Server artifact how to call client artifact

[Lili Lin]

Hi,

I'm using velociraptor for hunting endpoints. I'm wondering if there is a way that I can call client artifact inside a server artifact. 

So current situation is that I used the client artifact to hunt first, and send this hunt_id to the server artifact which I created, and then run this use this server artifact to hunt on server to further dig the result from the hunting with client artifact.. So this process needs 2 steps to set up hunting manually. So I wonder that if there is a way that I can use my custom server artifact to call that client artifact directly without set up a hunting for it. 

So I just set up hunting in 1 step for the server hunting directly and will call the client artifact.

Kind regards,

Lili

[Michael Cohen]

Client artifacts run on the client and server artifacts run on the server. So you would normally collect the client artifact from the client then on the server you can read the results with the flow_results() or source() plugins

You can schedule client collections using the vql collect_client() function.

Thanks

Mike 

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/db0c1e53-be3f-4b42-be1c-2867aaf1cdf2n%40googlegroups.com.

[Lili Lin]

So there is no way I can use server artifact on server side to call the client artifact to run on the client?

And for the scheduling client collections, even can use collect_client() function, I still need to send the hunt_id to flow_results or source() plugins to read results on the server, right? is there a way I can make this process automatic? 

Thanks

Lili

[Mike Cohen]

I'm not sure what you are asking about - the clients may not even be online at the time when the server artifact is called - the best you can do is schedule a collection for them and wait for the results. If the client is online it is almost instant but it may not be if the client is not online

Here is an example of VQL which does it all in one step - schedule the collection, wait for it to finish and read the results. The VQL is written for an API use case but it can be used in any other context including a server artifact. However since server artifacts have a 10 min time limit by default, if the client is not currently online it will time out 

https://docs.velociraptor.app/docs/server_automation/server_api/#putting-it-all-together

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

[Lili Lin]

Sorry for the unclear request.

1. So now I create hunting for all clients using hunting manager to create a new hunt, and then waiting it to finish.

2. Once the hunting finished, I will create a new collection on server using server artifact to read the result from the hunting result with hunt_id from 1. 

3. my question is that how to create a new collect on server using server artifact which allows me to do the hunting same step 1 which will hunt all clients, and also I can read the results after hunting all clients directly on server side as well.

thanks

[Mike Cohen]

So a hunt is just an automatically schedule collection of flows - you  can create a new hunt in VQL using the vql hunt() function - this will schedule and start a hunt and it is the equivalent of the gui 

https://docs.velociraptor.app/vql_reference/server/hunt/

A hunt never does not finish - it will schedule any new clients while it is active - in real life a client can appear on the network at any time and the hunt manager will add it to the hunt 

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

[Lili Lin]

On Thu, Aug 31, 2023 at 12:18 Lili Lin <lili...@jumpsec.com> wrote:

Hi,

I want to get the hunt_id and send it to the paramet hunt_id in source plugin. but I always could error hunt_flows:xxxxx as picture 1 showed.

But when I set the hunt_id as actual value, I can get result (picture 2). And you can see that the hunt_id is exist from picture 2 as well. So I think may due to the result returned from SELECT isn't string value, so I tried making it as string, but got the same errors.

Do you know what's the reason?

1.

2.

Thanks.

Lili

On Wed, 30 Aug 2023 at 05:49, Michael Cohen <scud...@gmail.com> wrote:

[Mike Cohen]

You are setting the variable id to be a query:

LET id = SELECT ...

Therefore the query will run each time the variable id is accessed. The variable contains a lazy query which can be thought of as an array of dicts so you need to access the row by index and then a column.

Try to first materialize the query 

LET id <= SELECT .. AS HuntId FROM ....

Then use it (assuming your artifact returns one row)

SELECT * FROM source(... hunt_id = id[0].HuntId)

Or if your artifact returns multiple rows you can use foreach()

SELECT * FROM foreach(row=id,

query={

  SELECT * FROM source(hunt_id=HuntId)

})

Here are some pointers

https://docs.velociraptor.app/docs/vql/#let-expressions

https://docs.velociraptor.app/docs/vql/#the-foreach-plugin

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

[Lili Lin]

Thanks, it worked. 

[Lili Lin]

btw, could you tell me why sometimes when I launched the server artifact, it will turn down the whole velociraptor for server and client. And I need to rerun the velociraptor.

Thanks

Lili

On Thu, 31 Aug 2023 at 13:22, Mike Cohen <mi...@velocidex.com> wrote: