Windows Base VQL Sigma Model
This model is designed for dead-disk triage, or for file-based live
analysis using VQL rules. The rules that use this model will be
evaluated once on all events.
After all relevant rules are evaluated, the collection is complete.
Rules that utilize this model may include a `vql` section containing a
VQL lambda that dictates how the event is generated. This
allows the rule itself to generate all relevant fields.
For example:
vql: |
x=>dict(
Timestamp=timestamp(epoch=now()),
EventData=dict(
Files=SearchFiles(Glob='C:/Users/*/AppData/Roaming/rclone/rclone.conf')
))
The following utility functions are defined:
SearchFiles(Glob): Allows searching for files with a
glob. Returns the file size as well as the first 100 bytes.
SearchRegistryKeys(Glob): Allows searching for registry keys -
returns a dict with key/value pairs from the registry.
Log Sources
The following is a list of recognized log sources.
Field Mappings
The following field mappings can be used to access fields within the
event. Note that it is also possible to access the fields directly
(e.g. EventData.AccessMask)
| Name | Mapping |
|---|---|
| EventData | x=>x.EventData |
| Hash | x=>hash(path=x.EventData.Image) |
| Image | x=>x.EventData.Image |
| Mtime | x=>x.EventData.Mtime |
| Name | x=>x.EventData.Name |
| OSPath | x=>x.EventData.OSPath |
| Size | x=>x.EventData.Size |
| Timestamp | x=>timestamp(epoch=now()) |
vql/windows/*
This log source emits a single event. All rules using the log
source will receive this event, where they can run arbitrary VQL
queries to build the event themselves.
This is most useful for rules that want to generate their own
event data.
Details
VQL Query
-- The single synthetic event for the vql/windows/* log source. Rules on
-- this source build their own EventData through their `vql:` lambda, so
-- the EventData emitted here is deliberately empty and Timestamp is the
-- evaluation time.
SELECT timestamp(epoch=now()) AS Timestamp,
dict(
Computer=Hostname,
-- Note: the other sources on this page use Channel='Velociraptor'.
Channel="VQL Evaluation",
TimeCreated=dict(SystemTime=now())
) AS System,
-- Empty on purpose: the rule's lambda supplies the fields.
dict() AS EventData
-- One row from scope(), hence exactly one event.
FROM scope()
Sample use in a sigma rule:
logsource:
category: vql
product: windows
filesystem/windows/glob
This log source searches all files on the drive; it takes a
long time, but it allows rules to check for the presence of a particular
filename.
Details
VQL Query
-- Walks every path under C: (glob 'C:/**'), one event per entry, with the
-- file's modification time as the event Timestamp. Expensive on large
-- volumes (see the description above).
SELECT Mtime AS Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
-- Only path metadata is projected; this query does not read file content.
dict(Name=Name,
OSPath=OSPath,
Size=Size,
Mtime=Mtime) AS EventData
FROM glob(globs='C:/**')
Sample use in a sigma rule:
logsource:
category: filesystem
product: windows
service: glob
*/windows/schtasks
Enumerates all scheduled tasks.
Details
VQL Query
-- One event per row of the TaskScheduler artifact: every artifact column is
-- forwarded unchanged via * and only System is added. No Timestamp is
-- projected explicitly; unless the artifact's columns include one, the
-- model's Timestamp mapping (timestamp(epoch=now()) in the table above)
-- yields the evaluation time rather than a task-related time.
SELECT dict(Computer=Hostname, Channel='Velociraptor') AS System, *
FROM Artifact.Windows.System.TaskScheduler()
Sample use in a sigma rule:
logsource:
product: windows
service: schtasks
*/windows/services
Details
VQL Query
-- One event per installed service. Every Services artifact column is kept
-- (*) and three Sigma-style aliases are added so process-oriented
-- selectors can be reused: CommandLine is the service PathName, Image is
-- the ServiceDll and User is the UserAccount.
-- NOTE(review): Image is the DLL, not the service executable; a rule that
-- expects Image to hold the binary named in PathName should match
-- CommandLine instead.
SELECT dict(Computer=Hostname, Channel='Velociraptor') AS System, *,
PathName AS CommandLine, ServiceDll AS Image,
UserAccount AS User
FROM Artifact.Windows.System.Services()
Sample use in a sigma rule:
logsource:
product: windows
service: services
persistence/windows/services
Details
VQL Query
-- Same query as the */windows/services source, registered here under
-- category: persistence. All Services artifact columns are kept (*) and
-- aliased for Sigma: CommandLine is PathName, Image is ServiceDll, User is
-- UserAccount.
-- NOTE(review): Image is the service DLL, not the executable in PathName;
-- rules keyed on the service binary should match CommandLine.
SELECT dict(Computer=Hostname, Channel='Velociraptor') AS System, *,
PathName AS CommandLine, ServiceDll AS Image,
UserAccount AS User
FROM Artifact.Windows.System.Services()
Sample use in a sigma rule:
logsource:
category: persistence
product: windows
service: services
process_creation/vql/execution
Details
VQL Query
-- Forwards every column of the EvidenceOfExecution artifact unchanged (*)
-- and adds System. No Timestamp is projected explicitly, so unless the
-- artifact supplies one the model's Timestamp mapping evaluates to
-- timestamp(epoch=now()); rules should not assume an execution time here.
SELECT dict(Computer=Hostname, Channel='Velociraptor') AS System, *
FROM Artifact.Windows.Analysis.EvidenceOfExecution()
Sample use in a sigma rule:
logsource:
category: process_creation
product: vql
service: execution
webserver/windows/*
Details
VQL Query
-- One event per row of the IISLogs artifact (presumably one per log line;
-- confirm against the artifact). All artifact columns pass through via *
-- and only System is added, so field names are whatever the artifact emits.
SELECT dict(Computer=Hostname, Channel='Velociraptor') AS System, *
FROM Artifact.Windows.Applications.IISLogs()
Sample use in a sigma rule:
logsource:
category: webserver
product: windows
process_creation/windows/pslist
Details
VQL Query
-- One event per process known to the process tracker, enriched with the
-- parent (P) and grandparent (GP) entries and with on-disk hashes of the
-- process image (H) and parent image (PH).
SELECT CreateTime AS Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
dict(CreateTime=CreateTime, CommandLine= CommandLine,
-- H/PH hash the file currently at Exe / the parent's Exe; they are left
-- empty when no Exe is known (the if() calls below have no else branch).
Image=Exe, MD5=H.MD5, SHA256=H.SHA256, SHA1=H.SHA1,
ParentCommandLine=P.CommandLine,
ParentImage=P.Exe,
ParentMD5=PH.MD5,
ParentSHA1=PH.SHA1,
ParentSHA256=PH.SHA256,
GrandParentCommandLine=GP.CommandLine,
GrandParentImage=GP.Exe,
User=Username
) AS EventData
FROM foreach(row={
SELECT StartTime AS CreateTime,
Pid, CommandLine, Exe,
-- Parent lookup by Ppid; .Data holds the tracked process fields.
process_tracker_get(id=Ppid).Data AS P,
-- Hash the parent image only when its path is known. The parent lookup
-- is repeated three times per row; binding it once would be clearer.
if(condition=process_tracker_get(id=Ppid).Data.Exe,
then=hash(path=process_tracker_get(id=Ppid).Data.Exe)) AS PH,
-- Grandparent: follow the parent entry's ParentId one more level.
process_tracker_get(id=process_tracker_get(id=Ppid).ParentId).Data AS GP,
if(condition=Exe, then=hash(path=Exe)) AS H,
Username
FROM process_tracker_pslist()
})
Sample use in a sigma rule:
logsource:
category: process_creation
product: windows
service: pslist
image_load/vql/pslist
Details
VQL Query
-- One event per (process, loaded module) pair: the row= query lists
-- tracked processes and the query= part runs modules() for each of them.
-- Every module file is hashed (MH) for every process, so this source is
-- considerably more expensive than process_creation/windows/pslist.
SELECT CreateTime AS Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
dict(CommandLine=CommandLine,
Image=Exe,
User=Username,
-- Hashes of the process image (H) and of the module file (MH).
MD5=H.MD5,
SHA1=H.SHA1,
SHA256=H.SHA256,
ModuleName=ModuleName,
ModulePath=ModulePath,
ModuleMD5=MH.MD5,
ModuleSHA1=MH.SHA1,
ModuleSHA256=MH.SHA256,
GrandParentImage=GP.Exe,
GrandParentCommandLine=GP.CommandLine,
ParentCommandLine=P.CommandLine,
ParentImage=P.Exe,
ParentMD5=PH.MD5,
ParentSHA1=PH.SHA1,
ParentSHA256=PH.SHA256) AS EventData
FROM foreach(
row={
-- Per-process context: parent entry (P) and hash of the process image (H),
-- computed once per process rather than once per module.
SELECT StartTime AS CreateTime,
Pid, CommandLine, Exe,
process_tracker_get(id=Ppid).Data AS P,
if(condition=Exe, then=hash(path=Exe)) AS H,
Username
FROM process_tracker_pslist()},
query={
SELECT CreateTime, Exe, CommandLine, P, H, Username,
-- Parent image hash; falls back to P.Exe itself (i.e. empty) when unknown.
if(condition=P.Exe, then=hash(path=P.Exe), else=P.Exe) AS PH,
-- ExePath comes from modules() and is exposed as ModulePath; presumably
-- the module's on-disk path, which is what hash() reads.
ModuleName, ExePath AS ModulePath,
if(condition=ExePath, then=hash(path=ExePath), else=ExePath) AS MH,
-- Grandparent via the parent's Ppid (P is the parent's Data).
process_tracker_get(id=P.Ppid).Data AS GP
FROM modules(pid=int(int=Pid))}
)
Sample use in a sigma rule:
logsource:
category: image_load
product: vql
service: pslist
network_connection/windows/netstat
Details
VQL Query
-- One event per connection from netstat(), joined to the process tracker
-- entry (pt) so the owning image, command line and parent image are
-- available to rules.
-- NOTE(review): the pslist sources above read StartTime from the tracker
-- entry; confirm that CreateTime exists on it, otherwise Timestamp is empty
-- here while the netstat Timestamp column is carried through but unused.
SELECT pt.CreateTime AS Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
dict(CommandLine=CommandLine,
Status= Status,
Image=Image,
LocalIP= LocalIP,
LocalPort= LocalPort,
RemoteIP= RemoteIP,
RemotePort = RemotePort,
ParentImage= ParentImage,
Protocol= Protocol) AS EventData
FROM foreach(
-- Tracker lookup once per connection row.
row={SELECT * , process_tracker_get(id=Pid) AS pt FROM netstat()},
query={
-- Flatten Laddr/Raddr and pull process details out of pt.Data.
SELECT Timestamp,
Laddr.IP as LocalIP, Laddr.Port AS LocalPort,
Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort,
Pid, TypeString AS Protocol, Status, pt.Data.Exe AS Image,
pt.Data.CommandLine as CommandLine,
process_tracker_get(id=pt.Data.Ppid).Data.Exe AS ParentImage,
pt
FROM scope()})
Sample use in a sigma rule:
logsource:
category: network_connection
product: windows
service: netstat
*/windows/wmi
Exposes permanent WMI subscriptions (Filter + Consumer) in a Sigma-friendly format.
Helps detect uptime-based persistence and consumers that launch processes.
Details
VQL Query
-- One event per permanent WMI subscription (filter + consumer) from the
-- PermanentWMIEvents artifact. Timestamp is the evaluation time, not the
-- time the subscription was created.
SELECT
timestamp(epoch=now()) AS Timestamp,
dict(
Computer=Hostname,
Channel="Velociraptor",
TimeCreated=dict(SystemTime=now())
) AS System,
dict(
Namespace=Namespace,
-- Filter and consumer details are passed through as the artifact returns
-- them; rules match on their contents (e.g. a process-launching consumer's
-- command line). Confirm the exact shape against the artifact output.
FilterDetails=FilterDetails,
ConsumerDetails=ConsumerDetails
) AS EventData
FROM Artifact.Windows.Persistence.PermanentWMIEvents(
-- NOTE(review): presumably restricts the search to the default namespace;
-- check the artifact parameter before relying on coverage of other
-- namespaces under ROOT.
AllRootNamespaces=false
)
Sample use in a sigma rule:
logsource:
product: windows
service: wmi
forensics/windows/prefetch
Parse Windows Prefetch files (dead-disk or live). Emits one row per PF entry with useful triage fields for Sigma.
Details
VQL Query
-- One event per parsed Prefetch (.pf) file. Timestamp is the file's
-- ModificationTime, not one of the LastRunTimes values.
SELECT
ModificationTime AS Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
dict(
Name=PrefetchFileName,
-- Executable as parsed by the artifact; confirm whether it is a bare
-- name or a full path before writing path-based selectors.
Image=Executable,
OSPath=OSPath,
-- Directory of OSPath (presumably the .pf file), not of the executable.
Directory=dirname(path=OSPath),
Mtime=ModificationTime,
RunCount=RunCount,
LastRunTimes=LastRunTimes,
-- Hash value from the PF metadata, stringified; presumably the prefetch
-- hash rather than a content hash of the .pf file — confirm.
PrefetchHash=string(Hash)
) AS EventData
FROM Artifact.Windows.Forensics.Prefetch()
Sample use in a sigma rule:
logsource:
category: forensics
product: windows
service: prefetch
process_creation/windows/attack_prefetch
Lightweight Prefetch view used by Windows.Attack.Prefetch. Helpful for quick presence checks of executables that created PF entries.
Details
VQL Query
-- Lightweight view over Windows.Attack.Prefetch rows for quick presence
-- checks. Timestamp is the .pf file's `modified` time.
SELECT
modified AS Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
dict(
Name=Name,
Mtime=modified,
ModTime=ModTime,
-- Image is the part of the .pf name before its first '-' (typically the
-- executable name), so it is a bare file name rather than a path, and an
-- executable whose own name contains '-' is cut short here.
Image=get(item=split(string=Name, sep='-'), member=0)
) AS EventData
FROM Artifact.Windows.Attack.Prefetch()
Sample use in a sigma rule:
logsource:
category: process_creation
product: windows
service: attack_prefetch
forensics/windows/usn
USN Journal parser output normalized for Sigma. Emits filesystem change records with path, filename, reason flags and MFT identifiers.
Details
VQL Query
-- One event per USN journal record; Timestamp is the record's own
-- Timestamp column, passed through unaliased.
SELECT
Timestamp,
dict(Computer=Hostname, Channel='Velociraptor') AS System,
dict(
OSPath=OSPath,
-- Source column is Filename; exposed as FileName for Sigma selectors.
FileName=Filename,
-- USN reason flags as returned by the artifact (see description above).
Reason=Reason,
MFTId=MFTId,
ParentMFTId=ParentMFTId
) AS EventData
FROM Artifact.Windows.Forensics.Usn()
Sample use in a sigma rule:
logsource:
category: forensics
product: windows
service: usn