Windows Base VQL Sigma Model #

This model is designed for triage of dead disk, or file based live analysis using VQL rules. The rules that use this model will be evaluated once on all events.

After all relevant rules are evaluated, the collection is complete.

Rules that utilize this model may include a vql section which may contain a VQL lambda that dictates how the event is generated. This allows the rule itself to generate all relevant fields.

For example:

vql: |
  x=>dict(
    Timestamp=timestamp(epoch=now()),
    EventData=dict(
      Files=SearchFiles(Glob='C:/Users/*/AppData/Roaming/rclone/rclone.conf')
    ))

The following utility functions are defined:

  • SearchFiles(Glob): Allows searching for files with a glob. Returns the file size as well as the first 100 bytes.

  • SearchRegistryKeys(Glob): Allows searching for registry keys - returns a dict with key/value pairs from the registry.
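As an added example (not from the Velociraptor documentation itself), here is a complete rule that uses the vql section to build its own event from both utility functions and then matches on a field the lambda computed. The logsource keys (assuming the vql/windows/* log source is expressed as category/product), the ConfigFound and RunEntries field names, the boolean match in the detection block and the registry glob form are assumptions not documented on this page; the rule id is a placeholder and the file glob is the one from the page's own example.

```yaml
title: Rclone configuration present in a user profile (added example)
id: 00000000-0000-0000-0000-000000000000   # placeholder, assign a real UUID before use
status: experimental
description: >
  Builds its own event with the model's SearchFiles and SearchRegistryKeys
  helpers and fires when an rclone config exists in any user profile.
logsource:
  category: vql        # assumption: vql/windows/* maps to category/product
  product: windows
# Assumed field names: ConfigFound (true when the glob matched at least one
# file) and RunEntries (assumed registry glob form for the HKLM Run key).
vql: |
  x=>dict(
    Timestamp=timestamp(epoch=now()),
    EventData=dict(
      Files=SearchFiles(Glob='C:/Users/*/AppData/Roaming/rclone/rclone.conf'),
      ConfigFound=len(list=SearchFiles(Glob='C:/Users/*/AppData/Roaming/rclone/rclone.conf')) > 0,
      RunEntries=SearchRegistryKeys(Glob='HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run/*')
    ))
detection:
  selection:
    EventData.ConfigFound: true   # assumption: direct field access as described on this page
  condition: selection
level: medium
```

The point of the lambda is that the event carries both the raw evidence (Files, RunEntries, with sizes and the first 100 bytes as described above) for the analyst and a scalar summary (ConfigFound) that the Sigma detection block can match on without needing a modifier that understands lists.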

Log Sources #

Following is a list of recognized log sources.

  • vql/windows/*: This log source emits a single event. All rules using the log source will receive this event, where they can run arbitrary VQL queries to build the event themselves.

  • filesystem/windows/glob: This log source searches for all files on the drive - it takes a long time but allows rules to check for presence of a particular filename.

  • */windows/schtasks: Enumerates all scheduled tasks.

  • */windows/services

  • persistence/windows/services

  • process_creation/vql/execution

  • webserver/windows/*

  • process_creation/windows/pslist

  • image_load/vql/pslist

  • network_connection/windows/netstat

  • */windows/wmi: Exposes permanent WMI subscriptions (Filter + Consumer) in a Sigma-friendly format.

  • forensics/windows/prefetch: Parse Windows Prefetch files (dead-disk or live). Emits one row per PF entry with useful triage fields for Sigma.

  • process_creation/windows/attack_prefetch: Lightweight Prefetch view used by Windows.Attack.Prefetch. Helpful for quick presence checks of executables that created PF entries.

  • forensics/windows/usn: USN Journal parser output normalized for Sigma. Emits filesystem change records with path, filename, reason flags and MFT identifiers.

Field Mappings #

The following field mappings can be used to access fields within the event. Note that it is also possible to access the fields directly (e.g. EventData.AccessMask).

vql/windows/* #

This log source emits a single event. All rules using the log source will receive this event, where they can run arbitrary VQL queries to build the event themselves.

This is most useful for rules that want to generate their own event data.

filesystem/windows/glob #

This log source searches for all files on the drive - it takes a long time but allows rules to check for presence of a particular filename.

*/windows/schtasks #

Enumerates all scheduled tasks.

*/windows/services #

persistence/windows/services #

process_creation/vql/execution #

webserver/windows/* #

process_creation/windows/pslist #

image_load/vql/pslist #

network_connection/windows/netstat #

*/windows/wmi #

Exposes permanent WMI subscriptions (Filter + Consumer) in a Sigma-friendly format. Helps detect uptime-based persistence and consumers that launch processes.

forensics/windows/prefetch #

Parse Windows Prefetch files (dead-disk or live). Emits one row per PF entry with useful triage fields for Sigma.

process_creation/windows/attack_prefetch #

Lightweight Prefetch view used by Windows.Attack.Prefetch. Helpful for quick presence checks of executables that created PF entries.

forensics/windows/usn #

USN Journal parser output normalized for Sigma. Emits filesystem change records with path, filename, reason flags and MFT identifiers.