# Velociraptor offline-collector configuration. The `autoexec` block tells the
# binary that carries this config which command to run at start-up, and
# `artifact_definitions` embeds the artifacts that command needs, so the
# collector works with no server connection.
Frontend: {}
autoexec:
  # Equivalent command line:
  #   velociraptor artifacts collect Collector --logfile <log> -v --require_admin
  argv:
  - artifacts
  - collect
  - Collector
  - --logfile
  - Collector_velociraptor-linux-amd64.log
  - -v
  # --require_admin: by its name, aborts unless run with root/admin rights —
  # confirm. Several artifacts below (Ssh.AuthorizedKeys, Crontab,
  # Syslog.SSHLogin) presumably need elevated access to read their sources.
  - --require_admin
  artifact_definitions:
  # Collector: the artifact invoked by argv above. Its parameters are the
  # collection settings baked into this build of the collector.
  - name: Collector
    parameters:
    # Artifacts: the list handed to collect(artifacts=...) in the query below.
    # Note that Linux.Sys.BashShell runs the command supplied under Parameters
    # on the triaged host, so that command should stay read-only.
    - name: Artifacts
      default: |-
        [
         "Linux.Mounts",
         "Linux.Network.Netstat",
         "Linux.RHEL.Packages",
         "Linux.Ssh.AuthorizedKeys",
         "Linux.Ssh.KnownHosts",
         "Linux.Sys.BashHistory",
         "Linux.Sys.BashShell",
         "Linux.Sys.Crontab",
         "Linux.Sys.LastUserLogin",
         "Linux.Sys.Pslist",
         "Linux.Sys.Services",
         "Linux.Sys.Users",
         "Linux.Syslog.SSHLogin"
        ]
      type: json_array
    # Parameters: per-artifact arguments, passed as collect(args=...). Only
    # Linux.Sys.BashShell receives one here: a directory listing of /, /tmp
    # and /var/tmp.
    - name: Parameters
      default: |-
        {
         "Linux.Sys.BashShell": {
          "Command": "ls -la / /tmp /var/tmp"
         }
        }
      type: json
    # Template: report template passed to collect(template=...). While it is
    # non-empty the query also writes <filename>.html next to the zip.
    - name: Template
      default: Reporting.Default
    # Password: no default. The query passes it to collect(password=...); while
    # it is empty the output archive is written without password protection —
    # TODO confirm before collecting from sensitive hosts.
    - name: Password
    # Level: passed to collect(level=...), presumably the zip compression level.
    - name: Level
      default: "5"
      type: int
    # Format: collect(format=...); results are written as CSV here.
    - name: Format
      default: csv
    # OutputPrefix: no default. It is prepended to the output filename without
    # sanitising (see the comment in the query), so only operator-controlled
    # values belong here.
    - name: OutputPrefix
    # CpuLimit: collect(cpu_limit=...), presumably a percentage — confirm.
    - name: CpuLimit
      default: "50"
      type: int
    # ProgressTimeout / Timeout: collect(progress_timeout=..., timeout=...).
    # 0 presumably disables the progress timeout; units look like seconds —
    # confirm both.
    - name: ProgressTimeout
      default: "0"
      type: int
    - name: Timeout
      default: "600"
      type: int
    # target_args: upload target settings (bucket, GCS key, credential key and
    # secret, region, endpoint, server-side encryption). All empty here, i.e.
    # results stay on the local disk. Anything placed here would sit in
    # cleartext inside this config and the collector binary built from it.
    - name: target_args
      default: |-
        {
         "bucket": "",
         "GCSKey": "",
         "credentialsKey": "",
         "credentialsSecret": "",
         "region": "",
         "endpoint": "",
         "serverSideEncryption": ""
        }
      type: json
    # The collection query:
    #  1. register every bundled tool with its expected hash from
    #     /inventory.csv (accessor "me" — presumably the collector's own
    #     embedded files; confirm), so later fetches are hash-checked;
    #  2. build the output name from the host FQDN and a timestamp, replacing
    #     everything outside [0-9A-Za-z-] — OutputPrefix is prepended as-is;
    #  3. run collect() with the parameters above, writing <filename>.zip and,
    #     when Template is set, <filename>.html.
    sources:
    - query: |
        // Add all the tools we are going to use to the inventory.
        LET _ <= SELECT inventory_add(tool=ToolName, hash=ExpectedHash)
          FROM parse_csv(filename="/inventory.csv", accessor="me")
          WHERE log(message="Adding tool " + ToolName)
        LET baseline <= SELECT Fqdn FROM info()
        // Make the filename safe on windows but we trust the OutputPrefix.
        LET filename <= OutputPrefix + regex_replace(
          source=format(format="Collection-%s-%s",
          args=[baseline[0].Fqdn,
          timestamp(epoch=now()).MarshalText]),
          re="[^0-9A-Za-z\\-]", replace="_")
        LET _ <= log(message="Will collect package " + filename)
        LET report_filename <= if(condition=Template, then=filename + ".html")
        SELECT * FROM collect(artifacts=Artifacts, report=report_filename,
          args=Parameters, output=filename + ".zip", template=Template,
          cpu_limit=CpuLimit,
          progress_timeout=ProgressTimeout,
          timeout=Timeout,
          password=Password, level=Level, format=Format)
  # Generic.Utils.FetchBinary is redefined here so that tools are copied out of
  # the bundle (accessor "me") rather than retrieved from a server, which the
  # built-in version presumably does.
  - name: Generic.Utils.FetchBinary
    parameters:
    - name: SleepDuration
      default: "0"
      type: int
    - name: ToolName
    - name: ToolInfo
    # IsExecutable: when true the temp file is created with permissions="x",
    # i.e. the extracted tool is executable on disk.
    - name: IsExecutable
      default: "Y"
      type: bool
    # Look the requested tool up in /inventory.csv, create a temp file carrying
    # the tool's file extension (remove_last=TRUE — presumably removed when
    # the query finishes; confirm) and copy the bundled binary into it.
    sources:
    - query: |
        LET RequiredTool <= ToolName
        LET matching_tools <= SELECT ToolName, Filename
          FROM parse_csv(filename="/inventory.csv", accessor="me")
          WHERE RequiredTool = ToolName
        LET get_ext(filename) = parse_string_with_regex(
          regex="(\\.[a-z0-9]+)$", string=filename).g1
        LET temp_binary <= if(condition=matching_tools,
          then=tempfile(
          extension=get_ext(filename=matching_tools[0].Filename),
          remove_last=TRUE,
          permissions=if(condition=IsExecutable, then="x")))
        SELECT copy(filename=Filename, accessor="me", dest=temp_binary) AS FullPath,
          Filename AS Name
        FROM matching_tools