A sample remapping configuration for raw disk-image access: filesystem and registry accessors are redirected onto a single partition inside the image file, and plugins that would otherwise query the live analysis host are disabled.
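---
# Remapping configuration for analysing a raw disk image offline.
#
# Every mount below reads the same partition: the image file /shared/mnt/flat,
# starting at byte offset 122683392 (accessor chain: file -> offset -> raw_ntfs).
# The offset is embedded as text inside each JSON prefix, so it cannot be
# anchored/aliased; if the image or partition changes, update every occurrence.
# NOTE(review): verify the offset against the image's partition table before
# use -- a wrong offset does not fail loudly, it just yields a garbage or empty
# filesystem view.
#
# The mapping key `on` is quoted throughout because unquoted `on` is parsed as
# the boolean `true` by YAML 1.1 loaders.
remappings:
# Permissions available to queries executed under this remapping.
# NOTE(review): FILESYSTEM_WRITE and SERVER_ADMIN look broader than a
# read-only image analysis should need; confirm the artifacts you run actually
# require them, otherwise drop them to keep the analysis context least-privilege.
- type: permissions
  permissions:
  - COLLECT_CLIENT
  - FILESYSTEM_READ
  - FILESYSTEM_WRITE
  - READ_RESULTS
  - MACHINE_STATE
  - SERVER_ADMIN
# Present the image as a Windows host so Windows artifacts run unmodified.
# SystemRoot/WinDir are the environment values artifacts typically expand when
# locating system files on the mounted C: drive.
- type: impersonation
  os: windows
  hostname: Virtual Host
  env:
  - key: SystemRoot
    value: 'C:\Windows'
  - key: WinDir
    value: 'C:\Windows'
  # Functions/plugins that inspect the *running* system (process lists,
  # handles, sockets, WMI, tokens, SIDs, ...). Left enabled they would report
  # on the analysis machine rather than the imaged host.
  # NOTE(review): this is a deny-list -- any live-host plugin not named here
  # still executes on the analysis machine. Review it against the artifacts
  # you intend to run under this remapping.
  disabled_functions:
  - amsi
  - lookupSID
  - token
  disabled_plugins:
  - users
  - certificates
  - handles
  - pslist
  - interfaces
  - modules
  - netstat
  - partitions
  - proc_dump
  - proc_yara
  - vad
  - winobj
  - wmi
# The same NTFS partition is exposed three times so that artifacts using the
# `ntfs`, `file` or `auto` accessor all resolve C: to the image.
- type: mount
  description: >-
    Mount the partition /shared/mnt/flat (offset 122683392) on the C:
    drive (NTFS)
  from:
    accessor: raw_ntfs
    prefix: |
      {
        "DelegateAccessor": "offset",
        "Delegate": {
          "DelegateAccessor": "file",
          "DelegatePath": "/shared/mnt/flat",
          "Path": "122683392"
        },
        "Path": "/"
      }
  "on":
    accessor: ntfs
    prefix: '\\.\C:'
    path_type: ntfs
- type: mount
  description: >-
    Mount the partition /shared/mnt/flat (offset 122683392) on the C:
    drive (File Accessor)
  from:
    accessor: raw_ntfs
    prefix: |
      {
        "DelegateAccessor": "offset",
        "Delegate": {
          "DelegateAccessor": "file",
          "DelegatePath": "/shared/mnt/flat",
          "Path": "122683392"
        },
        "Path": "/"
      }
  "on":
    accessor: file
    prefix: 'C:'
    path_type: windows
- type: mount
  description: >-
    Mount the partition /shared/mnt/flat (offset 122683392) on the C:
    drive (Auto Accessor)
  from:
    accessor: raw_ntfs
    prefix: |
      {
        "DelegateAccessor": "offset",
        "Delegate": {
          "DelegateAccessor": "file",
          "DelegatePath": "/shared/mnt/flat",
          "Path": "122683392"
        },
        "Path": "/"
      }
  "on":
    accessor: auto
    prefix: 'C:'
    path_type: windows
# Registry hives are parsed straight out of the NTFS volume (raw_reg over
# raw_ntfs) and exposed under the HKEY_LOCAL_MACHINE paths artifacts expect.
- type: mount
  description: >-
    Map the /Windows/System32/Config/SOFTWARE Registry hive on
    HKEY_LOCAL_MACHINE\Software (Prefixed at /)
  from:
    accessor: raw_reg
    prefix: |-
      {
        "Path": "/",
        "DelegateAccessor": "raw_ntfs",
        "Delegate": {
          "DelegateAccessor": "offset",
          "Delegate": {
            "DelegateAccessor": "file",
            "DelegatePath": "/shared/mnt/flat",
            "Path": "122683392"
          },
          "Path": "/Windows/System32/Config/SOFTWARE"
        }
      }
    path_type: registry
  "on":
    accessor: registry
    prefix: 'HKEY_LOCAL_MACHINE\Software'
    path_type: registry
- type: mount
  description: >-
    Map the /Windows/System32/Config/SYSTEM Registry hive on
    HKEY_LOCAL_MACHINE\System (Prefixed at /)
  from:
    accessor: raw_reg
    prefix: |-
      {
        "Path": "/",
        "DelegateAccessor": "raw_ntfs",
        "Delegate": {
          "DelegateAccessor": "offset",
          "Delegate": {
            "DelegateAccessor": "file",
            "DelegatePath": "/shared/mnt/flat",
            "Path": "122683392"
          },
          "Path": "/Windows/System32/Config/SYSTEM"
        }
      }
    path_type: registry
  "on":
    accessor: registry
    prefix: 'HKEY_LOCAL_MACHINE\System'
    path_type: registry
# CurrentControlSet is a live-system alias and does not exist in the on-disk
# hive, so it is synthesised here by mounting the ControlSet001 subtree.
# NOTE(review): this hard-codes ControlSet001. The control set that was
# actually current is recorded in the hive itself (the Select key's Current
# value); check it for the image and adjust "Path" if it is not 001.
- type: mount
  description: >-
    Map the /Windows/System32/Config/SYSTEM Registry hive on
    HKEY_LOCAL_MACHINE\System\CurrentControlSet (Prefixed at /ControlSet001)
  from:
    accessor: raw_reg
    prefix: |-
      {
        "Path": "/ControlSet001",
        "DelegateAccessor": "raw_ntfs",
        "Delegate": {
          "DelegateAccessor": "offset",
          "Delegate": {
            "DelegateAccessor": "file",
            "DelegatePath": "/shared/mnt/flat",
            "Path": "122683392"
          },
          "Path": "/Windows/System32/Config/SYSTEM"
        }
      }
    path_type: registry
  "on":
    accessor: registry
    prefix: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet'
    path_type: registry
# Shadow remappings map an accessor onto itself, which presumably keeps these
# accessors usable as-is (i.e. not redirected by the mounts above).
- type: shadow
  from:
    accessor: zip
  "on":
    accessor: zip
- type: shadow
  from:
    accessor: raw_reg
  "on":
    accessor: raw_reg
- type: shadow
  from:
    accessor: data
  "on":
    accessor: data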