Created May 18, 2020 01:46
Artifact to remove Velociraptor that has been installed manually
````yaml
name: Custom.Uninstall.Velociraptor
description: |
  Uninstall Velociraptor which was installed using
  ```
  Velociraptor.exe --config client.config.yaml service install
  ```

  The problem with this installation method is that it becomes hard to remove since it
  is not properly managed by the Windows installer. We can not delete the executable
  we are running from, and if we stopped the service, we won't be around to delete the
  executable.

  This artifact creates a scheduled task in 2 minutes to remove the executable, then we
  stop and delete the service. The executable should be removed by the scheduled task later.

parameters:
  - name: PostInstallScript
    description: This script will be run inside the scheduled task.
    default: |
      Get-ChildItem "C:/Program Files/velociraptor/*" -Include *.exe | Remove-Item

  - name: PowershellScript
    default: |
      sc.exe delete velociraptor
      schtasks /delete /tn vraptor /f
      $time = [DateTime]::Now.AddMinutes(2)
      $user = "system"
      $action = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument ' -ExecutionPolicy Unrestricted -encodedCommand %s'
      $trigger = New-ScheduledTaskTrigger -Once -At $time
      Register-ScheduledTask -Action $action -User $user -TaskName "vraptor" -Trigger $trigger
      echo stopping service - This will kill us but the scheduled task above will clean up after.
      sc.exe stop velociraptor

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      SELECT * FROM execve(argv=[
        "powershell",
        "-ExecutionPolicy", "Unrestricted", "-encodedCommand",
        base64encode(string=utf16_encode(
          string=format(format=PowershellScript,
            args=base64encode(string=utf16_encode(
              string=PostInstallScript)))))])
````
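To check what the scheduled task will actually run, here is an added Python example (not part of the gist) that reproduces the artifact's nested encoding, base64 over UTF-16LE applied twice with the inner script spliced into the outer script's `%s`, and then peels the layers apart the way an analyst would when reviewing a logged `powershell -encodedCommand` argument. The script text is copied from the parameter defaults above; the `%s` substitution stands in for VQL's `format()`.

```python
import base64
import re

# Copied from the artifact's parameter defaults. The %s placeholder in the
# outer script is where the encoded inner script gets spliced in.
POST_INSTALL_SCRIPT = (
    'Get-ChildItem "C:/Program Files/velociraptor/*" -Include *.exe | Remove-Item\n'
)
POWERSHELL_SCRIPT = (
    "sc.exe delete velociraptor\n"
    "schtasks /delete /tn vraptor /f\n"
    "$time = [DateTime]::Now.AddMinutes(2)\n"
    '$user = "system"\n'
    "$action = New-ScheduledTaskAction -Execute 'Powershell.exe' "
    "-Argument ' -ExecutionPolicy Unrestricted -encodedCommand %s'\n"
    "$trigger = New-ScheduledTaskTrigger -Once -At $time\n"
    'Register-ScheduledTask -Action $action -User $user -TaskName "vraptor" -Trigger $trigger\n'
    "echo stopping service - This will kill us but the scheduled task above will clean up after.\n"
    "sc.exe stop velociraptor\n"
)

def encode_command(script: str) -> str:
    """Mirror base64encode(string=utf16_encode(string=...)): the form that
    powershell -encodedCommand expects is base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_command(encoded: str) -> str:
    """Reverse of encode_command."""
    return base64.b64decode(encoded).decode("utf-16-le")

def build_outer_command(outer: str = POWERSHELL_SCRIPT,
                        inner: str = POST_INSTALL_SCRIPT) -> str:
    """Same nesting as the artifact's query: encode the inner script, splice it
    into the outer script's %s (VQL format()), then encode the outer script."""
    return encode_command(outer.replace("%s", encode_command(inner), 1))

ENCODED_RE = re.compile(r"-encodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def peel_layers(encoded: str) -> list[str]:
    """Decode an -encodedCommand value and keep decoding any nested
    -encodedCommand arguments found inside it, outermost layer first."""
    layers = []
    pending = [encoded]
    while pending:
        script = decode_command(pending.pop(0))
        layers.append(script)
        pending.extend(m.group(1) for m in ENCODED_RE.finditer(script))
    return layers
```

Running `peel_layers(build_outer_command())` yields two layers: the service-removal script with the encoded task payload inline, then the plain `Remove-Item` script the task executes two minutes later.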
dfirhoze commented on this gist (Fri, 12 May 2023, 05:37):

Is there any method to fully remove *everything*, even the Velociraptor directory created in Program Files?

Author

Yes you should install the msi as recommended. This script is for cases
when the recommendation is not followed and it's not usually needed