Isaac Powell edited this page Sep 9, 2020 · 13 revisions

Frequently Asked Questions

Why are we sharing CCX Digger?

Australian government agencies have been responding to the increase in cyber incidents, including the Prime Minister’s announcement in June to raise awareness of the issue. Various advisories have been published by the Australian Cyber Security Centre (ACSC) which describe specific tactics, techniques and procedures (TTPs). Through CyberCX’s work, we recognise that a significant challenge facing organisations is often a lack of technical capability and forensic knowledge required to detect attackers on their systems.

CCX Digger has been launched to help overcome this challenge, and to help contribute to CyberCX's mission which includes protecting the communities we live in.

As a proud Australian cyber security company, we aim for CCX Digger to contribute to the improvement of Australia's national response capability, by providing a simple, powerful and free scanning tool.

How does CCX Digger work?

CCX Digger uses specific detection queries (leveraging Yara signatures) built to detect a range of known attacker activities (or Indicators of Compromise (IOCs)), encoded in the powerful Velociraptor Query Language (VQL). Scans can be performed in two ways: on an individual system using a single CCX Digger executable, or across a network by deploying Velociraptor and importing the CCX Digger artefact pack.

CCX Digger uses several VQL detection methods, including Yara scans for specific strings identifying malware. This is what we call a hunt.

For individual scans, an HTML report is produced which lists any findings and provides an explanation of what they mean, with accompanying recommendations on the next steps to take for further investigation.

Further investigation is necessary to determine if the compiled results are malicious.

The CCX Digger executable will locally collect suspicious files by copying them into a folder in the same directory as the executable. CCX Digger will not remove, modify or change your files. CCX Digger will not collect or transmit any data outside of your network, nor will it 'call home'; no network connection is required to use the tool. CCX Digger and Velociraptor are not anti-virus solutions and are not configured to remove potentially malicious files, but may detect malware used in known attacks.

Is this just a Yara / IOC scanner?

It’s both, and more.

While CCX Digger (and Velociraptor) use Yara signatures, they also provide more advanced detections through the Velociraptor Query Language (VQL). CCX Digger leverages VQL to detect malicious activities through several techniques, including Yara scans for known malware components.

How can I contribute?

The effectiveness of CCX Digger depends upon the threat intelligence it leverages to detect attacker activities. This intelligence has been kindly contributed by our clients and through CyberCX's government and industry partners. We welcome contributions of any additional threat intelligence and are pleased to credit all contributors (or not, if you prefer). Please visit this page for further information on contributing.

What do I do if I need help or support?

If you believe your network may be compromised, or you are looking for more detailed guidance on interpreting the HTML report generated by CCX Digger, please visit the Need help? page.

Who are CyberCX?

CyberCX is Australia’s leading force of cyber security professionals, with over 500 specialists across Australia, New Zealand, the UK and the USA, providing services across the following practice areas:

  • Strategy & Consulting
  • Security Testing & Assurance
  • Governance, Risk & Compliance
  • Security Integration & Engineering
  • Identity & Access Management
  • Managed Security Services
  • Digital Forensics & Incident Response
  • Education & Training

The CyberCX Digital Forensics & Incident Response teams (DFIR) help our clients to investigate and respond to a broad range of digital forensic investigations and cyber incidents every day. With the largest number of DFIR specialists across Australia, we provide an unmatched depth of technical expertise, industry experience and local resources when and where our clients need us.

For more details, visit us at www.cybercx.com.au.

What is Velociraptor?

Velociraptor is an endpoint visibility platform developed in Australia, which provides leading capabilities for distributed forensic analysis, endpoint monitoring and the surgical collection of evidence from across networks.

The foundation of Velociraptor is a unique query language named VQL which allows writing specific detection queries, known in Velociraptor as artefacts, which leverage the underlying Velociraptor functionality and can be easily distributed and shared. For more details, visit www.velocidex.com.
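As an added illustration of the Yara-based VQL detections described under "How does CCX Digger work?" and of the artefact format described above (this is not an artefact from the CCX Digger pack or from the Velociraptor project), the artefact below takes a file glob and a Yara rule as parameters and reports each file and matched string. The artefact name, glob and rule body are constructed for this example, and the glob() and yara() column names are assumed from Velociraptor's documentation.

```yaml
# Constructed example artefact; not part of CCX Digger or Velociraptor.
name: Custom.Example.YaraFileScan
description: |
  Scans every file matching SearchGlob against the Yara rule in YaraRule
  and returns one row per matched string. The rule below is a constructed
  placeholder; a real detection would carry threat-intelligence-derived
  strings and a meaningful rule name.
parameters:
  - name: SearchGlob
    description: Files to scan (forward slashes are accepted on Windows).
    default: C:/inetpub/wwwroot/**/*.aspx
  - name: YaraRule
    description: Yara rule text applied to each file.
    default: |
      rule Example_Placeholder_Indicator {
        meta:
          description = "constructed example string, not a real IOC"
        strings:
          $s1 = "EXAMPLE_SUSPICIOUS_MARKER" ascii wide nocase
        condition:
          $s1
      }
sources:
  - query: |
      -- glob() enumerates candidate files; yara() scans each one.
      -- Rule, String.Name and String.Offset are yara() output columns.
      SELECT FileName,
             Rule,
             String.Name AS MatchedString,
             String.Offset AS Offset
      FROM foreach(
        row={ SELECT FullPath FROM glob(globs=SearchGlob) },
        query={ SELECT * FROM yara(rules=YaraRule, files=FullPath) })
```

Once added through the Velociraptor artefact editor, a custom artefact like this is collected the same way as any artefact in an imported pack, and its rows feed the report in the same form.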

Will CCX Digger collect my information?

CCX Digger will not collect any information from your systems. In fact, no external connections are required. CCX Digger's key features include:

  • Full transparency through free and open source software
  • Single executable, which requires no installation and has no external dependencies
  • No registration, licenses or dongles required
  • No collection or transmission of data outside your network
  • No ‘calling home’ and no external network connections required.

How do I suggest features?

We welcome all feedback to help improve future versions. Please submit all issues and feature requests through our CCX Labs GitHub site at https://github.com/CCXLabs/CCXLabsVelociraptor.

How do I use the Wiki?

This wiki serves as a guide for interpreting the results produced by the HTML report. After conducting a scan on your system or network, a report will be generated containing any hits found. To get the most out of the report, use the wiki in the following way:

  • Each hit within the report will link to an appropriate Wiki page, which will provide guidance on how to interpret the results.
  • Investigation into each hit is highly recommended to determine if the hit is legitimate, or a false positive.
  • Each wiki page for a finding will contain general guidance for investigating each hit on your own. This will be under the "Interpreting the Results" section.

Structure

Each wiki page for a hit is structured in the following way:

  • Overview: A summary of the search.
  • Detection Approach: How the search looks for the indicator of compromise, and what contextual information may be involved.
  • Detection Artefact: The name of the specific artefact used by CCX Digger to identify the indicator.
  • Threat Intelligence Sources: The origin of information which the search was derived from.
  • Interpreting the Results: How to contextualise the results of your HTML report and any hits which may be present.
  • Investigations: General guidance on how to investigate each finding. Please note the specific finding which the HTML report returns, as there may be multiple results for each artefact. (For example, an artefact which searches for many webshells may find only one specific hit. The investigation steps for the specific result from the HTML report are the most relevant.)
  • References: Any references that may be relevant to the artefact.
  • Need Help?: What to do if you believe your system may be compromised, or need further guidance on interpreting the results.
  • Revision History: Details relevant version information for the artefact.

How do I interpret the report?
