Linux.Collection.CatScale

This is a simple artifact that leverages Cat-Scale to collect many different artifacts from a Linux host, then uploads the results to the Velociraptor server.

From the project’s description:

“Linux CatScale is a bash script that uses live of the land tools to collect extensive data from Linux based hosts. The data aims to help DFIR professionals triage and scope incidents. An Elk Stack instance also is configured to consume the output and assist the analysis process.”

https://github.com/FSecureLABS/LinuxCatScale

https://labs.f-secure.com/tools/cat-scale-linux-incident-response-collection/


name: Linux.Collection.CatScale
author: Wes Lambert -- @therealwlambert
description: |
    This is a simple artifact that leverages Cat-Scale to collect many
    different artifacts from a Linux host, then uploads the results to
    the Velociraptor server.

    From the project's description:

    "Linux CatScale is a bash script that uses live of the land tools
    to collect extensive data from Linux based hosts. The data aims to
    help DFIR professionals triage and scope incidents. An Elk Stack
    instance also is configured to consume the output and assist the
    analysis process."

    https://github.com/FSecureLABS/LinuxCatScale

    https://labs.f-secure.com/tools/cat-scale-linux-incident-response-collection/

tools:
  - name: CatScale
    url: https://raw.githubusercontent.com/FSecureLABS/LinuxCatScale/master/Cat-Scale.sh
    serve_locally: true
parameters:
  - name: Outfile
    default: collection
    type: string
    description: Name of resultant collection file (will have `.tar.gz` appended)
  - name: OutfilePrefix
    default: catscale_
    type: string
    description: Prefix of collection file (Ex. catscale_ -- useful for parsing the filename later or other identification purposes)
  - name: OutDir
    default: catscale_out
    type: string
    description: Staging directory (modification likely not needed in most cases)
precondition: SELECT OS From info() where OS = 'linux'
sources:
  - query: |
        LET CS <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="CatScale", IsExecutable=TRUE)
        LET TmpDir <= tempdir(remove_last=TRUE)
        Let RunIt = SELECT *, TmpDir + '/' + OutfilePrefix + Outfile + '.tar.gz' AS TarFile
                    FROM execve(argv=[
                        CS.FullPath[0],
                        "-d", OutDir,
                        "-o", TmpDir,
                        "-f", Outfile,
                        "-p", OutfilePrefix
                     ])
        SELECT upload(accessor="file", file=TarFile) AS Upload FROM RunIt