From f93d668f0700a2d49f97d5421946c5c8f55a2f84 Mon Sep 17 00:00:00 2001 
From: jbauvinet-r7 <74978171+jbauvinet-r7@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:00:04 -0500 Subject: [PATCH] Add files via upload --- plugins/velociraptor_legacy/Dockerfile | 20 +++ plugins/velociraptor_legacy/Makefile | 53 ++++++++ .../bin/icon_velociraptor_legacy | 46 +++++++ plugins/velociraptor_legacy/extension.png | Bin 0 -> 14561 bytes plugins/velociraptor_legacy/help.md | 122 ++++++++++++++++++ plugins/velociraptor_legacy/icon.png | Bin 0 -> 17992 bytes .../icon_velociraptor_legacy/__init__.py | 1 + .../actions/__init__.py | 4 + .../actions/run/__init__.py | 2 + .../actions/run/action.py | 85 ++++++++++++ .../actions/run/schema.py | 78 +++++++++++ .../connection/__init__.py | 2 + .../connection/connection.py | 90 +++++++++++++ .../connection/schema.py | 77 +++++++++++ .../tasks/__init__.py | 2 + .../triggers/__init__.py | 2 + .../icon_velociraptor_legacy/util/__init__.py | 1 + plugins/velociraptor_legacy/plugin.spec.yaml | 84 ++++++++++++ plugins/velociraptor_legacy/requirements.txt | 7 + plugins/velociraptor_legacy/setup.py | 14 ++ .../velociraptor_legacy/unit_test/__init__.py | 1 + .../velociraptor_legacy/unit_test/test_run.py | 20 +++ 22 files changed, 711 insertions(+) create mode 100644 plugins/velociraptor_legacy/Dockerfile create mode 100644 plugins/velociraptor_legacy/Makefile create mode 100644 plugins/velociraptor_legacy/bin/icon_velociraptor_legacy create mode 100644 plugins/velociraptor_legacy/extension.png create mode 100644 plugins/velociraptor_legacy/help.md create mode 100644 plugins/velociraptor_legacy/icon.png create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/__init__.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/__init__.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/__init__.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/action.py create mode 100644 
plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/schema.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/__init__.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/connection.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/schema.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/tasks/__init__.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/triggers/__init__.py create mode 100644 plugins/velociraptor_legacy/icon_velociraptor_legacy/util/__init__.py create mode 100644 plugins/velociraptor_legacy/plugin.spec.yaml create mode 100644 plugins/velociraptor_legacy/requirements.txt create mode 100644 plugins/velociraptor_legacy/setup.py create mode 100644 plugins/velociraptor_legacy/unit_test/__init__.py create mode 100644 plugins/velociraptor_legacy/unit_test/test_run.py
diff --git a/plugins/velociraptor_legacy/Dockerfile b/plugins/velociraptor_legacy/Dockerfile
new file mode 100644
index 0000000000..5a5e31731f
--- /dev/null
+++ b/plugins/velociraptor_legacy/Dockerfile
@@ -0,0 +1,20 @@
+FROM rapid7/insightconnect-python-3-38-plugin:5
+
+LABEL organization=jbauvinet
+LABEL sdk=python
+
+WORKDIR /python/src
+
+ADD ./plugin.spec.yaml /plugin.spec.yaml
+ADD ./requirements.txt /python/src/requirements.txt
+
+RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+ADD . /python/src
+
+RUN python setup.py build && python setup.py install
+
+# User to run plugin code. The two supported users are: root, nobody
+USER nobody
+
+ENTRYPOINT ["/usr/local/bin/icon_velociraptor_legacy"]
diff --git a/plugins/velociraptor_legacy/Makefile b/plugins/velociraptor_legacy/Makefile
new file mode 100644
index 0000000000..cdbcdb1721
--- /dev/null
+++ b/plugins/velociraptor_legacy/Makefile
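Review bot: `ADD . /python/src` copies the whole build context into the image, so any file left next to the Dockerfile — for example the `api_client.conf.yaml` that the action.py comment tells the operator to generate, which carries the CA, client certificate and private key — would be baked into every image layer; add a `.dockerignore` that excludes such files (and `*.tar.gz`, `unit_test/`) before this line. The three local copies also intend neither archive extraction nor URL fetching, so `COPY` is the more precise instruction than `ADD`. `requirements.txt` is part of this commit but not in view, so I cannot confirm that the `pip install -r requirements.txt` step installs pinned versions.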
@@ -0,0 +1,53 @@ +# Include other Makefiles for improved functionality +INCLUDE_DIR = ../../tools/Makefiles +MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk) +# We can't guarantee customers will have the include files +# - prefix to ignore Makefiles when not present +# https://www.gnu.org/software/make/manual/html_node/Include.html +-include $(MAKEFILES) + +ifneq ($(MAKEFILES),) + $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets) + $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES)) + $(info --) +else + $(warning Makefile includes directory not present: $(INCLUDE_DIR)) +endif + +VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //') +NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //') +VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //') +CWD?=$(shell basename $(PWD)) +_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }') +PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz + +# Set default target explicitly. Make's default behavior is the first target in the Makefile. +# We don't want that behavior due to includes which are read first +.DEFAULT_GOAL := default # Make >= v3.80 (make -version) + + +default: image tarball + +tarball: + $(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball) + rm -rf build + rm -rf $(PKG) + tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh * + +image: + $(info [$(YELLOW)*$(NORMAL)] Building plugin image) + docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) . 
+ docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest + +regenerate: + $(info [$(YELLOW)*$(NORMAL)] Refreshing schema from plugin.spec.yaml) + insight-plugin refresh + +export: image + $(info [$(YELLOW)*$(NORMAL)] Exporting docker image) + @printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n" + @docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar + +# Make will not run a target if a file of the same name exists unless setting phony targets +# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html +.PHONY: default tarball image regenerate diff --git a/plugins/velociraptor_legacy/bin/icon_velociraptor_legacy b/plugins/velociraptor_legacy/bin/icon_velociraptor_legacy new file mode 100644 index 0000000000..99664fa289 --- /dev/null +++ b/plugins/velociraptor_legacy/bin/icon_velociraptor_legacy 
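Review bot: The `.PHONY` declaration on the last line omits `export`, although `export: image` is defined a few lines above; if a file or directory named `export` ever appears in the plugin directory, `make export` will consider it up to date and skip the `docker save`. Change it to `.PHONY: default tarball image regenerate export`. The `tarball` recipe excludes a `tests` directory, but the test directory this commit creates is `unit_test`, so the tests end up in the published tarball; add `--exclude=unit_test` if that is not intended.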
@@ -0,0 +1,46 @@ +#!/usr/bin/env python +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +import os +import json +from sys import argv + +Name = "Velociraptor Legacy" +Vendor = "jbauvinet" +Version = "1.0.0" +Description = "Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches" + + +def main(): + if 'http' in argv: + if os.environ.get("GUNICORN_CONFIG_FILE"): + with open(os.environ.get("GUNICORN_CONFIG_FILE")) as gf: + gunicorn_cfg = json.load(gf) + if gunicorn_cfg.get("worker_class", "sync") == "gevent": + from gevent import monkey + monkey.patch_all() + elif 'gevent' in argv: + from gevent import monkey + monkey.patch_all() + + import insightconnect_plugin_runtime + from icon_velociraptor_legacy import connection, actions, triggers, tasks + + class ICONVelociraptorLegacy(insightconnect_plugin_runtime.Plugin): + def __init__(self): + super(self.__class__, self).__init__( + name=Name, + vendor=Vendor, + version=Version, + description=Description, + connection=connection.Connection() + ) + self.add_action(actions.Run()) + + + """Run plugin""" + cli = insightconnect_plugin_runtime.CLI(ICONVelociraptorLegacy()) + cli.run() + + +if __name__ == "__main__": + main() 
diff --git a/plugins/velociraptor_legacy/extension.png b/plugins/velociraptor_legacy/extension.png new file mode 100644 index 0000000000000000000000000000000000000000..84bb0cdb9868e9120a1fc2fef81b0ca5acc3869a GIT binary patch literal 14561 zcmc(`1z6N=yDw_IilhS4=};muLpLZrbaxF5G1Sluts%>4br{; zsPDVJea^SmUgzv{uFZA9{AcF5`@VnA{RAN@N;0@u z_*-}2sRO)VI>_oe-?)KIc>R0xMp6ptjT>102n`(<9YqB}Go&3m430E4XGhsN0Hbf* z5Eer@z|3sSU1&|sEfMx2pzZo*5G?{O0@CJDgeW>lm|G!aJ)O+eJ(V=fJZ;Pb;2<$k zT49tRz`)Mj1xAaqv$b~?M2UcY@f8G~uRjKZXnzfHu@M11yB0{Rqo_hFfpjvb6=3IJ zGlM`lX!(FAZeC7)0RcWfK2};z2qza9!VBi)VdLZy%tXy0i1i@f;cXxJoE_S4oC744%KmZKk1aoq-0VCL)J?vdzC^ma%y1zL{nme00 zAsk!~NPF6AjxbZCtBVK-(Dt_(b`JlrwRisGD!^%A6wCq4!4A1L>(@ZI*+1hPT%Bxx z35T13&27!?%doQ z8Gjt|Z$~?8csQ7Y)y$odu1;p=Qf`2nbbnjp?4oA=AO8GrkORYi5jzMLR;Jc3-D|I<() zCE+j^*#B}c+)U5{>0}23oQbf5S(<|#>@7jG|Aa_T0%?nM0t5rvasARlQBe?T@9YAz zH#3JyihuwU*bxZ0pa9$y#%~HUXA|J#fU|LPnewy2cwho-0=zJ8a{&%c3tkB9Z+c0j znd^1dT+{z9A~@0v;PD?)`MDt+d}dr+Y-ZdrIGY88n~#kjV#dX0VGe=w!FWy0IAFhh z0%)V`gaGOoX8W&PueE{$908?ZTs#6CY&;MFPBv}<3m6-W8^X=T&&|zk27#Gz!y)kN zO8F1Te{*>T*yjwy+4)Z;io-1bJlP^dEfGNAe(U_}QGkP6fRoPx&=d$Z8#jk3Cz}8_ zAB4?}Ux1&NgV)@QgA*nUzAit2nD+P6Z-(IiTJo==5R^q+YvS=ozPh>NKbp|~ssllo z*>!!3fXuFQ(;N=^^D*Mz#Oc4~kw5hAR^|ZH{~{@WOLsfYUIWHI7f`^}r z=fAY|U-9DqtgU89dpC2Zf5}=0m=g?`QO%v4ML-q+P|^a0_6sh+ZuaoMXDA0}I1Ahi zMeBm3{SVmsPyGoucS8J2_WY}af5g-Ne;o>7xGr2x!f& zAOGnKfj9qjmge?AeLDetqlj+Jw;MOu|AI9ZdqC zsXX|L9(orazkEK_=9a4uPX7DHftu-t?zn?>EH6WKIl}O@{u(B@`|N2ftM1dq2Nv`S zTSaH*yZK35tGPvaMMZ0AWPa&m>rHj*fzE@Q+G8iP&c3;id)3e`Ns9&VPoNB^sv3TW zW~Q!wsu#M?kOxOC`&v;EbIscdDZwkSJM5bL%B${jS!rv!m6t?6o*5q;P412O7UNjg zk~-OKo}6J&twX-`I#bF@D=F`(qv0ZNxkpWZl8T1%EfO~vBW@Birv%b*z!bb<>CF_d zWXoV*viSDzPCw^^35wEwS3zo@z8SJRrgx**Gh*l_jlPApJ$~q4wN?s$8FF>iY=iHLVx)kTM+A4b!YQ50#R zZqBj_*Ss9+jVMtj!x7*#T(yzQ3705F!zHgd9{+^B zCNO`@v}pN*Dro)_Jt73q03m&Zv7^3QC3t51GHibeKS76l7n*UMbP||%f;nyR-6RZt}>nxTT|+$BhiDm zcbTFVh+KtOj8D`bLgG~XsL4asHl`%M;-Qox5g9a& z#Hlg8pRzEnkXiZKO7nvKbhu2NQ`gH#dU4k2_j3~{L~4e5?4^{3kOG>6?hgIL4l`Bg 
z(E>!F$hi}gQoMiroIqaC^C~GgyeSp@WF6}sWt8&c>5&&g3{d%H0$h*wz_)fNDei} z#qV{D@{?Y%r|5}=dhHHG9%O%iqq$dLZHX;bu#M*xHI%Q>XPdtX826r)D_3dABeYyk zXTKQtL%_}Ik&wH#cPr0T8b^(8trb#JIJ`-HdP*(PG`&N`EO`_9Eu= z^R8!68Lrja5>dR``kyU15SDbzpUPFkYC`Uv#S#3?Ro)U23&0T zuJ;zFR56?8#`}ufX(2v4U+az%ex&bu?QUKhD_-QX zE{|?){;|8Oiuq|?G@|pv?6x;-Ft_Vqy#HPy`yb>W{}SVxsymJ+6#T-GX(M-zvTcg{ z?qkZlIjLhoB^A?buGoS7ntY=CJ8-cEtpy3Kljsk4D3E>2${W$_IbW=+#}=%cT&D~f zG~`B4(~3%phs-mY)H&vrzCv4~7A< z6jMBu7&AS;Re6Un>jW#k%`Y^ur)m7wl{RaH;S0Kv;;}E}BGN1%5^jM@aw#m?As;79 zmQ^e|qt-lBT`1qGBlmarx7fyN$C*R8PqGtN`#pWS-K7+c=vAv$Yf)vvw{iux1ILD$ z<(L+wRX?q=ZWxO!DTy3vdOB!q)n@2+J~50k3=}wxZatKSsLN5v4&ki^ym1NAGE|q3 z(e%a}TRm_C@;Bi4&Co3cu8yw#Q?&A;{`<=g!s92ip~WV-ko+-=y8-SY^nuE4M-E9P zi60G!#Hd|uWduSajJd5moGBqavkXvmpa8c%vqDX1PWuVu#gP(BVVtSpTkGE+Uvy}R zE;CtUi-CzsA70^66O6vD*6=C|d6D>RAwpa)^5foa&a)%_d)ri9=jtT9!g`(q_wF!5 zr2#k}qSEW-^{Rq|yPpo!FG`t|Dc9b&q+1m6)f2gV1na#=-IDW4*OxYCOFW=hbCCZo zSJ3pj7*3`XnLy>oR=29w5ptQn=BK{RG3+r{CQx@P;bYa~;MQk`HO?<`wEecr6P?fX zSgoZp4<%5V2gltu1}A@AT76JBuR3*3(itG{qt7~uux8GidD|L#=4j*J+@>_%*s@Dc z#=}h8jVckkER?sqf0^E-TkOTAe{lji*B$4cf9kIuR{)`HowN`7v_^hsf<V11w|X zd{W0+Y(`5dR8lYBNK%%Q^lsCjdY;Zz--Zp9<)yJg=1%Flb5K5 z$8{5XMBdh(JBWMKwGH8a?=AY>^n`qca=O)rSJU%5f8W!~z%vTU^n!f=g);Sl0ypb$ zmV6RzVT(8xR;IJ8jp-vytT>*C&Jg3|&;7KHL+^%j7wpcHQTf8Nrlr2o=4^K?u<^-8 z0`G6?8QA8{wOHaJy?}fNwXV}INWR{Nwl2urE$?#AWnypGfd>;-dKLx_wTd#nu9rS+ zPIcnhfr_!`g4%G<_>48E| zVB*u-{?s4Fso#}-m)$lPIHlj9YCP>>=wOK7_PuRRZJ5mMJNccV7)kd&9xj4E&+Qca znmaOuaQ^CURKqdtPspZNRL#&{c$Aa0$`AgDo1YSOCTvS)5uDNhR^e}%#9t{?ot!}3 zlQm0wB~Vj-W(d8U1p-pn_ECRVc5b;|1{~)V_bn~!bB;^S4t&y}hBPWJr=pQ^UC*Nw#j6*bMm%sdcrtE zdxw4%FDpIFwgf*%1(l~`ofvs#NQZ3)`@uPYk0tYj>hVkLoN&V~nSNe7+|dmE9=*}! 
zkp&eQLPr;`K*%dJ#9v*w0E5*LP*nI02*%9XW*Ls8eTAw3n zfi|~*sJcj^5?U2aIF)(!kXj9u_TuZ(8OueC@0~-U&ch2Sf{yeB$1IB7)wN5SC7yA; z*moDo24aEAB|7W=$fZT~nRkhBMKcw{PWsgcKx^er=AhcBOb;z69P`s##c8|Wr`%ER z5F)F4dFK&z{NqMt1m8x)(R_STb3k=l;jth!Sqsk+tQo;b8&f#vmIbF`0IX;CU!ugS zp10zdw|g~KHQqznpu1`sK$G;`D693&lS_(0LVb)kVK%Wl2Xcfk2kM)-kocx*$P1pHs3tm%kgI)uBic(V!wa z5`7CD&Q@yT8c7|*;xi`8xf2LES8dLa3O#Prs@AQ+z6#rmE&95oG@a!#8ZA}UEneff zE9q)%?CNj1uriXqxl>)WBDy&!p5zlXj7oC}@CJICu-?*~7g#R}f8IP7R}{WGuC#FQ zUSU&F4yh|*OZ=UAGXr7>3xI@*6;y*0-tk`p4@6oEcf{j0*!%;X|5O@hmfWE<*NgR9NmA46r~dRHg=kCn6|*>Hj+Kn0g$+BcGF+-PlLAf)D{Cr!TX%sGNw}&~MKwlEG+Plz z_3mM@rFyK>=&nyAsNLT8~sI9yi2kvR@h3| zIO0)$+|SrI?{0>*51!?TVGt1BSJ4>s>Y6a9rQmB+Id-W$+_W|FZ!CFi=o(`Wta)6b z-uY|6`mbvAA{w^7_UMP`=S{gEymfdk+N@TgxxXr%6_va!#M@aq}a!W5>dJkccpZQR(F(ry=d*u%MRFV|2|^z=!_kHsVQ6&^`Ulr`gq3s zu9~OAs~IRd4w#BY?@Mz@g7=X8Lj%Q`y-jN4D6|&0_CE`fTt+#-9sb!bJMq zh_d!pJQp_TD9Dnw`&79U@&Jx+NN6W-9J-f}3s%OVn%P1NCtzPfVIV*@?LTI95(s?q-4#01~W?t5$uuq?l zPOvq+N9gDH^bvx4?DOs0B^`==hWH~nTPD8X?X7S9f$6o)HFc?~KaD|J=I#5Th|d&P z@hoW_t}I0=YV|lh9ekS7OU~f0N<;zSg|zj)c1RAP!$bdmLZ+o}KVE(}t@} zcxSHz)6~(WC}Z zI%xnd7D|a^(gs+-%VUF!FC}UaGSpKyiN;XRQ;RL;=62ujB{T}p9_OzM*T@|ZJuVCQP~%M7WRRuidqSnsM0LQ~?Cg0gJtFG5O{{2I6E*Gt zOCcuQYHwZT&3RaukSB|f4#;Cm9e0g}32c$DlHA^Ve=Lx{Jf4<7Rl!N>9-4s_Niagv z9I{Pek((U{jD^gVlmk$3sXN>l_LJ( znu;jm#g<1c~9ew7XFK98)aMK0iKP z3o9%6MOa!Z$?TvpZ~m4ysR(b`SN7A5cO}iAWQBEMNLUn7*26aPcK4@iL}|VE*D?;Q zq-d9a03Vy@es0Yy{3vM|%!ny7iMc;Luz^)?G%!0>cGS_ghK(Ex5a;(C&s-*Lkk#Ny z8BNT=#!_MvXk6C3L$eB>YMpf!^^HuA9l_LuePq}e@bJF+W>ASCqFiF-doT}T<$9Lh zzwhz(jW^*p4goxRIwqhc!lHW+?bjNQ;nSpwSQ$|diuf|fC_lczi&vlWO?`abw94-l zGYjb9*-e;vv7~G3%EH8m-LR6#FzsdV5y^R#R#isO?cNV)lq|_swd7ZSF`AWyI3v|N z?ste4EyQU^s6P!A)|lKUM)odFfWAPn-%R%UI9+c~0DP9)^Nm`G-J@~KXUqayXpm#X3#^OZc_dH#lY@=)GnqckcX->Q;aaBk zTXV#^`PS^}d;4mK?Q8M@axL|xL8bUnSWW&SyFD-0ClQ(Rht_z7IZMuZg&h2X+1T;3 z)jt&Ieb6}a0Isl?;8^0FHZ(HTAS|~MdnzCv=hir=oBi<6eKF!9_YM=qv!OP8 zC%#K6A(Ged-D<fOrh8@fjI`CH+`}d&sn!%6d6!1PolD}R 
zcZ(0c)`@5y?@&Lnz^m6jDkOKAm3ya_jKu-6AQ=vLW{Js8#IDVkd%}#t)$zF5UnM|M za`w#$O06Y}H8P-KP%F*T1 zi@Z)myRAuG0{%2;t;c9;=X(pmYnJ83wUwE?&4O0v_5xVmJ%w7e;BN6p3d54`qPobZ zbKGo8U@Ls4scV%Wk=@1-UmW&TqxQ@!GG^-TgzGLY=u2V_SQ~ZIb6@%)>2+%KBT2BgkM723>h)^mg!}w0HkASB{CRy#ttr|1QY-I}WhLYG z*Vb<{p=MAt&vlokC}-PJL{hra3h~`{u<;9@icoX0)hwg4PoW=m8qnK2wk?(8Hcp`N zlnQ+<7M%Ht&wXEDZI6Dzu+q5le%7aSSD~hS>l@9gtgeb>dcxTx{dP}%YAg+Rl$ChB zuhTY$nibY84|<*fKAhE`akF(WSA_{p>)>C_C+B77;L5!&%5?waihRHrgPb?4i?3c= zLgl}xQ;|67{!AsJ1vcKy^RWFS!cd(9>=r%C<^&YZUW6Ui3Qp_g7Yyk=U2uD4vk~*^ zi`Rp&SNRSio&l>1axkWCdO|7H5BEupgqtj)F(zKL3gr_gzueTX85BWzFDJs$zqXfW zV4lfS5Ao@DT_R6;_Tq|ph>j)7^+`7PQ6?#fLcjfOZiFe*dBuc}^e1hpO|&#lQJFg--puEq<#Sz}>KJ|pdjG{Y^eluEL2dbTL>X1w_01v{R*xsW&-%DV}(TzkfbPdPx z?4oqqol-(DFe2xkyq`@UdmC}#m@+UvcSPtGFKrOTa(6qyrr+wgEaYaR-jB7=kj(>* z-}{|JP5XY64Gsk5)Ddr+yRjl%O9tmxd@V(o{cdLF_xIA9s~d>Xx{VI22FsEJf5iKR`yHDZrWB@ny*d_oBh0 z(0pCcC7!8r zXAQtay%G}q^3KUU<)st%PGv|NlgS2I0>@#z1jBJeHtF>e*hdX{l|>9t%j<%Z*%}qL z9Ki!cQ@m!Y)|yA$V`!SoEJUFC@10`Egt0z};O~m=d7(^vA{RI=mW?2g3>L!P8XyC< zYp)moEdAC-3SGlCx8a*KK2xVFzWUDkKi8!{^Xcg~oz8xyl7GcC89g4~FQpYHeO?>> zQr%8~i5@BhkQ%<5;akABt*-bSVF-}-NBf#w?Ai0E2)gm7y{moJ&?#KHF%pciKC?&r z+A~Y*yirhSynnKrCg|rF@fmQY2^>qUV!dHUn%ku52;us+88J2_2fiaR^UN=g_WSH@ z{sTwi)^ZNknash77E%hEy`l2nzCo*8Cvf1I$>O5_^hu#qkeJ;L?MX=jF-}bEngKrN zQ1FdaAldPe(hT4OoRwtYlI z_%jO*!=^2C2oLDbwMqTSf?uvDxn$&+*cabi&}IEuaX&_5jo9FGW31!48)XJH zJEQGO_V^!mzn-ofA?&d|@;;nYbow~R#;g~0(yUYIz;w(GixejfCI&|`INs*qiy-2! 
z;}`z=IqMhU(nUP=ai_e;JseV`d6xG$$O4CX{5WWmvM(YO2bfI7MoqyRbQ@d}adEtA zg*HRaDZFG5PnGFBhuDGhkyE8|RCI)Ag3#A68&DeWIgek9l;Wh%>lX&vje7ZlI($02 zQsU#Mg$&Vq++dJvqCtS%ubnlYl}QVxSXDZoh!&5;U@TjRpkEfWoC~LBzv=1HP|c3n z>xU?|Z2kOGlZe!$3aAbK33Q0)+GVNh`ur=267IrJ-s7xix)<+CsDi5S!Nr%hS!?t0 zfWst61&GI*EsBXJ?Y{S<&>I37t~*z&s6lMo?kh2)#S~n9$#maOFv=hI|; zw}DcC%%$cmDoJwVM5pa4_u+7>*q&P6~&SXmkUzbt(>aMEiobAw- zhPUe8xBOyU_xY!f;I2)<$-xO-(gqA_mJHoBKqp{(@2gKeO?x|5J+9)X8lCWST+l&L z7c#j*q_BH8>sYn%HielxKsc_5g7GYdDrE&i(QcovQsEMB?QJ_AjF$QDhaQLZQy9BT z3sI4`R~KrUKv3zA9W=+vW|Jem8}^bWyj)tQv%k@QA{T_E1qs1R-t zuBmw1gYsav;~3Zmmok2NR7dMwPSkpsd8vi!W_2j)4Lunj5Czf0(dzRc&Ys+kil$$>-VuH0;ETP|Py{jIFX|U3 zUZCe-Aq~tAVA+z@$yAzj6Mt;PYC%I-i0CU~x1^dAKf4lYy`+bB{Z@7A>BHAU8HrTO z0(Z^(3JvRT>09Zc8tjQ@?s~UC@U&#iFjUVnluX+!YG`z0GS^v5nYTfMUxc8GgaITVj+e*7HP{4i>% zk9d;l7RDGs6eho_WZL~0%;TJ-FpPde5yoH5p)KTLzk1ZyaUwC&h74_u*OSCx%FDW8 zJ*zWS?~>UUBw+<%MmY8W(eiCS^TD|anbT3}3So2=>>=9;|SN*v$C8OH+(aA#J zCAU_Ziti(LkWY@~nCLLDVPP*wzVSy_JiDGS*ePB-*TBIk@wt0<@{7tvv8bxQ)y^Yf z#M}$R?`41P#XrB6k zyAA=i;VIWB*sxm5CihX2QKSV%(lND@4Js*)Yjof?RcqW5>;3#(tEM@awdUxJsa~1X z!HQQzft#(Ouzj)7oDI-0veJoZv3#>$uwg)^_}`gwni6e&hl*8rOo#WaAp^Kq6=a;e z^pw*HD48M^gUQ7bv75c)i^PoJg%4p9C)REky-yvC>w9^7Up+W@6=o}Mq$Cx7au%zJ zyH4_+7k>pSS(Yx1F;qhY!<`JGcJ#J2_T`-b>uGs`A zE~|=5W-mZNwIhD|LZJ;9;0_8&=9YTg<*B^(?U)`&RWjxbXVRt5qgw4ggxCU};XPL(gQ4jfrLsCf_76+g{-~4RJ|5MU1j|h&NIU zWf@h{Ur=%w|6wgps2*n*;X1K)h^DJvYMMh1dMRab-o{oOTEE4rR>$1d8{>L?95s{k zKwhnqCv)`fXHB_Y1&2rsyC!SmZGHwxxDc_XsY!EH2emM6JW(OV$MhF-W>>^C+XJF$ zTtW5hb7?V`$(M=NclYK@Y`p6_yo#Y%&>^Yo2{r6>qoLnz{dLzD0gOc{9YV?rJpz3Z z;~i~MFWa@o8-j(kkqD>R{NBgKQ*S>mkWXta>}=L74N;*6SAI}Dh$??&C6evYJxd#( zkLI{uxHcn%P1uQ;3*Ek~3u7M?q;x=Y9L)P9shK4t^-@Fj7x&RLy85(ftZUD`_19OS zTLlh347O@qsJDgQXeQr7=7-X-G}d^|g1`2+CD1QjZ?Rks>qrjdU3ym;HJ3m@#d8;A z>~oQus2T#$&m8>eT^$4UpPKlYmmZJAi)o%wRBQ4(P`ev7h-`}mG_8WFWsA3UxGcV< z!1SSX9-NVx6v!bW!L?5PV0v8`DNRYh=bm{1<5g*V1-zBDJ#T%kRn^ONs*N-4Et4f9 zUk0@@_hkJil$`MxzI;(J${BunIvVS{hUZIfo#kI2E|1o+5%~|~`B0yp&HJ=fytZ$E 
z3N7Q%Pe4Abym%$=l*Vyk=O7$>bB)TV>83r3G@_k}}*{)nvfvTY7P4YHxN> zt7GZe{&5pe$8CF6$Cb5EZGi!%b>Q^4JFx3H1z6-%>O-eV$!JP!IO1kUc`obD1;=X~dj@&A7k<8z``Tqmj5~Zlj60;VA5Us-CWRiLv3`kSE(~ixky`ADgSq4(!_k zsZN~KknX>l@e}9P)k_ODUD}~T=GT40>uwO{C!CFNOFn-0`y%XB2Hf#6O{BP99~nK_J`1Z|JWze_9*D};>fL9AjzPf%*S#yrC~JU! zN&L{j`^#Zz(AYxeTGg9Tg12*7E}6OZr7TS6gxe=VGL%_9JB;ex6V)R27*CNJbFP& zhAHOrS*Nqwi9*Y!2p^c7`{*@f)RH*U_v_+g=~)i8J-Jd)m%2FFTkSL^A)-M?@Fvr*^J5a`SC&Hpp!`iS%-cV8N*G!vRTg^F7nAJF zR%k6h5C%+bMvM$rFS+tJd1i%v&_Er&E11TN`Y-|F)%S@iUFeXr4B0=}ekes0lSy~I zz$HkY-!v@|(jOP>Oq!6RV1AWbmyT?FQn2HX8+b>oBaOcxJbf;YD*sJWqlv!nx%BJz znZ!~?lcW?;{TT%995-@D)V|j|GcuLt=I<&xwn9QeKEclcIqe zPwrMe9X^3WLQ>RuWFWVOw5iP}9426rfEzYN1wJEoZ*G!|$&^@q-pw^NNN3)d9LB9V zQKH;GaeQ5|)5NnS7#4Q_TP>eVTmLv|x*xTV(1N{0v$=a|o$S~BwLR9t+1&5h^_izQ zQJQ|nS{KQE!LtQbo5}@;^}NrL>}j>&atD?fHLv|k-l&N+O|@n)bd$p=WzqD|A>!Is zZ|I@FF4O#a3#?Xw*X!$5z^mQ$HRb>Nm*;+*%4>2s6F&Uc|AYvYQj#nZH+lI#07yiR As{jB1 literal 0 HcmV?d00001 diff --git a/plugins/velociraptor_legacy/help.md b/plugins/velociraptor_legacy/help.md new file mode 100644 index 0000000000..6a54f7a287 --- /dev/null +++ b/plugins/velociraptor_legacy/help.md 
@@ -0,0 +1,122 @@ +# Description + +Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches + +# Key Features + +* dfir + +# Requirements + +* Velociraptor API Conf(velociraptor --config velociraptor.config.yaml config api_client --name rapid7 --role +administrator api.config.yaml) + +# Supported Product Versions + +* 1.0.0 + +# Documentation + +## Setup + +The connection configuration accepts the following parameters: + +|Name|Type|Default|Required|Description|Enum|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | :--- | +|api_connection_string|string|None|True|Velociraptor API Connection Address|None|x.x.x.x:8001| +|ca_certificate|credential_secret_key|None|True|A base64 encoded CA_Certificate Key|None|{'privateKey': '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'}| +|client_cert|credential_secret_key|None|True|A base64 encoded Client_Cert Key|None|{'privateKey': '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'}| +|client_private_key|credential_secret_key|None|True|A base64 encoded Client_Private Key|None|{'privateKey': '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'}| +|username|string|None|True|User to run command as|None|rapid7| + +Example input: + +``` +{ + "api_connection_string": "x.x.x.x:8001", + "ca_certificate": { + "privateKey": "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" + }, + "client_cert": { + "privateKey": "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" + }, + "client_private_key": { + "privateKey": "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" + }, + "username": "rapid7" +} +``` + +## Technical Details + +### Actions + + +#### Run Velociraptor Command + +Run Velociraptor command + +##### Input + +|Name|Type|Default|Required|Description|Enum|Example| +| :--- | :--- | :--- | :--- | 
:--- | :--- | :--- | +|command|string|None|True|Command to execute on Velociraptor host|None|SELECT * FROM host()| + +Example input: + +``` +{ + "command": "SELECT * FROM host()" +} +``` + +##### Output + +|Name|Type|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | +|results|results|True|Results|None| + +Example output: + +``` +{ + "results": { + "LOGS_LIST": [ + {} + ] + } +} +``` +### Triggers + +*This plugin does not contain any triggers.* +### Tasks + +*This plugin does not contain any tasks.* + +### Custom Types + +**results** + +|Name|Type|Default|Required|Description|Example| +| :--- | :--- | :--- | :--- | :--- | :--- | +|LOGS_LIST|[]object|None|None|Logs List|None| + + +## Troubleshooting + +*There is no troubleshooting for this plugin.* + +# Version History + +* 1.0.0 - Initial plugin + +# Links + +* [Velociraptor Product Page](https://docs.velociraptor.app) +* [Base64 Encode/Decode Page](https://www.base64encode.org/) + +## References + +* [Velociraptor Product Page](https://docs.velociraptor.app) +* [Base64 Encode/Decode Page](https://www.base64encode.org/) 
diff --git a/plugins/velociraptor_legacy/icon.png b/plugins/velociraptor_legacy/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..f1c022030f346c0c0e4307a03d441419e7e31092 GIT binary patch literal 17992 zcmd742UJtrwlGXnuu-Kbh7wei-a`keQUt_=UJRj#KtK{Ygd)9)3W9VMh0sK#hN6I= zbQJ_7p-2lYL0ag1n{)0t_xUlO7@IdVfwLn|kGE_u(dWgXt zJsq6H{5`w?XeugYHGeNS!p#ZI=iubxic|rUaV=mzS4S1Fx$G^8TV9$@_grrVdOO_- zG=d@m-4F_nU^P`fWq(Bgfrk?s&gbvpjzlT?tAPK&s|Y+Fe=QE?`vU~+rUJfkOpwpw zmIN$Vtg7C_o?(5k4siDQR&DIdLgjQ7LIfS%{*f4BtO~ zzyL*WM`uM-EuDYR13syM@1fCNisIsaetu$p(qf+8F5;333JT&9QsPolq5y;_DgcRw z`->t`0)Ju9azY`zUA@q*o=Co9jBp1}AG8V>;Py{3JiKn*`WrD4^$%qMY7_T|dx=Ym zNr-!R9Lx3xGzx9%^iMYaLueEH!g<|}G?JHgSO-cV0Z_rIdT=?F)||65>3grc*jw+9?>Q&$hTi<7t)(gn=-Pt9q1 zx_f#9gaPgV36HIPY&O7H@Z=;E&rSGe-6Wt zt^hMqV7_C2QT&7c9Uy%H49LmKN&{y4<9icVes(4&-s9}{fql*OWu&xkkFRXfCAA?MI+8Lv5LxXTl2V!w83moc=6e2bLqPm* z!EU;u0LKgXM;g83^xz*)?ydlzKps+rBmT6G1cm6Y1;Z zjdpV6b3WG3-yXq-_T>9ZOmSbN<6k+`3*{*6i0}s=b8(z%|AiI`4(R$XO8=3fWgX<5 z<>VdVqEZraGNLl_2su%C1!);k2pl5ofRL1Nc9i*hzTZ73z~lZkNFaX&$)5tDJe|>g zaBrs@E`Xc_{Iq+ROMj|F9B_<&z!6z#xAtNm-Bkv#sxz2Y@*VEI*-HA{09-sgx zAV&YhiMR(xx;OzVruhFt*8izf9b4t!$@;HR{(o22za8Z-1^rtu`onkr3wJs8roUb5 zKiB8~+)w}awEkN^{hzG>e;Vcg9ovZ?2j!osK>W}2_s=Zx&m6Dyj|6rDSoMx`28Pj_ zSM;=QK>f2<2xBRZmcGNktFaB(H=Q2cxdoz+KCr%Pr#+%c|IIepZRiKn(Sr5fRk!%? zkcCxz|J-W)TRI(ve*XrX6!;z1<)`#x(a6-wPoW8lpAhGd=Mz)+X+A z6JcUW&0ZE$e%O4V7DJ%OO(a)n&wLzjk!`6x%-y9BCJxH^z|U|k!!5jDBWD*LMk6=o zY)xA_ZeS_hX|cifTBOT zr`CEyUIg!jhYC+p8%C>lHV(3n9N^FWHV}u-Vw+4WK)b3MJh3V2oytRm)f)_yaI|%l zx5Wl;ty{G66l431d|ID6wMX}tK~2OnL%RV>R@IOpHO;rQ)67KmJ1UtAX;8NOfdnM% zO5zz`mR1l~ggSllXdX!IrR5jIf)xyH@iu{(^nsa9abTzrZ)asLZr$({i{tT2EFN(~ zf1xFqpr|B^V)u*jw&b%cacmv%3mO*D%x3Pn)R#2!X)A5xKF>#bO}rF`Az-7x*mgh! 
z=-!KNP==`rV}J3w>_IY4y{aTQBOgAy~;)c@bhfJp-Dr zFp$?1{~}AC@Egw3I)de0jaR4l<{M#(m+LTki-_jZr1y46JYYOXx}T_`!&j9HLbbx_ z-cIU|`1%@`BDa5LRIi57(<$E73z3z#NsxVD6ltP6%7Fd=);M5nij{eQ{IadsrIk-> zcDs!C)l#hVuYLyKrw`TXOL6Cayya!C;?9*_zD6C+=zpUc6NBOM`*!IgV?QvTtzn8h z;4w40YJAFP8<@|-vgp@tGpAF?m;#In*XSu+n`0+9;F%ts1}1kz%g`?<{)$wH02u-5 zKShja(ah7$m7v7ljq#vUG>I2x*%9#*aQ{j!>cIZc)@l`JUVNLNPOq=YxevPS@==X{ z5Y86P_>_ntog8^74vto|?ri0w0bLtPlVHObFPGG^EWeEe;B{y4FT|(qICD&5*y$7{ z=zAhswACE_6rRSY)6Yeiv-*w_Q=Wyl^!-#V~Gj4bFX|4bUtR)7cJy`#tz1#}cQMD+Xrm zWAHHq_zGit5u=D$%wPy-oRk;xVPW~|Gh^bSt6&%gj4?VOS%ftTlefn|6R4;d>3#=! zY`(<}JvmT)f_=L4YW~1*$eQKV{gmN(PG^$>T6Nt(qclbwK!;HIO7!ruLV6WHD-B3p z&Ax{awhz$Z?&qTcK8KQLkm_gHQ}@7YA;rnwlAdhvB*hN!0QK4RXTG(W@wSBtpL=JT z)Y7uP1Yf~Fq6=rdn=L+r48yxyX6P79o|ozWsXBOBMuXe|T)k&t$R-MTxdeIxDD!j4fWGZ8+ldOr zM*dR(rk$ax$)#D3yxIG)A#nCqN5L~*NvAW$73Q zzwMm_k9K01`kmNed}h?k`5Rj$9z|zSlMZ56lrXWFWg6U#bl_m$Q_?u)O_S9Nc;m^p za=2|Xzu+&n73RNG2RA9uwtl0H!v}}>yO(G{#E)&xJU;z5Du;gZ&LP9#a}zlktn(;! zdiaHiD6uWoc#wM+gCVUt#dr(cMJ!GseYh)>2 zk8R=yS8yNM`N>X<9W))T!=~pK$zw+-mGIKvzV9*W_s!ZgTUP@cn|AhBTCxRlQ2CZy8Q3k{-`q}!v`31i>OI&8^Vrhjox+;yCidX@=U4uc+RrWaCyp=Emp}8 zJJ^8jv*HCEm>Tq4e}fujD)F3t{D-~=RX3jDP&^HI1MaL99RKH!5=Ylrb|%0f4fqnJ zu>w_9SH z3#_#6kgE(d7^#_WRA6iFKNZ(~Vbz}5yr5hhDtKPcjrJ2o=b7wA;zt(QgjEN$wHgr3{~T9d9z5W*E&(jH}pXQYFfjD z2=b)-`ZN0d*22W{5nQPXV>k1L^+B7$es2aJXD5EP!y1&6rmUmd@v&?F3xRxw9=&_wO~*t9*#_x5 zi#xx7OEt7FH(I__)|Tu2i$8B-jfF^TAEH){*_8;s4mKtqQYu$TmlkPn1@xlKsUOS| zPoCAvf0*wHyU8hA%eANh=bocjj`%HaSBY*nUYDwe{mu+jK-{dfXEHosz-Rzik zZ+6ju6^aza}xIpSLhhN;U6AS=k%>B$*0=R~ue- zDfP6mM8!QAn)MpZ%a`X-#oUZsY>c5U7;s8#q{uf^o4fxKbzxx5X#zz^=ZZ+s=t zys`44aA|g8q4daSlnEaV0mt?G?$N3nQ~&4#o@fF25cYsaIO^CWl#EFZ)5jCC$vCtZ zYW4Xol@8GOEXw|(&_*W0c}-o}O}Bo*cV6~f(OGWUM(b&)AU0{kZugPws{E zkpc#KS#8z2~98G8m<*d0ntI zN}FMqHyHK~nVqomuyFI{JaOKIMnJJZgMth-{#|38oI*0!)|v@*-tJu}^*oZ@jk3^j zkZq%8Y`||iMNn>^QaQ)WLKEWqF3~AeS4->Ad2K?ea-`p>;z`&pT?Fl-eEo2nUp+O5 zg(xjGR48rTJ8N5mJW9VN7Zl3mAa&NpFw#&qx@TLOHKV(r#zsdhN5TA!Mz?+~F5zzP 
z70N3}pgA*3%ueQKACut}sBMowPl@VwF4O*Rv8k5S@g}Os`p||<|1%cj0-yK>nxrx5 zyyL=0cOT4$jW7`I!FDl_Ao?lSoqiQ?!LtGe5qw6tCG>M9AhV|U>jzRBII|hg&%IKT z>`I6VM(4+<^IF%72AZaqM-r_CjX)(E*Wj2UQJwVSC>Ob()IHSmucOYmTr#km3MYZ+ z!BvZ4P3+El?EZ;-5Ggy%;{%R9?h0cTh7FBOZrz;9-Rjt;+!5_Z!=+3|{uxPX{9@ls zPtp*S)M7S9apfbrCvn|Rs$-vJDKt;=drT~t%&D=2m?iXpH@A3_*uPnrHTYF{L#T+c-*1g&a1nDiQO;C_3>}`*oa2Qt{YpX`8t1DTPkoY7 z`%XZ1e=F$hmj$+hijh|(E&%K@K3Z+}R(m{KLk(gkp18ZBfPWiIbHCoB*z59xBz1Z! zmR7?^EwAKf{Ys1)t20u5v{w5Peza?+Q#1yiMGK1kx}07{ee6sJ+b&||hJG?La-oc-vimuxKszDD`rlMj2_L9Yt8gASbDb_%R@Lq&+oyEDvo;Mq) zqtufm9wO)(Pz|t^s>+_6ruQ%-p7s#|o{S5oA4TmNGzh0id_#%b5MUoS9NHr8=iIxb zv)RDCcJn>kuKEoN=Q)mWyRZiR7RKLv5JY&dMDxT{-y+j`rJqjKiwQz45?T@JGJSL^ z@RH*}!x*q+s5=MWCx8de6fEgn2{}j^dS++4#!E6f{ruxNg|_*O-$67sxO`V>D%r{( zLU(W#mzw!Wcp9LA<$KuozO9P6Tr=e8$Vy|!2y)bxB}eo%|J1@iJQnJGJM%(T5c^r6 zhUv6ravWep$Iu)p&e-d1B1?pihJysD^gqyk;G)|-OSFHWTc7JE z6i;d+lj@ghBu1ei+Vf;7X~+ z01CGAaj@)u@isEL*t#v!Aeav=Sd^;8i87xhBll}d4+^K42(qjN)x%eXRt@H6HWmKxW%Bd z3Xh4plOg`gld^6Xy?*mvZogY32`4?JK4xD#R!y^Tihyw|E_n z^f6Sw_y!(4&Jx>>8%(hkzsQd^)>3`4_#IW`_O85-Oh#7Bpa&ooGQ(RcoAyb$_k1+6 z$8@7etO8f=%?8juzgK>-me!X1BxmE2|J;0VM3mNeVz4GFlt_HlEVtv{_9|cz$4T_5 z4qmQTsBUhe^n2ZpI`5xX5A19>jX8bd7C)CRi}ioXf0Dl&_H+BoXs#i@iWz?$Fbp}k z1>3=&rJZZGF`u6rZBJ=xrWh0l((7Y0L|WYR19Lm?o+VtN0X^)kw(76kF}f~jJm*q3 zhO|{w19Ifq8~KRy2Nl@0&RM#?+Z1W{aZ}1k`O&5dwx#c0-2t!ZzgJvPTWGxvY*nu{ zTNyXj`dCEg_ru!0x8{C-$8#$abJ>qp;(U1Wy~Q(GPq~&Y1Nlg`p$SSq+**E(*VC?E zs?*LFXc!fLknrmLeE&Y?WY2OmicazB%YHxhAo$0~aQDvo0PWtw50@FxhDg#_r$gti zQW#tE>Hdd6GJ8Bwjl~P2f#lbh=8}*CDWhUVw43g)=PJ=9o&X5Pm z4?h07oukxNGRqO3T)Gj3wfV|!FT+$J!XHh;Oq96M@>(db;;@IV!MpB)-4rN>Mk1OK zMSP)cx;T@rpD`H?kk5F<4T~T^AVUf!3=MerMO+_s+;2Tp!fB8gvB8R@Gc^D3*|2NX zW7mcZ6+dfx;BEn6J+C*6XRy9)toAwO6$vg7h4m@@nNdYIl>7DHFVv-PEKp8qi3AL9=Zl-%-a4E2AxSZ1q%yZtdx> zZ%eY==oGy^Y&te5HjfzFZ3O#s?gc(rhx%G_B0oCIwh86z;(2&W$y9A!v^q?mSWkdF%fKzrnvS@6(PmHIbyEX3~ZlkUDPH@(G>rVSso4_d$=}d-#-v@zubE-vu?3E=L%7(vr|(rn z#R9pgD{tqVFG0r0#Au{+u97F%%$6*@SDGGu;`DgaIHA?8lwv+rjK#L)K#cG^lp=#fDSu{mV^ 
zR=+o7^8J!taD~>))B?E-_q?fz?n!1Kc{CfN3(0>NB=<+!+r`E*h9JwiUAy;y%agzeghd@S_<4Lv35Fb9A4r*wjWv0X?IAH!~>( zn(;2ZPt+l8!MNo^uSLFzqrGkgx}cpDW=0m`wf=c+#uXw*&eX#OzLvJ_Pa45S0j<86*tTWv;=%c_Jq8 zw4OL?yYMVec=C=(u^bmKP6s~{ZVbT=vz=6m-1+qGNL9;4B_jA}ULRy_FMbAxZ1~6q z-O$WOG?$XghhI>(x3N}*TiDM2jpENZysqn1vu(VH{;ACuc9{X-0ZC6ae27Phdy-G3 zAK?Y;)z8<}l$P0AB21h$h_W@rJtcZAJ~@3JA1yJuzPZT37}PvJ0eHB!KD*(gTOHoRJ$*z=GMv1JzG9n62PG z_U;NF;D%7Qd=tKmDQ>OkJ5G6s5caF$#Q+>n?{tp_HZ(H^^k4Df#Ki|=MXgjU~b2BIWErZDfh&;Sj1(k^b_Kfv&qk6fv!CItt|oi z`Hq?05$4L;CqiD6sER@FC$6CAG}ebbB*LAmKud4oMdhAVsaJ(D*J0g!f0~4jYWggo z?5;y6vrYUDRP+?E2wdG?lYxJC;axBGFdG^+Uw&th4oU1J=>3*lv(d08p~T~T>+vG9bF7WF$m^S~!voxp^EGtEr;3llTyqmG zvY0pe8CLaXv(;-Y<3wt&haz-et5O3kZc4Ih`U6GfP)*@w)r_)SyJRnW@w0Z$X?}K+ z3}`fm*=%IrX1Ryp+0l_grmOX%sc7H*r7xkHYEa^FIXK-ml8J*sQt0bPf7v)%cu>E1MIAX3ULJ`9EJJ-S=5U;wMfA2@Mti!f8o2M!e- zKft^#m0QM=1DEe~z7|g_!}jgekAyBGDu$XdW=*=r9{kFYx#W&tg{S>OK1SAkVbGcy_aU!@)8>wGq0nCG!DCD-8B3}W{L7!$n?X~ zC(^46+JNY&fmw`j9ru%f*WQ)!cfui(1_w1~nzEq0MT^|tRep-UQtF4huiGblHZS!s zdAJPN>9shtZJL^X=@jk$M5z`gkTO5g5^-VC&$j43O7bJW&ybO4N7D5UJfu5IZGtUT zng+846q=QSdpC(DN`GdWdT@- zD0E44rZHD(SzzGnSiVrm3r$MP>4LWE?*qPoxavNdem$`2tA-G0#

P*Czs zsn>srKX`NX#_o73_iI!E_6RtcJ&2mBp-#VDAdnMN&n@BkLulE&3ZABMAK31q8aQce{$ZlDk!mjY$~m-jZP6*SK^VKycU^UoSk@$UR#j12vPC=w)lRN2_heW_22n1+UGTcVH;#8ZRn^ zS$qD=1A6BkiSGyHWmvmqpcii%FZzUNA}@r__>k%3gj*8pKm$5xHmQ863~bXE-lHxZ zEYS~1SEu&rz{Cp`8Tzi^?SXdgRqgzs`DKaoxsmzvepPNrcnu+G1skjUnZRY!e}}=8 zv^lCalU)g9ju(q)%OTp3E^VG0ltIG6GpQCfF5}#i`|BSp^f&wB5IYR$SAKV$57#st zL(-eC-??w}AyCOhQ=;q8>*jUplr?5zY_WVNqYfJ{EFmX+3$W=B`eG&$+NJN=Gti6c3NfH19XPAMyaCkc;(79qF4#8zz}v}w?)^AA79IQ+K^U>lSGe@V zTStZad@pS{iC_&l%OeW)`q^|`MHV3sa$(G&*Ho(pS22$ZwT}I)UBi)+9vF}vCq`qK ztlsIU=pplc|L{8Zcg?eJv>%)A4}3xS)1o-fKJ>QRWsgg5-B4J&eqVqvCFa$)Kmz<6b;OW zt9Q--oBt_Z^qCnveQp(V>ml8X%C-ZAhx-|MDyyCfCH@Khw>_>r5ZcZrui*29U){(T zh%>TojZdQOFVJBuE*FUzQ4BY6tpFJUif*X z-0elD{G%8FLFW5j86R=i^On>u1ktliz7Sd0$ZtzZfo&RG@J&pZvUqfM=R!ntmTLb_ zF*)fV_~?#UR|HVrNKAjnpYwXb$QyA`&M#GJlwZSj>8#wiznpg&S>g#QC$dmevQ+;D=ylncyDvOr}G-_GW=caaX z=MV~eb2g7zBg49AzPxMC;lzp8TKNJ>CDXy7&jFwAxjy)YalKwSR9sHw{?27N+{UnTcS|!_Ox=#!eNY#&peGK4Y4z)4G-P#Vv zN70k9PtDt(M^sNH@DCvtQBs3GzDm+~NuY!peQJ_3{6nR=cCag;T*Oy}qVVPB1I>%* zdRoCpjlLEu5Axl(&6tUOP5zH@C!E%Kh*weyjSKtNea5FT=BJEr`hT2{8)vRte-{=8 zcHFD9%9$WPFt|?H?62nugRn?%gUwPip_Ser+*j+e;chHV=xwZ!=fvE%v*l$2c;d`ucHBW^#k=Zc`60f z&uczY8gN*oWkoE+SYnJs%r!VVH&aiBlP39&a28Qvta7;sUNc8Qs73*aEmhw> zec>s)rJ==R{Pod=%0}p|cG5g4)a#v`8_*^-V-mR%a9$%L&`+^}a6nZ0Em?S!g`@r) zukP2kW?`piH;+`;LgP}_LxGZvuA_fGNj=7z6C0Rbgq>}_4q76tgdB87ro4$%VUxH7 za1rv}b)zi!2lyMsn~cVd)%Fs?I2r@yk^rT2NhW>UeY4;z?j~iEBt{7kUG%N6a0MEb9Qt~0=Fw~%!5|oarL6sf z1aPD~hFyH|7WuQ@D7oq|W7uJj?)gIne;mKGs3(H?FQH>SG$A%#k0U@pFM9MCp=vYJtDo0C3-w9e78uA8 z-eqtf7~oIl55grpRZ}RR>D(%v>^zypfS#{wFtzGtrjd@H|Fj#e(RkrD;w(se`x^Z7 z;)g7sE9TvZXtvUp@sA(RxtbIxb^4~v3RjO2+7MP}g!Lxr*%hg@((lLAiMFZT14^pg zXkVpr-TgkO^nePqHzX;5G;;Gq?!YYLhL)a8ZVX#Y(g^R-Y*Xx2qpLaHDx;siiKcxk zCq=g@H*$sp<;kbjx7qGJxszxd1u~})glZQ}!wY`Ro*dBtj)v#h&W=n^MNVZ2V79tX z@lH5l?ddoH{uwp`GP_S$J8*qJG)Bldg6I3}dE0gKm0X$!sV^!+=fSE*Pe-q??g5}S zmq2G^oU2k%ECEu#=8M0LC3!&dg#FuJ$)CS6)LxhNME^Uh_|T3{v?t~H+Omrw_niqK 
z5j3E(Q)k;y_E*KJ+tc5V0I26*%v>MLpgl6v;y_>^1d?um8`&hW00FG3mv|S04&?RN7^L6QN`k8# z)A=T#@MWmS)e(JDTtrnnUW+@UfBivJ`BIpE$9m|`Y$Lh!IG!cM8eXf(`gP za!K{!= znibaaBY&$$&WnOr(!A*{Ds-^sMJQ37uA4a`O|nk`jqBWPnn-#e7+1Hrs}3A7p{}yh zfi?V|)slS0IT0-I1BC|uft+=3bsC3CnG0e=CoIE&8lCSkm+lr9ryEPAZtWh|7;x#} z3xO?B1Yn~18IHP6ZeGmKldw{LQTXs@g7RGO*;d1SofoIq9=tNa#Xb;pC~;FvXXRyM zJ_9Js6X-x8GpA>vO|W?|n8_QG{{}E6)v+UAGk34t3Ve0ZfHL#)CS@J@Vt!LI@X7!S z;8eQzd$dbQzQzEHECIl=wHKfo5^!qeWl+jiYEebd?kf6*NX`ig0ykE3?nqo`tn$h& z8uOk~mN%&VLI|Vw_8jZ_QGo#h*iX%mmP%LI$ZFq)bn?SFA@ql$jGmCnNK)$yNXfsZv5LSTOMN~jvKIf%UACErP-@$CYQS2JXmXwh+p+6WBz)`6rHl@0&;d3;oN(lwp32g) zSP?M6{8Uy?&k1^$jZZ-*tKQuna*9w_I>T>c0?+(C59}DJaOyxemY~4eCRXC~HbzLr z*>5j2-bWX_mcpj$8C>&~6F{f*X_S5aa|=f*tbH%*32!$bFp=<)S;V?+xzP~)*6?e! z+SA!9?vi6$snB876d!{t6e;QSvK_4`(xqwlnor9&>X}okVkt2gQ`@6pw{6EWH9+Sl zk|&1Q&MS;0;_TDRk=hR?aKf%CALs6~gyszR2i6*8Q`fo)@;E}n7yN45?Cj*hiQlL z*-^|RUD8PzobL<#PUHfsqzZ5@fUY^q-@dq*Vp(X-T!jniIg!AlKeV(NEs=gM^xCR~ zHLpui2JeN^ZIKE+^3p*pCGDl+u!bkFeIwLcbbCMQOM}wa592B{&4r%66I1zdO1nqG z*hjnis&7o21>pELufOL>|9G9XHF#J2^uP(gsMR)XLp-{tlM=Z6z&j0uGT6L=(7F|= z&`HF4J>@h(p-Z{NEY-RB*|$wqXsN`J{#;k~xLl%k6rvey|K=9F7r{LMD5!$x2^=bf?z1|L!SYxx9Q24B?Elry3f%ts;z|~44@*UfQX^+`O%(6%+mh8 z7AfI;{YjLNif^oEAm%8fSSY=lFd_b_ulXEDw7&_D5c+PvE|8~$1=41i>)ZCZ&NT5Z zk0uveT)#_K3Iyz*X_Z`hlAra;OFs%LL`PonOB$%dU-gst2a3+UJTtKGJ6cZqVHr)xQ^9itYSS5Gn*= zcfWJM1)SpQvelH8?E2fA<9)Koki+1i?W0}Rs-N4G-J?=;b-#~b-4I#7`o=*aR6IX6 zHa;>c?pdKf;NS{0w&fQ?n<05&o+ld$S1n2w2h>~6r)G;!MBy8AI!-o3Jt-~2Hm7Ha zWIY_J$2VRhGlb^?$u>Jmy=9Zaw-(%U^;h%?eM1^EOR>=ALFm#&A~--JL>N*aA|*B; znqy=8WlG&Xhj)jmA_AYgs-Ew1yy=h}$f|mr8)P9k^tC{}7FtY>3CvS(d5kvrsrqQK z{(Kx8(X0kt<`=GXo>)>1O}aWD$^WAOVQTER^h)joT@VNZCzr7Is+@|>o*T-PcB1dL z(z4TSR1=0{?)L;cg_QBd--se*Z=ODQ#M&B?mnPJd8`WaJA_poN&_>3WNpkuq%xM+}Rt`Nf-KrwW(d1__mS&)gkS|AIbHxnLU;Bo7z(dE#~zZVZ_`UyLp#L1u6c4 zaO!kH#-9^1tc&0Wv|a*34ZjhK_k*!XA4?N6^G>e|0zeMwN)iKWA*sFQOh*$aSjhd$ zVGen=?laDxWrk=sOfqYu0xV!DH^i5-R|`ad2xsWFS33+f6YGN)z5{i2W$Y9WS9$a( 
zi*Tn*VIOh#0JnH`tPYh@6GAcDM?fHI@Fg{+2a0jz;(iXCTC8og(VAJG9(&vitj1Kw z_k>xpn?m=G?6^*udZsm`Ifa42ygB~oc!!kM2D7>#D+jhM9@9+&Uj%VuOcx;;$02h* zou9b1O}#@7(RExu6LZvWS||qgM$TNG<}v_8XMCJuRj$d+5tPz)=h|~j%p`CPaOCc< zRRXDxI!OsoO?cGb)-NEvsZi-l`7uVlcZdOi}g7<;JbrqPo#ymNzWKw{HSc-3)4@YZjMA zfhjTyy{!`Jy{6Vio3GE`$;=Ai1ar`Up;b?o65I!~3`NfjRsrv;k`3sJaz0NnGHRC7xE=iNcUfo?DU_e97FU2vv z>})XVM7LO50$r8{2MmYCTaLLm(ds-Q=v|kwj-DrewU7$E1WUkgZnpL_F50L`Fwqc8FeU9i)U{C(J-QIWE^H) z9Tm_ixvp1HYF0s05Cj4)?snbbow*wSsOBMh3F+M@lKaTqIa?~OcZPu9Z55@!q z+^4Y_i!u`_lcu)<4yG$o*%HwNaYt*xt}<;7!K+S|4Y>`Rf`T7H{C8b+$-TKmN0uTM zqI&CShwTsXyo>$S@_PjAouwY@XRnjaqEvWS6;+t!;y+$%^a*Qkun`Y>@FMW?;8@OL z@4a*DT*J~X*Dp!|h2(23`X6HKlWXnl%|@_1R1IwC4t%`k06C`Zd-bDm+)Y3T`$v~y zuxI+KP}wgTyB;2F^ww?4bDKTIU8%t9Er|m@D!Y<7LYr(i&_+cGH}@p8md2MQ8%D!> zj*r|@Io%dEgc~AvA7Y2)$tj*!!r+6XzooO%ssbrlsAHill?u(Acs#m3VdVr+g8_S|?X z^Ci>187wPh8pN`rS?- z&$`JdYK z>6CllJJ*?{h)31ZE;N2U6b%DKZd0@T+SY)fdcr)DpCK-8xL9YeTQxAcss&rdjo~f`3aL+@ z4vG~xb9G=;Hy^F=PzRMB1i*;$rkPV&^Lf(;pK&6GXxv*s5we0jeXxcmS$M0a2Q zUUg^+TRJsYnY^5E>y=XLOwmsdxap-AcfS}oQ+6lP%^p@QvC5{GW&$ZUGH;se5nFij z?bZu7kgc1##zaDO71=9anK>3$vgjE0Pdoan<#O z0WU38*eS_qMk;k`;AJqX)9U%OR3=n3AgVCnb`=%XdEjjxs(dQo)g!7Cd;`=}*Qmn( e{{WplqPqwt#XaK5&s82O0+Zp literal 0 HcmV?d00001 diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/__init__.py new file mode 100644 index 0000000000..797e426edf --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/__init__.py @@ -0,0 +1 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/__init__.py new file mode 100644 index 0000000000..f3bd269977 --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/__init__.py @@ -0,0 +1,4 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT + +from .run.action import Run + 
diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/__init__.py
new file mode 100644
index 0000000000..598a34c70c
--- /dev/null
+++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/__init__.py
@@ -0,0 +1,2 @@
+# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
+from .action import Run
diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/action.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/action.py
new file mode 100644
index 0000000000..a2a9e4c585
--- /dev/null
+++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/action.py
@@ -0,0 +1,85 @@ +import json +import paramiko +import base64 +import grpc +import io +import time +from pyvelociraptor import api_pb2 +from pyvelociraptor import api_pb2_grpc +import insightconnect_plugin_runtime +from .schema import RunInput, RunOutput, Input, Output, Component +# Custom imports below + + +class Run(insightconnect_plugin_runtime.Action): + + def __init__(self): + super(self.__class__, self).__init__( + name="run", + description=Component.DESCRIPTION, + input=RunInput(), + output=RunOutput()) + + def run(self, params={}): + # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION + # END INPUT BINDING - DO NOT REMOVE + # TODO - If input bindings for connection can be done check to same if it you can do the same here + """Runs a VQL query against the Velociraptor server. + + Args: + config: A dictionary containing the configuration parameters for the Velociraptor server. + query: The VQL query to run. + + Returns: + A tuple containing the query, the response, and the query execution logs. + """ + results = {} + try: + # Fill in the SSL params from the api_client config file. You can get such a file: + # velociraptor --config server.config.yaml config api_client > api_client.conf.yaml + api_connection_string = self.connection.api_connection_string + root_certificates_decoded = self.connection.root_certificates_decoded + private_key_decoded = self.connection.private_key_decoded + certificate_chain_decoded = self.connection.certificate_chain_decoded + query = params.get(Input.COMMAND) + creds = grpc.ssl_channel_credentials( + root_certificates = root_certificates_decoded, + private_key = private_key_decoded, + certificate_chain = certificate_chain_decoded) + # This option is required to connect to the grpc server by IP - we + # use self signed certs. + options = (('grpc.ssl_target_name_override', "VelociraptorServer",),) + # The first step is to open a gRPC channel to the server.. 
+ with grpc.secure_channel(api_connection_string, + creds, options) as channel: + stub = api_pb2_grpc.APIStub(channel) + # The request consists of one or more VQL queries. Note that you can collect artifacts by simply naming them using the + # "Artifact" plugin. + request = api_pb2.VQLCollectorArgs( + max_wait=1, + max_row=100, + Query=[api_pb2.VQLRequest( + Name="ICON Plugin Request", + VQL=query, + )], + ) + # This will block as responses are streamed from the + # server. If the query is an event query we will run this loop + # forever. + logs_list = [] + for response in stub.Query(request): + if response.Response: + package = json.loads(response.Response) + logs_list.append(package) + + elif response.log: + # Query execution logs are sent in their own messages. + package = time.ctime(response.timestamp / 1000000), response.log + self.logger.info("Command Sent") + results["logs_list"] = logs_list[0] + return {Output.RESULTS: results} + except grpc.RpcError as e: + self.logger.info("Error: ",e) + results["logs_list"] = e + return {Output.RESULTS: results} + diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/schema.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/schema.py new file mode 100644 index 0000000000..62aa3c09fe --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/actions/run/schema.py 
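Review bot: `results["logs_list"] = logs_list[0]` raises IndexError when the query returns no rows (only `grpc.RpcError` is caught, so it escapes as an unhandled traceback) and silently drops every response batch after the first, which together with `max_row=100` means at most the first 100 rows are ever returned; the output schema declares `logs_list` as an array, so `results["logs_list"] = logs_list` returns everything collected. In the `except grpc.RpcError` branch `results["logs_list"] = e` stores the exception object, which neither matches the schema nor serialises, and `self.logger.info("Error: ",e)` passes `e` as a %-format argument for a message with no placeholder, so the logging call itself errors and the message is lost; log with `self.logger.error("Error: %s", e)` and raise the runtime's `PluginException` (from `insightconnect_plugin_runtime.exceptions`) rather than returning a malformed result. The tuple built in the `elif response.log` branch is assigned to `package` and then discarded, so query execution logs sent by the server never reach the output or the logger. The triple-quoted string below the input-binding comments is not a docstring (it is not the first statement of `run`), and `paramiko`, `base64` and `io` are imported but unused — `paramiko` is also pinned in requirements.txt although neither this file nor connection.py uses it.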
@@ -0,0 +1,78 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +import insightconnect_plugin_runtime +import json + + +class Component: + DESCRIPTION = "Run Velociraptor command" + + +class Input: + COMMAND = "command" + + +class Output: + RESULTS = "results" + + +class RunInput(insightconnect_plugin_runtime.Input): + schema = json.loads(r""" + { + "type": "object", + "title": "Variables", + "properties": { + "command": { + "type": "string", + "description": "Command to execute on Velociraptor host", + "order": 1 + } + }, + "required": [ + "command" + ], + "definitions": {} +} + """) + + def __init__(self): + super(self.__class__, self).__init__(self.schema) + + +class RunOutput(insightconnect_plugin_runtime.Output): + schema = json.loads(r""" + { + "type": "object", + "title": "Variables", + "properties": { + "results": { + "$ref": "#/definitions/results", + "title": "Results", + "description": "Results", + "order": 1 + } + }, + "required": [ + "results" + ], + "definitions": { + "results": { + "type": "object", + "title": "results", + "properties": { + "logs_list": { + "type": "array", + "title": "LOGS_LIST", + "description": "Logs List", + "items": { + "type": "object" + }, + "order": 1 + } + } + } + } +} + """) + + def __init__(self): + super(self.__class__, self).__init__(self.schema) diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/__init__.py new file mode 100644 index 0000000000..c78d3356be --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/__init__.py @@ -0,0 +1,2 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +from .connection import Connection diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/connection.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/connection.py new file mode 100644 index 0000000000..7fb063d436 --- /dev/null 
+++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/connection.py 
@@ -0,0 +1,90 @@ +import json +import paramiko +import base64 +import grpc +import io +import time +from pyvelociraptor import api_pb2 +from pyvelociraptor import api_pb2_grpc +import insightconnect_plugin_runtime +from .schema import ConnectionSchema, Input +# Custom imports below + + +class Connection(insightconnect_plugin_runtime.Connection): + + def __init__(self): + super(self.__class__, self).__init__(input=ConnectionSchema()) + + def connect(self, params): + # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION + # TODO: generate bound input variables for the user, to help handhold the user + # TODO: ex. self.api_key = params.get(Input.API_KEY) + # END INPUT BINDING - DO NOT REMOVE + self.logger.info("Connect: Connecting...") + """Runs a VQL query against the Velociraptor server. + + Args: + config: A dictionary containing the configuration parameters for the Velociraptor server. + query: The VQL query to run. + + Returns: + A tuple containing the query, the response, and the query execution logs. + """ + + try: + # Fill in the SSL params from the api_client config file. You can get such a file: + # velociraptor --config server.config.yaml config api_client > api_client.conf.yaml + api_connection_string = self.parameters["api_connection_string"] + root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"]) + private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"]) + certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"]) + query = "SELECT * FROM info()" + creds = grpc.ssl_channel_credentials( + root_certificates = root_certificates_decoded, + private_key = private_key_decoded, + certificate_chain = certificate_chain_decoded) + # This option is required to connect to the grpc server by IP - we + # use self signed certs. 
+ options = (('grpc.ssl_target_name_override', "VelociraptorServer",),) + # The first step is to open a gRPC channel to the server.. + with grpc.secure_channel(api_connection_string, + creds, options) as channel: + stub = api_pb2_grpc.APIStub(channel) + + # The request consists of one or more VQL queries. Note that + # you can collect artifacts by simply naming them using the + # "Artifact" plugin. + request = api_pb2.VQLCollectorArgs( + max_wait=1, + max_row=100, + Query=[api_pb2.VQLRequest( + Name="ICON Plugin Request", + VQL=query, + )], + ) + # This will block as responses are streamed from the + # server. If the query is an event query we will run this loop + # forever. + logs_list = [] + for response in stub.Query(request): + if response.Response: + package = json.loads(response.Response) + logs_list.append(package) + + elif response.log: + # Query execution logs are sent in their own messages. + package = time.ctime(response.timestamp / 1000000), response.log + self.logger.info("Connection Successful") + self.api_connection_string = self.parameters["api_connection_string"] + self.root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"]) + self.private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"]) + self.certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"]) + self.username = self.parameters["username"] + except grpc.RpcError as e: + self.logger.info("Error: ",e) + self.api_connection_string = self.parameters["api_connection_string"] + self.root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"]) + self.private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"]) + self.certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"]) + self.username = self.parameters["username"] 
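Review bot: The `except grpc.RpcError` branch at the end of `connect` logs the error and then assigns the same five attributes as the success path, so a rejected certificate, wrong private key or unreachable server is reported as a successful connection and only surfaces later as a failing action; the handler should re-raise as the runtime's `ConnectionTestException` (from `insightconnect_plugin_runtime.exceptions`) so the connection test fails closed. `self.logger.info("Error: ",e)` passes `e` as a %-format argument for a message that has no placeholder, so the logging call errors internally and the message is lost — use `self.logger.error("Error: %s", e)`. The attribute assignments are duplicated in both branches and re-decode secrets that were already decoded into locals at the top of the `try`; assigning them once before the `try` removes the duplication and also means a malformed base64 value (which raises `binascii.Error`, not `grpc.RpcError`) fails before any network call. `self.username` is stored but never read by the action, so the schema's "User to run command as" is not honoured — queries run as the identity in the client certificate. The fence below sketches the restructured method with the unchanged channel/query block elided.
```python
    def connect(self, params):
        self.logger.info("Connect: Connecting...")
        # Decode once, before the try: a malformed base64 value raises binascii.Error here
        self.api_connection_string = self.parameters["api_connection_string"]
        self.root_certificates_decoded = base64.b64decode(self.parameters["ca_certificate"]["secretKey"])
        self.private_key_decoded = base64.b64decode(self.parameters["client_private_key"]["secretKey"])
        self.certificate_chain_decoded = base64.b64decode(self.parameters["client_cert"]["secretKey"])
        self.username = self.parameters["username"]
        try:
            creds = grpc.ssl_channel_credentials(
                root_certificates=self.root_certificates_decoded,
                private_key=self.private_key_decoded,
                certificate_chain=self.certificate_chain_decoded,
            )
            # … unchanged: options, secure_channel, VQLCollectorArgs for "SELECT * FROM info()" and the response loop …
            self.logger.info("Connection Successful")
        except grpc.RpcError as e:
            self.logger.error("Error: %s", e)
            raise ConnectionTestException(
                cause="Velociraptor API connection failed",
                assistance="Check api_connection_string and the base64-encoded CA certificate, client certificate and private key.",
                data=str(e),
            )
```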
diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/schema.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/schema.py new file mode 100644 index 0000000000..284dca21b6 --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/connection/schema.py 
@@ -0,0 +1,77 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +import insightconnect_plugin_runtime +import json + + +class Input: + API_CONNECTION_STRING = "api_connection_string" + CA_CERTIFICATE = "ca_certificate" + CLIENT_CERT = "client_cert" + CLIENT_PRIVATE_KEY = "client_private_key" + USERNAME = "username" + + +class ConnectionSchema(insightconnect_plugin_runtime.Input): + schema = json.loads(r""" + { + "type": "object", + "title": "Variables", + "properties": { + "api_connection_string": { + "type": "string", + "description": "Velociraptor API Connection Address", + "order": 2 + }, + "ca_certificate": { + "$ref": "#/definitions/credential_secret_key", + "description": "A base64 encoded CA_Certificate Key", + "order": 3 + }, + "client_cert": { + "$ref": "#/definitions/credential_secret_key", + "description": "A base64 encoded Client_Cert Key", + "order": 4 + }, + "client_private_key": { + "$ref": "#/definitions/credential_secret_key", + "description": "A base64 encoded Client_Private Key", + "order": 5 + }, + "username": { + "type": "string", + "description": "User to run command as", + "order": 1 + } + }, + "required": [ + "api_connection_string", + "ca_certificate", + "client_cert", + "client_private_key", + "username" + ], + "definitions": { + "credential_secret_key": { + "id": "credential_secret_key", + "type": "object", + "title": "Credential: Secret Key", + "description": "A shared secret key", + "required": [ + "secretKey" + ], + "properties": { + "secretKey": { + "type": "string", + "title": "Secret Key", + "description": "The shared secret key", + "format": "password", + "displayType": "password" + } + } + } + } +} + """) + + def __init__(self): + super(self.__class__, self).__init__(self.schema) diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/tasks/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/tasks/__init__.py new file mode 100644 index 0000000000..7020c9a4ad --- /dev/null 
+++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/tasks/__init__.py @@ -0,0 +1,2 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT + diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/triggers/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/triggers/__init__.py new file mode 100644 index 0000000000..7020c9a4ad --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/triggers/__init__.py @@ -0,0 +1,2 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT + diff --git a/plugins/velociraptor_legacy/icon_velociraptor_legacy/util/__init__.py b/plugins/velociraptor_legacy/icon_velociraptor_legacy/util/__init__.py new file mode 100644 index 0000000000..797e426edf --- /dev/null +++ b/plugins/velociraptor_legacy/icon_velociraptor_legacy/util/__init__.py @@ -0,0 +1 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT diff --git a/plugins/velociraptor_legacy/plugin.spec.yaml b/plugins/velociraptor_legacy/plugin.spec.yaml new file mode 100644 index 0000000000..52bfac3fc1 --- /dev/null +++ b/plugins/velociraptor_legacy/plugin.spec.yaml 
@@ -0,0 +1,84 @@ +plugin_spec_version: v2 +extension: plugin +products: [insightconnect] +name: velociraptor_legacy +title: Velociraptor Legacy +description: Velociraptor is a unique, advanced open-source endpoint monitoring, digital + forensic and cyber response platform. It provides you with the ability to more effectively + respond to a wide range of digital forensic and cyber incident response investigations + and data breaches +version: 1.0.0 +version_history: ['1.0.0 - Initial plugin'] +requirements: ['Velociraptor API Conf(velociraptor --config velociraptor.config.yaml + config api_client --name rapid7 --role administrator api.config.yaml)'] +key_features: ['dfir'] +supported_versions: ['1.0.0'] +references: ['[Velociraptor Product Page](https://docs.velociraptor.app)', '[Base64 + Encode/Decode Page](https://www.base64encode.org/)'] +Links: ['#https://docs.velociraptor.app'] +vendor: jbauvinet +support: community +status: [] +enable_cache: true +resources: + vendor_url: https://docs.velociraptor.app/ + license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE +tags: +- dfir +- velociraptor +hub_tags: + use_cases: ['threat_detection_and_response'] + keywords: ['dfir'] + features: [] +sdk: + type: full + version: 5 + user: nobody +types: + results: + logs_list: + title: LOGS_LIST + description: Logs List + type: '[]object' +connection: + username: + type: string + description: User to run command as + required: true + example: rapid7 + api_connection_string: + type: string + description: Velociraptor API Connection Address + required: true + example: x.x.x.x:8001 + ca_certificate: + type: credential_secret_key + description: A base64 encoded CA_Certificate Key + required: true + example: {privateKey: 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} + client_cert: + type: credential_secret_key + description: A base64 encoded Client_Cert Key + required: true + example: {privateKey: 
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} + client_private_key: + type: credential_secret_key + description: A base64 encoded Client_Private Key + required: true + example: {privateKey: 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} +actions: + run: + title: Run Velociraptor Command + description: Run Velociraptor command + input: + command: + description: Command to execute on Velociraptor host + type: string + required: true + example: SELECT * FROM host() + output: + results: + title: Results + description: Results + type: results + required: true diff --git a/plugins/velociraptor_legacy/requirements.txt b/plugins/velociraptor_legacy/requirements.txt new file mode 100644 index 0000000000..5c7104eb96 --- /dev/null +++ b/plugins/velociraptor_legacy/requirements.txt @@ -0,0 +1,7 @@ +# List third-party dependencies here, separated by newlines. +# All dependencies must be version-pinned, eg. requests==1.2.0 +# See: https://pip.pypa.io/en/stable/user_guide/#requirements-files +paramiko==3.3.1 +grpcio==1.59.2 +grpcio.tools==1.59.2 +pyvelociraptor==0.1.8 diff --git a/plugins/velociraptor_legacy/setup.py b/plugins/velociraptor_legacy/setup.py new file mode 100644 index 0000000000..ac1849c407 --- /dev/null +++ b/plugins/velociraptor_legacy/setup.py @@ -0,0 +1,14 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT +from setuptools import setup, find_packages + + +setup(name="velociraptor_legacy-jbauvinet-plugin", + version="1.0.0", + description="Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches", + author="jbauvinet", + author_email="", + url="", + packages=find_packages(), + install_requires=['insightconnect-plugin-runtime'], # Add third-party dependencies to requirements.txt, not here! + scripts=['bin/icon_velociraptor_legacy'] + ) 
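Review bot: The `example:` values for `ca_certificate`, `client_cert` and `client_private_key` use the key `privateKey`, but the `credential_secret_key` type they reference (see connection/schema.py) has a single required field `secretKey`, which is also what connection.py reads; the examples should read `example: {secretKey: <base64 string>}`. The `requirements` entry tells the operator to mint the API client with `--role administrator`, which gives the certificate the plugin holds full administrative rights on the Velociraptor server; Velociraptor's narrower `api` role (combined only with the roles the intended queries need) is the least-privilege choice and should be the documented default. `Links:` is capitalised unlike every other top-level key and its value `'#https://docs.velociraptor.app'` is prefixed with `#`, which makes the URL unusable; `references:` already carries the link, so drop it or fix the case and value. The action input description `Command to execute on Velociraptor host` is misleading because the value is a VQL query sent to the API server, not a shell command on a host — `description: VQL query to run against the Velociraptor server` matches the code.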
diff --git a/plugins/velociraptor_legacy/unit_test/__init__.py b/plugins/velociraptor_legacy/unit_test/__init__.py new file mode 100644 index 0000000000..797e426edf --- /dev/null +++ b/plugins/velociraptor_legacy/unit_test/__init__.py @@ -0,0 +1 @@ +# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT diff --git a/plugins/velociraptor_legacy/unit_test/test_run.py b/plugins/velociraptor_legacy/unit_test/test_run.py new file mode 100644 index 0000000000..7d985eb070 --- /dev/null +++ b/plugins/velociraptor_legacy/unit_test/test_run.py @@ -0,0 +1,20 @@ +import sys +import os +sys.path.append(os.path.abspath('../')) + +from unittest import TestCase +from icon_velociraptor_legacy.connection.connection import Connection +from icon_velociraptor_legacy.actions.run import Run +import json +import logging + + +class TestRun(TestCase): + def test_run(self): + """ + DO NOT USE PRODUCTION/SENSITIVE DATA FOR UNIT TESTS + + TODO: Implement test cases here + """ + + self.fail("Unimplemented Test Case")
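Review bot: `test_run` is left as `self.fail("Unimplemented Test Case")`, so the suite fails by default and neither `Run.run` nor `Connection.connect` is exercised. Since both bodies are pure gRPC I/O, a useful test would patch `api_pb2_grpc.APIStub` with `unittest.mock.patch` to return a stub whose `Query` yields a fake response carrying a JSON `Response` field, assign a fake `connection` to the action, and assert `run({"command": "SELECT 1"})` returns `{"results": {"logs_list": ...}}`; an empty-result case would also expose the `logs_list[0]` IndexError in action.py. The `sys.path.append(os.path.abspath('../'))` line depends on the current working directory and should be dropped in favour of running the tests from the plugin root as a package.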