Velociraptor

This is a collection of rules used to monitor for events retrieved using Velociraptor integrated with InsightIDR.

Velociraptor - Alert.Windows.Events.EventLogModifications

Description

This detection rule and Velociraptor artifact identify the state of the event log system from the registry and attempt to detect when event logs were disabled. It is possible to disable Windows event logs on a per-channel or per-provider basis, and malicious actors might disable critical log sources to prevent detections.

Recommendation

Follow the View in Velociraptor link in the investigation to go to the associated artifact event timeline in Velociraptor.

Velociraptor - Alert.Windows.EVTX.PowerPickHostVersion

Description

This detection rule and Velociraptor artifact identify whether the PowerPick tool has been invoked on a client. To capture additional context, ensure that PowerShell script block and module logging are enabled on the clients and deploy the Windows.ETW.Powershell artifact from the Velociraptor Artifact Exchange. This artifact is based on PowerPick research by CrowdStrike. As noted in the blog post, when PowerPick is run, the PowerShell logs on the target system might contain an EID 400 event where the HostVersion and EngineVersion fields in the message have different values. In recent purple team exercises, Rapid7 observed that the mismatched HostVersion value was always "1.0", providing a simple way to monitor for this activity as a backup to other PowerShell or Cobalt Strike rules. If this artifact generates an event on a client, check the PowerShell Operational logs for suspicious 410x events (especially 4104). If the Windows.ETW.Powershell artifact is also enabled on the client and did not fire an event, update that artifact's IOC list with the new information and redeploy it.
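The version-mismatch check described above, as an added example rather than the artifact's own VQL: it parses the HostVersion and EngineVersion fields out of EID 400 message text and flags events where they differ, noting when HostVersion is the "1.0" value reported above. The sample events are constructed; the field layout follows the "Engine state is changed" message that PowerShell writes as event ID 400.

```python
"""Flag PowerShell EID 400 events whose HostVersion and EngineVersion differ.

Added example, not part of the InsightIDR rule set or the Velociraptor
artifact. Sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields of interest inside the "Details:" part of an EID 400 message.
FIELD_RE = re.compile(r"\b(HostName|HostVersion|EngineVersion)=(\S*)")


@dataclass
class Finding:
    host_name: str
    host_version: str
    engine_version: str
    host_version_is_1_0: bool  # the HostVersion value seen in the exercises above


def parse_fields(message: str) -> dict:
    """Extract the key=value fields this check needs from the message text."""
    return {key: value for key, value in FIELD_RE.findall(message)}


def check_eid400(event_id: int, message: str) -> Optional[Finding]:
    """Return a Finding for an EID 400 event with mismatched versions, else None."""
    if event_id != 400:
        return None
    fields = parse_fields(message)
    host_v = fields.get("HostVersion", "")
    engine_v = fields.get("EngineVersion", "")
    if not host_v or not engine_v or host_v == engine_v:
        return None  # missing fields or a normal, matching host/engine pair
    return Finding(fields.get("HostName", ""), host_v, engine_v, host_v == "1.0")


def scan(events: List[Tuple[int, str]]) -> List[Finding]:
    """Run the check over (event_id, message) pairs and collect findings."""
    return [f for f in (check_eid400(eid, msg) for eid, msg in events) if f]


# Constructed samples: a normal console start, a mismatched event of the
# kind the artifact looks for, and a non-400 event that must be ignored.
SAMPLE_EVENTS = [
    (400, "Engine state is changed from None to Available. Details: "
          "NewEngineState=Available PreviousEngineState=None SequenceNumber=13 "
          "HostName=ConsoleHost HostVersion=5.1.19041.1 HostId=constructed "
          "EngineVersion=5.1.19041.1 RunspaceId=constructed"),
    (400, "Engine state is changed from None to Available. Details: "
          "NewEngineState=Available PreviousEngineState=None SequenceNumber=9 "
          "HostName=ExampleHost HostVersion=1.0 HostId=constructed "
          "EngineVersion=5.1.19041.1 RunspaceId=constructed"),
    (403, "Engine state is changed from Available to Stopped. Details: "
          "HostName=ExampleHost HostVersion=1.0 EngineVersion=5.1.19041.1"),
]
```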

Recommendation

Follow the View in Velociraptor link in the investigation to go to the associated artifact event timeline in Velociraptor.

Velociraptor - Alert.Windows.ETW.Powershell

Description

This detection rule and Velociraptor artifact enable PowerShell script block and cmdlet load monitoring. The artifact uses the ETW provider Microsoft-Windows-PowerShell. The detection logic is managed by several global ignore entries and an IOC CSV.

Recommendation

Follow the View in Velociraptor link in the investigation to go to the associated artifact event timeline in Velociraptor.

Velociraptor - Alert.Windows.Events.ServiceCreation

Description

This detection rule and Velociraptor artifact identify the creation of new services. New services are typically created by installing new software or kernel drivers. Malicious actors sometimes install a new service to either insert a malicious kernel driver or as a persistence mechanism. This event monitor extracts the service creation events from the event log and records them on the server.

Recommendation

Follow the View in Velociraptor link in the investigation to go to the associated artifact event timeline in Velociraptor.

Velociraptor - Catch All

Description

This detection rule identifies detections from Velociraptor artifacts that are not part of InsightIDR's known set. These artifacts can be user-created artifacts specific to your organization, new artifacts imported from the Artifact Exchange, or customized artifacts from the built-in set.

Recommendation

Follow the View in Velociraptor link in the investigation to go to the associated artifact event timeline in Velociraptor.