Mike Cohen scudette

🦕
Digital Paleontologist
View GitHub Profile
-- Details are found here https://posts.specterops.io/utilizing-rpc-telemetry-7af9ea08a1d5
-- This comes from svcctl.idl
LET MethodLookup <= dict(
`0x0`="CloseServiceHandle",
`0x2`="DeleteService",
`0x6`="QueryServiceStatus",
`0x7`="SetServiceStatus",
`0xC`="CreateServiceW",
-- `0x37`="0x37",
@scudette
scudette / hijack dlls.vql
Created February 1, 2021 13:01
Detect Hijacked DLLs
LET Glob = '''C:\windows\**\*.dll'''
-- Apply the glob to search for matching DLLs.
LET DLLs = SELECT FullPath, Name, parse_pe(file=FullPath).Forwards AS Forwards,
lowcase(string=parse_string_with_regex(regex="^(?P<BareName>[^.]+)", string=Name).BareName) AS DLLBareName
FROM glob(globs=Glob)
WHERE NOT FullPath =~ "(WinSXS|Servicing)"
-- For each DLL, extract the forward strings.
SELECT * FROM foreach(row=DLLs, workers=20,
name: Custom.OSQuery.BlackJack
description: |
Get memory dumps of all processes with a named pipe called BlackJack
parameters:
- name: NamedProcessRegex
default: BlackJack
- name: OSQuery_query
default: "SELECT proc.parent AS process_parent, proc.path AS process_path, proc.pid AS process_id, proc.cwd AS process_directory, pipe.pid AS pipe_pid, pipe.name AS pipe_name FROM processes proc JOIN pipes pipe ON proc.pid=pipe.pid;"
@scudette
scudette / pipe_client.ps1
Created December 12, 2020 12:18
A named pipe client in powershell
$npipeClient = new-object System.IO.Pipes.NamedPipeClientStream(".", 'BlackJack', [System.IO.Pipes.PipeDirection]::InOut,
[System.IO.Pipes.PipeOptions]::None,
[System.Security.Principal.TokenImpersonationLevel]::Impersonation)
$npipeClient.Connect()
$script:pipeWriter = new-object System.IO.StreamWriter($npipeClient)
$pipeWriter.AutoFlush = $true
# Keep writing to the pipe once a second until the process is stopped.
while (1) {
$pipeWriter.WriteLine("hello")
Sleep 1
}
@scudette
scudette / pipe_server.ps1
Last active October 16, 2022 03:10
A named pipe server in powershell
while (1) {
$npipeServer = new-object System.IO.Pipes.NamedPipeServerStream('BlackJack',
[System.IO.Pipes.PipeDirection]::InOut)
$npipeServer.WaitForConnection()
$npipeServer.Close()
}
name: Windows.OSQuery.Generic
description: |
OSQuery is an excellent tool for querying system state across the
three supported Velociraptor platforms (Windows/Linux/MacOS).
You can read more about OSQuery on https://osquery.io/
reference:
- https://osquery.io/
- https://github.com/osquery/osquery
@scudette
scudette / upgrade.yaml
Created October 20, 2020 11:55
Upgrade
name: Custom.Admin.Client.Uninstall
description: |
Uninstall Velociraptor from the endpoint.
This artifact uninstalls a Velociraptor client (or any other MSI
package) from the endpoint.
Typically the client will be hard terminated during the uninstall
process, so on the server it would appear that the collection is not
completed. This is normal.
@scudette
scudette / server.config.yaml
Created September 27, 2020 13:46
A Sample server.config.yaml generated from the config wizard
version:
name: velociraptor
version: 0.5.0
commit: 6fc96b5f
build_time: "2020-09-22T18:21:45+10:00"
Client:
server_urls:
- https://test.velocidex-training.com:8000/
ca_certificate: |
-----BEGIN CERTIFICATE-----
name: Custom.Server.Hunts.CancelAndDelete
description: |
Velociraptor Hunts are a way of running the same flow on
many endpoints at once. Hunts issue very quickly and wait
until each endpoint returns results.
Sometimes, the artifacts collected might take a long time and
have unacceptable performance impact on the endpoint.
In some cases the artifacts end up retrieving too much data
that is not needed.
@scudette
scudette / w10pfdecomp.py
Created July 22, 2020 07:58 — forked from dfirfpi/w10pfdecomp.py
Windows 10 Prefetch (native) Decompress
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2015, Francesco "dfirfpi" Picasso <[email protected]>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0