Awesome

DetectRaptor

A repository to share publicly available bulk Velociraptor detection content in an easy to consume way.

Simply take the release VQL zip and import it into Velociraptor.

This is made easy via the Velociraptor artifact exchange: Server.Import.DetectRaptor

Current artifacts include:

• Windows.Detection.Amcache
• Windows.Detection.Applications
• Windows.Detection.BinaryRename
• Windows.Detection.Bootloaders
• Windows.Detection.Evtx
• Windows.Detection.HijackLibsEnv
• Windows.Detection.HijackLibsMFT
• Windows.Detection.LolDriversMalicious
• Windows.Detection.LolDriversVulnerable
• Windows.Detection.MFT
• Windows.Detection.NamedPipes
• Windows.Detection.Powershell.ISEAutoSave
• Windows.Detection.Powershell.PSReadline
• Windows.Detection.Webhistory
• Windows.Detection.ZoneIdentifier
• Generic.Detection.WebshellYara
• Linux.Detection.YaraProcessLinux
• Windows.Detection.YaraProcessWin
• Macos.Detection.YaraProcessMacos
• Server.StartHunts

Some contributing repositories:

• https://github.com/svch0stz/velociraptor-detections
• https://www.bootloaders.io/
• https://hijacklibs.net/
• https://www.loldrivers.io/
• https://github.com/SigmaHQ/sigma
• https://yarahq.github.io/