Uses CyLR tool to do live forensic on the host.
Note this requires syncing the CyLR binary from the host.
name: Generic.Forensics.CyLR
description: |
Uses CyLR tool to do live forensic on the host.
Note this requires syncing the CyLR binary from the host.
tools:
- name: Cylr_amd64
serve_locally: true
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: TargetDir
type: string
default: "%SystemDrive%\\"
- name: ZipPassword
type: string
default: ""
- name: ToolInfo
type: hidden
description: Override Tool information.
sources:
- query: |
LET os_info <= SELECT Architecture,Hostname FROM info()
// Get the path to the binary.
LET bin <= SELECT * FROM Artifact.Generic.Utils.FetchBinary(
ToolName= "Cylr_" + os_info[0].Architecture,
ToolInfo=ToolInfo)
// Set necessary variables
LET hostname = os_info[0].Hostname
LET outputDir <= expand(path=TargetDir)
LET outputFile = upcase(string=hostname)+".zip"
LET logFile <= outputDir + "\\" + "CylR.log"
LET fullOutputFile <= outputDir + "\\" + outputFile
// Call the binary and return all its output in a single row.
LET output <= SELECT * FROM execve(argv=[bin[0].FullPath, '-od', outputDir, ], cwd=outputDir, length=10000000)
// Upload the forensic file and report additional data.
SELECT upload(file=logFile) AS LogFile, upload(file=fullOutputFile) AS ForensicFile FROM scope()