Velociraptor local live response configuration files
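#!/bin/bash
#
# Author: Matt Green - @mgreen27
# Description: script to download and build x64 and x86 Velociraptor local live response tool
# 3rd party binaries embedded in output files
# Linux requirements: wget, curl, zip
# Tested: Velociraptor 0.3.7
#
# Usage: build.sh [BUILD_DIR]
#   BUILD_DIR  directory that receives the downloads and the repacked collectors
#              (default: current directory, matching the original behaviour)
#
# Abort on the first failed download, unset variable or failed pipeline stage
# rather than repacking a collector around a missing or truncated payload.
set -euo pipefail

BUILD_DIR="${1:-.}"
mkdir -p "$BUILD_DIR"
cd "$BUILD_DIR"

RELEASE_API="https://api.github.com/repos/Velocidex/velociraptor/releases/latest"

# Print the download URL of the single latest-release asset whose name matches
# the regex $1 anchored at the end of the line.
# The release JSON is parsed with grep/cut to keep the dependency list small (no jq);
# the end anchor stops "linux-amd64" from also matching "linux-amd64-musl" or a
# detached signature file, and sed keeps only the first hit so the callers
# always receive exactly one URL (an empty string when nothing matched).
latest_asset_url() {
    curl -fsS "$RELEASE_API" \
        | grep browser_download_url \
        | cut -d '"' -f 4 \
        | grep -E -- "$1\$" \
        | sed -n '1p'
}

# latest Velociraptor release binary from github
LINUX="$(latest_asset_url 'linux-amd64')"
WINDOWS="$(latest_asset_url 'windows-amd64\.exe')"
WINDOWSx86="$(latest_asset_url 'windows-386\.exe')"
[ -n "$LINUX" ] && [ -n "$WINDOWS" ] && [ -n "$WINDOWSx86" ] \
    || { echo "could not resolve all Velociraptor release assets from $RELEASE_API" >&2; exit 1; }

# Download linux binary and make executable (only used to repack the Windows collectors).
# -O writes straight to the target name, so re-running never leaves wget's
# "file.1" duplicates behind or moves the wrong file.
wget -O ./velociraptor "$LINUX"
chmod +x ./velociraptor
# Download Windows binaries
wget -O ./Velociraptor.exe "$WINDOWS"
wget -O ./Velociraptorx86.exe "$WINDOWSx86"

# Download Autoruns & WinPmem.
# These third-party binaries are embedded in the collector and executed on every
# host it is run on; only winpmem is version-pinned here, Autoruns is whatever
# live.sysinternals.com serves today. Record their digests at build time.
wget -O ./autorunsc64.exe https://live.sysinternals.com/autorunsc64.exe
wget -O ./autorunsc.exe https://live.sysinternals.com/autorunsc.exe
wget -O ./winpmem_v3.3.rc3.exe https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/winpmem_v3.3.rc3.exe

# Optional integrity pin: when EXPECTED_SHA256S names a file in `sha256sum -c`
# format ("<sha256>  <filename>" per line) the downloaded binaries are checked
# against it before they are packaged. Unset by default so the one-shot
# behaviour of the original script is unchanged.
if [ -n "${EXPECTED_SHA256S:-}" ]; then
    sha256sum -c "$EXPECTED_SHA256S"
fi

# create x64 package
zip payload.zip autorunsc64.exe winpmem_v3.3.rc3.exe
# create x86 package
zip payload_x86.zip autorunsc.exe winpmem_v3.3.rc3.exe

# Download config file (pinned to one gist revision, so the collector definition
# cannot change underneath a rebuild)
wget -O ./local.yaml https://gist.githubusercontent.com/mgreen27/22cd70739e733647e1e23338ca35c9a9/raw/d26fc8a0c6fd2e01b08a026cb45db45e9a09ffdb/local.yaml

# build binaries: embed the config and the matching payload zip into each Windows binary
./velociraptor config repack --exe Velociraptor.exe --append payload.zip local.yaml LRCollector.exe
./velociraptor config repack --exe Velociraptorx86.exe --append payload_x86.zip local.yaml LRCollector_x86.exe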
# Velociraptor offline collector configuration (repacked into the collector by the
# build script). On start the collector runs the MultiCollection artifact defined
# below and writes what it gathers to a zip in its working directory.
autoexec:
  argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]

artifact_definitions:
  - name: MultiCollection
    parameters:
      - name: uploadTable
        description: "define additional files to collect"
        # CSV handed to Artifact.Triage.Collection.UploadTable: one Type,Accessor,Glob row per file.
        # The defaults are locked system files, hence the raw ntfs accessor.
        default: |
          Type,Accessor,Glob
          Pagefile,ntfs,C:\pagefile.sys
          Swapfile,ntfs,C:\swapfile.sys
          Hibernation,ntfs,C:\hiberfil.sys

    sources:
      - name: MemoryCollection
        description: "memory aquisition leveraging WinPMem"
        queries:
          - LET host_info <= SELECT Hostname FROM info()
          - LET self_proc <= SELECT Exe FROM pslist(pid=getpid())
          # winpmem ships inside the collector's own zip payload; extract the first
          # match to a temp .exe so it can be executed. The payload is looked up by
          # the collector's file name only (basename), i.e. relative to the working
          # directory — presumably to side-step drive-letter handling in url(); confirm
          # before launching the collector from a different directory.
          - |
            LET pmem_bin <= SELECT copy(
                filename=FullPath,
                accessor="zip",
                dest=tempfile(data="X", extension=".exe")
            ) AS Filename
            FROM glob(
                globs=url(path=basename(path=self_proc.Exe), fragment="/**/winpmem_*").String,
                accessor="zip")
            LIMIT 1
          # Writes a snappy-compressed AFF4 image named <hostname>.aff4 next to the
          # collector (it is not added to the collection zip). The WHERE clause skips
          # execution entirely when no winpmem binary was found in the payload.
          - |
            SELECT StdOut
            FROM execve(argv=[
                pmem_bin.Filename[0],
                "-dd", "-t", "-c", "snappy",
                "-o", host_info.Hostname[0] + ".aff4"
            ])
            WHERE pmem_bin

      - name: uploadFiles
        description: "upload files listed in upload table if exist"
        queries:
          - SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)

      # Targeted KAPE-style file collection from C:, with volume shadow copies,
      # limited to the basics plus AV and remote-administration tool logs.
      - name: Kape
        queries:
          - |
            SELECT * FROM Artifact.Windows.KapeFiles.Targets(
                Device="C:", VSSAnalysis="Y",
                _BasicCollection="Y", WindowsDefender="Y", WindowsFirewall="Y", WBEM="Y",
                Avast="Y", AviraAVLogs="Y", Bitdefender="Y", ESET="Y", FSecure="Y", Malwarebytes="Y", McAfee="Y", Sophos="Y", Symantec_AV_Logs="Y", TrendMicro="Y", VIPRE="Y",
                RemoteAdmin="Y", Ammyy="Y", EventLogs_RDP="Y", RDPCache="Y", RDPLogs="Y", LogMeIn="Y", TeamViewerLogs="Y", ScreenConnect="Y", VNCLogs="Y"
            )

      - name: Autoruns
        description: "generate autoruns output"
        queries:
          - LET host_info <= SELECT Hostname FROM info()
          - LET self_proc <= SELECT Exe FROM pslist(pid=getpid())
          # Same extract-from-payload pattern as MemoryCollection, for the bundled autorunsc binary.
          - |
            LET autoruns_bin <= SELECT copy(
                filename=FullPath,
                accessor="zip",
                dest=tempfile(data="X", extension=".exe")
            ) AS Filename
            FROM glob(
                globs=url(path=basename(path=self_proc.Exe), fragment="/**/autoruns*.exe").String,
                accessor="zip")
            LIMIT 1
          # All entries, CSV output with file hashes and normalised timestamps, written
          # as <hostname>_autoruns.csv next to the collector. Skipped when the binary
          # is missing from the payload.
          - |
            SELECT StdOut
            FROM execve(argv=[
                autoruns_bin.Filename[0],
                "-a", "*", "-c", "-h", "-t",
                "-nobanner", "-accepteula",
                "-o", host_info.Hostname[0] + "_autoruns.csv"
            ])
            WHERE autoruns_bin
# Velociraptor offline collector configuration (repacked into the collector by the
# build script). On start the collector runs the MultiCollection artifact defined
# below and writes what it gathers to a zip in its working directory.
autoexec:
  argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]

artifact_definitions:
  - name: MultiCollection
    parameters:
      - name: uploadTable
        description: "define additional files to collect"
        # CSV handed to Artifact.Triage.Collection.UploadTable: one Type,Accessor,Glob row per file.
        # The defaults are locked system files, hence the raw ntfs accessor.
        default: |
          Type,Accessor,Glob
          Pagefile,ntfs,C:\pagefile.sys
          Swapfile,ntfs,C:\swapfile.sys
          Hibernation,ntfs,C:\hiberfil.sys

    sources:
      - name: MemoryCollection
        description: "memory aquisition leveraging WinPMem"
        queries:
          - LET host_info <= SELECT Hostname FROM info()
          - LET self_proc <= SELECT Exe FROM pslist(pid=getpid())
          # winpmem ships inside the collector's own zip payload; extract the first
          # match to a temp .exe so it can be executed. The payload is looked up by
          # the collector's file name only (basename), i.e. relative to the working
          # directory — presumably to side-step drive-letter handling in url(); confirm
          # before launching the collector from a different directory.
          - |
            LET pmem_bin <= SELECT copy(
                filename=FullPath,
                accessor="zip",
                dest=tempfile(data="X", extension=".exe")
            ) AS Filename
            FROM glob(
                globs=url(path=basename(path=self_proc.Exe), fragment="/**/winpmem_*").String,
                accessor="zip")
            LIMIT 1
          # Writes a snappy-compressed AFF4 image named <hostname>.aff4 next to the
          # collector (it is not added to the collection zip). The WHERE clause skips
          # execution entirely when no winpmem binary was found in the payload.
          - |
            SELECT StdOut
            FROM execve(argv=[
                pmem_bin.Filename[0],
                "-dd", "-t", "-c", "snappy",
                "-o", host_info.Hostname[0] + ".aff4"
            ])
            WHERE pmem_bin

      - name: uploadFiles
        description: "upload files listed in upload table if exist"
        queries:
          - SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)

      # Broad KAPE-style file collection from C:, with volume shadow copies: file
      # system metadata, execution evidence, event logs, registry hives, AV and
      # remote-admin logs, browsers, mail, cloud storage, server logs and more.
      # Expect a large collection zip and a long run time on busy hosts.
      - name: Kape
        queries:
          - |
            SELECT * FROM Artifact.Windows.KapeFiles.Targets(
                Device="C:", VSSAnalysis="Y",
                _BasicCollection="Y", KapeTriage="Y", MiniTimelineCollection="Y",
                FileSystem="Y", _MFT="Y", _Boot="Y", _J="Y", _LogFile="Y",
                EvidenceOfExecution="Y", Prefetch="Y", Amcache="Y", StartupInfo="Y", Syscache="Y",
                EventLogs="Y", RegistryHives="Y", PowerShellConsole="Y",
                SRUM="Y", ScheduledTasks="Y", WER="Y", WindowsDefender="Y", WindowsFirewall="Y", SignatureCatalog="Y", WBEM="Y",
                Avast="Y", AviraAVLogs="Y", Bitdefender="Y", ESET="Y", FSecure="Y", Malwarebytes="Y", McAfee="Y", Sophos="Y", Symantec_AV_Logs="Y", TrendMicro="Y", VIPRE="Y",
                RemoteAdmin="Y", Ammyy="Y", EventLogs_RDP="Y", RDPCache="Y", RDPLogs="Y", LogMeIn="Y", TeamViewerLogs="Y", ScreenConnect="Y", VNCLogs="Y",
                WebBrowsers="Y", Chrome="Y", ChromeExtensions="Y", Edge="Y", Firefox="Y", InternetExplorer="Y", JavaWebCache="Y",
                OutlookPSTOST="Y", LiveUserFiles="Y", LnkFilesAndJumpLists="Y", MOF="Y", RecentFileCache="Y", Recycle="Y", LinuxOnWindowsProfileFiles="Y",
                CloudStorage="Y", BoxDrive="Y", Dropbox="Y", GoogleDrive="Y", OneDrive="Y",
                ApacheAccessLog="Y", Exchange="Y", ExchangeClientAccess="Y", ExchangeTransport="Y", IISLogFiles="Y", MSSQLErrorLog="Y", NGINXLogs="Y",
                AppData="Y", ApplicationEvents="Y", BCD="Y", CombinedLogs="Y", ComboFix="Y", EncapsulationLogging="Y", EventTraceLogs="Y", Notepad__="Y",
                McAfee_ePO="Y", Kaseya="Y", CiscoJabber="Y", ConfluenceLogs="Y", SUPERAntiSpyware="Y", Gigatribe="Y", HitmanPro="Y", RogueKiller="Y",
                GroupPolicy="Y", LogFiles="Y", SDB="Y", ThumbCache="Y", USBDevicesLogs="Y", VirtualDisks="Y", WindowsIndexSearch="Y", WindowsNotifcationsDB="Y",
                Skype="Y", iTunesBackup="Y", TeraCopy="Y", TorrentClients="Y", Torrents="Y"
            )

      - name: Autoruns
        description: "generate autoruns output"
        queries:
          - LET host_info <= SELECT Hostname FROM info()
          - LET self_proc <= SELECT Exe FROM pslist(pid=getpid())
          # Same extract-from-payload pattern as MemoryCollection, for the bundled autorunsc binary.
          - |
            LET autoruns_bin <= SELECT copy(
                filename=FullPath,
                accessor="zip",
                dest=tempfile(data="X", extension=".exe")
            ) AS Filename
            FROM glob(
                globs=url(path=basename(path=self_proc.Exe), fragment="/**/autoruns*.exe").String,
                accessor="zip")
            LIMIT 1
          # All entries, CSV output with file hashes and normalised timestamps, written
          # as <hostname>_autoruns.csv next to the collector. Skipped when the binary
          # is missing from the payload.
          - |
            SELECT StdOut
            FROM execve(argv=[
                autoruns_bin.Filename[0],
                "-a", "*", "-c", "-h", "-t",
                "-nobanner", "-accepteula",
                "-o", host_info.Hostname[0] + "_autoruns.csv"
            ])
            WHERE autoruns_bin