VHDX artifact suite #1115
VHDX artifact suite #1115
Conversation
|
|
|
Thanks for this. Just a quick question: How is this different from the built in https://docs.velociraptor.app/artifact_references/pages/generic.utils.deaddiskremapping/ and https://docs.velociraptor.app/artifact_references/pages/server.utils.deaddiskclient/ If there is anything that the built in does not do we probably should add it into that instead of having slightly different versions that do the same things. |
| @@ -0,0 +1,78 @@ | |||
| name: Windows.Sys.Users | |||
There was a problem hiding this comment.
You cant call the artifact the same name as a built in artifact
There was a problem hiding this comment.
I use the Vhdx suite naming convention to avoid this issue.
0d5f170
| } | ||
| path_type: registry | ||
| "on": | ||
| accessor: registry |
There was a problem hiding this comment.
there are actually alot of registry paths to mount - like user class, sam etc. You are better off to use the supported remapping builder artifact for completeness.
There was a problem hiding this comment.
For user profiles, only NTUser.dat and UsrClass.dat are available. I added UsrClass with de0f4a3
| "-ExecutionPolicy", "Bypass", | ||
| "-NoProfile", | ||
| "-Command", | ||
| "Start-Process -FilePath '"+ veloInfo[0].Exe +"' -ArgumentList '--config client.config.yaml --config.client-writeback-windows=\"" + writebackFilename + "\" --config.client-local-buffer-filename-windows=\"" + localBufferPath + "\" --remap \"" + RemappingFile + "\" --config.client-labels=" + customLabel + " client' -WorkingDirectory '" + veloFolderPath + "' -WindowStyle Hidden" |
There was a problem hiding this comment.
it is probably better to run the execve() plugin with specific argv - this artifact may not actually be running on windows and powershell is not necessary
There was a problem hiding this comment.
Reworked in 11ab2c9 to allow a PowerShell-less experience.
| ) | ||
|
|
||
| // Write the remapping content in a temp file | ||
| LET tmpFile = SELECT |
There was a problem hiding this comment.
LET tmpFile <= tempfile(...)
| // Copy the file to the remapping YAML file | ||
| LET copyFile = SELECT copy( | ||
| filename=tmpFile.Path, | ||
| dest=strip(string=veloExe.OSPath.Dirname.String, suffix=" ") + '\\Vhdx\\Remapping\\'+strip(string=rows[0].userProfile.Username, suffix=" ")+'.yaml', |
There was a problem hiding this comment.
Just use path manipulation here
pathspec(parse=veloInfo[0].Exe).Dirname + "Vhdx\Remapping" + "Goo.yaml"
Also I cant see where rows is defined.
There was a problem hiding this comment.
rows was the return variable from the batch plugin, I made it clearer by renaming it in 9789fa7
| // Retrieve the directory from the running Velociraptor executable | ||
| LET veloInfo = SELECT Exe FROM info() | ||
| LET veloExe = SELECT OSPath FROM glob(globs=veloInfo.Exe) | ||
| LET veloFolderPath = strip(string=veloExe.OSPath.Dirname, prefix=' ', suffix=' ') |
There was a problem hiding this comment.
pathspec(parse=veloInfo[0].Exe).Dirname
|
|
||
| // Run the agent for each remapping file | ||
| SELECT * FROM foreach( | ||
| row=remappingFiles, |
There was a problem hiding this comment.
use async=TRUE here to force all the clients to run in another thread.
This will wait for all the client . This way when the user kills this collection all the clients are shut down at once. No need for the other killing artifact.
There was a problem hiding this comment.
I wanted to keep the possible PS experience, but I also added the native VQL solution in 11ab2c9. The remover should remain, as it also allows for cleaning the setup from the machine.
3 participants
I'm adding the artifacts for the VHDX artifact suite described in the blog post https://labs.infoguard.ch/posts/automation_of_vhdx_investigations, which allows the investigation of VHDX-based user profiles.