Memory uplift (Velocidex#39) (Velocidex#2394)

* Add pid filter and rename to ProcessMemory dump * Add Windows.Detection.EnvironmentVariables filters and notebook template fix
mirwitch · Jan 24, 2023 · 554ce1b · 554ce1b
1 parent f56ffee
commit 554ce1b
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 20 deletions.
diff --git a/artifacts/definitions/Windows/Detection/EnvironmentVariables.yaml b/artifacts/definitions/Windows/Detection/EnvironmentVariables.yaml
@@ -6,15 +6,15 @@ parameters:
    - name: ProcessNameRegex
      default: .
      type: regex
-
+   - name: PidRegex
+     default: .
+     type: regex
    - name: EnvironmentVariableRegex
      default: COMSPEC|COR_PROFILER
      type: regex
-
    - name: FilterValueRegex
      default: .
      type: regex
-
    - name: WhitelistValueRegex
      description: Ignore these values
      default: ^C:\\Windows\\.+cmd.exe$
@@ -27,11 +27,11 @@ sources:
     query: |
       SELECT * FROM foreach(
       row={
-          SELECT * FROM Artifact.Windows.Forensics.ProcessInfo(
-             ProcessNameRegex=ProcessNameRegex)
+          SELECT * FROM Artifact.Windows.Memory.ProcessInfo(
+             ProcessNameRegex=ProcessNameRegex, PidRegex=PidRegex)
       },
       query={
-          SELECT Name, ImagePathName, CommandLine,
+          SELECT Pid, Name, ImagePathName, CommandLine,
              _key AS Var, _value AS Value
           FROM items(item=Env)
       })
@@ -62,7 +62,7 @@ sources:
           {{ end }}
 
           {{ $unusual = Query "SELECT * FROM source() WHERE \
-              Var =~ 'COMSPEC' AND NOT CommandLine =~ 'cmd.exe$'" | Expand }}
+              Var =~ 'COMSPEC' AND NOT Value =~ 'cmd.exe$'" | Expand }}
           {{ if $unusual }}
 
           ## Unusual COMSPEC setting.

diff --git a/...nitions/Windows/Triage/ProcessMemory.yaml → ...finitions/Windows/Memory/ProcessDump.yaml b/...nitions/Windows/Triage/ProcessMemory.yaml → ...finitions/Windows/Memory/ProcessDump.yaml
@@ -1,19 +1,25 @@
-name: Windows.Triage.ProcessMemory
+name: Windows.Memory.ProcessDump
 description: |
-  Dump process memory and upload to the server
+  Dump process memory and upload to the server.
+
+  Previously named Windows.Triage.ProcessMemory
 
 precondition: SELECT OS From info() where OS = 'windows'
 
 parameters:
-  - name: processRegex
+  - name: ProcessRegex
     default: notepad
     type: regex
+  - name: PidRegex
+    default: .
+    type: regex
 
 sources:
   - query: |
         LET processes = SELECT Name as ProcessName, CommandLine, Pid
             FROM pslist()
-            WHERE Name =~ processRegex
+            WHERE Name =~ ProcessRegex
+              AND str(str=Pid) =~ PidRegex
 
         SELECT * FROM foreach(
           row=processes,

diff --git a/...itions/Windows/Forensics/ProcessInfo.yaml → ...finitions/Windows/Memory/ProcessInfo.yaml b/...itions/Windows/Forensics/ProcessInfo.yaml → ...finitions/Windows/Memory/ProcessInfo.yaml
@@ -1,11 +1,22 @@
-name: Windows.Forensics.ProcessInfo
+name: Windows.Memory.ProcessInfo
 description: |
-   Extract information about processes.
+   This artifact returns process information obtained by parsing the PEB directly.
+
+   Renamed Windows.Forensics.ProcessInfo
 
 parameters:
   - name: ProcessNameRegex
     default: .
     type: regex
+  - name: PidRegex
+    default: .
+    type: regex
+  - name: ImagePathRegex
+    default: .
+    type: regex
+  - name: CommandLineRegex
+    default: .
+    type: regex
 
 sources:
 - query: |
@@ -75,8 +86,11 @@ sources:
         FROM ParsePeb(PID=PID)
 
         SELECT * FROM foreach(row={
-           SELECT Pid FROM pslist()
-           WHERE Name =~ ProcessNameRegex
+            SELECT Pid FROM pslist()
+            WHERE Name =~ ProcessNameRegex
+              AND str(str=Pid) =~ PidRegex
+              AND str(str=ImagePathName) =~ ImagePathRegex
+              AND str(str=CommandLine) =~ CommandLineRegex
         }, query={
-           SELECT * FROM Calculate(PID=Pid)
+            SELECT * FROM Calculate(PID=Pid)
         })
diff --git a/artifacts/testdata/windows/processes.in.yaml b/artifacts/testdata/windows/processes.in.yaml
@@ -1,5 +1,5 @@
 Queries:
   # Make sure we can parse the environment strings for the running process
-  - SELECT Name, Env.ComSpec
-    FROM Artifact.Windows.Forensics.ProcessInfo(ProcessNameRegex='velociraptor')
-    LIMIT 1
+  - SELECT Name, Env.ComSpec 
+    FROM Artifact.Windows.Memory.ProcessInfo(ProcessNameRegex='velociraptor')
+    LIMIT 1
diff --git a/artifacts/testdata/windows/processes.out.yaml b/artifacts/testdata/windows/processes.out.yaml
@@ -1,4 +1,4 @@
-SELECT Name, Env.ComSpec FROM Artifact.Windows.Forensics.ProcessInfo(ProcessNameRegex='velociraptor') LIMIT 1[
+SELECT Name, Env.ComSpec FROM Artifact.Windows.Memory.ProcessInfo(ProcessNameRegex='velociraptor') LIMIT 1[
  {
   "Name": "velociraptor.exe",
   "Env.ComSpec": "C:\\Windows\\system32\\cmd.exe"