Competition Cheat Sheet

Arkime

Operators: ==, != (not =), && (and), || (or)

• tcp.flags.syn:1 && tcp.flags.ack:0 — Quick check for nmap / port scanning
• http.uri == "*nmaplowercheck*" — Detects nmap fingerprinting
• http.user-agent == "*wpscan*" — Quick WordPress scanner (WPScan) check

Velociraptor

Custom PE Parser

name: Custom.PEwithParam.Parser
description: |
   A custom artifact to parse executable files

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

parameters:
   - name: FilePath
     
sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT parse_pe(file=FilePath)
      FROM scope()

Custom Hash Search

name: Custom.Hash.Search
description: |
   This is a custom artifact to find a file by hash

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT
type: CLIENT

parameters:
   - name: SizeofFile
     type: int
     default: 46098856
   - name: FileHash
     default: "df93462351b227368d2398f94964ede6e19c694b19bc82ce9908ea8754beb5ce"

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows' 
      
    query: |
      SELECT *, hash(path="C:/" + FullPath) AS Hash
      FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
      WHERE FileSize = SizeofFile AND Hash.SHA256 = FileHash

Windows Hunts

• Windows.sys.users — Shows user accounts on Windows
• Windows.Applications.Chrome.History — Shows websites visited in Chrome
• Windows.Network.Netstat — Active connections, ports, status, IP
• Windows.Forensics.Prefetch — Info about exe, last run, path, filename
• Windows.System.Pslist — Running processes, hash, PID
• Windows.Forensics.SAM — Account info, password reset date
• Windows.System.Powershell.PSReadline — PowerShell command history by user
• Windows.Registry.UserAssist — Full path to directories and # times ran
• Windows.Registry.AppCompatCache — Info about executed EXEs even if logs deleted
• Windows.Detection.Amcache — Detailed info about executed applications
• Windows.Detection.BinaryHunter — Hunts through binaries; customizable
• Windows.Search.FileFinder — Locates files; supports glob (* wildcard)

Windows.EventLogs.Modifications

• EvtxGlob: Glob of EventLogs to target
• dateAfter / dateBefore: Limit by time range
• IocRegex: Search message field by regex
• WhitelistRegex: Regex whitelist for message
• PathRegex: Filter on specific EVTX path
• ChannelRegex: Filter by EVTX Channel
• IdRegex: Target specific Event IDs
• SearchVSS: Enables Volume Shadow Copy search

Specialized Hunts

• Windows.Persistence.PermanentWMIEvents — Detects MITRE T1546.003 (WMI event triggers)
• Windows.EventLogs.EvtxHunter — Search log messages for IPs, users, or strings
• Use keyword trainingmalware to search event data for file-related info
• Windows.Detection.Impersonation — Detects token theft or impersonation (MITRE T1134)

Linux Hunts

• Linux.Sys.Users — Shows user accounts on Linux
• Linux.Network.Netstat — Active connections, ports, status, IP
• Linux.Sys.Pslist — Running processes, hash, PID
• Linux.Syslog.SSHLogin — Identify SSH logins
• Linux.Sys.SUID — Detect anomalies (e.g., unusual binaries in /usr/local with SUID bit)
• Linux.Users.InteractiveUsers — Accounts with valid shells
• Linux.Users.RootUsers — Accounts with UID 0 (root/superuser)