Velociraptor offline collection samples

Create collector binary

To create offline collection binary from velociraptor binaries:

F:> velociraptor.exe config repack config.yaml WinTriage.exe
# OR
velociraptor.exe --config server.config.yaml -v artifacts collect
   Server.Utils.CreateCollector
   --args OS=Windows
   --args artifacts='["""Generic.System.Pstree"""]'
   --args parameters='{"""Generic.System.Pstree""":{}}'
   --args target=ZIP
   --args opt_admin=N
   --args opt_prompt=N
   --output collector.zip

or on Linux:

wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.7-1/velociraptor-v0.6.7-linux-amd64
./velociraptor-v0.6.7-linux-amd64 config repack LinuxTriage.yaml LinuxOfflineTriage
# OR
/opt/velociraptor/velociraptor --config /etc/velociraptor/server.config.yaml -v artifacts collect \
   Server.Utils.CreateCollector \
   --args OS=Linux \
   --args artifacts='["Linux.Mounts","Linux.Network.Netstat","Linux.RHEL.Packages","Linux.Ssh.AuthorizedKeys","Linux.Ssh.KnownHosts","Linux.Sys.BashHistory","Linux.Sys.BashShell","Linux.Sys.Crontab","Linux.Sys.LastUserLogin","Linux.Sys.Pslist","Linux.Sys.Services","Linux.Sys.SUID","Linux.Sys.Users","Linux.Syslog.SSHLogin","Linux.Users.InteractiveUsers","Linux.Users.RootUsers","Linux.Sys.Maps","Linux.Sys.CPUTime","Linux.Proc.Modules","Linux.Proc.Arp","Linux.OSQuery.Generic","Linux.Network.NetstatEnriched","Linux.Detection.AnomalousFiles","Linux.Debian.Packages","Generic.Collectors.File"]' \
   --args parameters='{"""Linux.Sys.BashShell""":{"""Command""":"""ls -la / /tmp /var/tmp"""},"""Generic.Collectors.File""":{"""collectionSpec""":"""Glob\\n/etc/*\\n/var/log/*\\nUsers\\\\*\\\\NTUser.dat\\n""","""Root""":"""/"""}}' \
   --args target=ZIP \
   --args opt_admin=N \
   --args opt_prompt=N \
   --args opt_tempdir=/var/tmp \
   --args opt_verbose=Y \
   --args opt_progress_timeout=300 \
   --args opt_cpu_limit=80 \
   --args opt_format=jsonl \
   --output collector.zip

To extract config from an existing collector binary.

Collector_velociraptor-v0.6.7-linux-amd64 config show > LinuxTriage.yaml

You can also do the same from web frontend of velociraptor server (Server Artifacts menu: paper plane icon). Generate files will be available in web interface or locally in ${velociraptor_home}/clients/server/collections/

You may need to download artifacts pack from Artifact Exchange to get more artifacts.

Transfer data

$ python3 provision_az_storageaccount.py
Provisioned resource group PythonAzureExample-Storage-rg
Provisioned storage account pythonazurestorage61324
Primary key for storage account: [REDACTED]
Connection string: DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=pythonazurestorage61324;AccountKey=[REDACTED]
Provisioned blob container blob-container-01
Provisioned W sas url https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=cw&sv=2021-08-06&sr=b&sig=[REDACTED]
Provisioned RO sas url https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=r&sv=2021-08-06&sr=b&sig=[REDACTED]
$ azcopy copy FILE "https://pythonazurestorage61324.blob.core.windows.net/blob-container-01/IMAGE_PATH/IMAGE_NAME?se=2022-12-04T00%3A08%3A14Z&sp=cw&sv=2021-08-06&sr=b&sig=[REDACTED]"

Using data

Data can be reviewed

either directly (usually json and/or csv outputs)
either by loading into velociraptor server (Importing collections into the GUI, import_collection; Menu collection - below eye > New collection > Server.Utils.ImportCollection)

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
.codespellignore		.codespellignore
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
LICENSE		LICENSE
LinuxTriage-advanced1.yaml		LinuxTriage-advanced1.yaml
LinuxTriage-advanced2.yaml		LinuxTriage-advanced2.yaml
LinuxTriage-basic.yaml		LinuxTriage-basic.yaml
LinuxTriage-files-etc-varlog.yml		LinuxTriage-files-etc-varlog.yml
LinuxTriage-memory.yaml		LinuxTriage-memory.yaml
MacosTriage.yml		MacosTriage.yml
README.md		README.md
WinTriage-files-azuresas.yml		WinTriage-files-azuresas.yml
WinTriage-files-reg.yml		WinTriage-files-reg.yml
WinTriage-s3.yml		WinTriage-s3.yml
config.yaml		config.yaml
local_all.yaml		local_all.yaml
provision_az_storageaccount.py		provision_az_storageaccount.py
requirements.txt		requirements.txt

License

juju4/velociraptor-offline-collections

Folders and files

Latest commit

History

Repository files navigation

Velociraptor offline collection samples

Create collector binary

Transfer data

Using data

References

About

Topics

Resources

License

Stars

Watchers

Forks

Languages