Skip to content

juju4/velociraptor-offline-collections

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
.codespellignore
.codespellignore
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
LICENSE
LICENSE
 
 
LinuxTriage-advanced1.yaml
LinuxTriage-advanced1.yaml
 
 
LinuxTriage-advanced2.yaml
LinuxTriage-advanced2.yaml
 
 
LinuxTriage-basic.yaml
LinuxTriage-basic.yaml
 
 
LinuxTriage-files-etc-varlog.yml
LinuxTriage-files-etc-varlog.yml
 
 
LinuxTriage-memory.yaml
LinuxTriage-memory.yaml
 
 
MacosTriage.yml
MacosTriage.yml
 
 
README.md
README.md
 
 
WinTriage-files-azuresas.yml
WinTriage-files-azuresas.yml
 
 
WinTriage-files-reg.yml
WinTriage-files-reg.yml
 
 
WinTriage-s3.yml
WinTriage-s3.yml
 
 
config.yaml
config.yaml
 
 
local_all.yaml
local_all.yaml
 
 
provision_az_storageaccount.py
provision_az_storageaccount.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Velociraptor offline collection samples

Create collector binary

To create offline collection binary from velociraptor binaries:

F:> velociraptor.exe config repack config.yaml WinTriage.exe
# OR
velociraptor.exe --config server.config.yaml -v artifacts collect
   Server.Utils.CreateCollector
   --args OS=Windows
   --args artifacts='["""Generic.System.Pstree"""]'
   --args parameters='{"""Generic.System.Pstree""":{}}'
   --args target=ZIP
   --args opt_admin=N
   --args opt_prompt=N
   --output collector.zip

or on Linux:

wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.7-1/velociraptor-v0.6.7-linux-amd64
./velociraptor-v0.6.7-linux-amd64 config repack LinuxTriage.yaml LinuxOfflineTriage
# OR
/opt/velociraptor/velociraptor --config /etc/velociraptor/server.config.yaml -v artifacts collect \
   Server.Utils.CreateCollector \
   --args OS=Linux \
   --args artifacts='["Linux.Mounts","Linux.Network.Netstat","Linux.RHEL.Packages","Linux.Ssh.AuthorizedKeys","Linux.Ssh.KnownHosts","Linux.Sys.BashHistory","Linux.Sys.BashShell","Linux.Sys.Crontab","Linux.Sys.LastUserLogin","Linux.Sys.Pslist","Linux.Sys.Services","Linux.Sys.SUID","Linux.Sys.Users","Linux.Syslog.SSHLogin","Linux.Users.InteractiveUsers","Linux.Users.RootUsers","Linux.Sys.Maps","Linux.Sys.CPUTime","Linux.Proc.Modules","Linux.Proc.Arp","Linux.OSQuery.Generic","Linux.Network.NetstatEnriched","Linux.Detection.AnomalousFiles","Linux.Debian.Packages","Generic.Collectors.File"]' \
   --args parameters='{"""Linux.Sys.BashShell""":{"""Command""":"""ls -la / /tmp /var/tmp"""},"""Generic.Collectors.File""":{"""collectionSpec""":"""Glob\\n/etc/*\\n/var/log/*\\nUsers\\\\*\\\\NTUser.dat\\n""","""Root""":"""/"""}}' \
   --args target=ZIP \
   --args opt_admin=N \
   --args opt_prompt=N \
   --args opt_tempdir=/var/tmp \
   --args opt_verbose=Y \
   --args opt_progress_timeout=300 \
   --args opt_cpu_limit=80 \
   --args opt_format=jsonl \
   --output collector.zip

To extract config from an existing collector binary.

Collector_velociraptor-v0.6.7-linux-amd64 config show > LinuxTriage.yaml

You can also do the same from web frontend of velociraptor server (Server Artifacts menu: paper plane icon). Generate files will be available in web interface or locally in ${velociraptor_home}/clients/server/collections/

You may need to download artifacts pack from Artifact Exchange to get more artifacts.

Transfer data

$ python3 provision_az_storageaccount.py
Provisioned resource group PythonAzureExample-Storage-rg
Provisioned storage account pythonazurestorage61324
Primary key for storage account: [REDACTED]
Connection string: DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=pythonazurestorage61324;AccountKey=[REDACTED]
Provisioned blob container blob-container-01
Provisioned W sas url https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=cw&sv=2021-08-06&sr=b&sig=[REDACTED]
Provisioned RO sas url https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=r&sv=2021-08-06&sr=b&sig=[REDACTED]
$ azcopy copy FILE "https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=cw&sv=2021-08-06&sr=b&sig=[REDACTED]"

Using data

Data can be reviewed

References

About

Sample configurations for velociraptor offline collections

Topics

forensics velociraptor

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages