This artifact uses glob to remove a file or folder.
To recursively target a folder: C:\folder\path{,\**}
To target multiple folders: C:\{folder2\path2{,\**},folder\path{,\**}}
however advised to just run 2 collections…
WARNING: There has been a bug in older versions of Velociraptor that \**
glob path will select all files. PLEASE SCOPE FIRST and use appropriate targeting.
name: Windows.Remediation.Glob
author: Matt Green - @mgreen27
description: |
This artifact uses glob to remove a file or folder.
To recursively target a folder: ```C:\folder\path{,\**}```
To target multiple folders: ```C:\{folder2\path2{,\**},folder\path{,\**}}```
however advised to just run 2 collections...
WARNING: There has been a bug in older versions of Velociraptor that ```\**```
glob path will select all files. PLEASE SCOPE FIRST and use appropriate targeting.
type: CLIENT
parameters:
- name: TargetGlob
default: C:\Path\to\File
- name: NoDir
description: Do not scope folders
type: bool
- name: ReallyDoIt
description: When selected will really remove!
type: bool
sources:
- query: |
LET targets = SELECT * FROM glob(globs=TargetGlob)
WHERE NOT if(condition=NoDir,
then= IsDir,
else= FALSE)
ORDER BY OSPath DESC -- need to order by path to ensure recursive delete works.
LET delete_targets = SELECT *, rm(filename=OSPath) as Removed FROM targets
SELECT OSPath,Removed,Size,Mtime,Ctime,Btime,IsDir,IsLink
FROM if(condition=ReallyDoIt,
then= delete_targets,
else= { SELECT *, FALSE as Removed FROM targets } )