Windows.Vhdx.VirtualClientRunner :: Velociraptor

Windows.Vhdx.VirtualClientRunner

Run the Velociraptor agent using the remapping configuration created. This agent allow to virtually map the VHDX profiles into virtual Velociraptor agents.

Two ways to execute agents exist:

Using native VQL using workers that will be kill once the max execution time is reached.
Leveraging PowerShell Start-Process cmdlet allowing to run the agents in the background and independant from the running artifact.

There is no persistence mechanism to keep the process running after reboot. The artifact need to be re-run to have the virtual Velociraptor agents back.

This artifact is part of the Vhdx Suite. This suite requires to have the Windows.Sys.Users override on the server to work properly.

Read the dedicated blog post before using this artifact.


name: Windows.Vhdx.VirtualClientRunner
description: |
   Run the Velociraptor agent using the remapping configuration created. This 
   agent allow to virtually map the VHDX profiles into virtual Velociraptor agents.
   
   Two ways to execute agents exist:
   - Using native VQL using workers that will be kill once the max execution 
   time is reached.
   - Leveraging PowerShell `Start-Process` cmdlet allowing to run the agents
   in the background and independant from the running artifact.
   
   There is no persistence mechanism to keep the process running after reboot. 
   The artifact need to be re-run to have the virtual Velociraptor agents back.
   
   This artifact is part of the Vhdx Suite. This suite requires to have 
   the `Windows.Sys.Users` override on the server to work properly.

   Read the dedicated blog post before using this artifact.

author: Yann Malherbe - @mirwitch

reference: 
  - https://labs.infoguard.ch/posts/automation_of_vhdx_investigations/

type: CLIENT

implied_permissions:
  - EXECVE
  - FILESYSTEM_WRITE

parameters:
   - name: customLabel
     type: string
     default: "remapped_profile"
     description: "Label to assign to virtual clients (must match label used in Windows.Sys.Users)"
     
   - name: remappingFile
     type: regex
     default: "."
     description: "One or more remapping YAML files to launch."
     
   - name: workers
     type: int
     default: 100
     description: "Number of workers for the native VQL runner."
     
   - name: PowerShellRunner
     type: bool
     default: FALSE
     description: "Choose to run the agent using PowerShell Start-Process cmdlet."

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
        // Retrieve the directory from the running Velociraptor executable
        LET veloInfo = SELECT Exe FROM info()
        LET veloFolderPath = pathspec(parse=veloInfo[0].Exe).Dirname
        
        // Create Writeback directory
        LET copyFile <= SELECT copy(
                filename="",
                accessor="data",
                dest=veloFolderPath + "\\Vhdx\\Writeback\\empty", 
                create_directories=TRUE) 
            FROM scope()

        // Extract username from filename
        LET GetUsername(Filename) = regex_replace(source=Filename, re="\\.yaml", replace="")
            
        // Get the config file paths 
        LET configFiles = SELECT OSPath.String AS RemappingFile,
             "C:\\Windows\\Temp\\velociraptor_Vhdx_Buffer_" + GetUsername(Filename=Name) + ".bin" AS LocalBufferPath,
             veloFolderPath.Path + "\\Vhdx\\Writeback\\Vhdx_" + GetUsername(Filename=Name) + ".yaml" AS WritebackFilename
            FROM glob(globs=veloFolderPath + "\\Vhdx\\Remapping\\*") 
            WHERE Name =~ remappingFile


        // Run the agent using PowerShell Start-Process cmdlet
        LET powerShellAgentRunner = SELECT RemappingFile, Complete, ReturnCode, Stdout, Stderr FROM execve(argv=[
            "powershell", 
            "-ExecutionPolicy", "Bypass", 
            "-NoProfile", 
            "-Command", 
            "Start-Process -FilePath '"+ veloInfo[0].Exe +"' -ArgumentList '--config client.config.yaml --config.client-writeback-windows=\"" + WritebackFilename + "\" --config.client-local-buffer-filename-windows=\"" + LocalBufferPath + "\" --remap \"" + RemappingFile + "\" --config.client-labels=" + customLabel + " client' -WorkingDirectory '" + veloFolderPath.Path + "' -WindowStyle Hidden"
            ])

        // Run the agent using the native VQL
        LET agentRunner = SELECT *
         FROM execve(argv=[veloInfo[0].Exe, 
            "--remap", RemappingFile, 
            "--config", "client.config.yaml", 
            "--config.client-writeback-linux", WritebackFilename,
            "--config.client-writeback-windows", WritebackFilename,
            "--config.client-writeback-darwin", WritebackFilename,
            "--config.client-local-buffer-filename-windows", LocalBufferPath,
            "--config.client-labels", customLabel, 
            "-v", "client"],
              cwd=veloFolderPath,
                     sep="\n") 
         
        
        // Run the agent for each remapping file using PowerShell Start-Process cmdlet
        LET powerShellAgentRunners = SELECT * FROM foreach(
            row=configFiles,
            query=powerShellAgentRunner
        ) WHERE log(message="Running agent using PowerShell Start-Process cmdlet for " + RemappingFile)

        // Run the agent using the native Velociraptor binary
        LET agentRunners = SELECT * FROM foreach(
            row=configFiles,
            query=agentRunner,
            async=TRUE,
            workers=workers
        )
        
        // Run the virtual Velociraptor agent via PowerShell or native VQL 
        SELECT * FROM if(condition=PowerShellRunner, then=powerShellAgentRunners, else=agentRunners)