Server.Enrichment.Strelka.FileScan :: Velociraptor

Server.Enrichment.Strelka.FileScan

Submit a file to Strelka for analysis using strelka-oneshot.

For more information about Strelka and strelka-oneshot, see:

https://target.github.io/strelka/#/?id=strelka-oneshot

This artifact can be called from within another artifact (such as one looking for files) to enrich the data made available by that artifact.

Ex.

SELECT * from Artifact.Server.Enrichment.Strelka.FileScan(FileToScan=$YOURFILE)

NOTE: The default time to wait for scan results is set to 60 seconds. This timeout can be changed by altering the value for the StrelkaTimeout variable.


name: Server.Enrichment.Strelka.FileScan
author: Wes Lambert -- @therealwlambert, @weslambert@infosec.exchange
description: | 
  Submit a file to Strelka for analysis using `strelka-oneshot`.
  
  For more information about Strelka and `strelka-oneshot`, see:
  
  https://target.github.io/strelka/#/?id=strelka-oneshot
  
  This artifact can be called from within another artifact (such as one looking for files) to enrich the data made available by that artifact.
  
  Ex.
  
    `SELECT * from Artifact.Server.Enrichment.Strelka.FileScan(FileToScan=$YOURFILE)`
  
  NOTE: The default time to wait for scan results is set to 60 seconds. This timeout can be changed by altering the value for the `StrelkaTimeout` variable.
  
type: SERVER

tools:
  - name: StrelkaOneshot
    url: https://github.com/target/strelka/releases/download/0.21.5.17/strelka-oneshot-linux

parameters:
    - name: FileToScan
      type: string
      description: The file to submit to Strelka
      default: 
    - name: StrelkaURL
      type: string
      description: String comprised of `host + ':' + port` of Strelka frontend
      default: StrelkaFrontend:57314
    - name: StrelkaCerticatePath
      description: Path of certificate to use for authentication
      default:
    - name: StrelkaTimeout
      description: Timeout for file scanning
      type: int 
      default: 60

sources:
  - query:
        LET StrelkaFrontend = if(
           condition=StrelkaURL,
           then=StrelkaURL,
           else=server_metadata().StrelkaURL)
        
        LET CertPath = if(
           condition=StrelkaCerticatePath, 
           then=StrelkaCerticatePath, 
           else=if(condition=server_metadata().StrelkaCertificatePath, then=server_metadata().StrelkaCertificatePath, else=""))
        
        LET StrelkaOneshot <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="StrelkaOneshot", IsExecutable=TRUE)
     
        LET ScanResults = SELECT *, parse_json(data=Stdout) AS Content 
                          FROM execve(argv=[    
                            StrelkaOneshot.FullPath[0], 
                            "-f", FileToScan, 
                            "-s", StrelkaFrontend,
                            "-c", CertPath,
                            "-l", "-",
                            "-t", StrelkaTimeout])
        
        SELECT 
            { SELECT Mtime FROM stat(filename=FileToScan)} AS Mtime,
            FileToScan AS File,
            Content.file as FileDetails, 
            Content.request as RequestDetails, 
            Content.scan as ScanResults 
        FROM ScanResults