# Velociraptor collection analysis - iot-eng-wkst

## Findings

* From SIEM log analysis:
  * iot-eng-wkst was used to open some documents and to download and run nmap (Sysmon process events)

* Only 3 users: local Administrator, domain MAGNUMTEMPUS Administrator, seth.morgan. Seth Morgan is the account used for the suspicious activities.
* Web browsing very limited:
  * 10 entries in history
  * the Chrome history artifact returns the same rows as the Edge one (both were parsed from the Edge History file, see OSPath)
  * only notable entry: "file://172.16.50.146/Users/seth.morgan/Downloads/NEWSHARE2023/2022-Backup/2022-Backup/Internal/Depts/Operations/are-you-ready-guide.pdf"
  * GAP: the nmap download does not appear in the browser history
* From Windows_Forensics_Lnk, we have the list of documents accessed by the user: org email list.txt, passwords.xls, are-you-ready-guide.pdf, copy-net-picture.png, admin.txt, Winger_11.jpg, Rig_Notes.xlsx
* From netstat, an RDP connection from remote 172.16.10.93 to local 172.16.50.20 was established at collection time. No other unexpected connection.
* From Amcache and the MFT, we can confirm that nmap was installed. No execution time in the Amcache data, though?
* Local event logs are missing from the collection, which limits further digging.

## Code

### Install
The msticpy Velociraptor provider PR is not merged yet: https://github.com/microsoft/msticpy/pull/668

In [None]:
# %pip install git+https://github.com/microsoft/msticpy.git@ianhelle/velociraptor-provider-2023-05-19

In [None]:
# %pip install jupyterlab

### Import

In [1]:
# Imports
import pandas as pd
import msticpy.nbtools as nbtools
from datetime import datetime, timedelta
import os

# path to config file
# os.environ['MSTICPYCONFIG'] = '/home/ubuntu/msticpyconfig.yaml'
from msticpy.nbtools import *
from msticpy.data.data_providers import QueryProvider
from msticpy.common.wsconfig import WorkspaceConfig
from msticpy.nbtools.data_viewer import DataViewer
from msticpy.vis.matrix_plot import plot_matrix
from msticpy.nbtools import process_tree as ptree

print("Imports Complete")

Imports Complete


### Configuration

In [2]:
# q_times = nbwidgets.QueryTime(units='hours', max_before=72, before=1, max_after=0)
q_times = nbwidgets.QueryTime(
    origin_time=datetime(2023, 4, 29), units="days", max_before=3, before=1, max_after=0
)
q_times.display()

VBox(children=(HTML(value='<h4>Set query time boundaries</h4>'), HBox(children=(DatePicker(value=datetime.date…

In [3]:
query_common_args = ""

In [4]:
# pandas
pd.set_option("display.max_colwidth", 500)

In [60]:
# A "~" in data_paths is not expanded by the provider (NOK); use the absolute path instead.
# qry_prov = QueryProvider("VelociraptorLogs", data_paths=["~/QubesIncoming/lab2/Collection-iot-eng-wkst_magnumtempus_financial-2023-06-19T01_15_07Z/results"])
qry_prov = QueryProvider(
    "VelociraptorLogs",
    data_paths=[
        "/home/user/QubesIncoming/lab2/Collection-iot-eng-wkst_magnumtempus_financial-2023-06-19T01_15_07Z/results"
    ],
)

In [61]:
qry_prov.connect()

### Queries

In [62]:
len(qry_prov.list_queries())

25

In [63]:
qry_prov.list_queries()

['velociraptor.Windows_Applications_Chrome_Cookies',
 'velociraptor.Windows_Applications_Chrome_Extensions',
 'velociraptor.Windows_Applications_Chrome_History',
 'velociraptor.Windows_Applications_Edge_History',
 'velociraptor.Windows_EventLogs_ScheduledTasks',
 'velociraptor.Windows_Forensics_Lnk',
 'velociraptor.Windows_Forensics_Usn',
 'velociraptor.Windows_KapeFiles_Targets_2FAll_File_Metadata',
 'velociraptor.Windows_KapeFiles_Targets_2FUploads',
 'velociraptor.Windows_Memory_Acquisition',
 'velociraptor.Windows_NTFS_MFT',
 'velociraptor.Windows_Network_ArpCache',
 'velociraptor.Windows_Network_InterfaceAddresses',
 'velociraptor.Windows_Network_ListeningPorts',
 'velociraptor.Windows_Network_Netstat',
 'velociraptor.Windows_Network_NetstatEnriched_2FNetstat',
 'velociraptor.Windows_Registry_EnabledMacro',
 'velociraptor.Windows_Sys_Users',
 'velociraptor.Windows_Sysinternals_Autoruns',
 'velociraptor.Windows_System_Amcache_2FFile',
 'velociraptor.Windows_System_Amcache_2FInvento

In [64]:
qry_prov.velociraptor.Windows_Applications_Chrome_Cookies()


In [71]:
qry_prov.velociraptor.Windows_Applications_Chrome_Extensions()


Unnamed: 0,Uid,User,Name,Description,Identifier,Version,Author,Persistent,Path,Scopes,Permissions,Key
0,1170,seth.morgan,Google Docs Offline,"Edit, create, and view your documents, spreadsheets, and presentations — all without internet access.",ghbmnnjooekpmoecnnnilnnbdlolhkhi,1.61.4_0,{'email': 'docs-hosted-app-own@google.com'},0.0,C:\Users\seth.morgan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.61.4_0\,,"[alarms, storage, unlimitedStorage, https://docs.google.com/*, https://drive.google.com/*]",MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnF7RGLAxIon0/XeNZ4MLdP3DMkoORzEAKVg0sb89JpA/W2osTHr91Wqwdc9lW0mFcSpCYS9Y3e7cUMFo/M2ETASIuZncMiUzX2/0rrWtGQ3UuEj3KSe5PdaVZfisyJw/FebvHwirEWrhqcgzVUj9fL9YjE0G45d1zMKcc1umKvLqPyTznNuKBZ9GJREdGLRJCBmUgCkI8iwtwC+QZTUppmaD50/ksnEUXv+QkgGN07/KoNA5oAgo49Jf1XBoMv4QXtVZQlBYZl84zAsI82hb63a6Gu29U/4qMWDdI7+3Ne5TRvo6Zi3EI4M2NQNplJhik105qrz+eTLJJxvf4slrWwIDAQAB
1,1170,seth.morgan,,,nmmhkkegccagdldgiimedpiccmgmieda,1.0.0.6_0,,,C:\Users\seth.morgan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\,"[https://www.googleapis.com/auth/sierra, https://www.googleapis.com/auth/sierrasandbox, https://www.googleapis.com/auth/chromewebstore, https://www.googleapis.com/auth/chromewebstore.readonly]","[identity, webview, https://www.google.com/, https://www.googleapis.com/*, https://payments.google.com/payments/v4/js/integrator.js, https://sandbox.google.com/payments/v4/js/integrator.js]",MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrKfMnLqViEyokd1wk57FxJtW2XXpGXzIHBzv9vQI/01UsuP0IV5/lj0wx7zJ/xcibUgDeIxobvv9XD+zO1MdjMWuqJFcKuSS4Suqkje6u+pMrTSGOSHq1bmBVh0kpToN8YoJs/P/yrRd7FEtAXTaFTGxQL4C385MeXSjaQfiRiQIDAQAB


In [73]:
df_chrome_history = qry_prov.velociraptor.Windows_Applications_Chrome_History()

In [74]:
df_chrome_history.shape

(10, 14)

In [77]:
df_chrome_history

Unnamed: 0,User,url_id,visit_time,visited_url,title,visit_count,typed_count,last_visit_time,hidden,from_url_id,visit_duration,transition,_SourceLastModificationTimestamp,OSPath
0,seth.morgan,1,2023-04-29 21:46:02+00:00,file://172.16.50.146/Users/seth.morgan/Downloads/NEWSHARE2023/2022-Backup/2022-Backup/Internal/Depts/Operations/are-you-ready-guide.pdf,,1,0,2023-04-29 21:46:02+00:00,0,0,00:00:36.330,805306374,2023-04-29T21:46:02Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
1,seth.morgan,2,2023-04-29 21:46:16+00:00,https://go.microsoft.com/fwlink/?linkid=2132465&form=MT004A&OCID=MT004A,Welcome to Microsoft Edge,2,1,2023-04-29 21:46:16+00:00,0,0,00:00:00.000,268435457,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
2,seth.morgan,3,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,2,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
3,seth.morgan,4,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/en-us/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,3,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
4,seth.morgan,2,2023-04-29 21:46:16+00:00,https://go.microsoft.com/fwlink/?linkid=2132465&form=MT004A&OCID=MT004A,Welcome to Microsoft Edge,2,1,2023-04-29 21:46:16+00:00,0,4,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
5,seth.morgan,3,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,5,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
6,seth.morgan,4,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/en-us/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,6,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
7,seth.morgan,5,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00,Welcome to Microsoft Edge,3,0,2023-04-29 21:46:17+00:00,0,7,00:00:01.116,-1610612735,2023-04-29T21:46:17Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
8,seth.morgan,5,2023-04-29 21:46:17+00:00,https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00,Welcome to Microsoft Edge,3,0,2023-04-29 21:46:17+00:00,0,0,00:00:00.007,805306368,2023-04-29T21:46:17Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History
9,seth.morgan,5,2023-04-29 21:46:17+00:00,https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00,Welcome to Microsoft Edge,3,0,2023-04-29 21:46:17+00:00,0,0,00:00:20.610,805306368,2023-04-29T21:46:17Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History


In [78]:
qry_prov.velociraptor.Windows_Applications_Edge_History()


Unnamed: 0,User,url_id,visit_time,visited_url,title,visit_count,typed_count,last_visit_time,hidden,from_url_id,visit_duration,transition,_SourceLastModificationTimestamp,OSPath,_Source
0,seth.morgan,1,2023-04-29 21:46:02+00:00,file://172.16.50.146/Users/seth.morgan/Downloads/NEWSHARE2023/2022-Backup/2022-Backup/Internal/Depts/Operations/are-you-ready-guide.pdf,,1,0,2023-04-29 21:46:02+00:00,0,0,00:00:36.330,805306374,2023-04-29T21:46:02Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
1,seth.morgan,2,2023-04-29 21:46:16+00:00,https://go.microsoft.com/fwlink/?linkid=2132465&form=MT004A&OCID=MT004A,Welcome to Microsoft Edge,2,1,2023-04-29 21:46:16+00:00,0,0,00:00:00.000,268435457,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
2,seth.morgan,3,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,2,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
3,seth.morgan,4,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/en-us/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,3,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
4,seth.morgan,2,2023-04-29 21:46:16+00:00,https://go.microsoft.com/fwlink/?linkid=2132465&form=MT004A&OCID=MT004A,Welcome to Microsoft Edge,2,1,2023-04-29 21:46:16+00:00,0,4,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
5,seth.morgan,3,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,5,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
6,seth.morgan,4,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/en-us/,Welcome to Microsoft Edge,2,0,2023-04-29 21:46:16+00:00,0,6,00:00:00.000,-2147483647,2023-04-29T21:46:16Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
7,seth.morgan,5,2023-04-29 21:46:16+00:00,https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00,Welcome to Microsoft Edge,3,0,2023-04-29 21:46:17+00:00,0,7,00:00:01.116,-1610612735,2023-04-29T21:46:17Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
8,seth.morgan,5,2023-04-29 21:46:17+00:00,https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00,Welcome to Microsoft Edge,3,0,2023-04-29 21:46:17+00:00,0,0,00:00:00.007,805306368,2023-04-29T21:46:17Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
9,seth.morgan,5,2023-04-29 21:46:17+00:00,https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00,Welcome to Microsoft Edge,3,0,2023-04-29 21:46:17+00:00,0,0,00:00:20.610,805306368,2023-04-29T21:46:17Z,C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History,Windows.Applications.Chrome.History
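The two history outputs above are the same ten rows: the `OSPath` column shows that the Chrome artifact parsed the Edge `History` file. The following added example (not part of the notebook; it uses a constructed four-visit sample copied from the rows above, under hypothetical `sample_*` names) merges both artifact outputs, drops the visits reported twice, names the browser from the file location rather than the artifact name, and decodes the `transition` column using the Chromium PageTransition constants, so the `file://` open on the share can be read as an automatic top-level load rather than a typed URL.

```python
import pandas as pd

# Constructed sample (not the notebook's data): four of the visits printed above, returned once
# by the Chrome artifact and once by the Edge artifact. Both carry the same OSPath, because in this
# collection both artifacts parsed the Edge "History" SQLite file. Column names follow the notebook.
EDGE_HISTORY_FILE = r"C:\Users\seth.morgan\AppData\Local\Microsoft\Edge\User Data\Default\History"
_VISITS = [
    # visit_time, visited_url, from_url_id, visit_duration, transition
    ("2023-04-29 21:46:02+00:00",
     "file://172.16.50.146/Users/seth.morgan/Downloads/NEWSHARE2023/2022-Backup/2022-Backup/"
     "Internal/Depts/Operations/are-you-ready-guide.pdf", 0, "00:00:36.330", 805306374),
    ("2023-04-29 21:46:16+00:00",
     "https://go.microsoft.com/fwlink/?linkid=2132465&form=MT004A&OCID=MT004A", 0, "00:00:00.000", 268435457),
    ("2023-04-29 21:46:16+00:00",
     "https://microsoftedgewelcome.microsoft.com/", 2, "00:00:00.000", -2147483647),
    ("2023-04-29 21:46:17+00:00",
     "https://microsoftedgewelcome.microsoft.com/en-us/welcome?form=MA13DW&exp=e00", 0, "00:00:20.610", 805306368),
]


def _artifact_frame(source: str) -> pd.DataFrame:
    df = pd.DataFrame(_VISITS, columns=["visit_time", "visited_url", "from_url_id", "visit_duration", "transition"])
    df["User"] = "seth.morgan"
    df["OSPath"] = EDGE_HISTORY_FILE
    df["_Source"] = source
    return df


sample_chrome_history = _artifact_frame("Windows.Applications.Chrome.History")
sample_edge_history = _artifact_frame("Windows.Applications.Edge.History")

# Chromium PageTransition encoding (ui/base/page_transition_types.h): low byte = core type,
# high bits = qualifiers. SQLite hands the 32-bit value back signed, hence the mask below.
_CORE_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME", 4: "MANUAL_SUBFRAME",
               5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD",
               10: "KEYWORD_GENERATED"}
_QUALIFIERS = [(0x01000000, "FORWARD_BACK"), (0x02000000, "FROM_ADDRESS_BAR"), (0x04000000, "HOME_PAGE"),
               (0x08000000, "FROM_API"), (0x10000000, "CHAIN_START"), (0x20000000, "CHAIN_END"),
               (0x40000000, "CLIENT_REDIRECT"), (0x80000000, "SERVER_REDIRECT")]


def decode_transition(value: int) -> tuple[str, list[str]]:
    """Return (core type, qualifier flags) for a Chrome/Edge history transition value."""
    v = int(value) & 0xFFFFFFFF
    core = _CORE_TYPES.get(v & 0xFF, f"UNKNOWN({v & 0xFF})")
    return core, [name for bit, name in _QUALIFIERS if v & bit]


def browser_from_ospath(path: str) -> str:
    """Name the browser that owns a History file from its on-disk location, not from the artifact name."""
    p = str(path).replace("/", "\\").lower()
    if "\\microsoft\\edge\\" in p:
        return "Edge"
    if "\\google\\chrome\\" in p:
        return "Chrome"
    return "Unknown"


def merge_browser_history(*frames: pd.DataFrame) -> pd.DataFrame:
    """Concatenate artifact outputs, drop the same visit reported twice, label browser and transition."""
    keys = ["OSPath", "visit_time", "visited_url", "from_url_id", "visit_duration"]
    merged = pd.concat(frames, ignore_index=True).drop_duplicates(subset=keys).copy()
    merged["visit_time"] = pd.to_datetime(merged["visit_time"], utc=True)
    merged["browser"] = merged["OSPath"].map(browser_from_ospath)
    decoded = merged["transition"].map(decode_transition)
    merged["transition_core"] = decoded.map(lambda t: t[0])
    merged["transition_flags"] = decoded.map(lambda t: "|".join(t[1]))
    return merged.sort_values("visit_time", kind="stable").reset_index(drop=True)


if __name__ == "__main__":
    history = merge_browser_history(sample_chrome_history, sample_edge_history)
    print(history[["visit_time", "browser", "transition_core", "transition_flags", "visited_url"]].to_string())
```

Against the real collection, pass `df_chrome_history` and the Edge history frame straight into `merge_browser_history`; the dedupe key deliberately leaves out `_Source` and the pandas index column so that the doubled rows collapse while distinct visits of the same URL (different `from_url_id` or duration) survive.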


In [101]:
df_scheduledtasks = qry_prov.velociraptor.Windows_EventLogs_ScheduledTasks()

In [102]:
df_scheduledtasks.shape

(100, 11)

In [104]:
df_scheduledtasks.columns

Index(['EventTime', 'Computer', 'Channel', 'EventID', 'EventRecordID',
       'UserName', 'TaskName', 'Message', 'TaskAction', 'EventData',
       'FullPath'],
      dtype='object')

In [105]:
df_scheduledtasks[["TaskName", "EventTime"]].groupby(["TaskName"]).count()

TaskName,EventTime
\CreateExplorerShellUnelevatedTask,1
\GoogleUpdateTaskMachineCore{2D73E118-D2BD-477A-916E-701FE6B49FBE},3
\GoogleUpdateTaskMachineUA{9497080B-5115-497E-8FDD-8CF382C268F8},3
\MicrosoftEdgeUpdateTaskMachineCore,1
\MicrosoftEdgeUpdateTaskMachineUA,1
\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319,4
\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64,4
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser,3
\Microsoft\Windows\Application Experience\PcaPatchDbTask,2
\Microsoft\Windows\Data Integrity Scan\Data Integrity Check And Scan,4


In [106]:
df_lnk = qry_prov.velociraptor.Windows_Forensics_Lnk()

In [107]:
df_lnk.shape

(17, 16)

In [108]:
df_lnk.columns

Index(['FullPath', '_Parsed', 'SourceCreated', 'SourceModified',
       '_TargetIDInfo', 'HeaderCreationTime', 'HeaderAccessTime',
       'HeaderWriteTime', 'FileSize', 'Target', 'Name', 'RelativePath',
       'WorkingDir', 'Arguments', 'Icons', 'Upload'],
      dtype='object')

In [111]:
df_lnk[["WorkingDir", "SourceCreated"]].groupby(["WorkingDir"]).count()

WorkingDir,SourceCreated
\\172.16.50.146\Users\seth.morgan\Downloads\NEWSHARE2023\2022-Backup\2022-Backup,1
\\172.16.50.146\Users\seth.morgan\Downloads\NEWSHARE2023\2022-Backup\2022-Backup\Internal\Depts\Operations,1
\\172.16.50.146\Users\seth.morgan\Downloads\NEWSHARE2023\2022-Backup\2022-Backup\SethFolder,1
\\172.16.50.146\Users\seth.morgan\Downloads\NEWSHARE2023\Jason's Private Folder,1
\\172.16.50.146\Users\seth.morgan\Downloads\NEWSHARE2023\Tombstone-Copy\Software,1
\\172.16.50.146\Users\seth.morgan\Downloads\NEWSHARE2023\Tombstone-Copy\Tombstone-Copy,2


In [116]:
df_lnk[["Target", "SourceCreated"]]

Unnamed: 0,Target,SourceCreated
0,"{'path': 'C:\', 'volume_info': {'DriveType': 'DRIVE_FIXED', 'DriveSerialNumber': 1584750495, 'VolumeLabel': ''}}",2023-06-19T01:11:02.3579299Z
1,"{'path': 'C:\', 'volume_info': {'DriveType': 'DRIVE_FIXED', 'DriveSerialNumber': 1584750495, 'VolumeLabel': ''}}",2023-06-19T01:11:02.3266029Z
2,,2023-06-19T01:11:02.3579299Z
3,"{'path': 'C:\WinTriage', 'volume_info': {'DriveType': 'DRIVE_FIXED', 'DriveSerialNumber': 1584750495, 'VolumeLabel': ''}}",2023-06-19T01:11:02.3108337Z
4,"{'path': '\\172.16.50.146\USERS\seth.morgan\Downloads\NEWSHARE2023\2022-Backup\2022-Backup', 'relative_link': {'NetworkProviderType': '0x20000', 'NetName': '\\172.16.50.146\USERS', 'DeviceName': ''}}",2023-04-29T21:36:25.6000892Z
5,"{'path': '\\172.16.50.146\USERS\seth.morgan\Downloads\NEWSHARE2023\Jason's Private Folder', 'relative_link': {'NetworkProviderType': '0x20000', 'NetName': '\\172.16.50.146\USERS', 'DeviceName': ''}}",2023-04-29T21:37:09.9668928Z
6,"{'path': '\\172.16.50.146\USERS\seth.morgan\Downloads\NEWSHARE2023\2022-Backup\2022-Backup\Internal\Depts\Operations', 'relative_link': {'NetworkProviderType': '0x20000', 'NetName': '\\172.16.50.146\USERS', 'DeviceName': ''}}",2023-04-29T21:45:54.1042345Z
7,"{'path': '\\172.16.50.146\USERS\seth.morgan\Downloads\NEWSHARE2023\Tombstone-Copy\Tombstone-Copy\Rig_Notes.xlsx', 'relative_link': {'NetworkProviderType': '0x20000', 'NetName': '\\172.16.50.146\USERS', 'DeviceName': ''}}",2023-04-29T21:37:35.8000499Z
8,"{'path': '\\172.16.50.146\USERS\seth.morgan\Downloads\NEWSHARE2023\2022-Backup\2022-Backup\SethFolder', 'relative_link': {'NetworkProviderType': '0x20000', 'NetName': '\\172.16.50.146\USERS', 'DeviceName': ''}}",2023-04-29T21:36:14.455722Z
9,"{'path': '\\172.16.50.146\USERS\seth.morgan\Downloads\NEWSHARE2023\Tombstone-Copy\Software', 'relative_link': {'NetworkProviderType': '0x20000', 'NetName': '\\172.16.50.146\USERS', 'DeviceName': ''}}",2023-04-29T21:49:16.7098276Z


In [117]:
df_usn = qry_prov.velociraptor.Windows_Forensics_Usn()

In [118]:
df_usn.shape

(10827, 13)

In [119]:
df_usn.columns

Index(['Timestamp', 'Filename', 'Device', 'FullPath', '_Links', 'Reason',
       'MFTId', 'Sequence', 'ParentMFTId', 'ParentSequence', 'FileAttributes',
       'SourceInfo', 'Usn'],
      dtype='object')

In [120]:
df_usn.head()

Unnamed: 0,Timestamp,Filename,Device,FullPath,_Links,Reason,MFTId,Sequence,ParentMFTId,ParentSequence,FileAttributes,SourceInfo,Usn
0,2023-04-24 17:16:39.994765100+00:00,coml2.dll,C:\,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-com-coml2_31bf3856ad364e35_10.0.20348.1_none_a72c518446fe3f14\coml2.dll,[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-com-coml2_31bf3856ad364e35_10.0.20348.1_none_a72c518446fe3f14\coml2.dll],[CLOSE],52739,1,9053,1,[ARCHIVE],[ARCHIVE],0
1,2023-04-24 17:16:40.041704500+00:00,SHCore.dll,C:\,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-shcore_31bf3856ad364e35_10.0.20348.740_none_af05fc25ab48f3cb\SHCore.dll,[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-shcore_31bf3856ad364e35_10.0.20348.740_none_af05fc25ab48f3cb\SHCore.dll],[CLOSE],55460,1,15461,1,[ARCHIVE],[ARCHIVE],80
2,2023-04-24 17:16:40.072981600+00:00,oleaut32.dll,C:\,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.20348.143_none_a5953f29858ae3e8\oleaut32.dll,[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.20348.143_none_a5953f29858ae3e8\oleaut32.dll],[CLOSE],54896,1,13501,1,[ARCHIVE],[ARCHIVE],160
3,2023-04-24 17:16:40.088530100+00:00,nsi.dll,C:\,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.20348.1_none_fbd12063907a771b\nsi.dll,[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.20348.1_none_fbd12063907a771b\nsi.dll],[CLOSE],54852,1,16608,1,[ARCHIVE],[ARCHIVE],248
4,2023-04-24 17:16:40.088530100+00:00,psapi.dll,C:\,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.20348.1_none_8c10ef47f1d5feb9\psapi.dll,[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.20348.1_none_8c10ef47f1d5feb9\psapi.dll],[CLOSE],55075,1,8583,1,[ARCHIVE],[ARCHIVE],328


In [142]:
df_usn[df_usn["FullPath"].str.contains("nmap")]

Unnamed: 0,Timestamp,Filename,Device,FullPath,_Links,Reason,MFTId,Sequence,ParentMFTId,ParentSequence,FileAttributes,SourceInfo,Usn


In [144]:
df_kapefiles_metadata = (
    qry_prov.velociraptor.Windows_KapeFiles_Targets_2FAll_File_Metadata()
)

In [145]:
df_kapefiles_metadata.shape

(941, 6)

In [146]:
df_kapefiles_metadata.head()

Unnamed: 0,Created,LastAccessed,Modified,Size,SourceFile,_Source
0,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11 06:03:41.787289100+00:00,8192,\\.\C:\$Boot,Generic.Collectors.File/All Matches Metadata
1,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11 06:03:41.787289100+00:00,43941888,\\.\C:\$LogFile,Generic.Collectors.File/All Matches Metadata
2,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11 06:03:41.787289100+00:00,130547712,\\.\C:\$MFT,Generic.Collectors.File/All Matches Metadata
3,2023-04-24T17:16:39.9947651Z,2023-04-24T17:16:39.9947651Z,2023-04-24 17:16:39.994765100+00:00,24236744,\\.\C:\$Extend\$UsnJrnl:$J,Generic.Collectors.File/All Matches Metadata
4,2023-04-24T17:16:39.9947651Z,2023-04-24T17:16:39.9947651Z,2023-04-24 17:16:39.994765100+00:00,32,\\.\C:\$Extend\$UsnJrnl:$Max,Generic.Collectors.File/All Matches Metadata


In [147]:
df_kapefiles_metadata[df_kapefiles_metadata["SourceFile"].str.contains("nmap")]

Unnamed: 0,Created,LastAccessed,Modified,Size,SourceFile,_Source


In [148]:
df_kapefiles_upload = qry_prov.velociraptor.Windows_KapeFiles_Targets_2FUploads()

In [149]:
df_kapefiles_upload.shape

(941, 9)

In [150]:
df_kapefiles_upload.head()

Unnamed: 0,CopiedOnTimestamp,SourceFile,DestinationFile,FileSize,SourceFileSha256,Created,Modified,LastAccessed,_Source
0,1687137372,\\.\C:\$Extend\$UsnJrnl:$Max,\\.\C:\$Extend\$UsnJrnl:$Max,32,24e51e5aca8bdd1cc436a2d10af9aacaf3dc8d4a795545cf53eaed579155e436,2023-04-24T17:16:39.9947651Z,2023-04-24 17:16:39.994765100+00:00,2023-04-24T17:16:39.9947651Z,Generic.Collectors.File/Uploads
1,1687137372,\\.\C:\$Boot,\\.\C:\$Boot,8192,ccb73169c092256f3bc1ae2aaf2686a0f87a8bb0742ebab825a9739dbe92bc86,2023-01-11T06:03:41.7872891Z,2023-01-11 06:03:41.787289100+00:00,2023-01-11T06:03:41.7872891Z,Generic.Collectors.File/Uploads
2,1687137398,\\.\C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T,\\.\C:\$Extend\$RmMetadata\$TxfLog\$Tops:$T,1048576,30e14955ebf1352266dc2ff8067e68104607e750abb9d3b36582b8af909fcb58,2023-01-11T06:03:42.9776153Z,2023-01-11 06:03:42.977615300+00:00,2023-01-11T06:03:42.9776153Z,Generic.Collectors.File/Uploads
3,1687137442,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk,2247,0eda1691cc169b8d4ed994012f859702f66f2dc27623f37248eeabd9b366ef80,2023-04-28T08:08:17.515294Z,2023-04-28 08:08:17.515294+00:00,2023-04-28T08:08:17.515294Z,Generic.Collectors.File/Uploads
4,1687137442,C:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20230424-171700.log,C:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20230424-171700.log,2394,926609ffee3ad26b0038584b65bb795209ceaad2c6d61e8e5d3b63ac83c108db,2023-04-29T10:18:51.6700207Z,2023-04-29 10:18:51.670020700+00:00,2023-04-29T10:18:51.6700207Z,Generic.Collectors.File/Uploads


In [151]:
df_kapefiles_upload[df_kapefiles_upload["SourceFile"].str.contains("nmap")]

Unnamed: 0,CopiedOnTimestamp,SourceFile,DestinationFile,FileSize,SourceFileSha256,Created,Modified,LastAccessed,_Source


In [84]:
qry_prov.velociraptor.Windows_Memory_Acquisition()


Unnamed: 0,Stdout,Stderr,Upload
0,WinPmem64,,
1,Extracting driver to C:\Users\ADMINI~1.MAG\AppData\Local\Temp\pme5FC6.tmp,,
2,Driver Unloaded.,,
3,Loaded Driver C:\Users\ADMINI~1.MAG\AppData\Local\Temp\pme5FC6.tmp.,,
4,Deleting C:\Users\ADMINI~1.MAG\AppData\Local\Temp\pme5FC6.tmp,,
5,The system time is: 01:15:11,,
6,Will generate a RAW image,,
7,- buffer_size_: 0x1000,,
8,CR3: 0x00001AA002,,
9,4 memory ranges:,,


In [152]:
df_mft = qry_prov.velociraptor.Windows_NTFS_MFT()

In [153]:
df_mft.shape

(125048, 23)

In [154]:
df_mft.head()

Unnamed: 0,EntryNumber,InUse,ParentEntryNumber,OSPath,_Links,FileName,FileSize,ReferenceCount,IsDir,Created0x10,...,LastRecordChange0x10,LastRecordChange0x30,LastAccess0x10,LastAccess0x30,HasADS,SI_Lt_FN,uSecZeros,Copied,FileNames,FileNameTypes
0,0,True,5,\\.\C:\$MFT,[\\.\C:\$MFT],$MFT,130547712,1,False,2023-01-11T06:03:41.7872891Z,...,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,False,False,False,False,[$MFT],DOS+Win32
1,1,True,5,\\.\C:\$MFTMirr,[\\.\C:\$MFTMirr],$MFTMirr,4096,1,False,2023-01-11T06:03:41.7872891Z,...,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,False,False,False,False,[$MFTMirr],DOS+Win32
2,2,True,5,\\.\C:\$LogFile,[\\.\C:\$LogFile],$LogFile,43941888,1,False,2023-01-11T06:03:41.7872891Z,...,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,False,False,False,False,[$LogFile],DOS+Win32
3,3,True,5,\\.\C:\$Volume,[\\.\C:\$Volume],$Volume,0,1,False,2023-01-11T06:03:41.7872891Z,...,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,False,False,False,False,[$Volume],DOS+Win32
4,4,True,5,\\.\C:\$AttrDef,[\\.\C:\$AttrDef],$AttrDef,2560,1,False,2023-01-11T06:03:41.7872891Z,...,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,2023-01-11T06:03:41.7872891Z,False,False,False,False,[$AttrDef],DOS+Win32


In [155]:
df_mft[df_mft["FileName"].str.contains("nmap")]

Unnamed: 0,EntryNumber,InUse,ParentEntryNumber,OSPath,_Links,FileName,FileSize,ReferenceCount,IsDir,Created0x10,...,LastRecordChange0x10,LastRecordChange0x30,LastAccess0x10,LastAccess0x30,HasADS,SI_Lt_FN,uSecZeros,Copied,FileNames,FileNameTypes
13830,13837,True,6435,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a,[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a],amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a,0,2,True,2021-05-08T08:14:59.6429489Z,...,2023-01-11T06:10:18.1776301Z,2023-01-11T06:03:47.8504885Z,2021-05-08T08:14:59.6429489Z,2023-01-11T06:03:47.8504885Z,False,True,False,False,"[AM3238~1.1_N, amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a]","DOS,Win32"
29624,29633,True,6435,\\.\C:\Windows\WinSxS\wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215,[\\.\C:\Windows\WinSxS\wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215],wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215,0,2,True,2021-05-08T08:15:16.2529591Z,...,2023-01-11T06:10:20.4243717Z,2023-01-11T06:03:51.5946879Z,2021-05-08T08:15:16.2529591Z,2023-01-11T06:03:51.5946879Z,False,True,False,False,"[WOC139~1.1_N, wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215]","DOS,Win32"
52597,54928,True,13837,\\.\C:\Windows\WinSxS\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a\panmap.dll,"[\\.\C:\Windows\WinSxS\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a\panmap.dll, \\.\C:\Windows\System32\panmap.dll]",panmap.dll,32768,2,False,2021-05-08T08:14:58.3773014Z,...,2023-01-11T06:06:14.1979038Z,2023-01-11T06:05:58.2921376Z,2021-05-08T08:14:58.3773014Z,2023-01-11T06:05:58.2921376Z,False,True,False,False,"[panmap.dll, panmap.dll]","DOS+Win32,POSIX"
66030,68397,True,6042,\\.\C:\Windows\SysWOW64\panmap.dll,"[\\.\C:\Windows\SysWOW64\panmap.dll, \\.\C:\Windows\WinSxS\wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215\panmap.dll]",panmap.dll,12800,2,False,2021-05-08T08:15:15.3154378Z,...,2023-01-11T06:08:01.0116981Z,2023-01-11T06:07:42.9416612Z,2021-05-08T08:15:15.3154378Z,2023-01-11T06:07:42.9416612Z,False,True,False,False,"[panmap.dll, panmap.dll]","POSIX,DOS+Win32"
94127,96494,True,19410,\\.\C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a.manifest,[\\.\C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a.manifest],amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a.manifest,461,2,False,2021-05-08T08:10:29.2471227Z,...,2023-01-11T06:09:48.4385836Z,2023-01-11T06:09:47.6643773Z,2021-05-08T08:10:28.1846321Z,2023-01-11T06:09:47.6643773Z,False,True,False,True,"[AM10D4~2.MAN, amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a.manifest]","DOS,Win32"
103159,105527,True,19410,\\.\C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215.manifest,[\\.\C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215.manifest],wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215.manifest,463,2,False,2021-05-08T08:11:14.2166493Z,...,2023-01-11T06:09:55.0136056Z,2023-01-11T06:09:54.487284Z,2021-05-08T08:11:12.4354272Z,2023-01-11T06:09:54.487284Z,False,True,False,True,"[WO6594~1.MAN, wow64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_fd1ffc121c8c8215.manifest]","DOS,Win32"
121682,124067,True,123977,\\.\C:\Program Files (x86)\Nmap\nmap-mac-prefixes,[\\.\C:\Program Files (x86)\Nmap\nmap-mac-prefixes],nmap-mac-prefixes,824437,2,False,2022-09-01T22:24:06Z,...,2023-04-29T21:39:33.7569566Z,2023-04-29T21:39:33.725088Z,2023-04-29T21:39:33.7569566Z,2023-04-29T21:39:33.725088Z,False,True,True,False,"[NMAP-M~1, nmap-mac-prefixes]","DOS,Win32"
121683,124068,True,123977,\\.\C:\Program Files (x86)\Nmap\nmap-os-db,[\\.\C:\Program Files (x86)\Nmap\nmap-os-db],nmap-os-db,5032815,2,False,2022-09-01T22:24:06Z,...,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.7569566Z,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.7569566Z,False,True,True,False,"[NMAP-O~1, nmap-os-db]","DOS,Win32"
121684,124069,True,123977,\\.\C:\Program Files (x86)\Nmap\nmap-payloads,[\\.\C:\Program Files (x86)\Nmap\nmap-payloads],nmap-payloads,21165,2,False,2022-09-01T22:24:06Z,...,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.8728847Z,False,True,True,False,"[NMAP-P~1, nmap-payloads]","DOS,Win32"
121685,124070,True,123977,\\.\C:\Program Files (x86)\Nmap\nmap-protocols,[\\.\C:\Program Files (x86)\Nmap\nmap-protocols],nmap-protocols,6845,2,False,2022-09-01T22:24:06Z,...,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.8728847Z,2023-04-29T21:39:33.8728847Z,False,True,True,False,"[NMAP-P~2, nmap-protocols]","DOS,Win32"
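The `str.contains("nmap")` filter above also returns the six `panmap` entries from WinSxS, and the `Created0x10` value (2022-09-01, zeroed sub-seconds) on the real hits is what the installer wrote into `$STANDARD_INFORMATION`, not when the files landed on this host. The following added example (not part of the notebook; it uses a constructed six-row sample copied from the MFT rows above, with only the columns it needs) restricts the match to a path component that starts with `nmap` and summarises the `$FILE_NAME` record-change times, which user-mode file-time APIs cannot set, to get an on-disk write window for the install. The `Created0x30` and `LastModified` columns are elided by the `...` in the output above, so the example relies on `LastRecordChange0x30` only.

```python
import re

import pandas as pd

# Constructed sample (not the notebook's data): trimmed copies of six of the MFT rows printed above,
# two panmap.dll false positives and four files under C:\Program Files (x86)\Nmap. Column names are
# those of the Windows.NTFS.MFT artifact as shown in the notebook.
_MFT_ROWS = [
    # OSPath, FileName, Created0x10, LastRecordChange0x30, SI_Lt_FN, uSecZeros
    (r"\\.\C:\Windows\WinSxS\amd64_microsoft-windows-panmap_31bf3856ad364e35_10.0.20348.1_none_f2cb51bfe82bc01a\panmap.dll",
     "panmap.dll", "2021-05-08T08:14:58.3773014Z", "2023-01-11T06:05:58.2921376Z", True, False),
    (r"\\.\C:\Windows\SysWOW64\panmap.dll",
     "panmap.dll", "2021-05-08T08:15:15.3154378Z", "2023-01-11T06:07:42.9416612Z", True, False),
    (r"\\.\C:\Program Files (x86)\Nmap\nmap-mac-prefixes",
     "nmap-mac-prefixes", "2022-09-01T22:24:06Z", "2023-04-29T21:39:33.725088Z", True, True),
    (r"\\.\C:\Program Files (x86)\Nmap\nmap-os-db",
     "nmap-os-db", "2022-09-01T22:24:06Z", "2023-04-29T21:39:33.7569566Z", True, True),
    (r"\\.\C:\Program Files (x86)\Nmap\nmap-payloads",
     "nmap-payloads", "2022-09-01T22:24:06Z", "2023-04-29T21:39:33.8728847Z", True, True),
    (r"\\.\C:\Program Files (x86)\Nmap\nmap-protocols",
     "nmap-protocols", "2022-09-01T22:24:06Z", "2023-04-29T21:39:33.8728847Z", True, True),
]
sample_mft = pd.DataFrame(
    _MFT_ROWS,
    columns=["OSPath", "FileName", "Created0x10", "LastRecordChange0x30", "SI_Lt_FN", "uSecZeros"],
)

# "nmap" only where a path component begins with it: "\Nmap\" and "\nmap-os-db" match,
# "...-panmap_..." and "panmap.dll" do not.
NMAP_COMPONENT = re.compile(r"(?:^|[\\/])nmap", re.IGNORECASE)


def find_nmap_entries(df: pd.DataFrame) -> pd.DataFrame:
    """Rows whose OSPath has a component starting with 'nmap' (case-insensitive)."""
    mask = df["OSPath"].str.contains(NMAP_COMPONENT, regex=True, na=False)
    return df[mask].copy()


def nmap_install_window(df: pd.DataFrame) -> dict:
    """Summarise when the matched files were written on this volume.

    Created0x10 ($STANDARD_INFORMATION) carries whatever the installer set, here a 2022 date
    with zeroed sub-seconds (uSecZeros). LastRecordChange0x30 ($FILE_NAME) is updated by the
    kernel when that attribute is written (creation, rename) and is not reachable through the
    normal file-time APIs, so it reflects when the record was actually created here. SI_Lt_FN
    flags rows whose SI creation time precedes the FN time, a pattern installers that preserve
    source timestamps share with timestomping, which is why the FN side is read as well.
    """
    hits = find_nmap_entries(df)
    fn_change = hits["LastRecordChange0x30"].map(pd.Timestamp)
    return {
        "files": sorted(hits["FileName"]),
        "written_first": fn_change.min(),
        "written_last": fn_change.max(),
        "si_before_fn": int(hits["SI_Lt_FN"].sum()),
        "usec_zeros": int(hits["uSecZeros"].sum()),
    }


if __name__ == "__main__":
    print(find_nmap_entries(sample_mft)[["OSPath", "Created0x10", "LastRecordChange0x30"]].to_string())
    print(nmap_install_window(sample_mft))
```

On the real `df_mft` the same two calls give the full file list under the Nmap directory and a write window a few hundred milliseconds wide on 2023-04-29 around 21:39:33 UTC, which sits between the LNK `SourceCreated` times for the share browsing (21:36 to 21:49) and is the value to carry into the timeline in place of the 2022 SI creation date.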


In [86]:
qry_prov.velociraptor.Windows_Network_ArpCache()


Unnamed: 0,AddressFamily,Store,State,InterfaceIndex,LocalAddress,HardwareAddr,RemoteAddress,InterfaceAlias,RemoteMACAddress
0,IPv6,Active,Permanent,7,fe80::654f:3f85:dd69:94d8,06:a4:97:55:92:51,ff02::1:ff69:94d8,Ethernet,33-33-FF-69-94-D8
1,IPv6,Active,Permanent,7,172.16.50.20,06:a4:97:55:92:51,ff02::1:ff69:94d8,Ethernet,33-33-FF-69-94-D8
2,IPv6,Active,Permanent,7,fe80::654f:3f85:dd69:94d8,06:a4:97:55:92:51,ff02::1:3,Ethernet,33-33-00-01-00-03
3,IPv6,Active,Permanent,7,172.16.50.20,06:a4:97:55:92:51,ff02::1:3,Ethernet,33-33-00-01-00-03
4,IPv6,Active,Permanent,7,fe80::654f:3f85:dd69:94d8,06:a4:97:55:92:51,ff02::1:2,Ethernet,33-33-00-01-00-02
5,IPv6,Active,Permanent,7,172.16.50.20,06:a4:97:55:92:51,ff02::1:2,Ethernet,33-33-00-01-00-02
6,IPv6,Active,Permanent,7,fe80::654f:3f85:dd69:94d8,06:a4:97:55:92:51,ff02::fb,Ethernet,33-33-00-00-00-FB
7,IPv6,Active,Permanent,7,172.16.50.20,06:a4:97:55:92:51,ff02::fb,Ethernet,33-33-00-00-00-FB
8,IPv6,Active,Permanent,7,fe80::654f:3f85:dd69:94d8,06:a4:97:55:92:51,ff02::16,Ethernet,33-33-00-00-00-16
9,IPv6,Active,Permanent,7,172.16.50.20,06:a4:97:55:92:51,ff02::16,Ethernet,33-33-00-00-00-16


In [87]:
qry_prov.velociraptor.Windows_Network_InterfaceAddresses()


Unnamed: 0,Index,MTU,Name,HardwareAddr,Flags,IP,Mask
0,7,1500,Ethernet,06:a4:97:55:92:51,19,fe80::654f:3f85:dd69:94d8,ffffffffffffffff0000000000000000
1,7,1500,Ethernet,06:a4:97:55:92:51,19,172.16.50.20,ffffff00
2,1,-1,Loopback Pseudo-Interface 1,,21,::1,ffffffffffffffffffffffffffffffff
3,1,-1,Loopback Pseudo-Interface 1,,21,127.0.0.1,ff000000


In [88]:
qry_prov.velociraptor.Windows_Network_ListeningPorts()


Unnamed: 0,Pid,Name,Port,Protocol,Family,Address
0,872,svchost.exe,135,TCP,IPv4,0.0.0.0
1,4,System,139,TCP,IPv4,172.16.50.20
2,348,svchost.exe,3389,TCP,IPv4,0.0.0.0
3,652,lsass.exe,49664,TCP,IPv4,0.0.0.0
4,504,wininit.exe,49665,TCP,IPv4,0.0.0.0
5,1180,svchost.exe,49666,TCP,IPv4,0.0.0.0
6,1640,svchost.exe,49667,TCP,IPv4,0.0.0.0
7,1204,svchost.exe,49668,TCP,IPv4,0.0.0.0
8,652,lsass.exe,49671,TCP,IPv4,0.0.0.0
9,2312,spoolsv.exe,49690,TCP,IPv4,0.0.0.0


In [89]:
# From netstat: one established RDP session, 172.16.10.93:55540 -> 172.16.50.20:3389, owned by
# svchost.exe pid 348 (the same svchost that holds the 3389 listener). Its connection timestamp
# (01:09:31Z) is a few seconds before MAGNUMTEMPUS\Administrator's ProfileLoadTime (01:09:35Z)
# in Windows.Sys.Users below, so confirm whether this is the responder's own session before
# treating it as attacker activity. No other unexpected connection at collection time.
qry_prov.velociraptor.Windows_Network_Netstat()


Unnamed: 0,Pid,Name,Family,Type,Status,Laddr.IP,Laddr.Port,Raddr.IP,Raddr.Port,Timestamp
0,872,svchost.exe,IPv4,TCP,LISTEN,0.0.0.0,135,0.0.0.0,0,2023-06-19 01:08:19+00:00
1,4,System,IPv4,TCP,LISTEN,172.16.50.20,139,0.0.0.0,0,2023-06-19 01:08:21+00:00
2,348,svchost.exe,IPv4,TCP,LISTEN,0.0.0.0,3389,0.0.0.0,0,2023-06-19 01:08:21+00:00
3,348,svchost.exe,IPv4,TCP,ESTAB,172.16.50.20,3389,172.16.10.93,55540,2023-06-19 01:09:31+00:00
4,652,lsass.exe,IPv4,TCP,LISTEN,0.0.0.0,49664,0.0.0.0,0,2023-06-19 01:08:19+00:00
5,504,wininit.exe,IPv4,TCP,LISTEN,0.0.0.0,49665,0.0.0.0,0,2023-06-19 01:08:19+00:00
6,1180,svchost.exe,IPv4,TCP,LISTEN,0.0.0.0,49666,0.0.0.0,0,2023-06-19 01:08:20+00:00
7,1640,svchost.exe,IPv4,TCP,LISTEN,0.0.0.0,49667,0.0.0.0,0,2023-06-19 01:08:21+00:00
8,1204,svchost.exe,IPv4,TCP,LISTEN,0.0.0.0,49668,0.0.0.0,0,2023-06-19 01:08:21+00:00
9,652,lsass.exe,IPv4,TCP,LISTEN,0.0.0.0,49671,0.0.0.0,0,2023-06-19 01:08:21+00:00


In [121]:
df_netstat_enriched = qry_prov.velociraptor.Windows_Network_NetstatEnriched_2FNetstat()

In [122]:
df_netstat_enriched.shape

(59, 16)

In [123]:
df_netstat_enriched.head(1)

Unnamed: 0,Pid,Ppid,Name,Path,CommandLine,Hash,Username,Authenticode,Family,Type,Status,Laddr.IP,Laddr.Port,Raddr.IP,Raddr.Port,Timestamp
0,872,640,svchost.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k RPCSS -p,"{'MD5': 'dc32aba4669eafb22fcacd5ec836a107', 'SHA1': 'da7a6e7798d448cd593b11735e2b614ec2b75b29', 'SHA256': '31780ff2aaf7bc71f755ba0e4fef1d61b060d1d2741eafb33cbab44d889595a0'}",NT AUTHORITY\NETWORK SERVICE,"{'Filename': 'C:\Windows\System32\svchost.exe', 'ProgramName': 'Microsoft Windows', 'PublisherLink': None, 'MoreInfoLink': 'http://www.microsoft.com/windows', 'SerialNumber': '33000002f49e469c54137b85e00000000002f4', 'IssuerName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011', 'SubjectName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher', 'Timestamp': None, 'Trusted': 'trusted', '_ExtraInfo': None}",IPv4,TCP,LISTEN,0.0.0.0,135,0.0.0.0,0,2023-06-19 01:08:19+00:00
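
Added example (not part of the original notebook, nor msticpy or Velociraptor code): a triage pass over NetstatEnriched rows that keeps only established connections, labels direction and service, and flags peers outside the trusted ranges, binaries that are not trusted-signed or that live outside the Windows/Program Files trees, and inbound remote-admin channels such as the RDP session above. Rows are plain dicts in the shape `df_netstat_enriched.to_dict("records")` produces. The sample data is constructed here: three rows copy the collection above (the Username and Authenticode of pid 348 are assumed), and the ncat.exe row is synthetic, added only to exercise the flags; it was not observed on iot-eng-wkst. The direction rule and the port table are my assumptions, not Velociraptor fields.

```python
import ipaddress

# Constructed rows in the shape of Windows.Network.NetstatEnriched/Netstat
# (df_netstat_enriched.to_dict("records")). The first three copy the collection
# above (Username/Authenticode for pid 348 assumed); the ncat.exe row is synthetic,
# NOT observed on iot-eng-wkst, and only exists to exercise the flags.
SAMPLE_ROWS = [
    {"Pid": 872, "Name": "svchost.exe", "Path": r"C:\Windows\System32\svchost.exe",
     "Username": r"NT AUTHORITY\NETWORK SERVICE", "Authenticode": {"Trusted": "trusted"},
     "Status": "LISTEN", "Laddr.IP": "0.0.0.0", "Laddr.Port": 135,
     "Raddr.IP": "0.0.0.0", "Raddr.Port": 0, "Timestamp": "2023-06-19 01:08:19+00:00"},
    {"Pid": 348, "Name": "svchost.exe", "Path": r"C:\Windows\System32\svchost.exe",
     "Username": r"NT AUTHORITY\NETWORK SERVICE", "Authenticode": {"Trusted": "trusted"},
     "Status": "LISTEN", "Laddr.IP": "0.0.0.0", "Laddr.Port": 3389,
     "Raddr.IP": "0.0.0.0", "Raddr.Port": 0, "Timestamp": "2023-06-19 01:08:21+00:00"},
    {"Pid": 348, "Name": "svchost.exe", "Path": r"C:\Windows\System32\svchost.exe",
     "Username": r"NT AUTHORITY\NETWORK SERVICE", "Authenticode": {"Trusted": "trusted"},
     "Status": "ESTAB", "Laddr.IP": "172.16.50.20", "Laddr.Port": 3389,
     "Raddr.IP": "172.16.10.93", "Raddr.Port": 55540, "Timestamp": "2023-06-19 01:09:31+00:00"},
    {"Pid": 4242, "Name": "ncat.exe", "Path": r"C:\Program Files (x86)\Nmap\ncat.exe",
     "Username": r"MAGNUMTEMPUS\seth.morgan", "Authenticode": {"Trusted": "unsigned"},
     "Status": "ESTAB", "Laddr.IP": "172.16.50.20", "Laddr.Port": 49812,
     "Raddr.IP": "203.0.113.10", "Raddr.Port": 4444, "Timestamp": "2023-06-19 01:09:40+00:00"},
]

# Assumed port table (not a Velociraptor field) and the trees where OS/vendor code lives.
SERVICE_PORTS = {22: "SSH", 135: "RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP",
                 5985: "WinRM", 5986: "WinRM/TLS"}
REMOTE_ADMIN = {"RDP", "WinRM", "WinRM/TLS", "SMB"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def triage_connections(rows, trusted_nets):
    """One finding per ESTAB connection, with the reasons it deserves a look.

    trusted_nets: CIDR strings where a peer is expected (e.g. the corporate 172.16.0.0/12).
    Peers elsewhere, binaries that are not trusted-signed or sit outside SYSTEM_DIRS,
    and inbound remote-admin channels are flagged.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for r in rows:
        if r.get("Status") != "ESTAB":
            continue
        lport, rport = int(r["Laddr.Port"]), int(r["Raddr.Port"])
        remote = ipaddress.ip_address(r["Raddr.IP"])
        # Direction heuristic: a well-known local service port, or a local port lower
        # than the remote ephemeral one, means the peer connected to us.
        inbound = lport in SERVICE_PORTS or lport < rport
        service = SERVICE_PORTS.get(lport if inbound else rport, "other")
        flags = []
        if not any(remote in n for n in nets):
            flags.append("peer outside trusted ranges")
        path = (r.get("Path") or "").lower()
        if path and not path.startswith(SYSTEM_DIRS):
            flags.append("binary outside system directories")
        if (r.get("Authenticode") or {}).get("Trusted") != "trusted":
            flags.append("binary not trusted-signed")
        if inbound and service in REMOTE_ADMIN:
            flags.append(f"inbound remote-admin service {service}")
        findings.append({
            "pid": r["Pid"], "process": r["Name"], "user": r.get("Username"),
            "direction": "inbound" if inbound else "outbound", "service": service,
            "local": f'{r["Laddr.IP"]}:{lport}', "remote": f'{r["Raddr.IP"]}:{rport}',
            "timestamp": r.get("Timestamp"), "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for f in triage_connections(SAMPLE_ROWS, ["172.16.0.0/12"]):
        print(f["direction"], f["service"], f["local"], "<->", f["remote"],
              f["process"], f["user"], f["flags"])
```

On the live data call `triage_connections(df_netstat_enriched.to_dict("records"), ["172.16.0.0/12"])`. With that range the RDP row above produces a single flag, the inbound remote-admin note, which is exactly the prompt to check it against the MAGNUMTEMPUS\Administrator profile load time in Windows.Sys.Users before calling it hostile.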


In [91]:
qry_prov.velociraptor.Windows_Registry_EnabledMacro()


In [92]:
# Only 3 real accounts (the rest are the well-known SYSTEM / LOCAL SERVICE / NETWORK SERVICE SIDs):
#   local Administrator          S-1-5-21-709932091-4166497167-3385689324-500   C:\Users\Administrator
#   MAGNUMTEMPUS\Administrator   S-1-5-21-2369732838-3797832421-459094119-500   C:\Users\Administrator.MAGNUMTEMPUS
#   MAGNUMTEMPUS\seth.morgan     S-1-5-21-2369732838-3797832421-459094119-1170  C:\Users\seth.morgan
# seth.morgan (loaded 2023-04-29T21:35:27Z) and the local Administrator (loaded 18:47:17Z) share the
# same ProfileUnloadTime, 2023-04-29T22:34:43Z, consistent with a shutdown/reboot rather than two
# separate logoffs. MAGNUMTEMPUS\Administrator was loaded at 2023-06-19T01:09:35Z, i.e. during this
# collection and right after the RDP session seen in netstat.
qry_prov.velociraptor.Windows_Sys_Users()


Unnamed: 0,Uid,Gid,Name,Description,Directory,UUID,Mtime,HomedirMtime,Data
0,18,,SYSTEM,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18,%systemroot%\system32\config\systemprofile,S-1-5-18,2021-05-08T08:24:18.988647Z,2021-05-08T08:20:24.3752514Z,"{'ProfileLoadTime': None, 'ProfileUnloadTime': None}"
1,19,,LOCAL SERVICE,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19,%systemroot%\ServiceProfiles\LocalService,S-1-5-19,2021-05-08T08:24:18.988647Z,2021-08-19T13:31:46.3058657Z,"{'ProfileLoadTime': None, 'ProfileUnloadTime': None}"
2,20,,NETWORK SERVICE,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20,%systemroot%\ServiceProfiles\NetworkService,S-1-5-20,2021-05-08T08:24:18.988647Z,2021-08-19T13:31:43.2277311Z,"{'ProfileLoadTime': None, 'ProfileUnloadTime': None}"
3,1170,,seth.morgan,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2369732838-3797832421-459094119-1170,C:\Users\seth.morgan,S-1-5-21-2369732838-3797832421-459094119-1170,2023-04-29T22:34:43.4527231Z,2023-04-29T21:29:21.2334698Z,"{'ProfileLoadTime': '2023-04-29T21:35:27Z', 'ProfileUnloadTime': '2023-04-29T22:34:43Z'}"
4,500,,Administrator,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2369732838-3797832421-459094119-500,C:\Users\Administrator.MAGNUMTEMPUS,S-1-5-21-2369732838-3797832421-459094119-500,2023-06-19T01:09:35.6601435Z,2023-06-19T01:10:08.2302754Z,"{'ProfileLoadTime': '2023-06-19T01:09:35Z', 'ProfileUnloadTime': None}"
5,500,,Administrator,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-709932091-4166497167-3385689324-500,C:\Users\Administrator,S-1-5-21-709932091-4166497167-3385689324-500,2023-04-29T22:34:43.3389811Z,2023-04-29T18:47:32.908044Z,"{'ProfileLoadTime': '2023-04-29T18:47:17Z', 'ProfileUnloadTime': '2023-04-29T22:34:43Z'}"
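
Added example, not from the original notebook or from Velociraptor: classify the Windows.Sys.Users rows by SID (well-known, domain, local), expose RID and the profile load/unload window, and answer two questions the table raises: which profiles were loaded at a given instant (for example when the RDP session was established) and which profiles were unloaded at the same second. Rows are dicts shaped like `qry_prov.velociraptor.Windows_Sys_Users().to_dict("records")`; the sample rows are copied from the table above. The domain inference is my heuristic (the `Administrator.MAGNUMTEMPUS` folder suffix Windows adds when a domain profile collides with a local one of the same name); pass `domain_authority=` when the domain SID is known.

```python
import ntpath
import re
from datetime import datetime, timezone

# Constructed rows in the shape of Windows.Sys.Users (df.to_dict("records")), copied
# from the table above; only the fields read below are kept.
SAMPLE_ROWS = [
    {"Name": "SYSTEM", "UUID": "S-1-5-18",
     "Directory": r"%systemroot%\system32\config\systemprofile",
     "Data": {"ProfileLoadTime": None, "ProfileUnloadTime": None}},
    {"Name": "seth.morgan", "UUID": "S-1-5-21-2369732838-3797832421-459094119-1170",
     "Directory": r"C:\Users\seth.morgan",
     "Data": {"ProfileLoadTime": "2023-04-29T21:35:27Z", "ProfileUnloadTime": "2023-04-29T22:34:43Z"}},
    {"Name": "Administrator", "UUID": "S-1-5-21-2369732838-3797832421-459094119-500",
     "Directory": r"C:\Users\Administrator.MAGNUMTEMPUS",
     "Data": {"ProfileLoadTime": "2023-06-19T01:09:35Z", "ProfileUnloadTime": None}},
    {"Name": "Administrator", "UUID": "S-1-5-21-709932091-4166497167-3385689324-500",
     "Directory": r"C:\Users\Administrator",
     "Data": {"ProfileLoadTime": "2023-04-29T18:47:17Z", "ProfileUnloadTime": "2023-04-29T22:34:43Z"}},
]

SID_RE = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")   # (authority, RID)


def parse_ts(value):
    """Velociraptor's 'YYYY-MM-DDTHH:MM:SSZ' strings to aware UTC datetimes; None stays None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def infer_domain(rows):
    """Heuristic (assumption): a profile folder 'C:\\Users\\<Name>.<DOMAIN>' marks a domain
    account whose name collided with a local one. Returns (domain_name, domain_authority)."""
    for r in rows:
        m = SID_RE.match(r["UUID"])
        base = ntpath.basename(r["Directory"])
        if m and base != r["Name"] and base.startswith(r["Name"] + "."):
            return base[len(r["Name"]) + 1:], m.group(1)
    return None, None


def classify_accounts(rows, domain_authority=None):
    """Tag each profile as well-known / domain / local and expose RID and profile window."""
    if domain_authority is None:
        _, domain_authority = infer_domain(rows)
    out = []
    for r in rows:
        sid = r["UUID"]
        m = SID_RE.match(sid)
        if not m:                      # S-1-5-18/19/20 and anything non-S-1-5-21
            scope, rid = "well-known", None
        else:
            rid = int(m.group(2))
            if domain_authority is None:
                scope = "unknown"
            else:
                scope = "domain" if m.group(1) == domain_authority else "local"
        out.append({
            "name": r["Name"], "sid": sid, "scope": scope, "rid": rid,
            "builtin_admin": rid == 500,           # RID 500 is Administrator in any authority
            "loaded": parse_ts(r["Data"].get("ProfileLoadTime")),
            "unloaded": parse_ts(r["Data"].get("ProfileUnloadTime")),
        })
    return out


def loaded_at(accounts, when):
    """(scope, name) of profiles loaded at `when`; unloaded=None means still loaded."""
    hits = [(a["scope"], a["name"]) for a in accounts
            if a["loaded"] and a["loaded"] <= when
            and (a["unloaded"] is None or when <= a["unloaded"])]
    return sorted(hits)


def shared_unload_times(accounts):
    """Profiles unloaded at the identical second, which is what a shutdown or reboot
    produces; independent interactive logoffs rarely line up like this."""
    by_time = {}
    for a in accounts:
        if a["unloaded"]:
            by_time.setdefault(a["unloaded"], []).append(a["name"])
    return {t: sorted(names) for t, names in by_time.items() if len(names) > 1}


if __name__ == "__main__":
    accts = classify_accounts(SAMPLE_ROWS)
    for a in accts:
        print(a["scope"], a["name"], a["rid"], a["loaded"], a["unloaded"])
    print(loaded_at(accts, parse_ts("2023-06-19T01:09:35Z")))
    print(shared_unload_times(accts))
```

`loaded_at(accts, parse_ts("2023-06-19T01:09:31Z"))` (the netstat timestamp of the RDP session) returns nothing, and four seconds later returns only the domain Administrator, which is the ordering to expect if that RDP logon is what created the profile load.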


In [125]:
df_autoruns = qry_prov.velociraptor.Windows_Sysinternals_Autoruns()

In [126]:
df_autoruns.shape

(1255, 17)

In [128]:
df_autoruns.head(5)

Unnamed: 0,Time,Entry Location,Entry,Enabled,Category,Profile,Description,Company,Image Path,Version,Launch String,MD5,SHA-1,PESHA-1,PESHA-256,SHA-256,IMP
0,20230619-011114,HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute,,,Boot Execute,System-wide,,,,,,,,,,,
1,19780805-182541,HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute,autocheck autochk /q /v *,enabled,Boot Execute,System-wide,Auto Check Utility,Microsoft Corporation,c:\windows\system32\autochk.exe,10.0.20348.1,autocheck autochk /q /v *,60D35DCBD7F61CED00F96ACA79B5F63A,D49925DD4C7B9661B68D79F0B3BF95C9F7C5B957,945FB3755C0B7FE3EC35C623FD9A0D88333A7343,6F536C329C1CB1DE326D43218F8454028F3658974611844AB375B40DA84E9640,25ED9D247D1849B6B9B403C93C3966C180E645726D0EDC706C94F56450EB7FD2,13819FB7B1F01E2037570A1D4960A671
2,20210819-133124,HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default),,,Hijacks,System-wide,,,,,,,,,,,
3,19560508-000235,HKLM\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default),C:\Program Files\Internet Explorer\iexplore.exe,enabled,Hijacks,System-wide,Internet Explorer,Microsoft Corporation,c:\program files\internet explorer\iexplore.exe,11.0.20348.380,,9B72DCA2D2080B95EF233F30026D206D,9128B49ADBAE37D131B8D703EC9EF912E35A732A,01F4948CB9923BD7A32CCC3DBB3F2DD76153EDD7,035F02B0114A55A70ADB71B1A333679406F7C16A7442A9292EE3BF1EAC912826,5FDFC590B1F84FBC06FDA7BCF15B43D202E543CEB3664E176CBA98D3B87FFB89,7534C642BDCB1528E25E71D0CE72D8BB
4,20230619-011513,HKLM\System\CurrentControlSet\Services,,,Services,System-wide,,,,,,,,,,,


In [94]:
qry_prov.velociraptor.Windows_System_Amcache_2FFile()


In [130]:
df_amcache_inv = (
    qry_prov.velociraptor.Windows_System_Amcache_2FInventoryApplicationFile()
)

In [131]:
df_amcache_inv.shape

(161, 11)

In [132]:
df_amcache_inv.head()

Unnamed: 0,FileId,Key,Hive,LastModified,Binary,Name,Size,ProductName,Publisher,Version,BinFileVersion
0,0000d2246473a4a77b764fe6e022073a7c94fee15f5e,\Root\InventoryApplicationFile\aggregatorhost.e|2f15385328865347,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\windows\system32\aggregatorhost.exe,AggregatorHost.exe,221184,,,,
1,00004d88361dab8afe4f55cce4d92a5afa570415d8af,\Root\InventoryApplicationFile\amazon-ssm-agent|230d2c5c9111aae8,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files\amazon\ssm\amazon-ssm-agent.exe,amazon-ssm-agent.exe,12053192,,,,
2,0000fe27e8af7fa23a1df24a4efc60727713ebe721cc,\Root\InventoryApplicationFile\amazonssmagentse|b40e927f0766f7b6,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\programdata\package cache\{a03aa3d3-9def-49cc-b485-98af979363d5}\amazonssmagentsetup.exe,AmazonSSMAgentSetup.exe,587968,amazon ssm agent,amazon web services,3.1.1856.0,3.1.1856.0
3,00001990733b217298b0c4a1c4aebed80613ca675fa7,\Root\InventoryApplicationFile\aws-cfn-bootstra|83c0e351c3872ddc,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\programdata\package cache\{74bc3bd9-5872-4bcd-9f39-ca47be15b4ad}\aws-cfn-bootstrap-bundle.exe,aws-cfn-bootstrap-bundle.exe,574079,aws-cfn-bootstrap,amazon web services,2.0.19,2.0.19.0
4,000065263d34d9e7e6cc95df30a98c8edbdd4aa5e630,\Root\InventoryApplicationFile\aws.cloudwatch.e|834f84d45122d238,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files\amazon\ssm\plugins\awscloudwatch\aws.cloudwatch.exe,AWS.CloudWatch.exe,18432,,"amazon web services, inc.",4.9.9,4.9.9.0


In [143]:
# The whole nmap 7.93 tree (nmap.exe, ncat.exe, nping.exe, ndiff.exe, zenmap.exe, Uninstall.exe,
# publisher insecure.org) plus the installer itself in C:\Users\seth.morgan\Downloads\nmap-7.93-setup.exe.
# Caveat: LastModified here is the Amcache registry key write time; every row carries the same value
# (2023-06-19T01:11:06Z, i.e. when the hive was written during collection), not a first-run timestamp,
# and Windows.System.Amcache/File above shows no output here. This artifact proves presence and
# installation, not execution.
df_amcache_inv[df_amcache_inv["Binary"].str.contains("nmap", case=False, na=False)]

Unnamed: 0,FileId,Key,Hive,LastModified,Binary,Name,Size,ProductName,Publisher,Version,BinFileVersion
69,,\Root\InventoryApplicationFile\ncat.exe|ee87626eac0e966d,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files (x86)\nmap\ncat.exe,ncat.exe,327312,,,,
70,,\Root\InventoryApplicationFile\ndiff.exe|69ed2f1682772a38,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files (x86)\nmap\ndiff.exe,ndiff.exe,31376,zenmap,,7.93,7.93.0.0
72,0000ab2de49f90330cc3b305457a9a0f897f296e95f4,\Root\InventoryApplicationFile\nmap-7.93-setup.|f8918f85502c0c40,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\users\seth.morgan\downloads\nmap-7.93-setup.exe,nmap-7.93-setup.exe,29115768,nmap,insecure.org,7.93,7.93.0.0
73,,\Root\InventoryApplicationFile\nmap.exe|ca2723a4280e6400,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files (x86)\nmap\nmap.exe,nmap.exe,2615440,nmap,insecure.org,7.93,7.93.0.0
75,,\Root\InventoryApplicationFile\nping.exe|aea212f892503f7e,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files (x86)\nmap\nping.exe,nping.exe,349328,,,,
124,,\Root\InventoryApplicationFile\uninstall.exe|a4d3e1dc723a18d,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files (x86)\nmap\uninstall.exe,Uninstall.exe,93592,nmap,insecure.org,7.93,7.93.0.0
160,,\Root\InventoryApplicationFile\zenmap.exe|17e1b52ee953118e,C:\Windows\appcompat\Programs\Amcache.hve,2023-06-19T01:11:06Z,c:\program files (x86)\nmap\zenmap.exe,zenmap.exe,451736,zenmap,,7.93,7.93.0.0
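
Added example, not the notebook's or Velociraptor's own code: three checks on InventoryApplicationFile rows that make the "install confirmed, execution not" point explicit. It lists binaries sitting in user-writable paths (the installer in seth.morgan's Downloads), reconstructs what that installer left behind (matched by ProductName/Version, then widened to sibling files in the same folder, because ncat.exe and nping.exe carry no ProductName in Amcache), and reports whether LastModified carries any per-file information at all. Rows are dicts shaped like `df_amcache_inv.to_dict("records")`; the sample rows are constructed from the nmap hits above plus aggregatorhost.exe for contrast. The path list and the matching rule are my assumptions.

```python
import ntpath

# Constructed rows in the shape of Windows.System.Amcache/InventoryApplicationFile
# (df_amcache_inv.to_dict("records")), copied from the nmap hits above plus one
# Windows-owned binary for contrast; only the fields used below are kept.
SAMPLE_ROWS = [
    {"Binary": r"c:\users\seth.morgan\downloads\nmap-7.93-setup.exe", "Name": "nmap-7.93-setup.exe",
     "ProductName": "nmap", "Publisher": "insecure.org", "Version": "7.93", "LastModified": "2023-06-19T01:11:06Z"},
    {"Binary": r"c:\program files (x86)\nmap\nmap.exe", "Name": "nmap.exe",
     "ProductName": "nmap", "Publisher": "insecure.org", "Version": "7.93", "LastModified": "2023-06-19T01:11:06Z"},
    {"Binary": r"c:\program files (x86)\nmap\ncat.exe", "Name": "ncat.exe",
     "ProductName": "", "Publisher": "", "Version": "", "LastModified": "2023-06-19T01:11:06Z"},
    {"Binary": r"c:\program files (x86)\nmap\zenmap.exe", "Name": "zenmap.exe",
     "ProductName": "zenmap", "Publisher": "", "Version": "7.93", "LastModified": "2023-06-19T01:11:06Z"},
    {"Binary": r"c:\program files (x86)\nmap\uninstall.exe", "Name": "Uninstall.exe",
     "ProductName": "nmap", "Publisher": "insecure.org", "Version": "7.93", "LastModified": "2023-06-19T01:11:06Z"},
    {"Binary": r"c:\windows\system32\aggregatorhost.exe", "Name": "AggregatorHost.exe",
     "ProductName": "", "Publisher": "", "Version": "", "LastModified": "2023-06-19T01:11:06Z"},
]

# Assumed list of locations an ordinary user can write to. A binary first seen here was
# brought in by the user (download, share copy, USB), not laid down by a SYSTEM installer.
USER_WRITABLE = ("\\users\\", "\\windows\\temp\\")


def user_dropped_binaries(rows):
    """Rows whose Binary path sits in a user-writable location."""
    return [r for r in rows if any(p in r["Binary"].lower() for p in USER_WRITABLE)]


def installed_tree(rows, installer):
    """Binaries an installer left behind: rows sharing its ProductName/Version, widened to
    every other row in the same directories (helper tools such as ncat.exe have an empty
    ProductName in Amcache but live beside nmap.exe)."""
    key = (installer["ProductName"].lower(), installer["Version"])
    if not key[0]:
        return []
    product_rows = [r for r in rows if r is not installer
                    and (r["ProductName"].lower(), r["Version"]) == key]
    dirs = {ntpath.dirname(r["Binary"].lower()) for r in product_rows}
    return [r for r in rows if r is not installer
            and ntpath.dirname(r["Binary"].lower()) in dirs]


def last_modified_is_per_file(rows):
    """False when every row carries the same LastModified: the value is then the hive
    write time, not per-binary first-seen or execution evidence."""
    return len({r["LastModified"] for r in rows}) > 1


def summarize(rows):
    """Installer -> files it left behind, plus the timestamp-usefulness verdict."""
    report = {"timestamps_informative": last_modified_is_per_file(rows), "installers": {}}
    for inst in user_dropped_binaries(rows):
        report["installers"][inst["Binary"]] = sorted(r["Binary"] for r in installed_tree(rows, inst))
    return report


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_ROWS).items():
        print(k, v)
```

Run `summarize(df_amcache_inv.to_dict("records"))` on the live frame; `timestamps_informative` comes back False for this collection, which is the precise reason the amcache data cannot give an execution time for nmap, and the Prefetch or Sysmon process-creation records remain the place to look for one.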


In [96]:
qry_prov.velociraptor.Windows_System_DNSCache()


Unnamed: 0,Name,Record,RecordType,_RecordType,TTL,QueryStatus,_QueryStatus,SectionType,_SectionType
0,edgedl.me.gvt1.com,34.104.35.123,A,1,15,Success,0,Answer,1
1,_ldap._tcp.default-first-site-name._sites.forestdnszones.magnumtempus.financial,dc.magnumtempus.financial 0 100 389,SRV,33,171,Success,0,Answer,1
2,_ldap._tcp.default-first-site-name._sites.forestdnszones.magnumtempus.financial,172.16.50.100,A,1,171,Success,0,Additional,3
3,_ldap._tcp.magnumtempus.financial,dc.magnumtempus.financial 0 100 389,SRV,33,172,Success,0,Answer,1
4,_ldap._tcp.magnumtempus.financial,172.16.50.100,A,1,172,Success,0,Additional,3
5,_ldap._tcp.domaindnszones.magnumtempus.financial,dc.magnumtempus.financial 0 100 389,SRV,33,172,Success,0,Answer,1
6,_ldap._tcp.domaindnszones.magnumtempus.financial,172.16.50.100,A,1,172,Success,0,Additional,3
7,_ldap._tcp.default-first-site-name._sites.dc._msdcs.magnumtempus.financial,dc.magnumtempus.financial 0 100 389,SRV,33,312,Success,0,Answer,1
8,_ldap._tcp.default-first-site-name._sites.dc._msdcs.magnumtempus.financial,172.16.50.100,A,1,312,Success,0,Additional,3
9,ctldl.windowsupdate.com,wu-bg-shim.trafficmanager.net,CNAME,5,231,Success,0,Answer,1


In [133]:
df_pslist = qry_prov.velociraptor.Windows_System_Pslist()

In [134]:
df_pslist.shape

(109, 11)

In [135]:
df_pslist.head()

Unnamed: 0,Pid,Ppid,TokenIsElevated,Name,CommandLine,Exe,TokenInfo,Hash,Authenticode,Username,WorkingSetSize
0,4,0,False,System,,,,"{'MD5': 'd41d8cd98f00b204e9800998ecf8427e', 'SHA1': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'SHA256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'}",,,147456.0
1,96,4,False,Registry,,,,"{'MD5': 'd41d8cd98f00b204e9800998ecf8427e', 'SHA1': 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 'SHA256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'}",,NT AUTHORITY\SYSTEM,54575104.0
2,308,4,True,smss.exe,\SystemRoot\System32\smss.exe,C:\Windows\System32\smss.exe,,"{'MD5': '44962fd12f0d29b0713bb5e14653194a', 'SHA1': '3b2af5ef58ecf86abe51a730493363448b95dd0a', 'SHA256': 'd94c6656d377bb43a5cca307fc46f5de2b259e8884acedddf0b07f45425f457e'}","{'Filename': 'C:\Windows\System32\smss.exe', 'ProgramName': 'Microsoft Windows', 'PublisherLink': None, 'MoreInfoLink': 'http://www.microsoft.com/windows', 'SerialNumber': '33000002a5e1a081b7c895c0ed0000000002a5', 'IssuerName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011', 'SubjectName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher', 'Timestamp': None, 'Trusted': 'trusted', '_ExtraInfo': None}",NT AUTHORITY\SYSTEM,1290240.0
3,432,424,True,csrss.exe,"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",C:\Windows\System32\csrss.exe,,"{'MD5': 'a6c9ee45bff7c5e696b07ec41af84541', 'SHA1': '7821fb14835083bae87a66ce96b67b261bea6b2b', 'SHA256': '50cbdbce85014f1042f99d5acdaad88ff268317a605bc3700b2487edd0f2ef0e'}","{'Filename': 'C:\Windows\System32\csrss.exe', 'ProgramName': 'Microsoft Windows', 'PublisherLink': None, 'MoreInfoLink': 'http://www.microsoft.com/windows', 'SerialNumber': '33000002a5e1a081b7c895c0ed0000000002a5', 'IssuerName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011', 'SubjectName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher', 'Timestamp': None, 'Trusted': 'trusted', '_ExtraInfo': None}",NT AUTHORITY\SYSTEM,6639616.0
4,504,424,True,wininit.exe,wininit.exe,C:\Windows\System32\wininit.exe,,"{'MD5': '6ec6810c6fdae02e87d8a43db98e194d', 'SHA1': '999cdef567bb7497e6206587cf57b95ad8037c75', 'SHA256': '71dd6bfc68e6a840bc935ac08dc71618043bf705849b619d31a2b83e54670a3e'}","{'Filename': 'C:\Windows\System32\wininit.exe', 'ProgramName': 'Microsoft Windows', 'PublisherLink': None, 'MoreInfoLink': 'http://www.microsoft.com/windows', 'SerialNumber': '33000003f6f4e8b30a2be45bd00000000003f6', 'IssuerName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011', 'SubjectName': 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher', 'Timestamp': None, 'Trusted': 'trusted', '_ExtraInfo': None}",NT AUTHORITY\SYSTEM,7376896.0


In [136]:
df_services = qry_prov.velociraptor.Windows_System_Services()

In [137]:
df_services.shape

(219, 19)

In [138]:
df_services.head()

Unnamed: 0,State,Name,DisplayName,Status,Pid,ExitCode,StartMode,PathName,ServiceType,UserAccount,Created,ServiceDll,FailureCommand,FailureActions,AbsoluteExePath,HashServiceExe,CertinfoServiceExe,HashServiceDll,CertinfoServiceDll
0,Stopped,AJRouter,AllJoyn Router Service,OK,0,1077,Manual,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p,Share Process,NT AUTHORITY\LocalService,2021-08-19T13:32:39.0871257Z,C:\Windows\System32\AJRouter.dll,,"{'ResetPeriod': 86400, 'FailureAction': [{'Type': 'SC_ACTION_RESTART', 'Delay': 3}, {'Type': 'SC_ACTION_RESTART', 'Delay': 3}, {'Type': 'SC_ACTION_NONE', 'Delay': 0}]}",C:\Windows\system32\svchost.exe,,,,
1,Stopped,ALG,Application Layer Gateway Service,OK,0,1077,Manual,C:\Windows\System32\alg.exe,Own Process,NT AUTHORITY\LocalService,2021-08-19T13:32:39.0871257Z,,,"{'ResetPeriod': 900, 'FailureAction': [{'Type': 'SC_ACTION_RESTART', 'Delay': 120}, {'Type': 'SC_ACTION_RESTART', 'Delay': 300}, {'Type': 'SC_ACTION_NONE', 'Delay': 0}]}",C:\Windows\System32\alg.exe,,,,
2,Stopped,Amazon EC2Launch,Amazon EC2Launch,OK,0,0,Auto,"""C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe""",Own Process,LocalSystem,2023-01-11T04:10:57.3268843Z,,,,C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe,,,,
3,Running,AmazonSSMAgent,Amazon SSM Agent,OK,2472,0,Auto,"""C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe""",Own Process,LocalSystem,2023-04-24T17:18:25.5172819Z,,,"{'ResetPeriod': 86400, 'FailureAction': [{'Type': 'SC_ACTION_RESTART', 'Delay': 30}, {'Type': 'SC_ACTION_RESTART', 'Delay': 30}, {'Type': 'SC_ACTION_RESTART', 'Delay': 30}]}",C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe,,,,
4,Stopped,AppIDSvc,Application Identity,OK,0,1077,Manual,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p,Share Process,NT Authority\LocalService,2021-08-19T13:32:39.0871257Z,C:\Windows\System32\appidsvc.dll,,"{'ResetPeriod': 86400, 'FailureAction': [{'Type': 'SC_ACTION_RESTART', 'Delay': 120}, {'Type': 'SC_ACTION_RESTART', 'Delay': 300}, {'Type': 'SC_ACTION_NONE', 'Delay': 0}]}",C:\Windows\system32\svchost.exe,,,,


In [139]:
df_taskscheduler_analysis = (
    qry_prov.velociraptor.Windows_System_TaskScheduler_2FAnalysis()
)

In [140]:
df_taskscheduler_analysis.shape

(155, 6)

In [141]:
df_taskscheduler_analysis.head()

Unnamed: 0,FullPath,Command,Arguments,ComHandler,UserId,_XML
0,C:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask,C:\Windows\Explorer.EXE,/NoUACCheck,,MAGNUMTEMPUS\Administrator,"{'Task': {'Actions': {'AttrContext': 'Author', 'Exec': {'Arguments': '/NoUACCheck', 'Command': 'C:\\Windows\\Explorer.EXE'}}, 'Attrversion': '1.3', 'Attrxmlns': 'http://schemas.microsoft.com/windows/2004/02/mit/task', 'Principals': {'Principal': {'Attrid': 'Author', 'LogonType': 'InteractiveToken', 'RunLevel': 'LeastPrivilege', 'UserId': 'MAGNUMTEMPUS\\Administrator'}}, 'RegistrationInfo': {'Author': 'ExplorerShellUnelevated', 'URI': '\CreateExplorerShellUnelevatedTask'}, 'Settings': {'Allow..."
1,C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore{2D73E118-D2BD-477A-916E-701FE6B49FBE},"""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe""",/c,,S-1-5-18,"{'Task': {'Actions': {'AttrContext': 'Author', 'Exec': {'Arguments': '/c', 'Command': '""C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe""'}}, 'Attrversion': '1.2', 'Attrxmlns': 'http://schemas.microsoft.com/windows/2004/02/mit/task', 'Principals': {'Principal': {'Attrid': 'Author', 'RunLevel': 'HighestAvailable', 'UserId': 'S-1-5-18'}}, 'RegistrationInfo': {'Description': 'Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be ke..."
2,C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA{9497080B-5115-497E-8FDD-8CF382C268F8},"""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe""",/ua /installsource scheduler,,S-1-5-18,"{'Task': {'Actions': {'AttrContext': 'Author', 'Exec': {'Arguments': '/ua /installsource scheduler', 'Command': '""C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe""'}}, 'Attrversion': '1.2', 'Attrxmlns': 'http://schemas.microsoft.com/windows/2004/02/mit/task', 'Principals': {'Principal': {'Attrid': 'Author', 'RunLevel': 'HighestAvailable', 'UserId': 'S-1-5-18'}}, 'RegistrationInfo': {'Description': 'Keeps your Google software up to date. If this task is disabled or stopped, your Goog..."
3,C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCore,C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,/c,,S-1-5-18,"{'Task': {'Actions': {'AttrContext': 'Author', 'Exec': {'Arguments': '/c', 'Command': 'C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'}}, 'Attrversion': '1.2', 'Attrxmlns': 'http://schemas.microsoft.com/windows/2004/02/mit/task', 'Principals': {'Principal': {'Attrid': 'Author', 'RunLevel': 'HighestAvailable', 'UserId': 'S-1-5-18'}}, 'RegistrationInfo': {'Description': 'Keeps your Microsoft software up to date. If this task is disabled or stopped, your Microsoft softw..."
4,C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineUA,C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe,/ua /installsource scheduler,,S-1-5-18,"{'Task': {'Actions': {'AttrContext': 'Author', 'Exec': {'Arguments': '/ua /installsource scheduler', 'Command': 'C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'}}, 'Attrversion': '1.2', 'Attrxmlns': 'http://schemas.microsoft.com/windows/2004/02/mit/task', 'Principals': {'Principal': {'Attrid': 'Author', 'RunLevel': 'HighestAvailable', 'UserId': 'S-1-5-18'}}, 'RegistrationInfo': {'Description': 'Keeps your Microsoft software up to date. If this task is disabled or sto..."
