Added a CSV type renderer. (Velocidex#456)

Many artifacts accept structured data as a CSV file. This GUI change adds a form renderer to allow users to easily manipulate this structured data. Additionally fixed bug in client event monitoring: * User parameters were not properly sent to client. * Wait time for event queries is now configurable.
smccooey-r7 · Jun 25, 2020 · 5b73771 · 5b73771
1 parent b7f5472
commit 5b73771
Show file tree

Hide file tree

Showing 29 changed files with 644 additions and 482 deletions.
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ To learn more about Velociraptor, read the documentation on:
 3. Start the server:
 
 ```bash
- $ velociraptor --config /etc/velociraptor.config.yaml frontend -v
+ $ velociraptor --config server.config.yaml frontend -v
 ```
 
 4. Point a browser at the GUI port that you set in the config
@@ -75,8 +75,7 @@ Explore more of Velociraptor's options using the -h flag.
 ## Building from source.
 
 To build from source, make sure you have a recent Golang installed
-from https://golang.org/dl/ (Currently at least Go 11 but Go 13 is
-recommended):
+from https://golang.org/dl/ (Currently at least Go 1.13):
 
 ```bash
 
@@ -132,6 +131,10 @@ built at each commit poiint - simply click on the `artifacts` tab,
 scroll down and download `velociraptor.exe` or
 `velociraptor_linux.elf`
 
+Additionally we build all binaries using Github actions. Simply click
+the actions tab on Github and download the `Binaries.zip` file. This
+will contain binaries for Windows, MacOS and Linux.
+
 
 ## Getting help
 
@@ -144,3 +147,5 @@ File issues on https://github.com/Velocidex/velociraptor
 Read more about Velociraptor on our blog:
 
 https://www.velocidex.com/blog/
+
+Hang out on Medium https://medium.com/velociraptor-ir
diff --git a/artifacts/definitions/Server/Utils/DownloadBinaries.yaml b/artifacts/definitions/Server/Utils/DownloadBinaries.yaml
@@ -16,6 +16,7 @@ type: SERVER
 
 parameters:
   - name: binaryList
+    type: csv
     default: |
       Tool,Enabled,Type,URL,Filename
       Autorun_amd64,Y,amd64,https://live.sysinternals.com/tools/autorunsc64.exe,autorunsc_x64.exe

diff --git a/artifacts/definitions/Triage/Collection/UploadTable.yaml b/artifacts/definitions/Triage/Collection/UploadTable.yaml
@@ -6,6 +6,7 @@ description: |
 parameters:
   - name: triageTable
     description: "A CSV table controlling upload. Must have the headers: Type, Accessor, Glob."
+    type: csv
     default: |
       Type,Accessor,Glob
 

diff --git a/artifacts/definitions/Windows/Attack/ParentProcess.yaml b/artifacts/definitions/Windows/Attack/ParentProcess.yaml
@@ -10,6 +10,7 @@ precondition: SELECT OS From info() where OS = 'windows'
 
 parameters:
   - name: lookupTable
+    type: csv
     default: |
        ProcessName,ParentRegex
        smss.exe,System

diff --git a/artifacts/definitions/Windows/Attack/Prefetch.yaml b/artifacts/definitions/Windows/Attack/Prefetch.yaml
@@ -16,6 +16,7 @@ reports:
   - type: CLIENT
     parameters:
       - name: lookupTable
+        type: csv
         default: |
            signature,description
            attrib,Attrib Execute is usually used to modify file attributes - ATT&CK T1158

diff --git a/artifacts/definitions/Windows/Collectors/File.yaml b/artifacts/definitions/Windows/Collectors/File.yaml
@@ -10,6 +10,7 @@ parameters:
        A CSV file with a Glob column with all the globs to collect.
        NOTE: Globs must not have a leading device since the device
        will depend on the VSS.
+    type: csv
     default: |
        Glob
        Users\*\NTUser.dat

diff --git a/artifacts/definitions/Windows/Collectors/VSS.yaml b/artifacts/definitions/Windows/Collectors/VSS.yaml
@@ -22,6 +22,7 @@ parameters:
        A CSV file with a Glob column with all the globs to collect.
        NOTE: Globs must not have a leading device since the device
        will depend on the VSS.
+    type: csv
     default: |
        Glob
        Users\*\NTUser.dat

diff --git a/artifacts/definitions/Windows/Detection/RemoteYara/RemoteYaraProcess.yaml b/artifacts/definitions/Windows/Detection/RemoteYara/RemoteYaraProcess.yaml
@@ -9,7 +9,7 @@ description: |
   This content also provides the user the option to dump any process with hits,
   and the rule summary information.
 
-  The user is also recommended to add any endpoint agents that may cause a false 
+  The user is also recommended to add any endpoint agents that may cause a false
   positive into the hidden parameters pathWhitelist.
 
   Output of the rule is process information, Yara rule name, metadata and hit
@@ -23,9 +23,9 @@ parameters:
   - name: pathWhitelist
     description: |
         Process paths to exclude. Default is common
-        AntiVirus we have seen cause false positives with 
+        AntiVirus we have seen cause false positives with
         signitures in memory.
-    type: hidden
+    type: csv
     default: |
       Path
       C:\Program Files\Microsoft Security Client\MsMpEng.exe
@@ -130,4 +130,4 @@ sources:
                     FROM proc_dump(pid=Pid)
                     GROUP BY Pid
                 })
-            })
+            })
diff --git a/artifacts/definitions/Windows/Events/ProcessCreation.yaml b/artifacts/definitions/Windows/Events/ProcessCreation.yaml
@@ -5,12 +5,7 @@ description: |
 type: CLIENT_EVENT
 
 parameters:
-  # This query will not see processes that complete within 1 second.
-  - name: wmiQuery
-    default: SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE
-      TargetInstance ISA 'Win32_Process'
-
-  # This query is faster but contains less data. If the process
+  # This query is fast but contains less data. If the process
   # terminates too quickly we miss its commandline.
   - name: eventQuery
     default: SELECT * FROM Win32_ProcessStartTrace
@@ -25,18 +20,10 @@ sources:
                Parse.ParentProcessID as PPID,
                Parse.ProcessID as PID,
                Parse.ProcessName as Name, {
-                 SELECT CommandLine
-                 FROM wmi(
-                   query="SELECT * FROM Win32_Process WHERE ProcessID = " +
-                    format(format="%v", args=Parse.ProcessID),
-                   namespace="ROOT/CIMV2")
+                 SELECT CommandLine FROM pslist(pid=Parse.ProcessID)
                } AS CommandLine,
                {
-                 SELECT CommandLine
-                 FROM wmi(
-                   query="SELECT * FROM Win32_Process WHERE ProcessID = " +
-                    format(format="%v", args=Parse.ParentProcessID),
-                   namespace="ROOT/CIMV2")
+                 SELECT CommandLine FROM pslist(pid=Parse.ParentProcessID)
                } AS ParentInfo
         FROM wmi_events(
            query=eventQuery,

diff --git a/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml b/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml
@@ -8,6 +8,7 @@ description: |
 
 parameters:
    - name: namespaces
+     type: csv
      default: |
        namespace
        root/subscription

diff --git a/artifacts/definitions/Windows/Search/VSS.yaml b/artifacts/definitions/Windows/Search/VSS.yaml
@@ -1,14 +1,14 @@
 name: Windows.Search.VSS
 description: |
-  This artifact will find all relevant files in the VSS. Typically used to  
-  out deduplicated paths for processing by other artifacts.  
-  
-  Input either search Glob or FullPath.  
-  Output is standard Glob results with additional fields:  
-  SHA1 hash for deduplication,  
-  Type for prioritisation, and  
-  Deduped to indicate if FullPath has been deduped with another row.  
-    
+  This artifact will find all relevant files in the VSS. Typically used to
+  out deduplicated paths for processing by other artifacts.
+
+  Input either search Glob or FullPath.
+  Output is standard Glob results with additional fields:
+  SHA1 hash for deduplication,
+  Type for prioritisation, and
+  Deduped to indicate if FullPath has been deduped with another row.
+
 author: Matt Green - @mgreen27
 
 precondition: SELECT * FROM info() where OS = 'windows'
@@ -28,22 +28,22 @@ sources:
                 else=if(condition=SearchFilesGlob=~"^.:",
                     then=split(string=SearchFilesGlob,sep=".:")[1],
                     else=SearchFilesGlob))
-                        
+
       # Build a SearchGlob for all logical disks and VSS
       - LET globs = SELECT * FullPath + Path as SearchGlob
             FROM glob(globs='/*', accessor='ntfs')
             ORDER BY FullPath
-        
+
       # Glob for results - add hash for deduplication and Source for priority
       - LET results = SELECT *
             FROM foreach(
                 row=globs,
                 query={
-                    SELECT 
+                    SELECT
                         *,
                         if(condition=
-                                FullPath=~'^\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy', 
-                            then=split(string=FullPath, sep='\\\\')[5], 
+                                FullPath=~'^\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy',
+                            then=split(string=FullPath, sep='\\\\')[5],
                             else=if(condition= FullPath=~'.:\\\\',
                                 then=FullPath)) as Source,
                         hash(path=FullPath,accessor='ntfs').SHA1 as SHA1
@@ -52,10 +52,10 @@ sources:
                 }
             )
             ORDER BY Source
-            
+
       # Dedup and show results
-      - SELECT *, 
-            if(condition= count(items=SHA1)>1, 
+      - SELECT *,
+            if(condition= count(items=SHA1)>1,
                 then=true, else=false) AS Deduped
         FROM results
-        GROUP BY SHA1
+        GROUP BY SHA1
diff --git a/artifacts/definitions/Windows/System/CriticalServices.yaml b/artifacts/definitions/Windows/System/CriticalServices.yaml
@@ -15,6 +15,7 @@ precondition: SELECT OS From info() where OS = 'windows'
 
 parameters:
   - name: lookupTable
+    type: csv
     default: |
        ServiceName
        WinDefend