scudette/autoexec.yaml

## autoexec.yaml
autoexec:
  argv:
    - "-v"
    - "artifacts"
    - "collect"
    - MemoryAcquisition

  artifact_definitions:
  - name: MemoryAcquisition
    description: |
      This artifact extracts the winpmem.exe binary from a zip file appended to the
      running executable and then uses it to take a memory image. It then uploads
      the image to an S3 bucket automatically.

      Before you can use this artifact you need to prepare the binary by compressing
      winpmem.exe into a payload zip, then appending the zip to the repacked
      executable.

      ```
      $ zip payload.zip winpmem.exe
      $ velociraptor config repack --binary velociraptor.exe autoexec.yaml my_velo.exe --append payload.zip
      ```
      This command:
      1. Takes the windows binary and repacks autoexec.yaml into it
      2. Appends the payload.zip to the end of my_velo.exe (adjusting PE headers as necessary).
      3. When run, the autoexec config will be loaded and immediately collect memory, into a tempfile
         then upload to S3 and finally clean up the tempfiles.

    parameters:
    - name: Bucket
      default: upload.bucket.example.com
    - name: Region
      default: ap-southeast-2
    - name: key
      default: BucketKey
    - name: secret
      default: BucketSecret
    sources:
    - queries:
        # Get the path to our own executable.
        - LET me = SELECT Exe FROM pslist(pid=getpid())
        # Open our own executable as a zip file and glob
        # all the members for name matching winpmem
        - LET winpmem = SELECT FullPath FROM glob(
               globs=url(scheme='file',
                   path=me.Exe[0],
                   fragment="/**").String,
             accessor='zip')
          WHERE FullPath =~ 'winpmem'

        # Create a tempfile for the aff4 image file.
        - LET temp1 <= SELECT tempfile(extension=".aff4") AS Filename FROM scope()

        # Get the hostname
        - LET hostinfo = SELECT * FROM info()

        # Copy the winpmem.exe out of the zip into a tempfile then run it
        # with the correct flags to write the image to the tempfile above
        # Note <= will force us to wait here until the whole image is done.
        - LET image <= SELECT * FROM execve(argv=[
              copy(filename=winpmem.FullPath[0],
                accessor='zip',
                dest=tempfile(extension='.exe')),
                "-o", temp1.Filename[0], "-dd"])

        # Upload the image to the s3 bucket with hostname and
        # timestamp filename.
        - SELECT upload_s3(file=temp1.Filename[0],
                bucket=Bucket,
                name=format(format="%v-%v-Memory.zip", args=[hostinfo.Fqdn[0],
                timestamp(epoch=now())]),
                region=Region,
                credentialskey=key,
                credentialssecret=secret), {
                   SELECT * FROM image
                } AS Output
          FROM scope() LIMIT 1
	autoexec:
	argv:
	- "-v"
	- "artifacts"
	- "collect"
	- MemoryAcquisition

	artifact_definitions:
	- name: MemoryAcquisition
	description: \|
	This artifact extracts the winpmem.exe binary from a zip file appended to the
	running executable and then uses it to take a memory image. It then uploads
	the image to an S3 bucket automatically.

	Before you can use this artifact you need to prepare the binary by compressing
	winpmem.exe into a payload zip, then appending the zip to the repacked
	executable.

	```
	$ zip payload.zip winpmem.exe
	$ velociraptor config repack --binary velociraptor.exe autoexec.yaml my_velo.exe --append payload.zip
	```
	This command:
	1. Takes the windows binary and repacks autoexec.yaml into it
	2. Appends the payload.zip to the end of my_velo.exe (adjusting PE headers as necessary).
	3. When run, the autoexec config will be loaded and immediately collect memory, into a tempfile
	then upload to S3 and finally clean up the tempfiles.

	parameters:
	- name: Bucket
	default: upload.bucket.example.com
	- name: Region
	default: ap-southeast-2
	- name: key
	default: BucketKey
	- name: secret
	default: BucketSecret
	sources:
	- queries:
	# Get the path to our own executable.
	- LET me = SELECT Exe FROM pslist(pid=getpid())
	# Open our own executable as a zip file and glob
	# all the members for name matching winpmem
	- LET winpmem = SELECT FullPath FROM glob(
	globs=url(scheme='file',
	path=me.Exe[0],
	fragment="/**").String,
	accessor='zip')
	WHERE FullPath =~ 'winpmem'

	# Create a tempfile for the aff4 image file.
	- LET temp1 <= SELECT tempfile(extension=".aff4") AS Filename FROM scope()

	# Get the hostname
	- LET hostinfo = SELECT * FROM info()

	# Copy the winpmem.exe out of the zip into a tempfile then run it
	# with the correct flags to write the image to the tempfile above
	# Note <= will force us to wait here until the whole image is done.
	- LET image <= SELECT * FROM execve(argv=[
	copy(filename=winpmem.FullPath[0],
	accessor='zip',
	dest=tempfile(extension='.exe')),
	"-o", temp1.Filename[0], "-dd"])

	# Upload the image to the s3 bucket with hostname and
	# timestamp filename.
	- SELECT upload_s3(file=temp1.Filename[0],
	bucket=Bucket,
	name=format(format="%v-%v-Memory.zip", args=[hostinfo.Fqdn[0],
	timestamp(epoch=now())]),
	region=Region,
	credentialskey=key,
	credentialssecret=secret), {
	SELECT * FROM image
	} AS Output
	FROM scope() LIMIT 1