
Create Windows.NTFS.MFT.JwrapperRemoteAccess #919

Open: wants to merge 1 commit into master

Conversation

dlydon-r7

Proposing this artifact to identify IP addresses pertaining to SimpleHelp RMM tool usage. Note: this is a reopening of a pull request after some edits were made to the VQL query.
@scudette (Collaborator)

Is it important to use the MFT artifact as a base? It's really a heavy artifact and it looks like you are just looking for files in known locations. Would a glob work just as well but much faster?

@dlydon-r7 (Author)

Hey @scudette, you are right; initially I was put off by the performance note on the artifact "Windows.Search.FileFinder", but as we are not acquiring file contents it should be fine.

I tested it using glob and it is indeed much faster. The artifact is below; should I submit a new pull request?

```yaml
name: Windows.Search.JwrapperRemoteAccessIPAddress
description: |
   This artifact discovers IP addresses pertaining to SimpleHelp RMM usage. SimpleHelp uses JWrapper Remote Access under the hood and logs the destination address and port to a file within the directory "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\hash.repository\urls\".

   Alternatively, the IP addresses can also be identified from the config file located at "C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml".

precondition:
  SELECT * FROM info() where OS = 'windows'

parameters:
  - name: SearchFilesGlob
    default: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\hash.repository\urls\*
    description: Use a glob to define the files that will be searched.

  - name: Accessor
    default: auto
    description: The accessor to use
    type: choices
    choices:
      - auto
      - registry
      - file
      - ntfs

  - name: MoreRecentThan
    default: ""
    type: timestamp

  - name: ModifiedBefore
    default: ""
    type: timestamp

sources:
  - query: |
      -- Forward every declared parameter to FileFinder. Only the glob was
      -- passed originally, so Accessor and the two timestamp filters had
      -- no effect on the underlying search.
      SELECT *
      FROM Artifact.Windows.Search.FileFinder(
            SearchFilesGlob=SearchFilesGlob,
            Accessor=Accessor,
            MoreRecentThan=MoreRecentThan,
            ModifiedBefore=ModifiedBefore)
```

@scudette (Collaborator)

I'm actually more interested in making this into a Sigma rule.

I think it's easier to just hit up the endpoint with all the rules and see what sticks than having to remember to collect distinct artifacts and then check each one separately.

There should be some examples in the Sigma repo for such rules.
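One shape such a rule could take, added here as an example and not taken from this PR or from the Sigma repository: a file_event rule keyed on the JWrapper shared config directory named in the artifact description, so that any endpoint where SimpleHelp has written its url files or serviceconfig.xml matches. The title, the MITRE tag (T1219, Remote Access Software) and the Sysmon-style TargetFilename field are my choices; the rule still needs an id (a freshly generated UUID) before Sigma tooling will accept it.

```yaml
# Added example rule (not from the Sigma repo). Assumes Sysmon Event ID 11
# (FileCreate) style telemetry mapped to Sigma's file_event category.
title: SimpleHelp (JWrapper Remote Access) Configuration Files Written
# id: <generate a fresh UUID4 before use>
status: experimental
description: |
  Detects files being written under the JWrapper-Remote Access shared
  configuration directory that SimpleHelp creates. The "hash.repository\urls"
  files and serviceconfig.xml record the remote address and port the RMM
  agent connects to, so a hit both flags RMM presence and points the analyst
  at the files holding the remote endpoint.
author: added example
date: 2024-09-24
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: '\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\'
  condition: selection
fields:
  - Image
  - TargetFilename
  - User
falsepositives:
  - Authorised SimpleHelp deployments by IT or helpdesk staff
level: medium
tags:
  - attack.command-and-control
  - attack.t1219
```

Matching on the whole JWAppsSharedConfig directory rather than only the urls subfolder means the rule fires on first install as well as on later reconnects; narrow the contains string to hash.repository\urls\ if only connection activity is wanted.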


@dlydon-r7 (Author)

dlydon-r7 commented Sep 24, 2024

Yeah, that's a good point; if I get the time I might be able to look into the Sigma aspect of it.

For the artifact itself, my thinking was more along the lines of alert triage: the analyst responding to an alert involving SimpleHelp (JWrapper) can simply run the artifact to get the IP address the RMM is talking to.
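For that triage use, a file listing is only half the job; the analyst still has to open each file to read the address. The artifact below is an added example, not part of this PR, that reads the url files and serviceconfig.xml and extracts IPv4:port pairs with a named-group regex, returning the endpoints as columns. It assumes the address appears in those files as plain "a.b.c.d:port" text (the page does not describe the file format); the artifact name, parameter names and the regex are mine.

```yaml
name: Custom.Windows.JWrapperRemoteAccess.Endpoints
description: |
   Added example (not part of PR #919). Pulls IPv4:port pairs out of the
   JWrapper-Remote Access url files and serviceconfig.xml so the analyst
   gets the remote endpoint directly instead of a file listing.
   Assumption: the address is present in these files as plain "a.b.c.d:port".

precondition:
  SELECT * FROM info() where OS = 'windows'

parameters:
  - name: UrlsGlob
    default: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\hash.repository\urls\*
    description: Files in which JWrapper records the destination address and port.
  - name: ConfigGlob
    default: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\serviceconfig.xml
    description: Service config file that also carries the address.
  - name: Accessor
    default: auto
    type: choices
    choices:
      - auto
      - file
      - ntfs
  - name: EndpointRegex
    default: '(?P<IPAddress>(?:\d{1,3}\.){3}\d{1,3}):(?P<Port>\d{1,5})'
    description: |
      Named-group regex; the IPAddress and Port groups become result columns.
      Deliberately loose (does not range-check octets); tighten if it over-matches.

sources:
  - query: |
      -- Both targets are a handful of small files, so reading their
      -- contents is cheap (unlike the MFT scan the PR started from).
      LET candidates = SELECT OSPath, Size, Mtime
        FROM glob(globs=[UrlsGlob, ConfigGlob], accessor=Accessor)

      -- parse_records_with_regex yields one row per regex match, with the
      -- named capture groups exposed as columns.
      SELECT OSPath AS SourceFile, Mtime AS FileModified, IPAddress, Port
      FROM foreach(row=candidates,
        query={
          SELECT OSPath, Mtime, IPAddress, Port
          FROM parse_records_with_regex(file=OSPath,
                                        accessor=Accessor,
                                        regex=EndpointRegex)
        })
      GROUP BY SourceFile, IPAddress, Port
```

The GROUP BY collapses repeated mentions of the same endpoint within one file, so a hunt across many hosts returns one row per (file, address, port) rather than one per occurrence; drop it if the match count itself is of interest.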
