This is a simple artifact that leverages Cat-Scale to collect many different artifacts from a Linux host, then uploads the results to the Velociraptor server.
From the project’s description:
“Linux CatScale is a bash script that uses live of the land tools to collect extensive data from Linux based hosts. The data aims to help DFIR professionals triage and scope incidents. An Elk Stack instance also is configured to consume the output and assist the analysis process.”
https://github.com/FSecureLABS/LinuxCatScale
https://labs.f-secure.com/tools/cat-scale-linux-incident-response-collection/
name: Linux.Collection.CatScale
author: Wes Lambert -- @therealwlambert
description: |
This is a simple artifact that leverages Cat-Scale to collect many
different artifacts from a Linux host, then uploads the results to
the Velociraptor server.
From the project's description:
"Linux CatScale is a bash script that uses live of the land tools
to collect extensive data from Linux based hosts. The data aims to
help DFIR professionals triage and scope incidents. An Elk Stack
instance also is configured to consume the output and assist the
analysis process."
https://github.com/FSecureLABS/LinuxCatScale
https://labs.f-secure.com/tools/cat-scale-linux-incident-response-collection/
tools:
- name: CatScale
url: https://raw.githubusercontent.com/FSecureLABS/LinuxCatScale/master/Cat-Scale.sh
serve_locally: true
parameters:
- name: Outfile
default: collection
type: string
description: Name of resultant collection file (will have `.tar.gz` appended)
- name: OutfilePrefix
default: catscale_
type: string
description: Prefix of collection file (Ex. catscale_ -- useful for parsing the filename later or other identification purposes)
- name: OutDir
default: catscale_out
type: string
description: Staging directory (modification likely not needed in most cases)
precondition: SELECT OS From info() where OS = 'linux'
sources:
- query: |
LET CS <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="CatScale", IsExecutable=TRUE)
LET TmpDir <= tempdir(remove_last=TRUE)
Let RunIt = SELECT *, TmpDir + '/' + OutfilePrefix + Outfile + '.tar.gz' AS TarFile
FROM execve(argv=[
CS.FullPath[0],
"-d", OutDir,
"-o", TmpDir,
"-f", Outfile,
"-p", OutfilePrefix
])
SELECT upload(accessor="file", file=TarFile) AS Upload FROM RunIt