mgreen27 · October 1, 2021 20:25
diff --git a/buildLocalLR.sh b/buildLocalLR.sh
 #!/bin/bash
 # 
 # Author: Matt Green - @mgreen27
 # Description: script to download and build x64 and x86 Velociraptor local live response tool
 # 3rd party binaries embedded in output files
 # Linux requirements: wget, curl, zip
 # Tested: Velociraptor 0.3.7

 # latest Velociraptor release binary from github
 LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest  | grep browser_download_url | cut -d '"' -f 4 | grep linux-amd64)"
 WINDOWS="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest  | grep browser_download_url | cut -d '"' -f 4 | grep windows-amd64\.exe)"
 WINDOWSx86="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest  | grep browser_download_url | cut -d '"' -f 4 | grep windows-386\.exe)"

 # Download linux binary and make executable
 wget $LINUX
 mv $(basename $LINUX) ./velociraptor   
 chmod +x ./velociraptor

 # Download Windows binaries
 wget $WINDOWS  
 mv $(basename $WINDOWS) ./Velociraptor.exe

 wget $WINDOWSx86  
 mv $(basename $WINDOWSx86) ./Velociraptorx86.exe

 # Download Autoruns & WinPmem
 wget https://live.sysinternals.com/autorunsc64.exe
 wget https://live.sysinternals.com/autorunsc.exe
 wget https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/winpmem_v3.3.rc3.exe

 # create x64 package
 zip payload.zip autorunsc64.exe winpmem_v3.3.rc3.exe

 # create x86 package
 zip payload_x86.zip autorunsc.exe winpmem_v3.3.rc3.exe 

 # Download config file
 wget https://gist.githubusercontent.com/mgreen27/22cd70739e733647e1e23338ca35c9a9/raw/d26fc8a0c6fd2e01b08a026cb45db45e9a09ffdb/local.yaml

 # build binaries
 ./velociraptor config repack --exe Velociraptor.exe --append payload.zip local.yaml LRCollector.exe
 ./velociraptor config repack --exe Velociraptorx86.exe --append payload_x86.zip local.yaml LRCollector_x86.exe
diff --git a/local.yaml b/local.yaml
 autoexec:
  argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]
  artifact_definitions:
    - name: MultiCollection
      parameters:
        - name: uploadTable
          description: "define additional files to collect"
          default: |
            Type,Accessor,Glob
            Pagefile,ntfs,C:\pagefile.sys
            Swapfile,ntfs,C:\swapfile.sys
            Hibernation,ntfs,C:\hiberfil.sys 
      sources:
        - name: MemoryCollection
          description: "memory aquisition leveraging WinPMem"
          queries:
            - LET hostname <= SELECT Hostname From info()
            - LET me  <= SELECT Exe FROM pslist(pid=getpid())
            - LET winpmem <= SELECT copy(
                       filename=FullPath,
                       accessor="zip",             
                       dest=tempfile(data="X", extension=".exe")
                   ) AS Filename
              FROM glob(globs=url(
                   path=basename(path=me.Exe), 
                   fragment="/**/winpmem_*").String, 
                   accessor="zip") 
              LIMIT 1
            - SELECT StdOut
              FROM execve(
                argv=[winpmem.Filename[0], "-dd", "-t", "-c", "snappy", "-o", hostname.Hostname[0] + ".aff4"
              ])
              WHERE winpmem
        - name: uploadFiles
          description: "upload files listed in upload table if exist"
          queries:
            - SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)
        - name: Kape
          queries:
            - SELECT * FROM Artifact.Windows.KapeFiles.Targets(
                Device ="C:", VSSAnalysis="Y",
                _BasicCollection = "Y",  WindowsDefender = "Y",WindowsFirewall = "Y", WBEM = "Y", 
                Avast = "Y", AviraAVLogs = "Y", Bitdefender = "Y", ESET = "Y", FSecure = "Y", Malwarebytes = "Y", McAfee = "Y", Sophos = "Y",Symantec_AV_Logs = "Y",TrendMicro = "Y",VIPRE = "Y", 
                RemoteAdmin = "Y", Ammyy = "Y", EventLogs_RDP = "Y", RDPCache = "Y", RDPLogs = "Y", LogMeIn = "Y", TeamViewerLogs = "Y", ScreenConnect = "Y", VNCLogs = "Y"
              )
        - name: Autoruns
          description: "generate autoruns output"
          queries:
            - LET hostname <= SELECT Hostname From info()
            - LET me  <= SELECT Exe FROM pslist(pid=getpid())
            - LET autoruns <= SELECT copy(
                       filename=FullPath,
                       accessor="zip",             
                       dest=tempfile(data="X", extension=".exe")
                   ) AS Filename
              FROM glob(globs=url(
                   path=basename(path=me.Exe), 
                   fragment="/**/autoruns*.exe").String, 
                   accessor="zip") 
              LIMIT 1
            - SELECT StdOut
              FROM execve(
                argv=[autoruns.Filename[0], "-a","*","-c","-h","-t",
                        "-nobanner","-accepteula", "-o", hostname.Hostname[0] + "_autoruns.csv"
                        ])
              WHERE autoruns
diff --git a/local_all.yaml b/local_all.yaml
 autoexec:
  argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]
  artifact_definitions:
    - name: MultiCollection
      parameters:
        - name: uploadTable
          description: "define additional files to collect"
          default: |
            Type,Accessor,Glob
            Pagefile,ntfs,C:\pagefile.sys
            Swapfile,ntfs,C:\swapfile.sys
            Hibernation,ntfs,C:\hiberfil.sys 
      sources:
        - name: MemoryCollection
          description: "memory aquisition leveraging WinPMem"
          queries:
            - LET hostname <= SELECT Hostname From info()
            - LET me  <= SELECT Exe FROM pslist(pid=getpid())
            - LET winpmem <= SELECT copy(
                       filename=FullPath,
                       accessor="zip",             
                       dest=tempfile(data="X", extension=".exe")
                   ) AS Filename
              FROM glob(globs=url(
                   path=basename(path=me.Exe), 
                   fragment="/**/winpmem_*").String, 
                   accessor="zip") 
              LIMIT 1
            - SELECT StdOut
              FROM execve(
                argv=[winpmem.Filename[0], "-dd", "-t", "-c", "snappy", "-o", hostname.Hostname[0] + ".aff4"
              ])
              WHERE winpmem
        - name: uploadFiles
          description: "upload files listed in upload table if exist"
          queries:
            - SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)
        - name: Kape
          queries:
            - SELECT * FROM Artifact.Windows.KapeFiles.Targets(
                Device ="C:", VSSAnalysis="Y",
                _BasicCollection = "Y", KapeTriage = "Y", MiniTimelineCollection = "Y", 
                FileSystem = "Y", _MFT = "Y", _Boot = "Y", _J = "Y", _LogFile = "Y", 
                EvidenceOfExecution = "Y", Prefetch = "Y", Amcache = "Y", StartupInfo = "Y", Syscache = "Y", 
                EventLogs = "Y", RegistryHives = "Y", PowerShellConsole = "Y", 
                SRUM = "Y", ScheduledTasks = "Y", WER = "Y",  WindowsDefender = "Y",WindowsFirewall = "Y", SignatureCatalog = "Y", WBEM = "Y", 
                Avast = "Y", AviraAVLogs = "Y", Bitdefender = "Y", ESET = "Y", FSecure = "Y", Malwarebytes = "Y", McAfee = "Y", Sophos = "Y",Symantec_AV_Logs = "Y",TrendMicro = "Y",VIPRE = "Y", 
                RemoteAdmin = "Y", Ammyy = "Y", EventLogs_RDP = "Y", RDPCache = "Y", RDPLogs = "Y", LogMeIn = "Y", TeamViewerLogs = "Y", ScreenConnect = "Y", VNCLogs = "Y", 
                WebBrowsers = "Y", Chrome = "Y", ChromeExtensions = "Y", Edge = "Y", Firefox = "Y", InternetExplorer = "Y", JavaWebCache = "Y", 
                OutlookPSTOST = "Y", LiveUserFiles = "Y", LnkFilesAndJumpLists = "Y", MOF = "Y", RecentFileCache = "Y", Recycle = "Y",LinuxOnWindowsProfileFiles = "Y",
                CloudStorage = "Y",BoxDrive = "Y", Dropbox = "Y", GoogleDrive = "Y", OneDrive = "Y", 
                ApacheAccessLog = "Y", Exchange = "Y", ExchangeClientAccess = "Y", ExchangeTransport = "Y", IISLogFiles = "Y", MSSQLErrorLog = "Y", NGINXLogs = "Y", 
                AppData = "Y", ApplicationEvents = "Y", BCD = "Y", CombinedLogs = "Y", ComboFix = "Y", EncapsulationLogging = "Y", EventTraceLogs = "Y", Notepad__ = "Y", 
                McAfee_ePO = "Y", Kaseya = "Y", CiscoJabber = "Y", ConfluenceLogs = "Y", SUPERAntiSpyware = "Y", Gigatribe = "Y", HitmanPro = "Y", RogueKiller = "Y", 
                GroupPolicy = "Y", LogFiles = "Y", SDB = "Y", ThumbCache = "Y", USBDevicesLogs = "Y", VirtualDisks = "Y", WindowsIndexSearch = "Y", WindowsNotifcationsDB = "Y",                 
                Skype = "Y", iTunesBackup = "Y", TeraCopy = "Y", TorrentClients = "Y", Torrents = "Y"
              )
        - name: Autoruns
          description: "generate autoruns output"
          queries:
            - LET hostname <= SELECT Hostname From info()
            - LET me  <= SELECT Exe FROM pslist(pid=getpid())
            - LET autoruns <= SELECT copy(
                       filename=FullPath,
                       accessor="zip",             
                       dest=tempfile(data="X", extension=".exe")
                   ) AS Filename
              FROM glob(globs=url(
                   path=basename(path=me.Exe), 
                   fragment="/**/autoruns*.exe").String, 
                   accessor="zip") 
              LIMIT 1
            - SELECT StdOut
              FROM execve(
                argv=[autoruns.Filename[0], "-a","*","-c","-h","-t",
                        "-nobanner","-accepteula", "-o", hostname.Hostname[0] + "_autoruns.csv"
                        ])
              WHERE autoruns
	#!/bin/bash
	#
	# Author: Matt Green - @mgreen27
	# Description: script to download and build x64 and x86 Velociraptor local live response tool
	# 3rd party binaries embedded in output files
	# Linux requirements: wget, curl, zip
	# Tested: Velociraptor 0.3.7

	# latest Velociraptor release binary from github
	LINUX="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest \| grep browser_download_url \| cut -d '"' -f 4 \| grep linux-amd64)"
	WINDOWS="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest \| grep browser_download_url \| cut -d '"' -f 4 \| grep windows-amd64\.exe)"
	WINDOWSx86="$(curl -s https://api.github.com/repos/Velocidex/velociraptor/releases/latest \| grep browser_download_url \| cut -d '"' -f 4 \| grep windows-386\.exe)"

	# Download linux binary and make executable
	wget $LINUX
	mv $(basename $LINUX) ./velociraptor
	chmod +x ./velociraptor

	# Download Windows binaries
	wget $WINDOWS
	mv $(basename $WINDOWS) ./Velociraptor.exe

	wget $WINDOWSx86
	mv $(basename $WINDOWSx86) ./Velociraptorx86.exe

	# Download Autoruns & WinPmem
	wget https://live.sysinternals.com/autorunsc64.exe
	wget https://live.sysinternals.com/autorunsc.exe
	wget https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/winpmem_v3.3.rc3.exe

	# create x64 package
	zip payload.zip autorunsc64.exe winpmem_v3.3.rc3.exe

	# create x86 package
	zip payload_x86.zip autorunsc.exe winpmem_v3.3.rc3.exe

	# Download config file
	wget https://gist.githubusercontent.com/mgreen27/22cd70739e733647e1e23338ca35c9a9/raw/d26fc8a0c6fd2e01b08a026cb45db45e9a09ffdb/local.yaml

	# build binaries
	./velociraptor config repack --exe Velociraptor.exe --append payload.zip local.yaml LRCollector.exe
	./velociraptor config repack --exe Velociraptorx86.exe --append payload_x86.zip local.yaml LRCollector_x86.exe
	autoexec:
	argv: ["artifacts", "collect", "-v", "MultiCollection","--output", "collection_$COMPUTERNAME.zip"]
	artifact_definitions:
	- name: MultiCollection
	parameters:
	- name: uploadTable
	description: "define additional files to collect"
	default: \|
	Type,Accessor,Glob
	Pagefile,ntfs,C:\pagefile.sys
	Swapfile,ntfs,C:\swapfile.sys
	Hibernation,ntfs,C:\hiberfil.sys
	sources:
	- name: MemoryCollection
	description: "memory aquisition leveraging WinPMem"
	queries:
	- LET hostname <= SELECT Hostname From info()
	- LET me <= SELECT Exe FROM pslist(pid=getpid())
	- LET winpmem <= SELECT copy(
	filename=FullPath,
	accessor="zip",
	dest=tempfile(data="X", extension=".exe")
	) AS Filename
	FROM glob(globs=url(
	path=basename(path=me.Exe),
	fragment="/*/winpmem_").String,
	accessor="zip")
	LIMIT 1
	- SELECT StdOut
	FROM execve(
	argv=[winpmem.Filename[0], "-dd", "-t", "-c", "snappy", "-o", hostname.Hostname[0] + ".aff4"
	])
	WHERE winpmem
	- name: uploadFiles
	description: "upload files listed in upload table if exist"
	queries:
	- SELECT * FROM Artifact.Triage.Collection.UploadTable(triageTable=uploadTable)
	- name: Kape
	queries:
	- SELECT * FROM Artifact.Windows.KapeFiles.Targets(
	Device ="C:", VSSAnalysis="Y",
	_BasicCollection = "Y", WindowsDefender = "Y",WindowsFirewall = "Y", WBEM = "Y",
	Avast = "Y", AviraAVLogs = "Y", Bitdefender = "Y", ESET = "Y", FSecure = "Y", Malwarebytes = "Y", McAfee = "Y", Sophos = "Y",Symantec_AV_Logs = "Y",TrendMicro = "Y",VIPRE = "Y",
	RemoteAdmin = "Y", Ammyy = "Y", EventLogs_RDP = "Y", RDPCache = "Y", RDPLogs = "Y", LogMeIn = "Y", TeamViewerLogs = "Y", ScreenConnect = "Y", VNCLogs = "Y"
	)
	- name: Autoruns
	description: "generate autoruns output"
	queries:
	- LET hostname <= SELECT Hostname From info()
	- LET me <= SELECT Exe FROM pslist(pid=getpid())
	- LET autoruns <= SELECT copy(
	filename=FullPath,
	accessor="zip",
	dest=tempfile(data="X", extension=".exe")
	) AS Filename
	FROM glob(globs=url(
	path=basename(path=me.Exe),
	fragment="/*/autoruns.exe").String,
	accessor="zip")
	LIMIT 1
	- SELECT StdOut
	FROM execve(
	argv=[autoruns.Filename[0], "-a","*","-c","-h","-t",
	"-nobanner","-accepteula", "-o", hostname.Hostname[0] + "_autoruns.csv"
	])
	WHERE autoruns