Velociraptor Artifact: Windows Hashes for Executable Content in Writeable Directories
It's really difficult to come up with a succinct, accurate description for this artifact!
Most malware is written to, and executed from, directories a "standard" user can write to, most often subdirectories of the user profile ("Users") and "AppData". So I wanted a specific artifact that lists all "executable" content in the common standard-user-writeable directories (Users and ProgramData) that was modified within the time frame of an investigation ("modified within the past n days"), including the SHA1 hash of each file.
As usual, I'm working toward "good enough," as opposed to "perfect." If this fits your "use case," then test thoroughly, and hopefully you'll find this helpful.
This leverages PowerShell on the "target" host. Because of the potentially large number of files listed and hashed, IF YOU HAVE POWERSHELL LOGGING ENABLED (transcription and script block logging are both off by default), you'll get very verbose transcript files and/or Microsoft-Windows-PowerShell/Operational EVTX entries, which may cause that log to roll over and lose earlier PowerShell logging you wanted to keep. Did I mention you should test this and make sure it works for you, in your specific "use case???"
To create this artifact, launch Velociraptor with the `gui` command, go to "View Artifacts," click the "+" symbol to "Add an artifact," replace the content in the "Create a new artifact" dialog with the "Windows.Hash.Executable.Files" artifact (vr-artifact-win-hash-executables), and click "Save." That's it!
You can easily customize the file extensions for your use case by editing the list: `{$_.extension -in ".exe",".bat",".yourcustomextension"}` (the `-in` comparison is case-insensitive, so `.EXE` matches `.exe`).
There is an option under "Configure Parameters" for the artifact to set "DaysSinceModified" (default: 5), or you can edit that default within the artifact itself.
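To show what the collection logic described above amounts to, here is a stand-alone PowerShell version you can run on a test box before trusting the artifact. This is an added example, not the repository's artifact code: the function name, the `-Extensions` and `-Roots` parameters, and the default extension list are this example's own assumptions; only "DaysSinceModified" (default 5) and the Users/ProgramData roots come from the description above.

```powershell
# Added example (not the Windows.Hash.Executable.Files artifact itself).
# Walks the standard-user-writeable roots, keeps files with an "executable"
# extension modified in the last N days, and emits one object per file with
# its SHA1. Function/parameter names are assumptions made for this example.
function Get-RecentExecutableContent {
    [CmdletBinding()]
    param(
        [int]$DaysSinceModified = 5,
        # Assumed default list; edit to taste, exactly as the artifact's list.
        [string[]]$Extensions = @('.exe', '.dll', '.ps1', '.bat', '.cmd',
                                  '.vbs', '.js', '.scr', '.com', '.msi'),
        # Users (covers AppData) and ProgramData, per the description above.
        [string[]]$Roots = @("$env:SystemDrive\Users", "$env:ProgramData")
    )

    $cutoff = (Get-Date).AddDays(-$DaysSinceModified)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Force includes hidden/system items (AppData is hidden);
        # SilentlyContinue skips directories the collector account cannot
        # read instead of aborting the whole walk.
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in $Extensions -and $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                # A locked file makes Get-FileHash throw; keep the row and
                # record the failure rather than silently dropping the file.
                try {
                    $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction Stop).Hash
                } catch {
                    $sha1 = "ERROR: $($_.Exception.Message)"
                }
                [PSCustomObject]@{
                    FullName      = $_.FullName
                    Extension     = $_.Extension
                    SizeBytes     = $_.Length
                    CreationUtc   = $_.CreationTimeUtc
                    LastWriteUtc  = $_.LastWriteTimeUtc
                    SHA1          = $sha1
                }
            }
    }
}

# Usage: same defaults as the artifact, newest first.
Get-RecentExecutableContent -DaysSinceModified 5 |
    Sort-Object LastWriteUtc -Descending |
    Format-Table -AutoSize
```

Two caveats a reviewer of the results should keep in mind: the window filter keys on `LastWriteTime`, which an attacker can timestomp, so treat it as a scoping heuristic rather than a guarantee; and the error rows are deliberate, because a file that cannot be hashed (locked, in use) is often the one you most want to look at.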
You can also easily change the "name:" to any other description that makes sense to you! You'll find it under "Client Artifacts" in VR.
You can easily test this by creating an "offline" collector and executing on a test system. See "workflow/details" here: Rapid-Triage-Workflow
The "offline" collector is not signed, so you may see a "Defender SmartScreen" pop-up, or it may be blocked by other mechanisms in your environment. If you have a code-signing cert, you can sign the collector to overcome this obstacle.
Output should look something like the below! I filtered out ".json" files because they are very noisy. Since the collector exe I just created shows up in the results, it appears to be working:

You can sort, filter, dedup, and compare the hashes to a "known good" list from a standard Windows image, then feed the shortened list to the VirusTotal API for free, just as an example/option: vt-api-on-a-budget
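As an added example of that post-processing step (not part of this repository), the snippet below dedups the collector output by SHA1, drops anything on a known-good list, and produces the short list of hashes worth sending to VirusTotal. The CSV rows, the hash values, the known-good list, and the function name are all constructed for illustration; the column names assume you exported the artifact's results with a `FullName` and a `SHA1` column.

```powershell
# Added example: offline triage of the artifact's results.
# Input rows and hashes below are constructed, not real collector output.
function Get-VtCandidateHashes {
    param(
        [Parameter(Mandatory)] [object[]]$Results,   # objects with FullName and SHA1
        [string[]]$KnownGood = @()                   # SHA1s from a clean reference image
    )
    # Normalise case once so the comparison below is exact regardless of source.
    $good = $KnownGood | ForEach-Object { $_.Trim().ToUpperInvariant() }

    $Results |
        Where-Object { $_.SHA1 -and $_.SHA1 -notmatch '^ERROR' } |
        Group-Object { $_.SHA1.ToUpperInvariant() } |        # one row per unique hash
        Where-Object { $_.Name -notin $good } |
        ForEach-Object {
            [PSCustomObject]@{
                SHA1  = $_.Name
                Count = $_.Count                               # how many paths share it
                Paths = ($_.Group.FullName -join '; ')         # keep every location
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample: two copies of one binary, one reference-image file,
# and one row the hasher could not read.
$sample = @'
FullName,SHA1
C:\Users\alice\AppData\Local\Temp\setup.exe,0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
C:\Users\alice\Downloads\setup.exe,0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
C:\ProgramData\Vendor\tool.exe,FFEEDDCCBBAA99887766554433221100FFEEDDCC
C:\Users\bob\AppData\Roaming\svc.dll,ERROR: The process cannot access the file
'@ | ConvertFrom-Csv

$known = @('ffeeddccbbaa99887766554433221100ffeeddcc')   # constructed "known good"

$candidates = Get-VtCandidateHashes -Results $sample -KnownGood $known
$candidates | Format-Table -AutoSize
# Expect a single candidate: 0A1B...2C3D with Count 2 and both paths listed.

# Hand these to your VT lookup of choice, one hash per line:
$candidates.SHA1 | Set-Content -Path .\vt_candidates.txt
```

Grouping before the known-good check, rather than filtering rows one by one, is what keeps the VT query count small while still telling you every path a suspicious hash landed in.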