Copy File Upon Process Execution

[Eric Simpson]

Is there a way to trigger a file copy to Velociraptor server when a particular process: example.exe is executed on the system? I was thinking something with Client Monitoring using Windows.ETW.FileCreation, but I can't figure out how to link that to a file collector to triage the process.

Thanks,

Eric

[Mike Cohen]

Thanks for asking about this...

The VQL function that uploads files to the server is called upload() https://docs.velociraptor.app/vql_reference/plugin/upload/

This also works for event artifacts in that the file will end up in the client's folder under the F.Monitoring flow (this is a constant flow id for all client event monitoring artifacts).

Unfortunately currently it is not as easy to find the file that is uploaded (we have https://github.com/Velocidex/velociraptor/issues/2184 to track it)

The main issue is that while a regular artifact has a definite duration - start and end time, we can store the uploads within that time frame and be able to separate it between different collections. The event artifacts are collected constantly and so if they e.g. upload notepad.exe once a day they all get stored in the same place.

You can see how this works by doing a small experiment - I added a trivial event artifact

```

name: Custom.TestUpload
type: CLIENT_EVENT

sources:
  - query: |
      SELECT upload(file="C:/Windows/notepad.exe") FROM scope()

```

Then I can find the file 

```

SELECT OSPath,
       Size
FROM glob(accessor="fs",
          root="fs:/clients/C.568be4353e07ad04-O123",
          globs="**")
WHERE OSPath =~ "notepad.exe"

```

The file is stored in fs:/clients/C.568be4353e07ad04-O123/collections/F.Monitoring/uploads/auto/C:/Windows/notepad.exe

We dont have a GUI for fetching the file right now and i dont think the uploads() plugin works either (perhaps it should?) but the file is actually stored on the server. You can create a download using VQL though and fetch it with the browser:

The URL will be 

https://localhost:8889/downloads/C.568be4353e07ad04-O123/F.Monitoring/WIN-2VKA2DK38DT-C.568be4353e07ad04-O123-F.Monitoring.zip?org_id=O123

The location of the uploads is probably going to change in future because it is currently shared by all client monitoring artifacts.

Anyway that is why the issue above exists because this is not currently that used and the GUI is not yet polished around it.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/CALRmF234wYd1KpM9ht6hZV08XcjyO1VzBvhiQ-gZ_GJ5FE0pSQ%40mail.gmail.com.