Rule Description
This rule is designed for SLEEPER MODE deployments, where all agents are put to sleep and are only awakened in an IR scenario. It can easily be expanded upon to grab additional artifacts or even to initiate a Velociraptor acquisition.
Order of operations
- watches for an agent to send a `STARTING_UP` event (happens when coming out of sleep)
- checks that the `evidence_acquired` tag has not already been set on the sensor
- acquires all specified artifacts from the endpoint immediately
- sets the `evidence_acquired` tag so that the rule does not apply to the same system twice
Detect
```yaml
event: STARTING_UP
op: is tagged
tag: evidence_acquired
not: true
```
Respond
```yaml
- action: report
  name: Sleeper Activated - Get Evidence
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\Security.evtx'
    --days-retention 30 --type wel
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\System.evtx'
    --days-retention 30 --type wel
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\Application.evtx'
    --days-retention 30 --type wel
- action: task
  command: >-
    artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\Windows
    PowerShell.evtx' --days-retention 30 --type wel
- action: add tag
  tag: evidence_acquired
```
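To check the once-per-sensor behaviour of the rule before deploying it, here is an added offline simulator of the detect/respond logic above. It is example code, not LimaCharlie's engine or SDK: `Sensor`, `deliver` and the other names are invented for this illustration, and only the `is tagged`/`not` gate and the `report`, `task` and `add tag` actions the rule uses are modelled.

```python
"""Toy simulator for the SLEEPER MODE D&R rule (added example, not
LimaCharlie's own engine). It models the 'is tagged' + 'not' gate and
the report / task / add tag actions so the idempotence can be tested."""
from dataclasses import dataclass, field


def wel(name):
    # Command as the engine sees it after the '>-' folded scalar is parsed:
    # one line, so the space in 'Windows PowerShell.evtx' is preserved.
    return (rf"artifact_get --file 'C:\\Windows\\System32\\winevt\\logs\\{name}'"
            " --days-retention 30 --type wel")


# The rule from the page, as a parsed structure.
RULE = {
    "detect": {"event": "STARTING_UP", "op": "is tagged",
               "tag": "evidence_acquired", "not": True},
    "respond": [{"action": "report", "name": "Sleeper Activated - Get Evidence"}]
               + [{"action": "task", "command": wel(n)} for n in
                  ("Security.evtx", "System.evtx", "Application.evtx",
                   "Windows PowerShell.evtx")]
               + [{"action": "add tag", "tag": "evidence_acquired"}],
}


@dataclass
class Sensor:                      # hypothetical stand-in for a sensor record
    sid: str
    tags: set = field(default_factory=set)
    tasks: list = field(default_factory=list)    # commands sent to the endpoint
    reports: list = field(default_factory=list)  # detections raised


def detect_matches(detect, event_type, sensor):
    """Evaluate the detect block: event type filter, then the tag gate."""
    if detect["event"] != event_type:
        return False
    if detect["op"] != "is tagged":
        raise ValueError(f"unsupported op {detect['op']!r}")
    hit = detect["tag"] in sensor.tags
    return (not hit) if detect.get("not") else hit


def deliver(rule, event_type, sensor):
    """Feed one event to the rule; return True if the respond block ran."""
    if not detect_matches(rule["detect"], event_type, sensor):
        return False
    for a in rule["respond"]:
        if a["action"] == "report":
            sensor.reports.append(a["name"])
        elif a["action"] == "task":
            sensor.tasks.append(a["command"])
        elif a["action"] == "add tag":
            sensor.tags.add(a["tag"])   # closes the gate for this sensor
    return True
```

The first `STARTING_UP` from a sensor fires all four `artifact_get` tasks and sets the tag; a second wake-up from the same sensor is ignored.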