Skip to content

Custom Artifacts

Jump to bottom Edit New page
eduardomcm edited this page Jun 10, 2021 · 18 revisions

This is a collection of custom artifacts donated by the community. They are not as well tested as the officially maintained artifacts but might be useful.

Be sure to test these thoroughly prior to using them in real life.

Registry analysis

Hash Run Key Binaries

Process Creation Tracking EventID 4688

MUI Cache

JumpLists - via Eric Zimmerman's JLECmd

Hashes

Windows.Services.Hashes - Hash binaries of installed services

VSS

Query the available Volume Shadows

Query and then Upload a file from a Volume Shadow

Event logs

Yara scan for relevant event logs

Stand alone triage

In this configuration, Velociraptor can be made to automatically run and collect all needed files when double clicked.

Uploader with memory acquisition

Server Event Artifacts

Label clients containing a username

Send a Slack message when a username appears

Create an alert in TheHive when an artifact returns a result

Auto-load updated artifacts from disk

Server admin and management

These artifacts can be run from the "Server Artifacts" screen. Collecting them performs some kind of management task on the server itself.

Server.Hunts.CancelAndDelete - Cancel an inflight hunt and maybe delete all collected files

Add a custom footer
Add a custom sidebar
Clone this wiki locally