forked from Velocidex/velociraptor-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create Windows.Forensics.Jumplists_JLECmd (Velocidex#792)
- Loading branch information
1 parent
fccb82d
commit 8cd339a
Showing
1 changed file
with
95 additions
and
0 deletions.
There are no files selected for viewing
95 changes: 95 additions & 0 deletions
95
content/exchange/artifacts/Windows.Forensics.Jumplists_JLECmd.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| name: Windows.Forensics.Jumplists_JLECmd | ||
| description: | | ||
| * Execute Eric Zimmerman's JLECmd to parse AUTOMATICDESTINATIONS-MS and CUSTOMDESTINATIONS-MS files in C:\ drive recursively and return output for analysis. (jlecmd.exe -d C:/ --csvf -csv tmpdir results.csv). | ||
| * JLECmd.zip is downloaded from the URL to 'C:\Program Files\Velociraptor\Tools' folder. | ||
| * JLECmd.zip can be uploaded to Velociraptor Server in order to copy it to the clients in case there is no internet connection. | ||
| * Created using @carlos_cajigas LECmd VQL as a quide. | ||
| * JLECmd is a CLI tool for analyzing Custom Destinations jump list data. Learn more - https://github.com/EricZimmerman/JLECmd | ||
| author: Orhan Emre @orhan_emre | ||
|
|
||
| type: CLIENT | ||
|
|
||
| tools: | ||
| - name: JLECmd | ||
| url: https://f001.backblazeb2.com/file/EricZimmermanTools/JLECmd.zip | ||
| expected_hash: 10bc3698867be7c707500afc01c45c44b6a0439d14e04477e08b76d95c87255c | ||
| version: 1.5.0 | ||
|
|
||
|
|
||
| parameters: | ||
| - name: sourceFile | ||
| default: . | ||
| type: regex | ||
| description: "RegEx pattern for the name or path of the Automatic and Custom Destinations jump list files. Example 'recent' folder" | ||
| - name: localPath | ||
| default: . | ||
| type: regex | ||
| description: "RegEx pattern for the name or path of the target of the Automatic and Custom Destinations jump list files. Example 'powershell_ise.exe'" | ||
| - name: arguments | ||
| default: . | ||
| type: regex | ||
| description: "Arguments of the Automatic and Custom Destinations jump list files. Example '/c powershell Invoke-Command'" | ||
| - name: dateAfter | ||
| description: "search for Automatic and Custom Destinations jump list files with a SourceCreated after this date. YYYY-MM-DD" | ||
| - name: dateBefore | ||
| description: "search for Automatic and Custom Destinations jump list files with a SourceCreated before this date. YYYY-MM-DD" | ||
|
|
||
| precondition: SELECT OS From info() where OS = 'windows' | ||
|
|
||
| sources: | ||
| - query: | | ||
| -- get context on target binary | ||
| LET jlecmdpackage <= SELECT * FROM Artifact.Generic.Utils.FetchBinary( | ||
| ToolName="JLECmd", IsExecutable=FALSE) | ||
| -- build tempfolder for output | ||
| LET tmpdir <= tempdir() | ||
| -- decompress utility | ||
| LET payload = SELECT * | ||
| FROM unzip(filename=jlecmdpackage[0].FullPath, | ||
| output_directory=tmpdir) | ||
| -- execute payload | ||
| LET deploy <= SELECT * | ||
| FROM execve(argv=[payload.NewPath[0], | ||
| "-d", | ||
| "c:/", | ||
| "--csv", | ||
| tmpdir + "jlecmd", | ||
| "--csvf", | ||
| "results.csv"]) | ||
| -- parse csv | ||
| SELECT SourceFile, SourceCreated, SourceModified, LocalPath, Arguments, | ||
| TargetCreated, TargetModified, VolumeLabel, DriveType, AppIdDescription, CommonPath, | ||
| VolumeSerialNumber, MachineID, MachineMACAddress, TargetMFTEntryNumber, TargetSequenceNumber, | ||
| TargetIDAbsolutePath, TrackerCreatedOn, ExtraBlocksPresent, HeaderFlags,FileAttributes, FileSize | ||
| FROM parse_csv(filename=tmpdir + "jlecmd" + "\\results_AutomaticDestinations.csv") | ||
| WHERE | ||
| (if(condition=dateAfter, then=SourceCreated > dateAfter, | ||
| else=TRUE) AND | ||
| if(condition=dateBefore, then=SourceCreated < dateBefore, | ||
| else=TRUE)) | ||
| AND SourceFile =~ sourceFile | ||
| AND LocalPath =~ localPath | ||
| AND Arguments =~ arguments | ||
| - query: | | ||
| -- parse csv | ||
| SELECT SourceFile, SourceCreated, SourceModified, LocalPath, Arguments, | ||
| TargetCreated, TargetModified, VolumeLabel, DriveType, AppIdDescription, CommonPath, | ||
| VolumeSerialNumber, MachineID, MachineMACAddress, TargetMFTEntryNumber, TargetSequenceNumber, | ||
| TargetIDAbsolutePath, TrackerCreatedOn, ExtraBlocksPresent, HeaderFlags,FileAttributes, FileSize | ||
| FROM parse_csv(filename=tmpdir + "jlecmd" + "\\results_CustomDestinations.csv") | ||
| WHERE | ||
| (if(condition=dateAfter, then=SourceCreated > dateAfter, | ||
| else=TRUE) AND | ||
| if(condition=dateBefore, then=SourceCreated < dateBefore, | ||
| else=TRUE)) | ||
| AND SourceFile =~ sourceFile | ||
| AND LocalPath =~ localPath | ||
| AND Arguments =~ arguments |