@mgreen27
Last active March 11, 2025 04:30
Velociraptor artifact to deploy honeyfiles
```yaml
name: Windows.Detection.Honeyfiles.Manage
author: Matt Green - @mgreen27 from Zane Gittins honeyfile use case
description: |
  This Artifact enables managing HoneyFiles that can be used to monitor for a
  honeypot usecase.

  HoneyUserRegex is a regex for UserName to check or deploy HoneyFiles.
  DeployHoneyFiles - will deploy honeyfiles.
  RemoveHoneyFiles - will remove Velociraptor HoneyFiles.

  Honeyfiles is a CSV that has several parameters:
  * TargetPath - Where to generate the honeyfile. %USERPROFILE% is replaced
    with the profile directory of each user matched by HoneyUserRegex.
  * Enabled - Only generate the honeyfile if this is set to 'Y'.
  * HexString - The starting magic bytes of the honeyfile. This might be useful for GUI access.
  * MinSize,MaxSize - The size of the honeyfile will be a random value between MinSize and MaxSize.

  Deployed honeyfiles end with the 7-byte marker 'VRHoney' so the artifact can
  tell its own files apart from real user files before overwriting or removing them.

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT or NOTEBOOK
type: CLIENT

parameters:
  - name: HoneyUserRegex
    description: User name regex that will be used to host honeyfiles.
    type: string
    default: yolo
  - name: DeployHoneyFiles
    description: Deploy honeyfiles - this will overwrite previously deployed honeyfiles
    type: bool
  - name: RemoveHoneyFiles
    description: Remove deployed honeyfiles
    type: bool
  - name: Honeyfiles
    description: The honeyfiles to generate and monitor.
    type: csv
    default: |
      TargetPath,Enabled,HexString,MinSize,MaxSize
      "%USERPROFILE%\Documents\KeePass\KeePass.kdbx",Y,03D9A29A67FB4BB5,10249,20899
      "%USERPROFILE%\AppData\Local\KeePass\KeePass.config.xml",Y,3C3F786D6C,512,1024
      "%USERPROFILE%\AppData\Local\LastPass\lastpass.conf",Y,3C3F786D6C,512,1024
      "%USERPROFILE%\AppData\Roaming\LastPass\loginState.xml",Y,3C3F786D6C,512,1024
      "%USERPROFILE%\AppData\Roaming\WinSCP\WinSCP.ini",Y,5B436F6E66696775726174696F6E5D,512,1024
      "%USERPROFILE%\.aws\credentials",Y,5B64656661756C745D,512,2048
      "%USERPROFILE%\.aws\config",Y,5B64656661756C745D,512,2048
      "%USERPROFILE%\.ssh\my_id_rsa",Y,2D2D2D2D2D424547494E205253412050524956415445204B45592D2D2D2D2D,1024,4096
      "%USERPROFILE%\.gcloud\credentials.db",Y,5343514C697465,512,2048
      "%USERPROFILE%\.azure\azureProfile.json",Y,7B0D0A,512,2048

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- Random bytes (as hex) used as padding between the magic bytes and the marker
      LET RandomChars(size) = SELECT format(format="%02x", args=rand(range=256)) AS HexByte
        FROM range(end=size)

      -- Stat the path and test whether the last 7 bytes carry the VRHoney marker
      LET check_exist(path) = SELECT OSPath, Size, IsDir,
            if(condition= read_file(filename=OSPath)[-7:] =~ 'VRHoney',
               then= True,
               else= False) as IsHoneyFile
        FROM stat(filename=path)

      -- Expand %USERPROFILE% to the user's Directory and work out how much padding
      -- is needed so that magic + padding + marker lands between MinSize and MaxSize
      LET enumerate_path = SELECT
            regex_replace(source=TargetPath, re='''\%USERPROFILE\%''', replace=Directory) as TargetPath, *,
            check_exist(path=regex_replace(source=TargetPath, re='''\%USERPROFILE\%''', replace=Directory))[0] as Exists,
            MaxSize - rand(range=(MaxSize - MinSize)) - len(list=unhex(string=HexString)) - 7 as _PaddingSize
        FROM Honeyfiles

      -- Local users matching HoneyUserRegex, excluding the well-known service SIDs
      LET target_users = SELECT Name, Directory, UUID
        FROM Artifact.Windows.Sys.Users()
        WHERE NOT UUID =~ '''^(S-1-5-18|S-1-5-19|S-1-5-20)$'''
         AND Name =~ HoneyUserRegex

      LET show_honeyfiles = SELECT TargetPath, Enabled, HexString, MinSize, MaxSize, _PaddingSize,
            Exists.Size as Size,
            Exists.IsHoneyFile as IsHoneyFile
        FROM foreach(row=target_users, query=enumerate_path)

      -- Only files carrying the marker are removed; real user files are left alone
      LET remove_honeyfiles = SELECT *, _PaddingSize,
            if(condition= IsHoneyFile,
               then= rm(filename=TargetPath),
               else= "File missing or not a Velociraptor honeyfile") as RemoveHoneyFile
        FROM show_honeyfiles

      -- Write magic bytes + random padding + marker, but only where the path is
      -- free or already holds one of our honeyfiles
      LET copy_honeyfiles = SELECT *,
            if(condition= Enabled =~ "^(Y|YES)$" AND ( NOT Size OR IsHoneyFile ),
               then= copy(dest=TargetPath, create_directories='y', accessor='data',
                          filename=unhex(string=HexString + join(array=RandomChars(size=_PaddingSize).HexByte) + format(format='%x', args='VRHoney'))),
               else= "Skipped: not enabled or existing file is not a honeyfile") as CreateHoneyFile
        FROM show_honeyfiles

      -- Re-stat after writing so the output reflects what is now on disk
      LET add_honeyfiles = SELECT TargetPath, Enabled, HexString, MinSize, MaxSize,
            check_exist(path=TargetPath)[0].Size as Size,
            check_exist(path=TargetPath)[0].IsHoneyFile as IsHoneyFile
        FROM copy_honeyfiles

      SELECT *
      FROM if(condition= DeployHoneyFiles,
              then= add_honeyfiles,
              else= if(condition= RemoveHoneyFiles,
                       then= remove_honeyfiles,
                       else= show_honeyfiles))
```
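The honeyfile layout the artifact writes (HexString magic bytes, random padding, then the `VRHoney` trailer that `check_exist` keys on) reproduced in Python as an added example; this is not part of the gist, and the CSV rows and `C:\Users\yolo` profile path it uses are constructed sample input.

```python
"""Build and recognise honeyfiles in the layout the Velociraptor artifact uses."""
import csv
import io
import secrets

MARKER = b"VRHoney"  # 7-byte trailer the artifact's check_exist() tests for

# Constructed sample: two rows in the same shape as the artifact's default CSV
SAMPLE_CSV = r"""TargetPath,Enabled,HexString,MinSize,MaxSize
"%USERPROFILE%\Documents\KeePass\KeePass.kdbx",Y,03D9A29A67FB4BB5,10249,20899
"%USERPROFILE%\.aws\credentials",Y,5B64656661756C745D,512,2048
"""


def build_honeyfile(hex_string: str, min_size: int, max_size: int) -> bytes:
    """Mirror the artifact's _PaddingSize arithmetic:
    padding = MaxSize - rand(MaxSize - MinSize) - len(magic) - 7,
    so the finished file is between MinSize (exclusive) and MaxSize (inclusive)."""
    magic = bytes.fromhex(hex_string)
    padding = max_size - secrets.randbelow(max_size - min_size) - len(magic) - len(MARKER)
    if padding < 0:
        raise ValueError("size range too small for the magic bytes plus marker")
    return magic + secrets.token_bytes(padding) + MARKER


def is_honeyfile(data: bytes) -> bool:
    """Same decision as check_exist(): the last 7 bytes are the marker."""
    return data[-len(MARKER):] == MARKER


def rows_to_deploy(csv_text: str) -> list[dict]:
    """Parse the CSV and keep rows whose Enabled matches ^(Y|YES)$, like copy_honeyfiles."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["Enabled"].upper() in ("Y", "YES")]


def expand_target(path: str, profile_dir: str) -> str:
    """The artifact substitutes each matched user's Directory for %USERPROFILE%."""
    return path.replace("%USERPROFILE%", profile_dir)


def plan(csv_text: str, profile_dir: str) -> list[tuple[str, bytes]]:
    """Return (destination path, file content) pairs for one user's profile."""
    out = []
    for row in rows_to_deploy(csv_text):
        data = build_honeyfile(row["HexString"], int(row["MinSize"]), int(row["MaxSize"]))
        out.append((expand_target(row["TargetPath"], profile_dir), data))
    return out
```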