Created July 13, 2020 00:29
Velociraptor Artifact to apply Hollows Hunter on the endpoint
```yaml
name: Custom.Windows.Detection.ProcessHollowing
description: |
  Use hollows_hunter to detect suspicious process injections.
  Upload any findings to the server, including process dumps.

tools:
  - name: hollows_hunter
    url: https://github.com/hasherezade/hollows_hunter/releases/download/v0.2.7.1/hollows_hunter64.exe

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- Get the path to the hollows_hunter tool and a fresh temp directory.
      LET binaries <= SELECT FullPath, tempdir() AS TempDir
        FROM Artifact.Generic.Utils.FetchBinary(
          ToolName="hollows_hunter")

      -- Run the tool and relay back the output, as well as upload all the files from the tempdir.
      SELECT * FROM chain(
        a={SELECT Stdout, NULL AS Upload
           FROM execve(argv=[binaries[0].FullPath,
                "/json", "/dir", binaries[0].TempDir], length=100000)},
        b={
          SELECT upload(file=FullPath) AS Upload
          FROM glob(globs="*", root=binaries[0].TempDir)
        })
```
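The artifact above fetches a third-party binary onto every endpoint it runs on, so the `tools:` block is the part a reviewer should check before deploying it: the URL is pinned to a tagged release over HTTPS, but no `expected_hash` (the Velociraptor tool-definition field for verifying the downloaded binary) is set. The following Python script is an added example, not code from the gist or from Velociraptor; it audits an artifact's tool definitions with a small line-based reader instead of Velociraptor's own YAML loader, and the hash value in the hardened variant is a labelled placeholder, not the real digest of the release.

```python
import re
from urllib.parse import urlparse

# Sample input: the artifact from the gist, embedded so the check runs offline.
ARTIFACT = """\
name: Custom.Windows.Detection.ProcessHollowing
description: |
  Use hollows_hunter to detect suspicious process injections.
  Upload any findings to the server, including process dumps.

tools:
  - name: hollows_hunter
    url: https://github.com/hasherezade/hollows_hunter/releases/download/v0.2.7.1/hollows_hunter64.exe

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      LET binaries <= SELECT FullPath, tempdir() AS TempDir
        FROM Artifact.Generic.Utils.FetchBinary(ToolName="hollows_hunter")
      SELECT * FROM chain(
        a={SELECT Stdout, NULL AS Upload
           FROM execve(argv=[binaries[0].FullPath,
                "/json", "/dir", binaries[0].TempDir], length=100000)},
        b={SELECT upload(file=FullPath) AS Upload
           FROM glob(globs="*", root=binaries[0].TempDir)})
"""

# Constructed variant: the same artifact with an expected_hash on the tool
# definition. The value is a placeholder, not the real digest of the release.
HARDENED = ARTIFACT.replace(
    "hollows_hunter64.exe\n",
    "hollows_hunter64.exe\n"
    "    expected_hash: <sha256-of-hollows_hunter64.exe-placeholder>\n",
)

# Constructed variant: a tool pulled over plain http from an unversioned path.
WEAK = ARTIFACT.replace(
    "https://github.com/hasherezade/hollows_hunter/releases/download/v0.2.7.1/hollows_hunter64.exe",
    "http://downloads.example.invalid/latest/hollows_hunter64.exe",
)

RELEASE_TAG = re.compile(r"/releases/download/v\d+(\.\d+)*/")


def parse_tools(artifact_text):
    """Extract the entries of the top-level `tools:` list as dicts.

    A deliberately small line-based reader (not Velociraptor's YAML loader) so
    this runs without PyYAML; it is sufficient for the flat key: value entries
    that tool definitions use."""
    tools = []
    in_tools = False
    for raw in artifact_text.splitlines():
        if not in_tools:
            in_tools = raw.strip() == "tools:"
            continue
        if raw and not raw[0].isspace():
            break  # next top-level key: the tools block is finished
        item = raw.strip()
        if item.startswith("- "):
            tools.append({})
            item = item[2:]
        if tools and ":" in item:
            key, _, value = item.partition(":")
            tools[-1][key.strip()] = value.strip()
    return tools


def audit_tool(tool):
    """Return the supply-chain findings for one tool definition."""
    findings = []
    url = tool.get("url", "")
    if urlparse(url).scheme != "https":
        findings.append("url is not https")
    if not RELEASE_TAG.search(url):
        findings.append("url is not pinned to a tagged release")
    if not tool.get("expected_hash"):
        findings.append("no expected_hash: the fetched binary is not integrity-checked")
    return findings


def audit_artifact(artifact_text):
    """Map each tool name to its findings; an empty list means the entry is clean."""
    return {t.get("name", "<unnamed>"): audit_tool(t) for t in parse_tools(artifact_text)}


if __name__ == "__main__":
    for label, text in (("gist", ARTIFACT), ("hardened", HARDENED), ("weak", WEAK)):
        for name, findings in audit_artifact(text).items():
            print(f"[{label}] {name}: {findings or 'ok'}")
```

Run against the gist's own text the audit reports only the missing `expected_hash`; the hardened variant passes, and the constructed http/unversioned variant trips all three checks. Pinning the release tag narrows what the endpoint will fetch, but only the hash ties the artifact to one specific binary regardless of what the download host serves later.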