diff --git a/content/_index.md b/content/_index.md
index 40dbb026da8..6d876a1db17 100644
--- a/content/_index.md
+++ b/content/_index.md
@@ -21,6 +21,11 @@ carousel:
 ---
+{{% notice warning "CVE-2023-5950 published on 2023-11-06" %}}
+Please upgrade your servers to mitigate `CVE-2023-5950` to at least release `0.7.0-4` or `0.6.9-1`.
+
+[More details](/announcements/2023-cves/)
+{{% /notice %}}
 ## Velociraptor - Digging Deeper!
diff --git a/content/announcements/2023-cves/CVE-2023-5950.html b/content/announcements/2023-cves/CVE-2023-5950.html
new file mode 100644
index 00000000000..4477509ae0a
--- /dev/null
+++ b/content/announcements/2023-cves/CVE-2023-5950.html
@@ -0,0 +1,86 @@
+
+
+
+
+
+
+

Published on 2023-11-06

+ +
+

Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a + reflected cross site scripting vulnerability. This vulnerability + allows attackers to inject JS into the error path, potentially + leading to unauthorized execution of scripts within a user's web + browser. This vulnerability is fixed in version 0.7.0-4 and + a patch is available to download. Patches are also + available for version 0.6.9 (0.6.9-1)
+ + This issue affects the server only. +

+
+
+

Problem:

+

CWE-79 Improper Neutralization of Input During Web Page + Generation ('Cross-site Scripting') CWE-79

+
+
+

Product Status:

+ + + + + + + + + + + + + + + + +
ProductAffected
Rapid7 Velociraptorbefore 0.7.0-4
+
+
+

Credits:

+

Mathias Kujala

+
+
+

References

+
+ docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/
+
+
+

Timeline:

+ +
+
+
diff --git a/content/announcements/2023-cves/_index.md b/content/announcements/2023-cves/_index.md
index 375ce0d4fc9..07227fbe13c 100644
--- a/content/announcements/2023-cves/_index.md
+++ b/content/announcements/2023-cves/_index.md
@@ -10,20 +10,23 @@ noTitle: true
 ---
-The following CVEs were reported with the current 0.6.7 release. Both
-Vulnerabilities can result in privilege escalation from low privilege
-"investigator" Velociraptor users to "administrator" level.
+The following CVEs were reported in 2023. Please upgrade to the
+current release which is 0.7.0-4
-If you use multiple roles with your Velociraptor GUI users, we
-recommend to upgrade your server to the 0.6.7-5 release. These issues
-do not affect clients so there is no need to upgrade clients.
+## CVE-2023-5950 Rapid7 Velociraptor Reflected XSS.
+{{< include-html "CVE-2023-5950.html" >}}
+
+
## CVE-2023-2226 Velociraptor crashes while parsing some malformed PE or OLE files. {{< include-html "CVE-2023-2226.html" >}} +
+ ## CVE-2023-0242 Insufficient Permission Check In The VQL Copy() Function {{< include-html "CVE-2023-0242.html" >}} +
## CVE-2023-0290 Directory Traversal In Client Id Parameter {{< include-html "CVE-2023-0290.html" >}}
diff --git a/content/vql_reference/event/watch_evtx/_index.md b/content/vql_reference/event/watch_evtx/_index.md
index e203e827911..708f7f3ab2a 100644
--- a/content/vql_reference/event/watch_evtx/_index.md
+++ b/content/vql_reference/event/watch_evtx/_index.md
@@ -22,6 +22,7 @@ Arg | Description | Type
 filename|A list of event log files to parse.|list of OSPath (required)
 accessor|The accessor to use.|string
 messagedb|A Message database from https://github.com/Velocidex/evtx-data.|string
+workers|If specified we use this many workers to parse the file in parallel (default 1).|int64
 Required Permissions:
 FILESYSTEM_READ
diff --git a/content/vql_reference/misc/_index.md b/content/vql_reference/misc/_index.md
index a3db687ab52..087d5781240 100644
--- a/content/vql_reference/misc/_index.md
+++ b/content/vql_reference/misc/_index.md
@@ -27,6 +27,7 @@ Miscellaneous plugins not yet categorized.
 |[hunt_delete](hunt_delete)|Plugin|Delete a hunt|
 |[hunt_update](hunt_update)|Function|Update a hunt|
 |[leveldb](leveldb)|Plugin|Enumerate all items in a level db database|
+|[logging](logging)|Plugin|Watch the logs emitted by the server|
 |[logscale_upload](logscale_upload)|Plugin|Upload rows to LogScale ingestion server|
 |[lru](lru)|Function|Creates an LRU object|
 |[lzxpress_decompress](lzxpress_decompress)|Function|Decompress an lzxpress blob|
@@ -54,10 +55,13 @@ Miscellaneous plugins not yet categorized.
 |[profile_memory](profile_memory)|Plugin|Enumerates all in use memory within the runtime|
 |[pskill](pskill)|Function|Kill the specified process|
 |[query](query)|Plugin|Evaluate a VQL query|
+|[read_crypto_file](read_crypto_file)|Plugin|Read a previously stored encrypted local storage file|
 |[rekey](rekey)|Function|Causes the client to rekey and regenerate a new client ID|
 |[remap](remap)|Function|Apply a remapping configuration to the root scope|
 |[repack](repack)|Function|Repack and upload a repacked binary or MSI to the server|
 |[server_frontend_cert](server_frontend_cert)|Function|Get Server Frontend Certificate|
+|[sigma](sigma)|Plugin|Evaluate sigma rules|
+|[sigma_log_sources](sigma_log_sources)|Function|Constructs a Log sources object to be used in sigma rules|
 |[sysinfo](sysinfo)|Function|Collect system information on Linux clients|
 |[tlsh_hash](tlsh_hash)|Function|Calculate the tlsh hash of a file|
 |[trace](trace)|Function|Upload a trace file|
@@ -66,4 +70,5 @@ Miscellaneous plugins not yet categorized.
 |[user](user)|Function|Retrieves information about the Velociraptor user|
 |[user_grant](user_grant)|Function|Grants the user the specified roles|
 |[vfs_ls](vfs_ls)|Plugin|List directory and build a VFS object|
+|[write_crypto_file](write_crypto_file)|Plugin|Write a query into an encrypted local storage file|
 |[write_jsonl](write_jsonl)|Plugin|Write a query into a JSONL file|
diff --git a/content/vql_reference/misc/logging/_index.md b/content/vql_reference/misc/logging/_index.md
new file mode 100644
index 00000000000..074b28940af
--- /dev/null
+++ b/content/vql_reference/misc/logging/_index.md
@@ -0,0 +1,30 @@
+---
+title: logging
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## logging
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+component||string
+
+Required Permissions:
+READ_RESULTS
+
+### Description
+
+Watch the logs emitted by the server.
+
diff --git a/content/vql_reference/misc/read_crypto_file/_index.md b/content/vql_reference/misc/read_crypto_file/_index.md
new file mode 100644
index 00000000000..8ef546fa17d
--- /dev/null
+++ b/content/vql_reference/misc/read_crypto_file/_index.md
@@ -0,0 +1,30 @@
+---
+title: read_crypto_file
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## read_crypto_file
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+filename|Path to the file to write|OSPath (required)
+
+Required Permissions:
+FILESYSTEM_READ
+
+### Description
+
+Read a previously stored encrypted local storage file.
+
diff --git a/content/vql_reference/misc/sigma/_index.md b/content/vql_reference/misc/sigma/_index.md
new file mode 100644
index 00000000000..d1cec8658dd
--- /dev/null
+++ b/content/vql_reference/misc/sigma/_index.md
@@ -0,0 +1,32 @@
+---
+title: sigma
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## sigma
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+rules|A list of sigma rules to compile.|list of string (required)
+log_sources|A log source object as obtained from the sigma_log_sources() VQL function.|Any (required)
+field_mapping|A dict containing a mapping between a rule field name and a VQL Lambda to get the value of the field from the event.|ordereddict.Dict
+debug|If enabled we emit all match objects with description of what would match.|bool
+rule_filter|If specified we use this callback to filter the rules for inclusion.|Lambda
+default_details|If specified we use this callback to determine a details column if the sigma rule does not specify it.|Lambda
+
+### Description
+
+Evaluate sigma rules.
+
diff --git a/content/vql_reference/misc/sigma_log_sources/_index.md b/content/vql_reference/misc/sigma_log_sources/_index.md
new file mode 100644
index 00000000000..a383eb03426
--- /dev/null
+++ b/content/vql_reference/misc/sigma_log_sources/_index.md
@@ -0,0 +1,20 @@
+---
+title: sigma_log_sources
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## sigma_log_sources
+Function
+
+### Description
+
+Constructs a Log sources object to be used in sigma rules. Call with args being category/product/service and values being stored queries. You may use a * as a placeholder for any of these fields.
+
diff --git a/content/vql_reference/misc/write_crypto_file/_index.md b/content/vql_reference/misc/write_crypto_file/_index.md
new file mode 100644
index 00000000000..0a2e1279457
--- /dev/null
+++ b/content/vql_reference/misc/write_crypto_file/_index.md
@@ -0,0 +1,34 @@
+---
+title: write_crypto_file
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## write_crypto_file
+Plugin
+
+
+
+
+
+Arg | Description | Type
+----|-------------|-----
+filename|Path to the file to write|OSPath (required)
+query|query to write into the file.|StoredQuery (required)
+max_wait|How often to flush the file (default 60 sec).|uint64
+max_rows|How many rows to buffer before writing (default 1000).|uint64
+max_size|When the file grows to this size, truncate it (default 1Gb).|uint64
+
+Required Permissions:
+FILESYSTEM_WRITE
+
+### Description
+
+Write a query into an encrypted local storage file.
+
diff --git a/content/vql_reference/parsers/parse_evtx/_index.md b/content/vql_reference/parsers/parse_evtx/_index.md
index 8ce4e89d90b..3707393c397 100644
--- a/content/vql_reference/parsers/parse_evtx/_index.md
+++ b/content/vql_reference/parsers/parse_evtx/_index.md
@@ -22,6 +22,7 @@ Arg | Description | Type
 filename|A list of event log files to parse.|list of OSPath (required)
 accessor|The accessor to use.|string
 messagedb|A Message database from https://github.com/Velocidex/evtx-data.|string
+workers|If specified we use this many workers to parse the file in parallel (default 1).|int64
 Required Permissions:
 FILESYSTEM_READ
diff --git a/content/vql_reference/plugin/_index.md b/content/vql_reference/plugin/_index.md
index 01771167cd1..62e33bd971a 100644
--- a/content/vql_reference/plugin/_index.md
+++ b/content/vql_reference/plugin/_index.md
@@ -55,6 +55,7 @@ or in condition clauses (i.e. after the `WHERE` keyword).
 |[js_set](js_set)|Function|Set a variables value in the JS VM|
 |[magic](magic)|Function|Identify a file using magic rules|
 |[netcat](netcat)|Plugin|Make a tcp connection and read data from a socket|
+|[netstat](netstat)|Plugin|Collect network information|
 |[pathspec](pathspec)|Function|Create a structured path spec to pass to certain accessors|
 |[pipe](pipe)|Function|A pipe allows plugins that use files to read data from a vql|
 |[profile](profile)|Plugin|Returns a profile dump from the running process|
diff --git a/content/vql_reference/plugin/netstat/_index.md b/content/vql_reference/plugin/netstat/_index.md
new file mode 100644
index 00000000000..da79fb27f34
--- /dev/null
+++ b/content/vql_reference/plugin/netstat/_index.md
@@ -0,0 +1,23 @@
+---
+title: netstat
+index: true
+noTitle: true
+no_edit: true
+---
+
+
+
+
+
+
+## netstat
+Plugin
+
+
+Required Permissions:
+MACHINE_STATE
+
+### Description
+
+Collect network information.
+
diff --git a/content/vql_reference/plugin/profile/_index.md b/content/vql_reference/plugin/profile/_index.md
index 3656ee6b388..7bcfe637856 100644
--- a/content/vql_reference/plugin/profile/_index.md
+++ b/content/vql_reference/plugin/profile/_index.md
@@ -31,6 +31,7 @@ logs|Recent logs|bool
 queries|Recent Queries run|bool
 metrics|Collect metrics|bool
 duration|Duration of samples (default 30 sec)|int64
+type|The type of profile (this is a regex of debug output types that will be shown).|string
 Required Permissions:
 MACHINE_STATE
diff --git a/content/vql_reference/windows/_index.md b/content/vql_reference/windows/_index.md
index cf451eb6e95..79a3581a26c 100644
--- a/content/vql_reference/windows/_index.md
+++ b/content/vql_reference/windows/_index.md
@@ -20,7 +20,6 @@ APIs. The following are only available when running on Windows.
 |[interfaces](interfaces)|Plugin|List all active network interfaces using the API|
 |[lookupSID](lookupSID)|Function|Get information about the SID|
 |[modules](modules)|Plugin|Enumerate Loaded DLLs|
-|[netstat](netstat)|Plugin|Collect network information|
 |[partitions](partitions)|Plugin|List all partitions|
 |[proc_dump](proc_dump)|Plugin|Dumps process memory|
 |[proc_yara](proc_yara)|Plugin|Scan processes using yara rules|
diff --git a/static/reference/data.json b/static/reference/data.json
index 4b36d1d3ef2..4a904312036 100644
--- a/static/reference/data.json
+++ b/static/reference/data.json
@@ -2890,14 +2890,6 @@
 "permissions": "FILESYSTEM_READ"
 }
 },
- {
- "name": "sysinfo",
- "description": "Collect system information on Linux clients",
- "type": "Function",
- "metadata": {
- "permissions": "MACHINE_STATE"
- }
- },
 {
 "name": "log",
 "description": "Log the message and return TRUE.",
@@ -2928,6 +2920,20 @@
 ],
 "category": "basic"
 },
+ {
+ "name": "logging",
+ "description": "Watch the logs emitted by the server.",
+ "type": "Plugin",
+ "args": [
+ {
+ "name": "component",
+ "type": "string"
+ }
+ ],
+ "metadata": {
+ "permissions": "READ_RESULTS"
+ }
+ },
 {
 "name": "logscale_upload",
 "description": "Upload rows to LogScale ingestion server.",
@@ -3536,7 +3542,10 @@
 "name": "netstat",
 "description": "Collect network information.",
 "type": "Plugin",
- "category": "windows"
+ "category": "plugin",
+ "metadata": {
+ "permissions": "MACHINE_STATE"
+ }
 },
 {
 "name": "notebook_delete",
@@ -3905,6 +3914,11 @@
 "name": "messagedb",
 "type": "string",
 "description": "A Message database from https://github.com/Velocidex/evtx-data."
+ },
+ {
+ "name": "workers",
+ "type": "int64",
+ "description": "If specified we use this many workers to parse the file in parallel (default 1)."
 }
 ],
 "category": "parsers",
@@ -4905,6 +4919,11 @@
 "name": "duration",
 "type": "int64",
 "description": "Duration of samples (default 30 sec)"
+ },
+ {
+ "name": "type",
+ "type": "string",
+ "description": "The type of profile (this is a regex of debug output types that will be shown)."
 }
 ],
 "category": "plugin",
@@ -5081,6 +5100,22 @@
 ],
 "category": "server"
 },
+ {
+ "name": "read_crypto_file",
+ "description": "Read a previously stored encrypted local storage file.",
+ "type": "Plugin",
+ "args": [
+ {
+ "name": "filename",
+ "type": "OSPath",
+ "description": "Path to the file to write",
+ "required": true
+ }
+ ],
+ "metadata": {
+ "permissions": "FILESYSTEM_READ"
+ }
+ },
 {
 "name": "read_file",
 "description": "Read a file into a string.",
@@ -5663,6 +5698,51 @@
 "permissions": "COLLECT_SERVER"
 }
 },
+ {
+ "name": "sigma",
+ "description": "Evaluate sigma rules.",
+ "type": "Plugin",
+ "args": [
+ {
+ "name": "rules",
+ "type": "string",
+ "description": "A list of sigma rules to compile.",
+ "repeated": true,
+ "required": true
+ },
+ {
+ "name": "log_sources",
+ "type": "Any",
+ "description": "A log source object as obtained from the sigma_log_sources() VQL function.",
+ "required": true
+ },
+ {
+ "name": "field_mapping",
+ "type": "ordereddict.Dict",
+ "description": "A dict containing a mapping between a rule field name and a VQL Lambda to get the value of the field from the event."
+ },
+ {
+ "name": "debug",
+ "type": "bool",
+ "description": "If enabled we emit all match objects with description of what would match."
+ },
+ {
+ "name": "rule_filter",
+ "type": "Lambda",
+ "description": "If specified we use this callback to filter the rules for inclusion."
+ },
+ {
+ "name": "default_details",
+ "type": "Lambda",
+ "description": "If specified we use this callback to determine a details column if the sigma rule does not specify it."
+ }
+ ]
+ },
+ {
+ "name": "sigma_log_sources",
+ "description": "Constructs a Log sources object to be used in sigma rules. Call with args being category/product/service and values being stored queries. You may use a * as a placeholder for any of these fields.",
+ "type": "Function"
+ },
 {
 "name": "sleep",
 "description": "Sleep for the specified number of seconds. Always returns true.",
@@ -6158,6 +6238,14 @@
 "type": "Plugin",
 "category": "plugin"
 },
+ {
+ "name": "sysinfo",
+ "description": "Collect system information on Linux clients",
+ "type": "Function",
+ "metadata": {
+ "permissions": "MACHINE_STATE"
+ }
+ },
 {
 "name": "tempdir",
 "description": "Create a temporary directory. The directory will be removed when the query ends.",
@@ -7263,6 +7351,11 @@
 "name": "messagedb",
 "type": "string",
 "description": "A Message database from https://github.com/Velocidex/evtx-data."
+ },
+ {
+ "name": "workers",
+ "type": "int64",
+ "description": "If specified we use this many workers to parse the file in parallel (default 1)."
 }
 ],
 "category": "event",
@@ -7392,6 +7485,43 @@
 ],
 "category": "event"
 },
+ {
+ "name": "write_crypto_file",
+ "description": "Write a query into an encrypted local storage file.",
+ "type": "Plugin",
+ "args": [
+ {
+ "name": "filename",
+ "type": "OSPath",
+ "description": "Path to the file to write",
+ "required": true
+ },
+ {
+ "name": "query",
+ "type": "StoredQuery",
+ "description": "query to write into the file.",
+ "required": true
+ },
+ {
+ "name": "max_wait",
+ "type": "uint64",
+ "description": "How often to flush the file (default 60 sec)."
+ },
+ {
+ "name": "max_rows",
+ "type": "uint64",
+ "description": "How many rows to buffer before writing (default 1000)."
+ },
+ {
+ "name": "max_size",
+ "type": "uint64",
+ "description": "When the file grows to this size, truncate it (default 1Gb)."
+ }
+ ],
+ "metadata": {
+ "permissions": "FILESYSTEM_WRITE"
+ }
+ },
 {
 "name": "write_csv",
 "description": "Write a query into a CSV file.",