Linux.Triage.UAC #
This artifact is built automatically from the UAC project.
You can download the artifact for manual import into Velociraptor.
The description below explains how to use this artifact in practice.
The artifact generates a list of globs and prepends the device name to each glob. Velociraptor's glob() plugin is very efficient and minimizes the number of passes it needs to make over the filesystem when many glob expressions are evaluated at the same time.
The artifact therefore first traverses all the rules to build one large list of glob expressions, which it then uses to search for candidate files.
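As an added illustration (not the artifact's own VQL), the following Python models the FilterTable, Expand and Collections queries from the export section below: rules are grouped by target, a row whose Ref names another target pulls in that target's rules recursively, and globs matching the slow-glob pattern are dropped when DropVerySlowRules is set. The CSV rows are constructed for the example, SLOW_GLOB_REGEX rewrites the intent of the artifact's "^/**" default as a valid Python regex, and the Ref-cycle guard is this example's addition; the VQL has none.

```python
"""Python model of how Linux.Triage.UAC turns the selected targets into
a glob list: the FilterTable / Expand / Collections queries in the
artifact's export section. Added illustration, not the artifact's VQL;
the rule table below is constructed."""
import csv
import io
import re

# Constructed rows in the Target,Rule,Glob,Ref layout of the embedded CSV.
# A row with a Ref instead of a Glob pulls in another target's rules.
# The Loop_a/Loop_b pair exists only to exercise the cycle guard below.
SAMPLE_RULES_CSV = """Target,Rule,Glob,Ref
Authorized_keys,ssh_keys,/root/.ssh/authorized_keys,
Authorized_keys,ssh_keys,/home/*/.ssh/authorized_keys,
Var_log,logs,/var/log/**,
Var_log,journal,,Journal
Journal,journal_files,/var/log/journal/**,
Deleted,deleted_everywhere,/**/.*,
Loop_a,a,,Loop_b
Loop_b,b,,Loop_a
"""

# The artifact's SlowGlobRegex default is "^/**"; its intent (globs that
# start with /** and therefore walk the whole filesystem) is written here
# as a valid Python regex. The sentinel used when DropVerySlowRules is
# off is the artifact's own: it matches no glob.
SLOW_GLOB_REGEX = r"^/\*\*"
NEVER_MATCHES = r"RunSlowFileGlobs!!!"


def load_rules(csv_text):
    """Group rules by Target, like TargetTable and the memoized Lookup."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table.setdefault(row["Target"], []).append(row)
    return table


def expand_target(table, target, slow_regex, dropped, chain=()):
    """Yield (target, rule, glob) for one target, resolving Ref rows
    recursively (Expand) and dropping slow globs (FilterTable).
    chain is an added guard the VQL does not have: a Ref cycle stops here."""
    if target in chain:
        dropped.append(f"{target}: Ref cycle via {' -> '.join(chain)}")
        return
    for row in table.get(target, []):
        glob = row["Glob"]
        if glob and slow_regex.search(glob):
            dropped.append(f"{target}/{row['Rule']}: {glob}")
            continue
        if row["Ref"]:
            yield from expand_target(table, row["Ref"], slow_regex,
                                     dropped, chain + (target,))
        elif glob:
            yield target, row["Rule"], glob


def collections(table, selected, drop_slow=True):
    """Mirror Collections(): ("Target/Rule", Glob) rows for the selected
    targets, deduplicated like the GROUP BY Rule, Glob. Also returns the
    list of rules that were dropped."""
    slow_regex = re.compile(SLOW_GLOB_REGEX if drop_slow else NEVER_MATCHES)
    dropped, rows = [], []
    for target in table:
        if target not in selected:
            continue
        for t, rule, glob in expand_target(table, target, slow_regex, dropped):
            row = (f"{t}/{rule}", glob)
            if row not in rows:
                rows.append(row)
    return rows, dropped


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_CSV)
    globs, skipped = collections(rules, {"Var_log", "Deleted"})
    for rule, glob in globs:
        print(f"{rule:<24} {glob}")
    for line in skipped:
        print("dropped:", line)
```

Selecting Var_log pulls in the Journal rules through the Ref row, while the Deleted rule is logged and dropped because its glob starts with /**; passing drop_slow=False (the DropVerySlowRules=N case) keeps it.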
Parameters #
MaxFileSize: Sometimes we encounter very large files in unexpected locations (e.g. browser caches). This setting ensures that very large files are not collected. By default the setting is disabled (i.e. we collect files of any size), but it is a good idea to set a limit, as very large files are rarely useful.
UPLOAD_IS_RESUMABLE: This setting controls how uploads are sent from the Velociraptor client to the server. When enabled, the client sends upload information in advance so that, if the collection times out or the client is restarted, the uploads can be resumed.
The setting only has an effect when the artifact is collected remotely from a client (it does nothing for offline collections).
Following these parameters, there are many checkboxes for each possible collection target.
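The following Python, added here and not part of the artifact, models what the "All Matches Metadata" and "Uploads" sources in the definition below do with the expanded globs: each glob runs under RootDirectory, directory matches are descended with a "**" glob, every file is attributed to the rule that found it, and a SHA256 is computed only for files smaller than MaxHashSize that are not under TrustedPathRegex (the artifact's MaybeHash). The file tree and the rule rows are constructed; the actual upload step and the authenticode handling are left out.

```python
"""Python model of the 'All Matches Metadata' and 'Uploads' stages of
Linux.Triage.UAC: run rule globs under RootDirectory, descend into
directory matches, attribute each file to the rule that found it, and
hash files that are below MaxHashSize and not under TrustedPathRegex.
Added illustration, not the artifact's VQL; the file tree is constructed."""
import glob
import hashlib
import os
import re
import tempfile

# Constructed stand-in for a Linux filesystem (contents are not real artifacts).
SAMPLE_TREE = {
    "root/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3-constructed root@host\n",
    "home/alice/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3-constructed alice@laptop\n",
    "var/log/auth.log": b"Jan  1 00:00:00 host sshd[1]: constructed line\n",
    "var/log/journal/system.journal": b"\x00" * 512,
    "usr/bin/ls": b"\x7fELF-constructed-binary",
}

# Constructed rule rows in the shape Collections() produces: ("Target/Rule", Glob).
SAMPLE_RULES = [
    ("Authorized_keys/ssh_keys", "/root/.ssh/authorized_keys"),
    ("Authorized_keys/ssh_keys", "/home/*/.ssh/authorized_keys"),
    ("Var_log/logs", "/var/log/**"),
    ("Installed_applications/bins", "/usr/bin/*"),
]


def build_tree(base, tree):
    """Write the constructed tree below base and return base."""
    for rel, data in tree.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return base


def search_globs(root, rules):
    """Mirror the AllGlobs query: every rule glob runs under root, and a
    directory hit is expanded with a '**' glob so its files are collected.
    Returns {"/path/relative/to/root": rule}, keeping the first rule that hit."""
    found = {}
    for rule, pattern in rules:
        # The artifact's globs are absolute; with root=RootDirectory they
        # are resolved relative to it, which the lstrip("/") models.
        for hit in glob.glob(os.path.join(root, pattern.lstrip("/")), recursive=True):
            if os.path.isdir(hit):
                files = glob.glob(os.path.join(hit, "**"), recursive=True)
            else:
                files = [hit]
            for f in files:
                if os.path.isfile(f):
                    found.setdefault("/" + os.path.relpath(f, root), rule)
    return found


def get_details(root, source_file, trusted_path_regex=r"^/usr/bin/",
                max_hash_size=100_000_000):
    """Mirror MaybeHash: hash the file unless it is under the trusted path
    regex or is at least MaxHashSize bytes; return the Details dict."""
    full = os.path.join(root, source_file.lstrip("/"))
    size = os.path.getsize(full)
    details = {"filename": source_file, "Stat": {"Size": size}}
    if not re.search(trusted_path_regex, source_file) and size < max_hash_size:
        with open(full, "rb") as f:
            details["Hashes"] = {"SHA256": hashlib.sha256(f.read()).hexdigest()}
    return details


def triage(tree=SAMPLE_TREE, rules=SAMPLE_RULES, **hash_opts):
    """Run the whole pipeline against a temporary copy of the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_tree(root, tree)
        matches = search_globs(root, rules)
        return {path: dict(get_details(root, path, **hash_opts), Rule=rule)
                for path, rule in sorted(matches.items())}


if __name__ == "__main__":
    for path, row in triage().items():
        sha = row.get("Hashes", {}).get("SHA256", "(not hashed)")
        print(f"{row['Rule']:<28} {path:<36} {sha}")
```

Because /var/log/** matches the directory /var/log itself as well as its entries, the journal file is reached twice; the first rule to find a path wins, which is what the GROUP BY SourceFile in the Uploads source achieves. The file under /usr/bin keeps its size and rule but gets no hash, and lowering max_hash_size shows the MaxHashSize cut-off.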
Artifact #
name: Linux.Triage.UAC
description: |
  NOTE:
  This artifact was built from [The Velociraptor Triage
  Repository](https://triage.velocidex.com/docs/)
  Commit 0ead1ac on 2026-03-01T01:11:37Z

parameters:
  - name: HighLevelTargets
    description: A shorter list of Meta-Targets
    type: multichoice
    default: "[]"
    choices:
      - _All
  - name: Targets
    type: multichoice
    description: All targets available
    default: "[]"
    choices:
      - _All
      - Acct
      - Addressbook
      - Advanced_log_search
      - Anydesk
      - Apache
      - Apple_notes
      - Apt
      - Ark
      - Aspera_connect
      - Atftp
      - Authorized_keys
      - Aws_ssm_agent
      - Azure_vm_agent
      - Biome
      - Box
      - Brave
      - Cache
      - Chrome
      - Chromium
      - Config
      - Coreanalytics
      - Coredump
      - Deleted
      - Desktop
      - Dev_db
      - Dev_shm
      - Discord
      - Dnf
      - Dolphin
      - Dpkg
      - Dragon_player
      - Dropbox
      - Ds_store
      - Edge
      - Etc
      - Facebook_messenger
      - Filezilla
      - Findmy
      - Firefox
      - Geany
      - Gedit
      - Git
      - Gnome_text_editor
      - Google_drive
      - Google_earth
      - Gvfs_metadata
      - Gwenview
      - History
      - Icloud
      - Imessage
      - Installed_applications
      - Itunes_backup
      - Job_scheduler
      - Journal
      - Kactivitymanagerd
      - Katesession
      - Kde_mru
      - Keychain
      - Knowledgec
      - Known_hosts
      - Konqueror
      - Lesshst
      - Library_preferences
      - Libreoffice_mru
      - Linux_mru
      - Locate_db
      - Macos
      - Macos_mru
      - Macos_unified_logs
      - Microsoft_office_mru
      - Microsoft_teams
      - Nano
      - Netscaler
      - Network_application_usage
      - Networkmanager
      - Nginx
      - Okular
      - Opera
      - Photos
      - Php
      - Pkg_contents
      - Powerlog
      - Qnap_qsync
      - Quarantine_events
      - Rc
      - Rclone
      - Recovery_account_info
      - Relink
      - Rhosts
      - Run_log
      - Run_shm
      - Rustdesk
      - Safari
      - Saved_application_state
      - Security_backups
      - Sessions
      - Signal
      - Skype
      - Slack
      - Solaris
      - Splashtop
      - Startup_items
      - Steam
      - Svc
      - Synology_drive
      - System_version
      - Systemd
      - Tcc
      - Teamviewer
      - Telegram
      - Thinlinc
      - Thunderbird
      - Tmp
      - Tomcat
      - Tracker
      - Trash_info
      - Udev
      - Upstart
      - User_accounts
      - Utmp
      - Var_adm
      - Var_ld
      - Var_log
      - Var_run_log
      - Var_spool
      - Var_tmp
      - Viber
      - Viminfo
      - Vivaldi
      - Vlc
      - Vyatta
      - Wget
      - Whatsapp
      - Wps_office_mru
      - Xdg_autostart
      - Xsession_errors
      - Yum
  - name: TrustedPathRegex
    type: regex
    default: "^/usr/bin/"
    description: |
      Do not hash or upload any adaptive files matching this regex.
  - name: MaxFileSize
    type: int
    default: 18446744073709551615
    description: |
      The max size in bytes of the individual files to collect.
      Set to 0 to disable it.
  - name: MaxHashSize
    type: int
    default: "100000000"
    description: |
      The max size in bytes of the individual files to hash.
  - name: DropVerySlowRules
    type: bool
    default: Y
    description: Ignore inefficient targets
  - name: SlowGlobRegex
    type: hidden
    default: "^/**"
    description: A regex to eliminate slow globs.
  - name: WORKERS
    type: int
    default: "5"
    description: |
      Number of concurrent workers to use for parsing and compressing.
  - name: UPLOAD_IS_RESUMABLE
    type: bool
    default: Y
    description: |
      If set the uploads can be resumed if the flow times out or
      errors.
  - name: PreferredAccessor
    default: auto
    description: The accessor to use.
  - name: RootDirectory
    default: /
    description: The root directory to start searching from (can use a mount point for deaddisk analysis).
export: |
  -- We need to materialize into a scope variable. If this is too
  -- large, VQL will use too much memory keeping these objects alive.
  LET VQL_MATERIALIZE_ROW_LIMIT <= 10
  LET NTFS_CACHE_TIME <= 100000
  LET NTFS_DISABLE_FULL_PATH_RESOLUTION <= TRUE

  // Initialize libmagic before we call it from multiple threads.
  LET _ <= magic(path="", accessor="data")

  LET S = scope()
  LET Verbose <= S.Verbose || FALSE
  LET MaybeLOG(Message, Args) = if(condition=Verbose,
      then=log(message=Message, level="DEBUG", dedup= -1, args=Args),
      else=TRUE)

  // Only enable resuming if the upload() plugin version is recent
  // enough. Earlier versions could lead to crashes in some cases.
  LET UPLOAD_IS_RESUMABLE <= S.UPLOAD_IS_RESUMABLE && version(
      function="upload") > 2

  LET CollectionPolicy <= S.CollectionPolicy || "ExcludeSigned"

  // Helper for VQL targets - try to download the file, but if failed,
  // we return an empty row to record the filename.
  LET TryToDownload(OSPath, Row) = SELECT *,
         Data + dict(Details=GetDetails(OSPath=OSPath) || dict()) AS Data
    FROM switch(
    a={
      SELECT *, "auto" AS Accessor, Row AS Data
      FROM stat(filename=OSPath, accessor="auto")
    }, b={
      SELECT OSPath,
             0 AS Size,
             NULL AS Btime,
             NULL AS Ctime,
             NULL AS Mtime,
             NULL AS Atime,
             "" AS Accessor,
             Row AS Data
      FROM scope()
    })

LET GlobTable <= gunzip(string=base64decode(string="H4sIAAAAAAAC/+x93XPcuPHge/6KqXnkUeRdUnfvsmT7fCt7vZbWSSqXQmFIDAc7IMAFwJHGKt/ffoXGB0EOOZ9Koq2fH6QBuhvdjQ/is9H402z2gGVFdPqlZSR9z8Qi/UKWf5rNrotCp+RJE16SEqmt0qRGuChEyzXlFVpSRhRaSlGjkixxyzRiosCaCp7O8w2WOS7rnDzhotB5Mk89y11OhahrzEu0wMpIausayy3w94wsba7wxnDbxwu0GiQzaZKjE5V13hxMESsZpzyc2VYReTinrZJdTstSEqUWQqzTDzWuSJD6nK9ETfIkzX9VRKo8+Z7f0YXEcptfNw2jtjZm923TCKlzx+iNEOscGKkd/h+JxiXW+CVEeF47QgzQlMCF/KNwkuFFUZYLV/LlBvOClIiJCimCZbFKjagk+8cd++c/fhb//Mf76p9pP5olaQ8bR/5xr/753bLm25KodVoIvqRVK0E7pIhS5leSQsiS8kohVUhCuFoJjYoV1si0by1xsbfyMmzZ90RVTCwwQ32Jhl0hOCcFRPuciS7yMU6RTnuUcCmTrOFVP/kwl/u4JKN52VtQyubKlJapuH3M82u+vR0yt4Xgk7oPionK5ygDApukwcWKpBHNMy4KopRJnqQ2nEGYSCkk6oIA/T7BBQNkNoj/uQOstG5K30E0DSOIC01U+lXQgqCPpBYK+c/DZ+PET6QQdYYN62xjmNaGZ/4lFHh+w0RbdvEsfDWROieo8F6KtpndCK4x5QZXGUDWaQEc809Ck3stJMnU74xq4mXq1DfYRpu/zLTzrLRYuU4nPhQz0rBcrbAkOZZr06AI19BkQtJ3DOsGr6FV3XPcoA2RpvVNfXzQ/zbNbAypOG7GBamGSOy/xdQgEKNKT37hQJ87+tzQA/kYMyaqI9m45jXGxBZ3aFTH87MgB8m6jlwvdTNVLdgg0YoqLeTWkrd6JST9Rkq0Jls1lVCpVY77pK6FPCqkVI1wRbgedLu9/q7G3wTPlapHkrmCDF9loM2TLBTbt1YStPFJsB9DtBTtghG1EgLG7wGvRwz0U2zIEylabcb6QtJGK0R5wVroPJUuiZTQOpUuRas9V7rwXHPZ8is3O8pL8ciZwOWYmGEGDRbo3lBRQw/VSLrBmgBJucgXBm4pxFO6O7YMWk0o6n0dzxvxBH+hqZzG+sRublRaPG74xHeiUp56lHCP4N20Em9IWlJJCi0kPUtxw+JeLPWj6bwgdvVGikdFZP781sy3bSf1jjIyu4f5Y/qBl+SJlLdv0jvT8c1MT4orkt7b8VR9H1cuam2ndoa23vYpO9vXicIotDDk2T5y6FaB7EWyfm5T2lcjZnpZY7lWSXojxJoSlaS37lP0M9w06D4LNO/whhaCqyT937Y7TNI7UVE+u8UaJ+lHUlI8C6hPRD8KuZ5dw3xu9lmSkppK7DCfTX0pTbie3WusSfpZkiWRhBdEpb+0QuOPmOOKyCT9Qky2KK9mmJezT2/vkvSeFK0kcZL7lZC6aLVK0vstL4xWbmj+S/ogmtk91SYbD7JVevYg1sRk5StVVJNydkf5WqV/JYtrZZS6dd9yYkA2gzvV8odqiz8q/YJKv4FZMdQPWtgCR4WBId81bfd/o8BA7avvY+Vc0ugMpxdsc/l5DKNWaSYCgh+hWVQ6Nysp6n9d8VRCVIxcFSDlcIFY8swqlR/LYtAs3kOC3DIZZpW29WRmz1wP5EJWWeGYZ16K097Dp+uuCAls9YX4rd00s9mK8vG2rC77bj7SQgollnpmWB3JeaQpuOLZ2wBqL+uKlNURLSDQZ0aZfIxJpPA7KslSPJ1WGl4z8Y0yhvOl5XEp10EZvzuV60Wtz+Ulc3nJR3M43QRDsl4HMl1APwn+e0ukkGcV/JoKs+p5OX4+9QtwXJfEbxo0jepY2xKNBPwMa+hLWohp7cJwUa6PzoDn
sTIu7ppB9uEPEsisavmhhNCYhNsoiJuSGOTsHi+xpGcWX7eT1O0hWYa5mWSMlXNM9FJqHOT+lW4wKy9j73gcz/XiZrGx/A83DEeYOYXyw8mheWw8ea+BbOJ8wsB92Rq6Nwe4cOm4q8/pY6FdoFw0G3qRTJy5AB4U54/VzyWrn6gm/jMN6Uf1XVp9tK17/cGLrhyOWCq8QF9gsmDb4L9d+R/t75L2Bz3AxDHJc5YgzCgcnWcJYqZ0XEC02oQaKeDILktkkWaBtlCrkkqVZmu1SjOXzqcKaXRhsN8c+pvHfwsE39SK8I1XVBLMMdtqWsCxTm/P/JbiigulaWGLVuVJVghJUEgSmJRt3aTXb7489IwpVCMEy/FC6tkgftU2piVZsK4bAA64wbCGhERrE+8xLiRWqz45KNYRWpsWpc0HU4uyNaDC085zQORJnuQOmXukO9fdz3eDJXDz6ghJjk7H6MIZ4pTRYZGDdGqYQGZ53hJGNClT0RB3XobEEtWY0YKKVpn2UhBlTTFMWbp4zqjSKCRCJbHnV0KqTD9px1qttZg6Ckyy0uId7QaVC39SLluel2STFeViDzZCqlVtsCXZ5GpVu+K6paoQskztDNlUFiMbwsoFeqH95tIKODz+OkLcNNntnjTQTTra/Dmxa4A8SZO815vnLhu56xH6+TxzhufFdptNnm2v0M5nPJoFK4gvx85tUctLIhHRBSr5EjWsrSg3dKjsLaKILvKSL/OOwFkHGL62VfYYdswU6q8xSr68chjLQLBmRXl6oBVYKjT47XF4cUuDvUKbdZWOWLmUzboKx9BApDTWrerR0QXQ5RZlSSWuBEcNw1siDxUG0FpSWYwkf/mSGJMomoV4mlK1tGhLqpCZLsAJeHZ7j8ACBTBvy+rCNWh/m/XCOdtQnXNXDhfux75AJs7sR4al+WMSecEksquI/1Q7+lF9l1SfLmKTHaKLGNwq098XmA0RPvoOF2QhxBrVZmbHq8lefe/36NOamZyzEDQ9ApwZHBgllp4uf06yp5olaeILyeWw43Rcq4zXpIF7I8VvpNDZuyPE8bLepifu+C4hVZbkt2RDC6I6Gzh31nN4/MgGhyz588J9GAtcrNtGeYtYGKWCtkdy31d/7y4T+JLHVYcPpk5R8szxJZQHLkvBVZakXqbyFqlpYXuhEPcWdx2EhOEx+00Jni5ddxUIXI7QkNVSyNqZRQbYmmzNt5XCetsxbIisqc17oGsYLiJWjSRLQ502Umhr/90hrbV7F6UVFzzJfCgitCP4ldryIgnQR7LATaNiO92jS3+3rZ9V1LJc/ij4iYL/N3+VPz6Vc2rsPcF8e2CErAxN7no5AEZJX3wNleQ9sYmTVVJ9jHl9ZQivajdpMwNslP7FdZ2SRnX6nmq0EmLtV/pViMf7BUmeVVTngPBZpd5yHNJUVLvY9O2GUFFUu8ILnIgudlkQXeQBGEiPkjRIxkVNkCZPGpmSEPKYKvINqdpgSTHXE5xevLLG5cJpFCol3ZDURW5NBE3fZzjicBJYvLuH7eVdOXoVWZTrFdaosHYEZgVkehRnf74QrUaYMSSWCNLYqZ1NsgJLQkI4arDUFDO2RUKiQtQNI5qwLTLzE1IiLVAvY0IizLeOmeelLCt3gcKmMiINu1YTiR5XlJE+o+umQY9YIdlybtZsD3G2MFPCbmeMZcqwlkJotBSsJFIh011FUploS9Qqw7Un0m3TItw0F9cNyG/CcsmZ+of1w4vUGNWkVoOctosQFtLtBv4Hsp/kNYXbYsfmW/UyPlGpNsNQ7yWi/FB2YL/fJcIKPRLGzG/MWxKGowYJN1KVv6P6EqXgL5H6qx6LZDbG4f8eLMgBp2GJEiz1Kj1X49lbkzxPsrUfZGKup26c2EN4SLtnJO5kbZYqZO+oYXizVGFctCweCd9Q8nhoruHI3O5pSHXSynvPgN1n7/Zm9hxgurldmiUhVAi16uAljmMkjjCi1ErpNOM9GtWPFXHsSfA4
+s2HksyFOHlMl7SjsbO4D/CJpe6j6H8/Zy5BKdy8zK8dy1gMVPTx3YLt4QZjFq2NFFLa40LzYVuuYbwxHZPtFCWpBYxngdTqdnqeINmtKJSfC+TlIn8uGCVcm681VURuiDRBV641UQpXJMVa42JVE64PFOVHm0Dl112KPiu4Mrz/guMOM5MmdCcfuNKYMVKaYcDnUaVLgRo4CIViouNE87hcVOjnZrlodJ6AOaPROP/AlyIDdi8gciSHfS32FMHJOgHQfddeOzud9Sy/kILQBhjGxDFr3XKikN3fOWc7UiwoI/dbXuRvgAdw/T9igVSxImXLiEwxx4WMPs/IbMBixtJ0V+HjG5JY76eNWI9R7qhhALPgJKKLWR4Tumm8UH0HEzo3MEfaSo6Z82vwm4uF0P+zX9tPuNB0Q/W2trvc5TEjzXqYKJdEiVYW7srzT1gT97UfdT2bC76tRauydZdwh9HLX9aeFlsSVMv2GN2/wG3vW1G0XbfzE9kWK0y59+2xdvHhR+HpVG4P0TJP2OfiZl9DLnu+j8DYMuLikZGyIsXINd8bIcltS3QeqPK1D914C4uIw41gjBQadUSXeiM4JJijlVB6773wdUdmu+tg/Z96K+nDG/G9Bh7M/p9HjzNDXPWON88RO3nh4Jgt712B+7Zfp0WN7OM91czv4SWpIfWzn3jj7iw1Jgp6IJoJRUq3ssEbUnbKROIHik2e6cEn5Pf6BO+ftw3zcHhDpitIN4MO2XBz3JgZaH1kjVjq37C9yXLn5rJT5WjRR5HaIjdlkZ+eDBTsJbOfc7SQV76vi0DeBU1k19PNDeL799HxqRmqgCjNXOD7pETXL54icU/XdKQSRCyXtNg3POzr64DDz8Ahf7aOQtj2qlWkzJ4WhKWSVFRpua1FSZd+epU9Fe24AhcbsLGO4ezg8UBEnEUZmR5gowTn5Za3T3sKepejTSYKDFsK3lywXMBpuCaZH6mA7iMuhDqzHrsjYPg4Su+k5SUZN0IzWq10FiwKTuI+aM939/eg6TvKyB1V2jXw/lk2kTtgW8jQD+/gFC3JAkvwThN/J/9pFWMtWk6X1Dr6Uql1YGQnW+hOVApd39+NTu/BR4piWbmYjcKZqEYReeJOFEak/+oiIPjXXz/cjkouF3nb0lKTJ30UI01rYhbtU8zKYGetck97HGOJC7L5yzF8k8wRd4xT3JZUl7EzHIDExZMuFdmYWXNwHuios4CYualx/lWwtiYqTyJkj1efQ8/UPCaDQSNevB5x5hAz8VZM6OhxIG7lfUMo15d2a+AzuA8uQ3bMk/5dyGktkkyBEVM3/xpTSBNcq8ssjAOz/MEwiyyN94i53Ei7E9tZEIICp9isTSeAkQ7UzoPB9nimjnBbd0rxBYvLyEXVfpl/rLKM8jeet0PT9FMK0x3yXFmmsEg4JPSPVJrHZu9CU/9hqU6b/O8V/MdqpxNXM8azKV6qwZpRK1y0mRLzRyrIQxlSx16cP7b0jhD0x2qIrJumfMJcTC3qOeai54DxE9GqwIzINLpMxj0QcYWqlqbzPIByC/KyxpJvsIxYMFEFl88dF4AeYrJpfMJNs0vsJn3jTh+XDKtVzlVkO+M2iOIJIGrhhMhMln41oVHvg8gntCRRE0Mm4T7DhJV4RJj3JCrCS7BDMCsXuiHWoSsSGyLhqI1bYYM59yOVhBGlQkP31uEqD8o7O7MDeeVEt686qw5amnWGV3Yka+70IY2uLjmMM9m3xBXlTz1HvknsyTeJXfkmkS/fZOjMd4cRNwDXJn9etwzL1P6MNMj93YSAZG7z8BAr9OInIWPig2FFZAtS+mOO4cmyaAgnpalnyjWRGKyZHqleOQsUlxccOKANJY9EoqWQ6Kfbt0fsPyZOy7wUhdGrX+7/Vm3Rv8D+cjxzDZH4Miv/xDruueza1o4elw+MpzsfOuRw6CWyeOa81xfyjztNF9xpimrgVTavH5V7QeV+Xgktps5wP9NCt5Ko3FL5w56s
gSjzO1gQ6zmH/7ya9DPerPpexj+vK5i6gDVRZzXT4GKNK6Ji4yC3wdmsK3uLLp559Ni4xEjjBSNILAOmZ5Nh+DTtglG1IjJPTPxkVtEH8YnoN/e36H/8d+vQAGsiezrP4PofCF1XZiGa/7ebnz89vP30cG/FikcimahSLIsV3ZCp/d3G0YWO7w3WmsjtHV2S/NqmVXmSfb67/+Uuq771mZ/D9KaVknDteVjOtqJ/MV/+72rLi6n6/iXsax+mjacVv3y6/pxHiVssMdeUE2Q3mU/c3LUnEne45cXqnkh7K7Bj+hZ4fv0zyPpS7LNpcLOxLwUTnBww4JRAZOlJYSbXW2+sC9N0k3ywj/4ZNnx1/nxd1pQbjj5lZ/KV3shto4VBdsDvTgyjfO0vm9qilADL10Rywlws7Ex+2WvEIQFrCVtu5t+GUrYc5tlJQDg3HwbRufn40ioNz3t00/pjNvRNsvBCyPE8+ofi04xOegvlKy2JGHCy7gSPtyTxmbPpkvzZDTze+6iQ9ewrZi1xM54B/yOmPnscLw5OG4IO160W7yhjN0JKd70qST3wl5aG4wYAmtVkEcZZa8aXrXTN0jf9w4l0KN83WCbaclQmYLoZIlieAuwBL2BEh+72DRPFmkgzrlI42gpjvRNwG26x2XjE0QK6MR4r7aaYDvWZSDOWRl2GGaHtGfYNmLsYXRyxzRYAjKoPooFxOP4GT6/Af3m1/Fcsf2fhc9wHBKQu9aZvRovAPCc9VIMbUs56axAw6nmGu3AwBX2kvBSPPh82hhLAOb3NFJDqLfKGZW7+4KL5c5I5K1wfyNQK//l//q80yQo7Rnchh/Kc7ZJqyrY/ybwxZwiBm7K+Fd09rThmsfk3uujc0fLLI34ZF9SsCo8Qd/lSxPI/bF6jgC7bQ25v1AH+yp3o5MlYvtzA6HL2EoXXndXuMn39RRQfy3r97UHeb0rwM09kXMkMj9Qm+L/2QprIxqVv8LhCUr+zvFz01m6jAl57KY3n4YJDfVc+4TxqyPH1f1vRqdP9etuQKW97lxzaAePZUkjvUvAE53h7lbq8eJVhvxSSUd4+Hd5wAvLsBm4/7SlkQ3VyHi/9VveVd+fiZ0zWqy7GSHWGi/WFw6FhEY+GQ5Yv8MEalkcUgSHLpoltCYC6gwHQqnyhNZItiDEbpDH+r7NUhhZGTvNL7IpssUyZ2+wIeI3lsl/5C/t0Wz7TdkEjQl5n29ln9eMyIS5rRD2DmD7L11gk4+peZLXTlcMk09fZOOI5ESjtHARd9tU4JlNsX2dROBV9aQiGJVUpw0qbxjxwUuuuQpV17gh6idSm6I1YkGJTRFvEnrLVdfMUM7d2QvlGMKwpIzkQ9JI8kkVLd9gDtFednnwooa/+Y8e/YVittGjS+4d7uOl+F12PPrUdeGZJHnMbCIrGF5MP0ehcdQkja6guSWfMjyScGY6/kbrrs73TaMBx7J3VA1kyImYXFEnw+zOuxaAcQuvSWOq2sf5Q0uvKbgCNGpSFsoDjHUsaLiiMIU8VsO/IYj/bW0xqwY9T3NFOaO6wIzJ87ANcytwvydEC6Qgr8NLmXNB0h7HW+kavCHJHZ8ieZIMJzlLimozYipWL6DDiqSkyBtkoc5BhbwUl0ZWGe01wncJ/dPLZymgLNKz8RdCVrpl90GjKHKVvdnKWNr0jqBcXf+4YNaHHD7OJfWYTsY3EiZVxVCv4UfqnlT7eYI0lapxFyqklb5N3TwWewPTob2tcRoVrgqDKjtZZwX+TUJ3A6LCe43xpbWaqwU8IEsu45+ddGBKeKxs3jW35zmpoWEwvocVIUR4Se8lGCwjoFkHH8BvRcMCgbpmmDSPHT0QyqNbZkeKSbFMuL5J3uEwiGZsixZwuSXTVH9692RR57RCzsF7wkJCU6JUokXJzDmVmKrtsgMgm2XLBRLV17vo674u8tNbt+0rRJwZHdnnw1HYJz70ldZS4S5pnT0CYVJ/EP5tiApc7vPe5zoapO06X
xBtZOdxXSxzP99xrSOMNj+jCv4406z2VZH+tMV0En0XO9SfJd7AtvN3d4ZxP1h3sLryXBa80mD/1BPfIGiKtx8Zelg/sv/vsHXQkawnHBWqJuaJmtq5pTaTX1eDyJKgcqMAgoBANAXMAqMc0ySDp954AIIJvYSABjRXJGfzdpHiUnUdCioeiSA+saLvVyMPNTf5wE5wZubRne4QYsiO4tvcSouNCuDflHKMYMQffO47rVgeOsDwGjtHGfiSQ+7tF1t8Kd2Y+x5reGU5fgVP+fBMlp7wQNeVVpp+0N9JFnValUQWcb2MzkVqTLQA6bgm6s2pb+NfEeZvzUTcbNdHvJ2bJ3/mJy+jV6O5mvt1FLjMvB+/AgT1qJOUa/SYW6qhHLqIq0htIG47RXljwZBM8R64754XraJEOxQrrk6WbRKZCgOe/Vot9hT+lBiOVxPUZPYpPGg53majCzn3ge/5uclyinp0TddgMQbsE/nHAfddeLWWwRehlY0U5o7xIv95/RNbDKMKVGTdMLv5KFgjsnqnSbkLwgWsil7ggww/+WbNHsuguCaY2XtYQ2aga2PqIc2bafaReD+vwFJiPeKnaNznSjkWfn8vTOBvR6NwnC4/+DJOaUdsbKUd57qXtj30r8Kq/oLJMI0+r6EONm4+YMsgXBI6YS0bM8uck9twK5g6eJ0Rs4Ps5SlxwKKI7SbOjn854OJDIttwXyHu/4k2eIq/qJ5d/RjlN3YDzQGuS9N/RcI7zztHiD1AB52Z+7Pb0KaWOF0Ksw2shFRMLzK6cx2J11ZmaDd4sOVKR11/wl+W/hqtfOryp6wD+aCBCiLrA1sVhfO87uum90ropr+J74BbSXQBPC6wxoxxnonXW3w8SF+s9z2HCdpC2RH/J7Vz6ObluSyrAojwJPmNt9B14LwY3sBD3l+Js7F4s9SOWxMbguggEa6Jx5zr7QWK1Cjd+Do7Nhjo31NaBl1qZMDD6tSSbFJ5KaUuyyWXLjCKuQH9tYIvEO194pCVBDoamV9mUUz2D0FNZ5a2lj5e9DtQfc7wsu6Rxo9V+YXtWuU6E5QyOwJyndecZzjteP+mb9olCIOnZiPbljD/gYHIX31JnoqrcUw72AYYaFz/fd37asYJrRRsiY2fuimhNeaUGPi+HftuUbQNclETlt2SJW6ZhiW7Wet2+ya/aflD+weVW19al9lcsES5rj8Olv4dlEKwMDhLKDiiq1GlhH6m2J/9jPveSXqIB8S6R7C6LeT37BOA+O439ce+iYh36JFERdP1JhIhTRgR0QaTf9D9zWw14fL7Jk/wa+KhJ3hf0807IYYuPjSG05NN9OxBNKHypaaovjmdnlGa6PqtU6PvGBL2ysjmovV619YJjytTl7eYh8OrVxFDEq2s+I3rX+0a0jUU70g1mJb3MY4ZjcqE/iRFVzn1pd2NZHVPOQJi9bA7ObolOiR9H0Bf4TehVwr+/Af2ou0vqjhUH7u1vWHF4gbUxk32Gefb17mZP98kK83f1u76ifiurezby6xZr+4iUaHS+gRjMxSNrwL9WZNIR/GNF9NXKX9H/6wprhZsmdbt6xwxW76Vom1l0g7wygIwTnT06dhnwvW4a51S7L+uiaxuec3RzIzC+0KI9sJ42av9ro4536LtTUEn22CjnRd25PDeS4KjAP345kHCxJfBPZh0hlvpwl/HYqOyQH/jHRl15N/CWFuSkIy7hzdeOJcFZsXQ7qH8rK4RbLXbXnH+7fd9hemtNs8IMmHiNGYAjrO0SsyEFXdJigvmeIovkHXzv5hItEBcaXp9EYgl4pTEvsSzRotVmJVmixXaPT7WhuleqkLRxX/bf/BIbtj4m3XU8OTK7Q2KT/r2tx87Y3UusRBdo29aoYW1FuaFDZe9s0lTbtq3zjiArA1+rYo9hqyRidBEx7V818Of227a+cnhgh64ZS6+LQqfzOfwGWFlKotRCiDWgumhHscHwOJpZktq3gS3lDjik4FvwBWKobDBg
GnDKYRAQ6uANI6aKTXObx9GOwqredJpLK0F23FVDJPbHmIDsQQKdXuoG0CYQoK1eCUm/kRKtydbq0QcFykeFlKrtyQrQxYBA9a2VBG1ish7E072hooYigUCAiieAiacAkXhj6UzAQ298gd7E5Xmzko6pDfXgtK0DhrZ1wEErBgyEOrgkmGO21bRQFh0BYqqyrRtPYMIed2vf3jQoF+wwMJJaDAQ7zAaVC4swoRiuVrVHqFXQ/5aqQkgrxQYDhi8BypcBIlizohygNhgwzRrKwPwGmMQVvKmCt0QCMgZ0VKJZ2FpzwYBxr5QCyoU97m1ZAdz8BpguAKQLD3mHC3BUj2qiFOGVVWMXGugpI7A/DWQ+0mF5WW8tyoQ6uH1SHRAQ9Bj7/vZ8bgMdtKTaQksa2vN7B4sgOw8uG/wQGKjjR2ENYRQf0NgHSTsaiAea3kOihigGBCr/6qchcGGP8092zuc+6DHudcr53IUC3L+8aDAuHHATbxbOJzAhXe+FQEMeAzxV/4W8+bwP6Kjsc3iAh6DH7D6IN5/vAjvq7oE6oAvRQOHekjNYGwwY/8CbQblwwHUvrhlsiMV4/zCaI3DRQBGeoDJ4H/FY//DTfO6DATPy0pKh2gXHKeJXiRx1BOoo/Ys+QOMiARse7jFYH/FY+3zHfG4DPajnGCJ9bO+Jk0AWQwP92PsbJsUIfDeN9SDeIweQpwSn3PM5/AZYcGVtED4SYSdcOFvqceQgtfeS3CVxkEAHfo0N2gQ81DnWnc9dKMDBTacBm4CHOv+O87kLdfDGAsP32XN7aFBRPNB4N4IG78IeF7n3m8+jWMDvePAzZEOgp/4CXL4UXRzc7QHMhAJ81K2eIRtDdKnASx6QmVCAhw/3S++b9b7vDMIGY4wb7V2wwziHc4CyYY9zHqrmcxfq4OO+p4BwFBVSDn1HmSQDWEfrPDwBjQ0HnPVzYjAQCnDwLmHAJhCgcNvVQE0gQN1dTAO3wYAJFwANzkcCtncVzVDEgI6K4NpiCQ6lfb+BBnO/CS1mYOpskD1IR9ezZga6GNKnKzuCMNY8FCD7oQiyI1s0gwixDu+MuQBrwwHnzYEMzoU7XGdcAOgQDRR2gvvQzW3dMbsBQijA3Tm5QdhghPGn1RbpYh4Ph9DzOfwGmDsPNmAbDJjeOavBx4BApa3i5tfD/IHmfO6DMYaVHsHKHtx+py4YY2T3FUfRmMIePTo8RGKsU9EFAwaObwzcBDpo7QvQBTuM3TkGDAQDhkGlf2Whvt32oAFCyMNhS3A+h98A8/tmBu7CAdffhjIUPYin6295zOd9QKAabEYYuj7IU/7dLuT+3tZ/+v8BAAD//7G/sauuvAAA"))
  LET SlowGlobRegex <= if(condition=S.DropVerySlowRules,
      then=SlowGlobRegex, else="RunSlowFileGlobs!!!")

  -- Group the targets for faster searching.
  LET TargetTable <= SELECT Target,
         enumerate(items=dict(Rule=Rule, Glob=Glob, Ref=Ref)) AS Rules
    FROM parse_csv(accessor="data",
                   filename=GlobTable)
    GROUP BY Target

  // Build a lookup cache on target.
  LET Lookup <= memoize(query={
      SELECT * FROM TargetTable
    }, key="Target")

  -- Extract all rules within the required target. Uses the memoized
  -- structure above.
  LET FilterTable(Required) =
    SELECT Required AS Target, *
    FROM flatten(query={
      SELECT * FROM foreach(row=get(item=Lookup, field=Required).Rules)
    })
    WHERE if(condition=Glob =~ SlowGlobRegex,
             then=log(level="INFO",
                      message="Dropping rule %v/%v because it is too slow: %v",
                      dedup=-1,
                      args=[Target, Rule, Glob]) AND FALSE,
             else=TRUE)

  LET Expand(FilteredTable) = SELECT * FROM foreach(
    row=FilteredTable,
    query={
      -- If there is a reference, resolve it from the table recursively.
      SELECT *
      FROM if(condition=Ref AND MaybeLOG(
                 Message="%v/%v: Resolving Ref %v",
                 Args=[Target, Rule, Ref]),
        then={
          SELECT * FROM Expand(
            FilteredTable={
              SELECT * FROM FilterTable(Required=Ref)
            })
        }, else={
          SELECT Target, Rule, Glob FROM scope()
          WHERE (Glob && MaybeLOG(
                   Message="%v/%v: Glob is %v",
                   Args=[Target, Rule, Glob])) || TRUE
        })
    })

  -- Collect all the top level targets that the user selected.
  LET Collections(Targets) = SELECT Target + "/" + Rule AS Rule, Glob
    FROM Expand(FilteredTable={
      SELECT Target,
             Rules.Rule AS Rule,
             Rules.Glob AS Glob,
             Rules.Ref AS Ref
      FROM flatten(query={
        SELECT * FROM TargetTable
        WHERE get(item=Targets, field=Target)
          AND MaybeLOG(
                Message="Collecting target %v, Rules: %v",
                Args=[Target, Rules.Rule])
      })
    })
    GROUP BY Rule, Glob

  // In ExcludeSigned and HashOnly we don't upload signed binaries.
  LET ShouldUploadSignedBinary <= dict(
      ShouldUpload = NOT CollectionPolicy =~ "ExcludeSigned|HashOnly")

  // In HashOnly mode we never upload anything.
  LET ShouldUploadAnyFile <= dict(
      ShouldUpload = NOT CollectionPolicy =~ "HashOnly")

  LET DoNotUpload <= dict(ShouldUpload=FALSE)

  // Determine if we should upload the file based on signature.
  LET ShouldUpload(Details) = if(
     condition=OSPath =~ TrustedPathRegex AND
           MaxFileSize > 0 AND Details.Stat.Size > MaxFileSize,
     then= Details + DoNotUpload,
     else=if(
        // What to do about binaries? If they have an issuer name then
        // they are signed.
        condition=Details.Signatures.IssuerName,
        then=Details + ShouldUploadSignedBinary,
        else=Details + ShouldUploadAnyFile))

  // If the file is a binary, also add authenticode information.
  LET MaybeBinary(OSPath, Details) = ShouldUpload(Details=if(
     condition=Details.Magic =~ "PE.+executable",
     then=Details + dict(Signatures=authenticode(filename=OSPath)),
     else=Details))

  // Hash the file if it is not too large.
  LET MaybeHash(OSPath, Details) = if(
     condition=NOT OSPath =~ TrustedPathRegex AND
         Details.Stat AND Details.Stat.Size < MaxHashSize,
     then=Details + dict(Hashes=hash(path=OSPath),
                         Magic=magic(path=OSPath)),
     else=Details)

  // Calculate the details column with hashes and magic.
  LET _GetDetails(OSPath) = MaybeBinary(
     OSPath=OSPath,
     Details=MaybeHash(
        OSPath=OSPath,
        Details=dict(filename=OSPath,
                     Stat=OSPath && stat(filename=OSPath))))

  // Cache the hashing for speedup.
  LET GetDetails(OSPath) = cache(
     period=100000,
     func= _GetDetails(OSPath=OSPath),
     name="GetDetails", key=OSPath.String)

  // Extract the binary from the command line.
  LET ExpandPath(Path) = expand(path=Path)

sources:
  - name: SearchGlobs
    notebook:
      - type: none
    query: |
      LET Targets <= to_dict(item={
        SELECT _value AS _key, TRUE AS _value
        FROM foreach(row=Targets + HighLevelTargets)
      })

      LET AllCollections <= Collections(Targets=Targets)
      LET GlobLookup <= memoize(query=AllCollections, key="Glob")

      LET _ <= MaxFileSize > 0 && MaybeLOG(
          Message="Limiting file acquisition to MaxFileSize %v bytes (%v)",
          Args=[MaxFileSize, humanize(bytes=MaxFileSize)])

      SELECT * FROM AllCollections
      --WHERE Glob

  - name: All Matches Metadata
    query: |
      LET AutoGlobs = SELECT * FROM AllCollections
        WHERE Glob

      // UAC globs may be directories in which case we fetch all the files in them.
      LET AllGlobs = SELECT Type,
             Size,
             OSPath AS SourceFile,
             Btime AS Created,
             Ctime AS Changed,
             Mtime AS Modified,
             Atime AS LastAccessed,
             Data,
             get(item=GlobLookup, field=Globs[0]).Rule AS Rule,
             PreferredAccessor AS Accessor,
             dict(Globs=Globs) AS Data,
             "Glob" AS Type
        FROM foreach(row={
          SELECT *
          FROM glob(globs=AutoGlobs.Glob,
                    accessor=PreferredAccessor,
                    root=RootDirectory)
        }, query={
          SELECT * FROM if(condition=IsDir,
            then={
              SELECT *
              FROM glob(globs="**", root=OSPath,
                        accessor=PreferredAccessor)
            }, else={
              SELECT *, Globs
              FROM stat(accessor=PreferredAccessor, filename=OSPath)
            })
        })

      LET AllResults <= SELECT Type,
             SourceFile,
             Size,
             Created,
             Changed,
             Modified,
             LastAccessed,
             Accessor,
             Data
        FROM chain(async=WORKERS > 0,
          Globs=AllGlobs
        )
        WHERE log(level="INFO", message="Found %v for rule %v", args=[
                  SourceFile, Rule], dedup=10)

      SELECT * FROM AllResults

  - name: Uploads
    notebook:
      - type: vql
        template: |
          // This cell generates other cells to preview the collected
          // data. DO NOT recalculate this cell - each time new cells
          // will be added. Instead delete the notebook and allow
          // Velociraptor to recreate the entire notebook.
          LET ArtifactsWithResults <=
            SELECT pathspec(accessor="fs", parse=Data.VFSPath)[4] AS Artifact ,
                   pathspec(accessor="fs", parse=Data.VFSPath)[-1][:-5] AS Source ,
                   stat(accessor="fs", filename=Data.VFSPath + ".index").Size / 8 AS Records
            FROM enumerate_flow(client_id=ClientId, flow_id=FlowId)
            WHERE Type =~ "Result" AND Records > 0

          LET _ <= SELECT notebook_update_cell(notebook_id=NotebookId, type="vql",
            input=format(format='''
          /*
          # Results From %v
          */
          SELECT * FROM source(source=%q)
          ''', args=[Source, Source]),
            output=format(format='''
          <i>Recalculate</i> to show Results from <b>%v</b> with <b>%v</b> rows
          ''', args=[Source, Records])) AS NotebookModification
          FROM ArtifactsWithResults

          /*
          # Results Overview
          */
          SELECT Source, Records FROM ArtifactsWithResults ORDER BY Source

      - type: vql_suggestion
        name: Post process collection
        template: |
          /*
          # Post process this collection.

          Uncomment the following and evaluate the cell to create new
          collections based on the files collected from this artifact.
          The below VQL will apply remapping so standard artifacts will
          see the KapeFiles.Targets collection below as a virtual
          Windows Client. The artifacts will be collected to a temporary
          container and then re-imported as new collections into this
          client.

          NOTE: This is only a stop gap in case the proper artifacts
          were not collected in the first place. Parsing artifacts
          through a remapped collection is not as accurate as parsing
          directly on the endpoint. See
          https://docs.velociraptor.app/training/playbooks/preservation/
          for more info.
          */
          LET _ <= import(artifact="Windows.KapeFiles.Remapping")
          LET tmp <= tempfile()
          LET Results = SELECT import_collection(filename=Container, client_id=ClientId) AS Import
            FROM collect(artifacts=[
              "Windows.Forensics.Usn",
              "Windows.NTFS.MFT",
            ],
            args=dict(`Windows.Forensics.Usn`=dict(),
                      `Windows.NTFS.MFT`=dict()),
            output=tmp,
            remapping=GetRemapping(FlowId=FlowId, ClientId=ClientId))

          // SELECT * FROM Results

    query: |
      -- Upload the files. Split into workers so the files are uploaded
      -- in parallel.
      LET uploaded_files = SELECT *
        FROM foreach(row={
          SELECT *
          FROM AllResults
          WHERE Size > 0
          GROUP BY SourceFile
        },
        workers=WORKERS,
        // Do the heavy lifting in a thread
        query={
          SELECT * FROM foreach(row={
            SELECT GetDetails(OSPath=SourceFile) AS Details
            FROM scope()
          }, query={
            SELECT timestamp(epoch=now()) AS CopiedOnTimestamp,
                   Created,
                   Changed,
                   LastAccessed,
                   Modified,
                   SourceFile,
                   Size,
                   Details,
                   if(condition=Details.ShouldUpload,
                      then=upload(file=SourceFile,
                                  accessor=Accessor,
                                  mtime=Modified)) AS Upload
            FROM scope()
          })
        })

      -- Separate the hashes into their own column. MaybeHash stores them
      -- under Details.Hashes, so that is the key read here.
      SELECT CopiedOnTimestamp,
             SourceFile,
             Upload.Path AS DestinationFile,
             Size AS FileSize,
             Details.Hashes.SHA256 AS SourceFileSha256,
             Created,
             Changed,
             Modified,
             LastAccessed,
             Details,
             Upload
      FROM uploaded_files

    column_types:
      - name: CopiedOnTimestamp
        type: timestamp
      - name: Data
        type: json/1
      - name: Details
        type: json/1