Windows.Vhdx.VirtualClientRemover

Kill the Velociraptor agent used for the VHDX profiles virtual host.

This artifact is part of the Vhdx Suite. This suite requires the custom Windows.Sys.Users override to be present on the server in order to work properly.


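name: Windows.Vhdx.VirtualClientRemover
description: |
   Kill the Velociraptor agent used for the VHDX profiles virtual host.

   This artifact is part of the Vhdx Suite. This suite requires to
   have the custom `Windows.Sys.Users` override the server to work properly.

author: Yann Malherbe - @mirwitch

reference:
  - https://labs.infoguard.ch/posts/automation_of_vhdx_investigations/

type: CLIENT

# The query spawns taskkill (EXECVE) and removes files under the Vhdx
# folder (FILESYSTEM_WRITE).
implied_permissions:
  - EXECVE
  - FILESYSTEM_WRITE

parameters:
  # Used as a regex against the command line of every process whose name
  # matches "Velociraptor"; keep it specific so that only the virtual-host
  # client is matched. Each "\\\\" in this double-quoted YAML string becomes
  # a regex "\\", i.e. one literal backslash.
  - name: RemappingFile
    type: string
    default: "\\\\Vhdx\\\\Remapping\\\\"
    description: "Specific remapping file or directory to target."

  # Both switches are off unless set: with neither enabled the artifact only
  # reports the processes and files it would act on.
  - name: RemoveConfiguration
    description: "If enabled, deletes Vhdx folder and its subfolders."
    type: bool

  - name: ReallyKillProcess
    description: "If enabled, terminates running Velociraptor processes."
    type: bool

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
        // Candidate processes: name matches "Velociraptor" and the command
        // line matches the operator-supplied RemappingFile regex. The client
        // running this collection is excluded explicitly so that a broad or
        // empty RemappingFile cannot make the artifact kill the collector.
        LET targets = SELECT Name AS ProcessName, Exe, CommandLine, Pid
            FROM Artifact.Windows.System.Pslist(ProcessRegex="Velociraptor",
                                                CommandLineRegex=RemappingFile)
            WHERE Pid != getpid()

        // Force-kill each target together with its child processes (/T /F).
        // Success is judged on taskkill's exit code rather than on its
        // "SUCCESS:" banner, which is localized on non-English Windows and
        // would otherwise report Killed=FALSE after a successful kill.
        LET kill_targets = SELECT * FROM foreach(
          row=targets,
          query={
             SELECT ProcessName, Exe, CommandLine, Pid,
                 dict(ReturnCode=ReturnCode, Complete=Complete,
                      Stdout=Stdout, Stderr=Stderr) AS Execve,
                 if(condition=ReturnCode = 0,
                    then=TRUE,
                    else=FALSE) AS Killed
             FROM execve(argv=["taskkill", "/PID", Pid, "/T", "/F"])
          })

        // Locate the Vhdx folder next to the running Velociraptor executable.
        // NOTE(review): strip(suffix=" ") looks like a coercion of the Dirname
        // value to a plain string — confirm it is still needed.
        LET veloInfo = SELECT Exe FROM info()
        LET veloExe = SELECT * FROM glob(globs=veloInfo.Exe)
        // DESC ordering lists deeper paths first, so entries are removed
        // before the directories that contain them.
        LET vhdxFolder = SELECT * FROM glob(
            globs=strip(string=veloExe.OSPath.Dirname.String, suffix=" ") + '\\Vhdx{,\\**}')
            ORDER BY OSPath DESC

        // log() returns TRUE, so every row is kept and each removal is logged.
        LET deleteVhdxFolder = SELECT *, rm(filename=OSPath) AS Removed
            FROM vhdxFolder
            WHERE log(message="Removing " + OSPath)

        // Materialized (<=) so the removal runs even though its rows are not
        // part of the final result; the log() lines are the only record of
        // what was removed. Named distinctly from the RemoveConfiguration
        // parameter it reads, and its else branch uses the same "Removed"
        // column as the delete branch.
        LET removal_results <= SELECT * FROM if(condition=RemoveConfiguration,
            then=deleteVhdxFolder,
            else={SELECT *, FALSE AS Removed FROM vhdxFolder})

        SELECT *
        FROM if(condition=ReallyKillProcess,
                then=kill_targets,
                else={SELECT *, FALSE AS Killed FROM targets})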