To create offline collection binary from velociraptor binaries:
F:> velociraptor.exe config repack config.yaml WinTriage.exe
# OR
velociraptor.exe --config server.config.yaml -v artifacts collect
Server.Utils.CreateCollector
--args OS=Windows
--args artifacts='["""Generic.System.Pstree"""]'
--args parameters='{"""Generic.System.Pstree""":{}}'
--args target=ZIP
--args opt_admin=N
--args opt_prompt=N
--output collector.zip
or on Linux:
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.7-1/velociraptor-v0.6.7-linux-amd64
./velociraptor-v0.6.7-linux-amd64 config repack LinuxTriage.yaml LinuxOfflineTriage
# OR
/opt/velociraptor/velociraptor --config /etc/velociraptor/server.config.yaml -v artifacts collect \
Server.Utils.CreateCollector \
--args OS=Linux \
--args artifacts='["Linux.Mounts","Linux.Network.Netstat","Linux.RHEL.Packages","Linux.Ssh.AuthorizedKeys","Linux.Ssh.KnownHosts","Linux.Sys.BashHistory","Linux.Sys.BashShell","Linux.Sys.Crontab","Linux.Sys.LastUserLogin","Linux.Sys.Pslist","Linux.Sys.Services","Linux.Sys.SUID","Linux.Sys.Users","Linux.Syslog.SSHLogin","Linux.Users.InteractiveUsers","Linux.Users.RootUsers","Linux.Sys.Maps","Linux.Sys.CPUTime","Linux.Proc.Modules","Linux.Proc.Arp","Linux.OSQuery.Generic","Linux.Network.NetstatEnriched","Linux.Detection.AnomalousFiles","Linux.Debian.Packages","Generic.Collectors.File"]' \
--args parameters='{"""Linux.Sys.BashShell""":{"""Command""":"""ls -la / /tmp /var/tmp"""},"""Generic.Collectors.File""":{"""collectionSpec""":"""Glob\\n/etc/*\\n/var/log/*\\nUsers\\\\*\\\\NTUser.dat\\n""","""Root""":"""/"""}}' \
--args target=ZIP \
--args opt_admin=N \
--args opt_prompt=N \
--args opt_tempdir=/var/tmp \
--args opt_verbose=Y \
--args opt_progress_timeout=300 \
--args opt_cpu_limit=80 \
--args opt_format=jsonl \
--output collector.zip
To extract config from an existing collector binary.
Collector_velociraptor-v0.6.7-linux-amd64 config show > LinuxTriage.yaml
You can also do the same from web frontend of velociraptor server (Server Artifacts menu: paper plane icon). Generate files will be available in web interface or locally in ${velociraptor_home}/clients/server/collections/
You may need to download artifacts pack from Artifact Exchange to get more artifacts.
$ python3 provision_az_storageaccount.py
Provisioned resource group PythonAzureExample-Storage-rg
Provisioned storage account pythonazurestorage61324
Primary key for storage account: [REDACTED]
Connection string: DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=pythonazurestorage61324;AccountKey=[REDACTED]
Provisioned blob container blob-container-01
Provisioned W sas url https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=cw&sv=2021-08-06&sr=b&sig=[REDACTED]
Provisioned RO sas url https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=r&sv=2021-08-06&sr=b&sig=[REDACTED]
$ azcopy copy FILE "https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=cw&sv=2021-08-06&sr=b&sig=[REDACTED]"
Data can be reviewed
- either directly (usually json and/or csv outputs)
- either by loading into velociraptor server (Importing collections into the GUI, import_collection; Menu collection - below eye > New collection > Server.Utils.ImportCollection)