# -*- coding: UTF-8 -*-
import argparse
import os
import sys
from loguru import logger
from builder.CommonFromYara import CommonFromYara
from builder.LinuxFromForensicArtifacts import LinuxFromForensicArtifacts
from builder.WindowsFromKapeTargets import WindowsFromKapeTargets
from helpers.arguments import add_ForensicArtifacts_args, add_yara_args
from helpers.enum import OsArchitecture, OsSimpleName
from helpers.VelociraptorPacker import VelociraptorPacker
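# Default zip password baked into the collector when -p/--password is not given.
# It is a fixed, well-known value, so an archive protected with it is effectively
# unprotected; main() warns whenever it is left in place.
DEFAULT_ZIP_PASSWORD = '<PASSWORD>'

# Artifact sets handled by WindowsFromKapeTargets; each one is a bare sub-command.
_KAPE_ARTIFACT_SETS = ('kape_light', 'kape_full', 'kape_dc')


def _build_arg_parser() -> tuple[argparse.ArgumentParser, dict[str, argparse.ArgumentParser]]:
    """Build the CollectRaptor command line.

    Returns:
        The root parser and a mapping ``target_os value -> per-OS sub-parser`` so the
        caller can print the right help when no artifacts set was requested.
    """
    args_parser = argparse.ArgumentParser(prog='CollectRaptor')
    # Common args.
    args_parser.add_argument('-t', '--template',
                             dest='template',
                             help='Template file to parametrize')
    # NOTE(review): the tools listed here are downloaded by the builders; this script
    # does not verify what is fetched — confirm integrity checks live in builder.*.
    args_parser.add_argument('--tools-csv',
                             dest='tools_csv',
                             help='CSV file containing the tools to download')
    args_parser.add_argument('-o', '--output',
                             dest='output',
                             help='Output directory for the config file and packed Velociraptor binary')
    # Boolean flag: declared without an action it required a value after --only-conf,
    # and any value (even "false") was truthy at the check in main().
    args_parser.add_argument('--only-conf',
                             dest='only_conf',
                             action='store_true',
                             help='Only generate a config file, not the packed Velociraptor binary')
    args_parser.add_argument('-p', '--password',
                             dest='zip_password',
                             default=DEFAULT_ZIP_PASSWORD,
                             help='Password for the encrypted zip produced by the collector. Defaults to \'<PASSWORD>\'')
    # Common args - Velociraptor packer.
    # TODO: '--velo-path' (folder containing the Velociraptor binaries used for packing) is not wired up yet.
    subparsers = args_parser.add_subparsers(dest='target_os',
                                            required=True,
                                            help='Target operating system')

    # Subparser for Windows.
    parser_windows = subparsers.add_parser(OsSimpleName.Windows.value)
    parser_windows_subparsers = parser_windows.add_subparsers(dest='artifacts_set')
    for kape_set in _KAPE_ARTIFACT_SETS:
        parser_windows_subparsers.add_parser(kape_set)
    add_yara_args(parser_windows_subparsers.add_parser('yara'))
    parser_windows.add_argument('-a', '--architecture',
                                choices=['x86', 'x64'],
                                default='x64',
                                help='Target operating system architecture',
                                dest='os_architecture')

    # Subparser for Linux.
    parser_linux = subparsers.add_parser(OsSimpleName.Linux.value)
    parser_linux_subparsers = parser_linux.add_subparsers(dest='artifacts_set')
    parser_linux.add_argument('-a', '--architecture',
                              choices=['x64'],
                              default='x64',
                              help='Target operating system architecture',
                              dest='os_architecture')
    add_ForensicArtifacts_args(parser_linux_subparsers.add_parser('forensic_artifacts'))
    add_yara_args(parser_linux_subparsers.add_parser('yara'))

    os_parsers = {
        OsSimpleName.Windows.value: parser_windows,
        OsSimpleName.Linux.value: parser_linux,
    }
    return args_parser, os_parsers


def _resolve_target_os(args: argparse.Namespace) -> OsArchitecture:
    """Map the parsed target OS / architecture pair onto an OsArchitecture member.

    Linux only has an x64 build; Windows picks x64 unless '-a x86' was given.
    """
    if args.target_os == OsSimpleName.Linux.value:
        return OsArchitecture.Linux_x64
    if args.os_architecture == 'x64':
        return OsArchitecture.Windows_x64
    return OsArchitecture.Windows_x86


def _make_builder(args: argparse.Namespace, target_os: OsArchitecture):
    """Instantiate the collector builder matching the requested OS and artifacts set.

    Returns:
        A CommonFromYara, WindowsFromKapeTargets or LinuxFromForensicArtifacts
        instance, or None when the OS / artifacts-set combination is not supported.
    """
    # Yara scanning is supported on both target OSes.
    if args.artifacts_set == 'yara':
        return CommonFromYara(target_os,
                              args.zip_password,
                              args.yara_input,
                              template=args.template,
                              output_dir=args.output,
                              tools_csv=args.tools_csv)
    # Windows collection is driven by KAPE targets.
    if args.target_os == OsSimpleName.Windows.value and args.artifacts_set.startswith('kape'):
        return WindowsFromKapeTargets(target_os,
                                      args.artifacts_set,
                                      args.zip_password,
                                      output_dir=args.output,
                                      tools_csv=args.tools_csv)
    # Linux collection is driven by ForensicArtifacts YAML definitions.
    if args.target_os == OsSimpleName.Linux.value and args.artifacts_set == 'forensic_artifacts':
        return LinuxFromForensicArtifacts(target_os,
                                          args.zip_password,
                                          template=args.template,
                                          yaml_urls=args.yaml_urls,
                                          yaml_files=args.yaml_files,
                                          output_dir=args.output)
    return None


def main() -> int:
    """Parse the command line, validate inputs and build the collector.

    Returns:
        Process exit status: 0 on success, 1 on a usage or input error.
    """
    logger.remove(0)
    logger.add(sys.stderr, format='{time:YYYY-MM-DDTHH:mm:ssZ} <level>[{level}] {message}</level>', colorize=True)

    args_parser, os_parsers = _build_arg_parser()
    args = args_parser.parse_args()

    # The per-OS artifacts-set sub-command is optional to argparse, so enforce it here.
    if args.artifacts_set is None:
        os_parsers.get(args.target_os, args_parser).print_help()
        return 1
    if args.tools_csv and not os.path.isfile(args.tools_csv):
        logger.error(f"'{args.tools_csv}' does not exist / is not a valid file.")
        return 1
    if args.artifacts_set == 'yara' and not os.path.exists(args.yara_input):
        logger.error(f"'{args.yara_input}' does not exist / is not a valid file or folder.")
        return 1
    if args.zip_password == DEFAULT_ZIP_PASSWORD:
        logger.warning("Using the default zip password; pass -p/--password to protect the collected archive with a unique one.")

    target_os = _resolve_target_os(args)
    collector_builder = _make_builder(args, target_os)
    if collector_builder is None:
        # Unreachable with the sub-parsers above, but cheaper than an AttributeError on None.
        logger.error(f"Unsupported combination: target OS '{args.target_os}' with artifacts set '{args.artifacts_set}'.")
        return 1

    config_file_path = collector_builder.create_config()
    logger.success(f'Collector configuration file written to \'{config_file_path}\'')
    if args.only_conf:
        logger.info(f'Command to build the Velociraptor collector: \'velociraptor config repack {os.path.basename(config_file_path)} <OUTPUT_BINARY> \'')
    else:
        collector_builder.create_collector()
    return 0


if __name__ == '__main__':
    sys.exit(main())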