Velociraptor can get an interactive shell on the endpoint by using the shell command. In order to use it, the user must be directly logged on the server.
Obviously being able to run arbitrary commands on the end point is a powerful feature and should be used sparingly. There is an audit trail for shell commands executed and their output available by streaming all shell commands to the “Shell” client evnt monitoring artifact.
This server event artifact centralizes all shell access from all clients into the same log file.
name: Server.Monitor.Shell
description: |
Velociraptor can get an interactive shell on the endpoint by using
the shell command. In order to use it, the user must be directly
logged on the server.
Obviously being able to run arbitrary commands on the end point is
a powerful feature and should be used sparingly. There is an audit
trail for shell commands executed and their output available by
streaming all shell commands to the "Shell" client evnt monitoring
artifact.
This server event artifact centralizes all shell access from all
clients into the same log file.
# Can be CLIENT, EVENT, SERVER, SERVER_EVENT
type: SERVER_EVENT
sources:
- query: |
-- Watch for shell flow completions.
LET collections = SELECT Flow
FROM watch_monitoring(artifact="System.Flow.Completion")
WHERE Flow.artifacts_with_results =~ "Windows.System.PowerShell|Windows.System.CmdShell"
-- Dump the command and the results.
SELECT * FROM foreach(row=collections,
query={
SELECT Flow.session_id AS FlowId,
Flow.client_id AS ClientId,
client_info(client_id=Flow.client_id).os_info.fqdn AS Hostname,
timestamp(epoch=Flow.create_time / 1000000) AS Created,
timestamp(epoch=Flow.active_time / 1000000) AS LastActive,
get_flow(flow_id=FlowId,
client_id=ClientId).request.parameters.env[0].value AS Command,
Stdout, Stderr FROM source(
client_id=Flow.client_id,
flow_id=Flow.session_id,
artifact=Flow.artifacts_with_results[0])
})
# Reports can be MONITORING_DAILY, CLIENT
reports:
- type: SERVER_EVENT
template: |
{{ .Description }}
{{ $rows := Query "SELECT ClientId, Hostname, \
timestamp(epoch=LastActive) AS Timestamp, Command, Stdout FROM source()" }}
{{ range $row := $rows }}
* On {{ Get $row "Timestamp" }} we ran {{ Get $row "Command" }} on {{ Get $row "Hostname" }}
```text
{{ Get $row "Stdout" }}
```
{{end}}