
@mgreen27
Last active October 1, 2021 20:25
Velociraptor local live response configuration files
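#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip, sha256sum (coreutils)
# Tested: Velociraptor 0.3.7
#
# Security notes:
#   * Everything fetched below is embedded in a collector that is run with
#     administrative rights on hosts under investigation. The script stops at
#     the first failed step so that a partial or stale download is never
#     repacked into a collector.
#   * Velociraptor ("latest" release) and autorunsc (live.sysinternals.com) are
#     not pinned to a version. HTTPS protects the transfer but does not prove
#     the files are the builds you expect, so the SHA-256 of every input and
#     output is printed: record it with the case and compare it against a value
#     obtained from a trusted source before deploying the collector.

# Abort on command failure, on use of an unset variable, and on a failure
# anywhere inside a pipeline.
set -euo pipefail

RELEASES_API="https://api.github.com/repos/Velocidex/velociraptor/releases/latest"

# Query the release metadata once (unauthenticated API calls are rate limited).
# -f makes curl fail on an HTTP error instead of handing an error document to grep.
RELEASE_JSON="$(curl -fsSL "$RELEASES_API")"
RELEASE_URLS="$(printf '%s\n' "$RELEASE_JSON" | grep browser_download_url | cut -d '"' -f 4 || true)"

# pick_asset REGEX
# Print the one release asset URL that matches REGEX. Zero or several matches
# is an error: guessing would risk embedding the wrong file in the collector.
pick_asset() {
    local matches count
    matches="$(printf '%s\n' "$RELEASE_URLS" | grep -E -- "$1" || true)"
    count="$(printf '%s' "$matches" | grep -c . || true)"
    if [ "$count" -ne 1 ]; then
        echo "error: expected exactly one release asset matching '$1', found $count" >&2
        printf '%s\n' "$matches" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# latest Velociraptor release binary from github
# Patterns are quoted (so the shell does not strip the backslash) and anchored
# (so a file that merely shares the prefix does not match).
LINUX="$(pick_asset 'linux-amd64$')"
WINDOWS="$(pick_asset 'windows-amd64\.exe$')"
WINDOWSx86="$(pick_asset 'windows-386\.exe$')"

# Download linux binary and make executable
# -O fixes the local name, so a re-run overwrites the old copy instead of
# leaving it in place next to a "<name>.1" download.
wget -O ./velociraptor "$LINUX"
chmod +x ./velociraptor

# Download Windows binaries
wget -O ./Velociraptor.exe "$WINDOWS"
wget -O ./Velociraptorx86.exe "$WINDOWSx86"

# Download Autoruns & WinPmem
wget -O autorunsc64.exe https://live.sysinternals.com/autorunsc64.exe
wget -O autorunsc.exe https://live.sysinternals.com/autorunsc.exe
wget -O winpmem_v3.3.rc3.exe https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/winpmem_v3.3.rc3.exe

# Start from empty archives: zip updates an existing archive in place, which
# would keep entries left over from an earlier run.
rm -f payload.zip payload_x86.zip

# create x64 package
zip payload.zip autorunsc64.exe winpmem_v3.3.rc3.exe

# create x86 package
zip payload_x86.zip autorunsc.exe winpmem_v3.3.rc3.exe

# Download config file (the raw URL names a specific gist revision, so the
# configuration that defines what the collector executes is pinned)
wget -O local.yaml https://gist.githubusercontent.com/mgreen27/22cd70739e733647e1e23338ca35c9a9/raw/d26fc8a0c6fd2e01b08a026cb45db45e9a09ffdb/local.yaml

# Record what is about to be embedded.
echo "SHA-256 of collector inputs:"
sha256sum velociraptor Velociraptor.exe Velociraptorx86.exe \
    autorunsc64.exe autorunsc.exe winpmem_v3.3.rc3.exe local.yaml

# build binaries
./velociraptor config repack --exe Velociraptor.exe --append payload.zip local.yaml LRCollector.exe
./velociraptor config repack --exe Velociraptorx86.exe --append payload_x86.zip local.yaml LRCollector_x86.exe

# Record the finished collectors so a copy found on a host can be identified later.
echo "SHA-256 of built collectors:"
sha256sum LRCollector.exe LRCollector_x86.exe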
# Velociraptor configuration intended to be repacked into a standalone
# collector binary. It defines one artifact, MultiCollection, with four
# sources: memory image, extra file uploads, KAPE file targets and Autoruns.
#
# Handling: the collection includes page/swap/hibernation files and a memory
# image, which can hold credentials and other secrets in clear text. Store and
# transfer the output as sensitive evidence.
autoexec:
  # Command line run by the repacked binary: collect MultiCollection verbosely
  # into a zip named after the host.
  # NOTE(review): relies on $COMPUTERNAME being expanded when these arguments
  # are processed - confirm with the Velociraptor version in use.
  argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]
  artifact_definitions:
  - name: MultiCollection
    parameters:
    # CSV table (Type, Accessor, Glob) passed to the uploadFiles source as
    # triageTable. The defaults read three locked system files through the
    # ntfs accessor.
    - name: uploadTable
      description: "define additional files to collect"
      default: |
        Type,Accessor,Glob
        Pagefile,ntfs,C:\pagefile.sys
        Swapfile,ntfs,C:\swapfile.sys
        Hibernation,ntfs,C:\hiberfil.sys
    sources:
    # Memory image: extract the embedded winpmem binary and run it.
    - name: MemoryCollection
      description: "memory aquisition leveraging WinPMem"
      queries:
      # Host name, used to name the output image.
      - LET hostname <= SELECT Hostname From info()
      # Path of the running collector executable (this process).
      - LET me <= SELECT Exe FROM pslist(pid=getpid())
      # Open the collector itself through the zip accessor, find the first
      # entry matching winpmem_* and copy it to a temporary .exe.
      # NOTE(review): only basename(me.Exe) is used, so the lookup appears to
      # depend on the working directory being the folder that holds the
      # collector - confirm.
      - LET winpmem <= SELECT copy(
              filename=FullPath,
              accessor="zip",
              dest=tempfile(data="X", extension=".exe")
            ) AS Filename
          FROM glob(globs=url(
              path=basename(path=me.Exe),
              fragment="/**/winpmem_*").String,
              accessor="zip")
          LIMIT 1
      # Run the extracted binary; -o names the image <hostname>.aff4 and
      # "-c snappy" presumably selects compression. WHERE winpmem guards the
      # call on the extraction result.
      # NOTE(review): only StdOut is selected here; nothing in this file
      # uploads the .aff4 into the collection zip, so it appears to be left in
      # the working directory - confirm and collect it separately.
      - SELECT StdOut
          FROM execve(
              argv=[winpmem.Filename[0], "-dd", "-t", "-c", "snappy", "-o", hostname.Hostname[0] + ".aff4"
          ])
          WHERE winpmem
    # Upload every file matched by the uploadTable parameter.
    - name: uploadFiles
      description: "upload files listed in upload table if exist"
      queries:
      - SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)
    # KAPE-style file targets on C:. This is a reduced selection: the basic
    # collection plus Windows Defender/Firewall, WBEM, third-party antivirus
    # logs and remote-administration/RDP tooling logs.
    # NOTE(review): VSSAnalysis="Y" presumably also processes volume shadow
    # copies, which increases run time and output size - confirm.
    - name: Kape
      queries:
      - SELECT * FROM Artifact.Windows.KapeFiles.Targets(
            Device ="C:", VSSAnalysis="Y",
            _BasicCollection = "Y", WindowsDefender = "Y",WindowsFirewall = "Y", WBEM = "Y",
            Avast = "Y", AviraAVLogs = "Y", Bitdefender = "Y", ESET = "Y", FSecure = "Y", Malwarebytes = "Y", McAfee = "Y", Sophos = "Y",Symantec_AV_Logs = "Y",TrendMicro = "Y",VIPRE = "Y",
            RemoteAdmin = "Y", Ammyy = "Y", EventLogs_RDP = "Y", RDPCache = "Y", RDPLogs = "Y", LogMeIn = "Y", TeamViewerLogs = "Y", ScreenConnect = "Y", VNCLogs = "Y"
        )
    # Persistence listing: extract the embedded autorunsc binary and run it.
    - name: Autoruns
      description: "generate autoruns output"
      queries:
      # Host name, used to name the CSV output.
      - LET hostname <= SELECT Hostname From info()
      # Path of the running collector executable (this process).
      - LET me <= SELECT Exe FROM pslist(pid=getpid())
      # Same self-extraction as for winpmem: first entry matching
      # autoruns*.exe inside the collector is copied to a temporary .exe.
      - LET autoruns <= SELECT copy(
              filename=FullPath,
              accessor="zip",
              dest=tempfile(data="X", extension=".exe")
            ) AS Filename
          FROM glob(globs=url(
              path=basename(path=me.Exe),
              fragment="/**/autoruns*.exe").String,
              accessor="zip")
          LIMIT 1
      # autorunsc is asked for all entry types (-a *), CSV output (-c), file
      # hashes (-h) and UTC timestamps (-t); -accepteula avoids the licence
      # prompt that would block an unattended run. Output goes to
      # <hostname>_autoruns.csv via -o.
      # NOTE(review): as with the memory image, only StdOut is selected; the
      # CSV appears to be written to the working directory - confirm.
      - SELECT StdOut
          FROM execve(
              argv=[autoruns.Filename[0], "-a","*","-c","-h","-t",
              "-nobanner","-accepteula", "-o", hostname.Hostname[0] + "_autoruns.csv"
          ])
          WHERE autoruns
# Velociraptor configuration intended to be repacked into a standalone
# collector binary. It defines one artifact, MultiCollection, with four
# sources: memory image, extra file uploads, a broad set of KAPE file targets
# and Autoruns.
#
# Handling: besides a memory image and page/swap/hibernation files, the target
# list below enables browser data, mail stores, cloud-storage folders and live
# user files. Expect a large archive holding credentials and personal data;
# store and transfer it as sensitive evidence and confirm the scope is
# authorised for the investigation.
autoexec:
  # Command line run by the repacked binary: collect MultiCollection verbosely
  # into a zip named after the host.
  # NOTE(review): relies on $COMPUTERNAME being expanded when these arguments
  # are processed - confirm with the Velociraptor version in use.
  argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]
  artifact_definitions:
  - name: MultiCollection
    parameters:
    # CSV table (Type, Accessor, Glob) passed to the uploadFiles source as
    # triageTable. The defaults read three locked system files through the
    # ntfs accessor.
    - name: uploadTable
      description: "define additional files to collect"
      default: |
        Type,Accessor,Glob
        Pagefile,ntfs,C:\pagefile.sys
        Swapfile,ntfs,C:\swapfile.sys
        Hibernation,ntfs,C:\hiberfil.sys
    sources:
    # Memory image: extract the embedded winpmem binary and run it.
    - name: MemoryCollection
      description: "memory aquisition leveraging WinPMem"
      queries:
      # Host name, used to name the output image.
      - LET hostname <= SELECT Hostname From info()
      # Path of the running collector executable (this process).
      - LET me <= SELECT Exe FROM pslist(pid=getpid())
      # Open the collector itself through the zip accessor, find the first
      # entry matching winpmem_* and copy it to a temporary .exe.
      # NOTE(review): only basename(me.Exe) is used, so the lookup appears to
      # depend on the working directory being the folder that holds the
      # collector - confirm.
      - LET winpmem <= SELECT copy(
              filename=FullPath,
              accessor="zip",
              dest=tempfile(data="X", extension=".exe")
            ) AS Filename
          FROM glob(globs=url(
              path=basename(path=me.Exe),
              fragment="/**/winpmem_*").String,
              accessor="zip")
          LIMIT 1
      # Run the extracted binary; -o names the image <hostname>.aff4 and
      # "-c snappy" presumably selects compression. WHERE winpmem guards the
      # call on the extraction result.
      # NOTE(review): only StdOut is selected here; nothing in this file
      # uploads the .aff4 into the collection zip, so it appears to be left in
      # the working directory - confirm and collect it separately.
      - SELECT StdOut
          FROM execve(
              argv=[winpmem.Filename[0], "-dd", "-t", "-c", "snappy", "-o", hostname.Hostname[0] + ".aff4"
          ])
          WHERE winpmem
    # Upload every file matched by the uploadTable parameter.
    - name: uploadFiles
      description: "upload files listed in upload table if exist"
      queries:
      - SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)
    # KAPE-style file targets on C:, with a wide selection enabled: file-system
    # metadata, execution evidence, event logs and registry hives, antivirus and
    # remote-administration logs, browsers, mail and user files, cloud storage,
    # server logs and assorted application data.
    # NOTE(review): VSSAnalysis="Y" presumably also processes volume shadow
    # copies, which multiplies run time and output size for a list this broad -
    # confirm before running on production hosts.
    - name: Kape
      queries:
      - SELECT * FROM Artifact.Windows.KapeFiles.Targets(
            Device ="C:", VSSAnalysis="Y",
            _BasicCollection = "Y", KapeTriage = "Y", MiniTimelineCollection = "Y",
            FileSystem = "Y", _MFT = "Y", _Boot = "Y", _J = "Y", _LogFile = "Y",
            EvidenceOfExecution = "Y", Prefetch = "Y", Amcache = "Y", StartupInfo = "Y", Syscache = "Y",
            EventLogs = "Y", RegistryHives = "Y", PowerShellConsole = "Y",
            SRUM = "Y", ScheduledTasks = "Y", WER = "Y", WindowsDefender = "Y",WindowsFirewall = "Y", SignatureCatalog = "Y", WBEM = "Y",
            Avast = "Y", AviraAVLogs = "Y", Bitdefender = "Y", ESET = "Y", FSecure = "Y", Malwarebytes = "Y", McAfee = "Y", Sophos = "Y",Symantec_AV_Logs = "Y",TrendMicro = "Y",VIPRE = "Y",
            RemoteAdmin = "Y", Ammyy = "Y", EventLogs_RDP = "Y", RDPCache = "Y", RDPLogs = "Y", LogMeIn = "Y", TeamViewerLogs = "Y", ScreenConnect = "Y", VNCLogs = "Y",
            WebBrowsers = "Y", Chrome = "Y", ChromeExtensions = "Y", Edge = "Y", Firefox = "Y", InternetExplorer = "Y", JavaWebCache = "Y",
            OutlookPSTOST = "Y", LiveUserFiles = "Y", LnkFilesAndJumpLists = "Y", MOF = "Y", RecentFileCache = "Y", Recycle = "Y",LinuxOnWindowsProfileFiles = "Y",
            CloudStorage = "Y",BoxDrive = "Y", Dropbox = "Y", GoogleDrive = "Y", OneDrive = "Y",
            ApacheAccessLog = "Y", Exchange = "Y", ExchangeClientAccess = "Y", ExchangeTransport = "Y", IISLogFiles = "Y", MSSQLErrorLog = "Y", NGINXLogs = "Y",
            AppData = "Y", ApplicationEvents = "Y", BCD = "Y", CombinedLogs = "Y", ComboFix = "Y", EncapsulationLogging = "Y", EventTraceLogs = "Y", Notepad__ = "Y",
            McAfee_ePO = "Y", Kaseya = "Y", CiscoJabber = "Y", ConfluenceLogs = "Y", SUPERAntiSpyware = "Y", Gigatribe = "Y", HitmanPro = "Y", RogueKiller = "Y",
            GroupPolicy = "Y", LogFiles = "Y", SDB = "Y", ThumbCache = "Y", USBDevicesLogs = "Y", VirtualDisks = "Y", WindowsIndexSearch = "Y", WindowsNotifcationsDB = "Y",
            Skype = "Y", iTunesBackup = "Y", TeraCopy = "Y", TorrentClients = "Y", Torrents = "Y"
        )
    # Persistence listing: extract the embedded autorunsc binary and run it.
    - name: Autoruns
      description: "generate autoruns output"
      queries:
      # Host name, used to name the CSV output.
      - LET hostname <= SELECT Hostname From info()
      # Path of the running collector executable (this process).
      - LET me <= SELECT Exe FROM pslist(pid=getpid())
      # Same self-extraction as for winpmem: first entry matching
      # autoruns*.exe inside the collector is copied to a temporary .exe.
      - LET autoruns <= SELECT copy(
              filename=FullPath,
              accessor="zip",
              dest=tempfile(data="X", extension=".exe")
            ) AS Filename
          FROM glob(globs=url(
              path=basename(path=me.Exe),
              fragment="/**/autoruns*.exe").String,
              accessor="zip")
          LIMIT 1
      # autorunsc is asked for all entry types (-a *), CSV output (-c), file
      # hashes (-h) and UTC timestamps (-t); -accepteula avoids the licence
      # prompt that would block an unattended run. Output goes to
      # <hostname>_autoruns.csv via -o.
      # NOTE(review): as with the memory image, only StdOut is selected; the
      # CSV appears to be written to the working directory - confirm.
      - SELECT StdOut
          FROM execve(
              argv=[autoruns.Filename[0], "-a","*","-c","-h","-t",
              "-nobanner","-accepteula", "-o", hostname.Hostname[0] + "_autoruns.csv"
          ])
          WHERE autoruns