Generic.Collection.UAC

This artifact leverages UAC (Unix-like Artifacts Collector) to collect artifacts from Unix-like systems, and then upload the output to the Velociraptor server.


name: Generic.Collection.UAC
author: 'Thiago Canozzo Lahr - @tclahr'
description: |
  This artifact leverages UAC (Unix-like Artifacts Collector) to collect artifacts
  from Unix-like systems, and then upload the output to the Velociraptor server.

reference:
  - https://github.com/tclahr/uac

type: CLIENT

# The UAC release archive is pulled from GitHub by the FetchBinary helper;
# the regex selects the .tar.gz asset of the release.
tools:
  - name: uac
    github_project: tclahr/uac
    github_asset_regex: 'uac-.+\.tar\.gz'

# Only the Unix-like platforms UAC supports.
precondition: >-
  SELECT OS FROM info()
  WHERE OS = "darwin" OR OS = "freebsd" OR OS = "linux"

# Passed verbatim to the UAC command line (see the query below).
parameters:
  - name: CommandLineOptions
    default: '-p ir_triage'
    type: string
    description: Command line options.

sources:
  - query: |
      // Fetch the UAC .tar.gz archive into a temporary copy that is
      // removed once the collection finishes.
      LET archive <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
          ToolName="uac", IsExecutable=FALSE, TemporaryOnly=TRUE)

      // Scratch directory for the extracted tree; cleaned up after the last query.
      LET workdir <= tempdir(remove_last=true)

      // Extract the archive into the scratch directory (materialized so the
      // glob below only runs after tar has finished).
      LET extracted <= SELECT * FROM execve(
          argv=['tar', 'zxf', archive.OSPath[0]], cwd=workdir)

      // Locate the uac-* directory produced by the extraction.
      LET uac_dir <= SELECT OSPath FROM glob(globs=["uac-*"], root=workdir)
          WHERE IsDir = true

      // Run UAC through the shell. CommandLineOptions is spliced into the
      // command string as-is, so it reaches /bin/sh unescaped: the
      // parameter must come only from trusted operators.
      LET collection <= SELECT * FROM execve(
          argv=["/bin/sh", "-c", "./uac -u " + CommandLineOptions + " ."],
          cwd=uac_dir.OSPath[0],
          sep="\n",
          length=2048)

      // Upload the UAC log and the output archive written next to the binary.
      LET uploads <= SELECT OSPath,
          upload(accessor="file", file=OSPath, name=OSPath.Basename) AS Upload
          FROM glob(globs=["uac-*.log", "uac-*.tar.gz"], root=uac_dir.OSPath[0])

      // Emit the UAC process output first, then one row per uploaded file.
      SELECT * FROM chain(a=collection, b=uploads)

# CHANGELOG:
# 2023-10-01: v3.0 released
#   - FetchBinary now uses TemporaryOnly=TRUE to use a temporary directory to hold the binary and remove it afterward.
#   - The FullPath column of the Glob plugin is deprecated so it was replaced by OSPath.
# 2023-03-01: v2.0 released
#   - UAC tool needs to be either fetched via upstream URL or manually provided as a .tar.gz package.
# 2023-02-19: v1.0 released
#   - Initial release.