
VR Offline Collector GPO Distribution

Secure Cake edited this page Mar 11, 2024 · 3 revisions

The following is an outline of the process to deploy a Velociraptor Offline Collector to Active Directory domain-joined Windows endpoints via a Group Policy Object (GPO). This works well with a collector configured for automatic upload to S3 (or a similar object store); see VR-Offline-Collector-Creation for details on creating a collector with an S3 upload configuration.

High-level steps:

  1. Create a collector
  2. Stage the collector in a file share accessible to all target endpoints
  3. Create a GPO to execute the collector via a "scheduled task"
  4. Link the GPO to Organizational Units (OU's)

NOTE: WMI Filtering can be used to target specific Windows endpoints within a linked OU. Will update with details!

Deployment File Share:

After creating a collector (VR-Offline-Collector-Creation), you'll need to copy/paste it to a location that all "Domain Computers" have "read" permissions to access. If you are using GPO for software deployment, you likely already have a File Share configured with these permissions. If not, you can create one as below:

  1. On an Active Directory Domain Controller (or other File Server), in File Explorer create a new folder named "Deployment" under the C:\ drive or another Data Volume
  2. Right click the “Deployment” folder and select Properties\Sharing\Share
  3. Click the Drop Down Menu, “Find people…" type "domain computers," click "check names," then click "Ok"
  4. Confirm that the share "Permission Level" is "Read" (not "Read/Write"), then click "Share". The collector runs as SYSTEM on every target, so any principal that can modify this file can run code on every endpoint that applies the GPO; "Domain Computers" must never have write access here
  5. Make a note of the UNC Path to the Shared Deployment Folder, then click Done
  6. Copy the “Triage Collector” executable into the “Deployment” share
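The same staging done from an elevated PowerShell session on the file server, as an added example that is not part of the original page. It assumes the folder C:\Deployment, the share name "Deployment", the domain NetBIOS name CORP, and that the collector is already saved at C:\Temp\Offline-Collector-GPO-S3-Upload.exe; adjust those to your environment. It also tightens the NTFS ACL, which the File Explorer sharing wizard leaves inherited, and prints the SHA-256 of the staged file so a pilot endpoint can be checked against it.

```powershell
# Added example, not from the original page: stage the collector on a read-only share.
# Assumed names: folder C:\Deployment, share "Deployment", domain NetBIOS name CORP,
# collector already saved at C:\Temp\Offline-Collector-GPO-S3-Upload.exe.
$Root      = 'C:\Deployment'
$ShareName = 'Deployment'
$Source    = 'C:\Temp\Offline-Collector-GPO-S3-Upload.exe'   # assumed source path
$Readers   = 'CORP\Domain Computers'                          # assumed domain name

New-Item -Path $Root -ItemType Directory -Force | Out-Null

# NTFS permissions: drop inherited ACEs (a new folder under C:\ inherits Modify for
# Authenticated Users on subfolders), then grant only Administrators/SYSTEM full control
# and Domain Computers read+execute. The GPO runs this file as SYSTEM on every target,
# so any principal that can write here can run code on every endpoint.
icacls $Root /inheritance:r `
    /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${Readers}:(OI)(CI)RX" | Out-Null

# Share permissions are the second gate: Read for Domain Computers, Full only for admins.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -ReadAccess $Readers `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

Copy-Item -Path $Source -Destination $Root
$Staged = Join-Path $Root (Split-Path $Source -Leaf)

# Checks: confirm Domain Computers has no write right on either layer, and record the
# hash to compare against on a pilot endpoint before the GPO goes wide.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight, AccessControlType
(Get-Acl $Root).Access | Where-Object { $_.IdentityReference.Value -eq $Readers } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
Get-FileHash -Path $Staged -Algorithm SHA256 | Format-List Path, Hash
"UNC path for the GPO action: \\$env:COMPUTERNAME\$ShareName\$(Split-Path $Source -Leaf)"
```

The last line prints the exact UNC path to paste into the scheduled task action; keep the printed hash with your deployment notes.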

Create and Link a Group Policy Object:

After you've created the collector and staged it in a file share that all targets ("Domain Computers") can read, create a GPO and link it to the OUs containing your target endpoints:

  1. Go to Start, Windows Administrative Tools and click “Group Policy Management”
  2. Under your Domain, right click “Group Policy Object” and click "New"
  3. Type in a descriptive name for the Deployment GPO and click “Ok”
  4. Expand “Group Policy Objects,” right-click your Deployment GPO, and click “Edit”
  5. Go to Computer Configuration\Preferences\Control Panel Settings, right-click "Scheduled Tasks," click "New," then click "Immediate Task (At least Windows 7)”
  6. Enter a descriptive name for the task, e.g. "VR Offline Collector Deployment Task"
  7. Click the “Change User or Group” button, type “system" in the “Enter the object name to select” box, click “Check Names” to validate, then click "OK"
  8. Select "Run whether user is logged on or not" and "Hidden"
  9. Click the "Actions" tab, click “New” and enter the UNC path to the “Triage Collector” executable (the path noted in step 5 of the Deployment File Share section), e.g. \\W2K22-DC1\Deployment\Offline-Collector-GPO-S3-Upload.exe, then click “Ok”

IMPORTANT: Do not browse to or enter a local file path, e.g. C:\Deployment

  10. Click the “Settings” tab, enable "Stop the task if it runs longer than," and set it to “2 Hours”
  11. Click the “Common” tab, enable "Apply once and do not reapply," then click “Ok”
  12. Close the Group Policy Management Editor window. In the Group Policy Management console, right-click the desired OU (Organizational Unit), select “Link an Existing GPO,” choose the GPO, e.g. “Triage-Collector-Deployment,” and click “Ok”
  13. Right-click the linked GPO, e.g. “Triage-Collector-Deployment,” and select “Enforced,” so that "Block Inheritance" on a child OU cannot suppress it
  14. The Group Policy is now linked and active. Clients in the linked OUs will run the “Triage Collector” at the next Group Policy refresh, which occurs every 90 minutes plus a random offset of up to 30 minutes (roughly every 90-120 min), or at the next startup. Alternatively, a client can be forced to refresh and run the task immediately by executing “gpupdate /force” in a command shell on that client
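The GPO creation, linking and refresh steps driven from PowerShell, as an added example that is not part of the original page. It assumes an admin workstation with the RSAT GroupPolicy and ActiveDirectory modules, a GPO named "Triage-Collector-Deployment", a pilot OU OU=Pilot,OU=Workstations,DC=corp,DC=example, the file server W2K22-DC1 and share "Deployment"; the SHA-256 placeholder is the value recorded when the file was staged. The Immediate Task itself is still configured in the Group Policy Management Editor (steps 5 through 9 above), since the GroupPolicy module has no cmdlet for Preferences items. The pre-flight check runs as SYSTEM on each pilot host, because that is the context the task will use and because a remote PowerShell session cannot reach the share on a second hop with the admin's token.

```powershell
# Added example, not from the original page: create the deployment GPO, link it to a pilot
# OU first, verify from each pilot host that SYSTEM can read the staged collector, then push
# the refresh. All names below are assumptions for the example.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Triage-Collector-Deployment'
$PilotOU  = 'OU=Pilot,OU=Workstations,DC=corp,DC=example'             # assumed OU
$Unc      = '\\W2K22-DC1\Deployment\Offline-Collector-GPO-S3-Upload.exe'
$Expected = 'PASTE-THE-SHA256-RECORDED-WHEN-THE-FILE-WAS-STAGED'        # placeholder value

# 1. Create the GPO if it does not exist; the user half is empty, so disable it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Runs the Velociraptor offline collector once as SYSTEM'
}
$gpo.GpoStatus = 'UserSettingsDisabled'

# 2. Link to the pilot OU only, enforced as in the "Enforced" step above. Widen to other
#    OUs one at a time once the pilot uploads have finished.
$linked = (Get-GPInheritance -Target $PilotOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $PilotOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 3. Pre-flight on every pilot computer: a one-shot scheduled task running as SYSTEM hashes
#    the file over the UNC path and writes True/False to a local file.
$pilots = Get-ADComputer -SearchBase $PilotOU -Filter * | Select-Object -ExpandProperty Name
$results = foreach ($computer in $pilots) {
    Invoke-Command -ComputerName $computer -ArgumentList $Unc, $Expected -ScriptBlock {
        param($Unc, $Expected)
        $out = 'C:\Windows\Temp\collector-preflight.txt'
        Remove-Item $out -ErrorAction SilentlyContinue
        $check = "`$h = (Get-FileHash '$Unc' -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash; " +
                 "Set-Content -Path '$out' -Value (`$h -eq '$Expected')"
        $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$check`""
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount
        Register-ScheduledTask -TaskName 'CollectorPreflight' -Action $action -Principal $principal -Force | Out-Null
        Start-ScheduledTask -TaskName 'CollectorPreflight'
        # Hashing a few hundred MB over SMB takes a moment; wait until the task is idle again.
        do { Start-Sleep -Seconds 5 } until ((Get-ScheduledTask -TaskName 'CollectorPreflight').State -eq 'Ready')
        Unregister-ScheduledTask -TaskName 'CollectorPreflight' -Confirm:$false
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            HashMatches = [bool](Get-Content $out -ErrorAction SilentlyContinue | Where-Object { $_ -eq 'True' })
        }
    }
}
$results | Format-Table Computer, HashMatches

# 4. Only when every pilot host reads the expected file: push the refresh instead of waiting
#    for the 90-120 minute cycle (same effect as gpupdate /force on each client).
if ($results -and ($results.HashMatches -notcontains $false)) {
    foreach ($computer in $pilots) {
        Invoke-GPUpdate -Computer $computer -Target Computer -Force -RandomDelayInMinutes 0
    }
} else {
    Write-Warning 'A pilot host cannot read the staged collector as SYSTEM; fix share/NTFS permissions before linking more OUs.'
}
```

A False result from the pre-flight almost always means the computer account (not your admin account) lacks read access on the share or the NTFS ACL, or that a local path was entered instead of the UNC path; a missing result means the task could not start at all. Invoke-GPUpdate needs the remote scheduled tasks firewall rules open on the clients.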

NOTES:

  • Make sure you create a collector that is not configured to "prompt" on completion: the task runs hidden as SYSTEM, so nobody can acknowledge the prompt and the task would sit open until the 2-hour limit stops it
  • You'll want to thoroughly test your collector before wide distribution through GPO!
  • Confirm that all targets have access to the "upload" (collector output) location, eg your "S3" bucket
  • Generally collector output (ZIP file) is around 150-300 MB per endpoint
  • Link the GPO to OUs incrementally to avoid saturating network bandwidth; estimate each batch's upload burst from the average ZIP size multiplied by the number of endpoints in the OU