windows-forensic-analysis | |
required_permissions: | |
- EXECVE | |
type: CLIENT | |
tools: | |
- name: JLECmd | |
precondition: SELECT OS From info() where OS = 'windows' | |
parameters: | |
- name: userRegex | |
default: . | |
- name: UploadFiles | |
description: "Select to Upload JLECmd Output files." | |
type: bool | |
- name: RemovePayload | |
description: "Select to Remove Payload after execution." | |
type: bool | |
sources: | |
- query: | | |
-- get context on target binary | |
LET payload <= SELECT * FROM Artifact.Generic.Utils.FetchBinary( | |
ToolName="JLECmd", IsExecutable=TRUE) | |
-- build tempfolder for output | |
LET tempfolder <= tempdir(remove_last=TRUE) | |
-- get users with profiles | |
LET UserProfiles = SELECT Uid, Name, Directory, UUID, Mtime | |
FROM Artifact.Windows.Sys.Users() | |
WHERE Name =~ userRegex and Directory =~ "Users" | |
-- execute payload | |
LET deploy <= SELECT * FROM foreach(row=UserProfiles, | |
query={ | |
SELECT *, Name | |
FROM execve(argv=[ | |
payload.FullPath[0], | |
"-d", Directory + "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", | |
"--csv", tempfolder, | |
"--csvf", Name + ".csv", | |
"-q"]) | |
}) | |
-- parse AutomaticDestinations csvs | |
SELECT * FROM foreach(row=deploy, | |
query={ | |
SELECT *, Name as UserName | |
FROM parse_csv(filename=tempfolder + "\\" + Name + "_AutomaticDestinations.csv") | |
}) | |
- name: Uploads | |
queries: | |
- | | |
SELECT * FROM chain( | |
a={ | |
SELECT * FROM if(condition=UploadFiles, | |
then={ | |
SELECT Name, upload(file=FullPath, name=relpath(base=tempfile, path=FullPath)) as FileDetails | |
FROM glob(globs="/**", root=tempfolder)}) | |
}, | |
b={ | |
SELECT * FROM if(condition=RemovePayload, | |
then={ | |
SELECT * FROM execve(argv=['powershell','Remove-Item', | |
payload.FullPath[0],'-Force' ])}) | |
}) | |
WHERE Stdout =~ "JLECmd" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment