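---
# https://docs.velociraptor.app/blog/2019/2019-10-08_triage-with-velociraptor-pt-3-d6f63215f579/
#
# Velociraptor client config that runs one custom artifact on startup:
# collect the Windows.KapeFiles.Targets "WebBrowsers" target into an
# encrypted zip and upload it to a GCS bucket.
#
# This file carries the GCS service-account key and the zip password.
# Treat a populated copy as a secret (it grants write access to the
# bucket and lets anyone holding it decrypt the uploaded collections).
autoexec:
  # These parameters are run when the binary is started without args.
  # It will just collect our custom artifact and quit.
  argv: ["artifacts", "collect", "-v", "AcquireAndUploadToGCS"]
  artifact_definitions:
    - name: AcquireAndUploadToGCS
      description: |
        Collect the KapeFiles WebBrowsers target into a password-protected
        zip and upload it to Google Cloud Storage.
      parameters:
        - name: GCSKey
          description: JSON Blob you get from GCS when you create a service account.
          # The default is a placeholder (the XXXXXXX fields); replace it with
          # the real key before deploying. Kept as a literal block so the JSON
          # is passed through verbatim.
          default: |
            {
              "type": "service_account",
              "project_id": "velociraptor-demo",
              "private_key_id": "XXXXXXX",
              "private_key": "XXXXXXX",
              "client_email": "uploader@velociraptor-demo.iam.gserviceaccount.com",
              "client_id": "XXXXXX",
              "auth_uri": "https://accounts.google.com/o/oauth2/auth",
              "token_uri": "https://oauth2.googleapis.com/token",
              "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
              "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/uploader%40velociraptor-demo.iam.gserviceaccount.com"
            }
        - name: bucket
          description: GCS bucket the collection zip is uploaded to.
          default: velociraptor-uploads-121
        - name: project
          description: GCP project that owns the bucket.
          default: velociraptor-demo
        - name: ZipPassword
          description: Password used to encrypt the collection zip before upload.
          # The default is the sample value from the original config, kept so
          # behaviour is unchanged; set a real password per deployment rather
          # than leaving it hard-coded in the query.
          default: MyPassword
      sources:
        - queries:
            # This collects the WebBrowsers target from KapeFiles into
            # a tempfile, then uploads the tempfile to GCS with the
            # above credentials.
            #
            # The query is a literal block scalar (|) on purpose: as a plain
            # multi-line scalar YAML folds the lines into one, so a trailing
            # VQL "//" comment would swallow the rest of the statement.
            - |
              SELECT upload_gcs(
                  file=Container,
                  bucket=bucket,
                  project=project,
                  name=format(format="Collection %s.zip", args=[timestamp(epoch=now())]),
                  credentials=GCSKey) AS Uploaded
              FROM collect(
                  artifacts="Windows.KapeFiles.Targets",
                  args=dict(WebBrowsers="Y"),
                  password=ZipPassword,
                  output=tempfile(extension=".zip"))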