Upload tool and artifact collection from cli

[Paolo Leoni Work]

Hi everyone, 

I need to upload a tool binary and a collection of artifacts definitions from the cli.

How can I do?

About tool binary, I'm trying this command (without success):

.\velociraptor-windows-amd64.exe -a "velociraptor_api.config.yaml" tools upload --name "MY_TOOL_NAME" --filename "my_tool.zip" <MY_TOOL_ZIP_LOCAL_PATH>

"velociraptor-windows-amd64.exe: error: tools upload: Unable to load config file: Unable to load config from any source."

Thanks in advance.

~p

[Mike Cohen]

Hi Paolo,

  There are two ways to run the CLI binary -

The first way is with the --config flag on the actual server - where the binary directly accesses the filestore and uploads the file locally. 

The second way is with the -a flag we use the API config to make an API connection to the server (from remotely). This is only used by the query command though.

The way you ran the command `tools upload ` in the example you provided is without a config file - instead you provided an API config file (which is ignored since this command does not use the api). This means it does not know which filestore to upload it to and the error is that it can not load a valid config file at all.

If you are running on the server itself you can upload a tool binary like this

velociraptor.exe --config server.config.yaml tools upload --name NameOfTool /path/to/binary

Because the config file is provided , the CLI program knows where to put the binary and how to update the inventory files in the datastore.

If you want to upload a tool with an API call you can use the VQL inventory_add() function https://docs.velociraptor.app/vql_reference/server/inventory_add/ and provide a filename (on the actual server) to take the binary from. Note that when making an API call the query is actually running on the server itself and the filename needs to be accessible from there. You can use the accessor parameter to get creative on how to actually fetch the file onto the server (e.g. via SMB or S3 or SSH ) but the server needs to get the file there by itself.

Hope this helps clarify matters

Mike 

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/CA%2Br9Bf%2Bm3Vhr9z5b%2BjBxj0V3M9uyimjRx%2B8cUdLq45sA0xWoDg%40mail.gmail.com.

[Paolo Leoni Work]

Now everything is clear, thank you again Mike.

~p

[Paolo Leoni Work]

Hello Mike,

still need for a little info about artifact definitions: can I import artifact definitions through API call for a specific org if zip file is stored on the server?

What is the function to import the collection?

Thanks in advance.
Paolo L.

[Mike Cohen]

Hi Paolo,

You can import artifact definitions using the vql https://docs.velociraptor.app/vql_reference/server/artifact_set/ if you want to import them individually for example

`SELECT artifact_set(definition=read_file(filename="/path/to/my/artifact.yaml")) FROM scope()`

If you have lots of artifacts in a zip file you can use glob like this extract taken from https://docs.velociraptor.app/artifact_references/pages/server.import.artifactexchange/

```

SELECT artifact_set(definition=read_file(accessor="zip", filename=OSPath)) AS Definition
          FROM glob(
             globs='/**/*.yaml',
             root=pathspec(
                DelegateAccessor="auto",
                DelegatePath="/path/to/zip/file.zip"),
             accessor="zip")

```

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

[Paolo Leoni Work]

Thank you Mike, that was exactly what I needed.

Paolo L.