Bugfix: Fixed bug in MacOS.System.Wifi (#3505)

Also improved column names of Windows.Network.NetstatEnriched and increased default NTFS cache time
Velocidex · May 21, 2024 · 3a14fd9 · 3a14fd9
1 parent ea44269
commit 3a14fd9
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 35 deletions.
diff --git a/artifacts/definitions/MacOS/System/Wifi.yaml b/artifacts/definitions/MacOS/System/Wifi.yaml
@@ -1,6 +1,9 @@
 name: MacOS.System.Wifi
 description: |
-   This artifact looks for all Wifi networks to which a host has joined.  This can be useful in determining where a machine has been, or if a user has joined an illegitimate or unauthorized wireless network.
+   This artifact looks for all Wifi networks to which a host has
+   joined.  This can be useful in determining where a machine has
+   been, or if a user has joined an illegitimate or unauthorized
+   wireless network.
 
 type: CLIENT
 
@@ -16,9 +19,12 @@ precondition:
 sources:
   - query: |
       LET WifiPlist = SELECT OSPath from glob(globs=WifiGlob)
-      LET KnownNetworks = SELECT get(member="KnownNetworks") as KN from plist(file=WifiPlist.OSPath)
+      LET KnownNetworksQuery = SELECT get(member="KnownNetworks") as KN
+         FROM plist(file=WifiPlist.OSPath)
+         WHERE KN
+
       LET EachNetwork = SELECT * from foreach(
-         row=KnownNetworks,
+         row=KnownNetworksQuery,
          query={
             SELECT _key AS Network, _value AS Value
             FROM items(item=KN)

diff --git a/artifacts/definitions/Server/Internal/ToolDependencies.yaml b/artifacts/definitions/Server/Internal/ToolDependencies.yaml
@@ -7,19 +7,19 @@ description: |
 
 tools:
   - name: VelociraptorWindows
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.1-windows-amd64.exe
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-amd64.exe
     serve_locally: true
-    version: 0.72.1
+    version: 0.72.3
 
   - name: VelociraptorWindows_x86
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.1-windows-386.exe
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-386.exe
     serve_locally: true
-    version: 0.72.1
+    version: 0.72.3
 
   - name: VelociraptorLinux
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.1-linux-amd64-musl
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-linux-amd64-musl
     serve_locally: true
-    version: 0.72.1
+    version: 0.72.3
 
   # On MacOS we can not embed the config in the binary so we use a
   # shell script stub instead. See
@@ -31,11 +31,11 @@ tools:
     serve_locally: true
 
   - name: VelociraptorWindowsMSI
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.1-windows-amd64.msi
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-amd64.msi
     serve_locally: true
-    version: 0.72.1
+    version: 0.72.3
 
   - name: VelociraptorWindows_x86MSI
-    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.1-windows-386.msi
+    url: https://github.com/Velocidex/velociraptor/releases/download/v0.72/velociraptor-v0.72.3-windows-386.msi
     serve_locally: true
-    version: 0.72.1
+    version: 0.72.3
diff --git a/artifacts/definitions/Windows/Network/NetstatEnriched.yaml b/artifacts/definitions/Windows/Network/NetstatEnriched.yaml
@@ -176,10 +176,10 @@ sources:
                 FamilyString as Family,
                 TypeString as Type,
                 Status,
-                Laddr.IP as SrcIP,
-                Laddr.Port as SrcPort,
-                Raddr.IP as DestIP,
-                Raddr.Port as DestPort,
+                Laddr.IP as Laddr,
+                Laddr.Port as Lport,
+                Raddr.IP as Raddr,
+                Raddr.Port as Rport,
                 Timestamp
             FROM netstat()
             WHERE
@@ -197,10 +197,10 @@ sources:
                 and Status =~ StatusRegex.Regex[0]
                 and Family =~ FamilyRegex.Regex[0]
                 and Type =~ TypeRegex.Regex[0]
-                and ( format(format="%v", args=SrcIP) =~ IPRegex
-                    or format(format="%v", args=DestIP) =~ IPRegex )
-                and ( format(format="%v", args=SrcPort) =~ PortRegex
-                    or format(format="%v", args=DestPort) =~ PortRegex )
+                and ( format(format="%v", args=Laddr) =~ IPRegex
+                    or format(format="%v", args=Raddr) =~ IPRegex )
+                and ( format(format="%v", args=Lport) =~ PortRegex
+                    or format(format="%v", args=Rport) =~ PortRegex )
 
       LET Regions(Pid) = SELECT dict(Offset=Address, Length=Size) AS Sparse
         FROM vad(pid=Pid)

diff --git a/artifacts/testdata/server/testcases/mock.out.yaml b/artifacts/testdata/server/testcases/mock.out.yaml
@@ -76,10 +76,10 @@ LET X <= SELECT mock(plugin='info', results=[dict(OS='windows', foo='bar'), dict
   "Family": "IPv6",
   "Type": "TCP",
   "Status": "LISTEN",
-  "SrcIP": "::",
-  "SrcPort": 3889,
-  "DestIP": "::",
-  "DestPort": 0,
+  "Laddr": "::",
+  "Lport": 3889,
+  "Raddr": "::",
+  "Rport": 0,
   "Timestamp": "2019-11-27T01:18:15Z",
   "_Source": "Windows.Network.NetstatEnriched/Netstat"
  }
@@ -112,10 +112,10 @@ LET X <= SELECT mock(plugin='info', results=[dict(OS='windows', foo='bar'), dict
   "Family": "IPv6",
   "Type": "TCP",
   "Status": "LISTEN",
-  "SrcIP": "::",
-  "SrcPort": 3889,
-  "DestIP": "::",
-  "DestPort": 0,
+  "Laddr": "::",
+  "Lport": 3889,
+  "Raddr": "::",
+  "Rport": 0,
   "Timestamp": "2019-11-27T01:18:15Z",
   "_Source": "Windows.Network.NetstatEnriched/Netstat"
  }
@@ -148,10 +148,10 @@ LET X <= SELECT mock(plugin='info', results=[dict(OS='windows', foo='bar'), dict
   "Family": "IPv4",
   "Type": "TCP",
   "Status": "ESTAB",
-  "SrcIP": "172.168.101.128",
-  "SrcPort": 64371,
-  "DestIP": "10.179.67.176",
-  "DestPort": 443,
+  "Laddr": "172.168.101.128",
+  "Lport": 64371,
+  "Raddr": "10.179.67.176",
+  "Rport": 443,
   "Timestamp": "2019-12-07T03:30:58Z",
   "_Source": "Windows.Network.NetstatEnriched/Netstat"
  }

diff --git a/constants/constants.go b/constants/constants.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION = "0.72.1"
+	VERSION = "0.72.3"
 
 	ENROLLMENT_WELL_KNOWN_FLOW = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW = FLOW_PREFIX + "Monitoring"

diff --git a/vql/constants/ntfs.go b/vql/constants/ntfs.go
@@ -25,7 +25,7 @@ func GetNTFSCacheTime(ctx context.Context, scope vfilter.Scope) time.Duration {
 		cache_life, _ = utils.ToInt64(cache_life_any)
 	}
 	if cache_life == 0 {
-		cache_life = 60
+		cache_life = 600
 	}
 
 	res := time.Duration(cache_life) * time.Second