Implemented static analysis for client side permissions by scudette · Pull Request #4246 · Velocidex/velociraptor · GitHub
Implemented static analysis for client side permissions #4246

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged: 7 commits, May 20, 2025
4 changes: 2 additions & 2 deletions accessors/pst/cache.go
@@ -1,5 +1,5 @@
//go:build !linux && !386
// +build !linux,!386
//go:build !386
// +build !386

package pst
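Review bot: the build constraint change in this hunk (dropping `!linux`, so the pst accessor is now compiled on Linux as well) is unrelated to the client-side permission analysis the PR title describes and is not mentioned anywhere in the PR; please call it out in the PR description or commit message and confirm that the Linux build and tests pass with the accessor enabled. The same edit is made to accessors/pst/pst_accessor.go below, and the `//go:build` and `// +build` lines in both files are kept consistent, which they must be for the package to compile.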

4 changes: 2 additions & 2 deletions accessors/pst/pst_accessor.go
@@ -1,5 +1,5 @@
//go:build !linux && !386
// +build !linux,!386
//go:build !386
// +build !386

package pst

4 changes: 4 additions & 0 deletions artifacts/definitions/Admin/Client/UpdateClientConfig.yaml
Expand Up @@ -25,6 +25,10 @@ parameters:
default: Y
description: Should the client rekey its client ID.

required_permissions:
- EXECVE
- FILESYSTEM_WRITE

sources:
- query: |
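Review bot: this artifact receives `required_permissions`, while most other artifacts in this PR (Upgrade/Debian.yaml, Generic/Client/DiskSpace.yaml, Generic/Utils/FetchBinary.yaml and others) receive the new `implied_permissions` key; nothing in the diff documents how the two keys differ or how the static analysis treats each one, so a short explanation in the artifact documentation or the PR description would let reviewers check the choice made in each file. If `required_permissions` means the user collecting the artifact must already hold EXECVE and FILESYSTEM_WRITE, this is a behaviour change for existing users of Admin.Client.UpdateClientConfig and deserves a release note.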

4 changes: 4 additions & 0 deletions artifacts/definitions/Admin/Client/Upgrade/Debian.yaml
Expand Up @@ -24,6 +24,10 @@ parameters:
description: |
The name of the service to restart after the upgrade.

implied_permissions:
- EXECVE
- FILESYSTEM_WRITE

sources:
- precondition:
SELECT OS From info() where OS =~ 'linux'
3 changes: 3 additions & 0 deletions artifacts/definitions/Admin/Client/Upgrade/RedHat.yaml
Expand Up @@ -24,6 +24,9 @@ parameters:
description: |
The name of the service to restart after the upgrade.

implied_permissions:
- EXECVE

sources:
- precondition:
SELECT OS From info() where OS =~ 'linux'
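Review bot: RedHat.yaml declares only `- EXECVE`, while the sibling Upgrade/Debian.yaml and Upgrade/Windows.yaml hunks in this PR declare both `- EXECVE` and `- FILESYSTEM_WRITE`; if the RedHat upgrade also writes the downloaded package to disk before installing it, add FILESYSTEM_WRITE here as well so the three upgrade artifacts are analysed consistently, and if it genuinely does not write to the filesystem, a one-line comment saying so would stop the next reader from asking the same question.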
4 changes: 4 additions & 0 deletions artifacts/definitions/Admin/Client/Upgrade/Windows.yaml
Expand Up @@ -22,6 +22,10 @@ parameters:
overwhelm the server so we stagger the download over this many
seconds.

implied_permissions:
- EXECVE
- FILESYSTEM_WRITE

sources:
- precondition:
SELECT OS From info() where OS = 'windows'
2 changes: 2 additions & 0 deletions artifacts/definitions/Generic/Client/CleanupTemp.yaml
Expand Up @@ -13,6 +13,8 @@ parameters:
- name: ReadllyDoIt
type: bool

required_permissions:
- FILESYSTEM_WRITE

sources:
- query: |
3 changes: 3 additions & 0 deletions artifacts/definitions/Generic/Client/DiskSpace.yaml
Expand Up @@ -6,6 +6,9 @@ description: |
1. On Linux and MacOS we call `df -h`.
2. On Windows we use WMI

implied_permissions:
- EXECVE

sources:
- query: |
LET NonWindows = SELECT * FROM foreach(row={
2 changes: 1 addition & 1 deletion artifacts/definitions/Generic/Client/VQL.yaml
Expand Up @@ -3,7 +3,7 @@ description: |
Run arbitrary VQL on the endpoint.

required_permissions:
- EXECVE
- IMPERSONATION

parameters:
- name: Command
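Review bot: replacing `- EXECVE` with `- IMPERSONATION` drops the EXECVE requirement from Generic.Client.VQL, an artifact whose own description says it runs arbitrary VQL on the endpoint and which can therefore call execve() itself; unless IMPERSONATION is defined to cover everything EXECVE gates, keep both entries under `required_permissions` or state in the description why an arbitrary-VQL artifact no longer needs EXECVE. This is the one hunk in the PR that loosens rather than adds a permission, so it merits an explicit sentence in the PR description.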
3 changes: 3 additions & 0 deletions artifacts/definitions/Generic/Forensic/LocalHashes/Init.yaml
Expand Up @@ -8,6 +8,9 @@ parameters:
description: Name of the local hash database
default: hashdb.sqlite

implied_permissions:
- FILESYSTEM_WRITE

sources:
- query: |
LET SQL = "
4 changes: 4 additions & 0 deletions artifacts/definitions/Generic/Utils/FetchBinary.yaml
Expand Up @@ -42,6 +42,10 @@ parameters:
- name: Version
description: The version of the tool to fetch

implied_permissions:
- SERVER_ADMIN
- FILESYSTEM_WRITE

sources:
- query: |
-- The following VQL is particularly ancient because it is
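Review bot: `- SERVER_ADMIN` is listed as an implied permission on a client-side utility artifact, and nothing in the hunk explains why fetching a tool binary implies a server-admin permission; every other artifact touched by this PR implies only EXECVE or FILESYSTEM_WRITE. Add a comment next to the key stating what the analysis is meant to infer from it (for example, that the tool download depends on server-side tool configuration), or drop it if it was copied in by mistake.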
9 changes: 6 additions & 3 deletions artifacts/definitions/Linux/Network/PacketCapture.yaml
Expand Up @@ -6,26 +6,29 @@ description: |
The `Duration` parameter is used to define how long (in seconds) the capture should be. Specific interfaces can be defined using the `Interface` parameter, otherwise the artifact defaults to an interface assignment of `any`.

A `BPF` (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.

Read more about BPF expressions here: https://biot.com/capstats/bpf.html

required_permissions:
- EXECVE

implied_permissions:
- FILESYSTEM_WRITE

parameters:
- name: Duration
type: integer
description: Duration (in seconds) of PCAP to be recorded.
default: 10

- name: Interface
type: string
default: any

- name: BPF
type: string
default:

precondition:
SELECT * FROM info() where OS = 'linux'

4 changes: 4 additions & 0 deletions artifacts/definitions/Linux/RHEL/Packages.yaml
@@ -1,6 +1,10 @@
name: Linux.RHEL.Packages
description: |
Parse packages installed from dnf or yum

implied_permissions:
- EXECVE

sources:
- precondition: |
SELECT OS From info() where OS = 'linux'
7 changes: 5 additions & 2 deletions artifacts/definitions/Linux/SuSE/Packages.yaml
Expand Up @@ -3,6 +3,9 @@ author: Hilko Bengen <bengen@hilluzination.de>
description: |
Parse list of installed packages from zypper output

implied_permissions:
- EXECVE

sources:
- precondition: |
SELECT OS From info() WHERE OS = 'linux'
Expand All @@ -12,11 +15,11 @@ sources:
FROM execve(
length=1000000,
argv=["zypper", "--xmlout", "search", "--installed-only", "--details", "--type=package"])

LET xml = parse_xml(
file=str(str=zypper_output.Stdout),
accessor="data")

SELECT *
FROM foreach(
row=xml.stream.`search-result`.`solvable-list`.solvable,
11 changes: 6 additions & 5 deletions artifacts/definitions/Linux/Sys/Services.yaml
@@ -1,16 +1,17 @@
name: Linux.Sys.Services
description: Parse services from systemctl
description: Parse services from systemctl

implied_permissions:
- EXECVE

sources:
- precondition: |
SELECT OS From info() where OS = 'linux'
queries:
- |
LET services = SELECT Stdout FROM execve(argv=['systemctl', 'list-units', '--type=service'])

LET all_services = SELECT grok(grok="%{NOTSPACE:Unit}%{SPACE}%{NOTSPACE:Load}%{SPACE}%{NOTSPACE:Active}%{SPACE}%{NOTSPACE:Sub}%{SPACE}%{GREEDYDATA:Description}", data=Line) AS Parsed
FROM parse_lines(accessor="data", filename=services.Stdout)

SELECT * FROM foreach(row=all_services, column="Parsed") WHERE Unit =~ ".service"
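Review bot: the `description:` line is removed and re-added with only whitespace changed, which makes this hunk noisier than the two-line `implied_permissions` addition it carries; consider reverting the whitespace-only churn. Separately, in the unchanged query above, `WHERE Unit =~ ".service"` uses an unescaped `.`, so the regex matches any character followed by `service` rather than the `.service` suffix; `=~ "\\.service$"` would be precise. That is not introduced by this PR, but it is cheap to fix while the file is being touched.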


3 changes: 3 additions & 0 deletions artifacts/definitions/Linux/Users/RootUsers.yaml
Expand Up @@ -7,6 +7,9 @@ author: George-Andrei Iosif (@iosifache)

type: CLIENT

implied_permissions:
- EXECVE

sources:
- precondition: |
SELECT OS
1 change: 1 addition & 0 deletions artifacts/definitions/Linux/Utils/InstallDeb.yaml
Expand Up @@ -31,6 +31,7 @@ type: CLIENT

required_permissions:
- EXECVE
- FILESYSTEM_WRITE

reference:
- https://manpages.debian.org/bookworm/debconf-doc/debconf-devel.7.en.html#Type
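Review bot: FILESYSTEM_WRITE is added under `required_permissions` here, but the functionally similar Admin/Client/Upgrade/Debian.yaml hunk in this PR puts EXECVE and FILESYSTEM_WRITE under `implied_permissions`; pick one convention for artifacts that write a package to disk and install it, or document why installing a user-supplied .deb should require the permission from the caller while the upgrade artifact only implies it.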
9 changes: 6 additions & 3 deletions artifacts/definitions/MacOS/Network/PacketCapture.yaml
Expand Up @@ -6,26 +6,29 @@ description: |
The `Duration` parameter is used to define how long (in seconds) the capture should be. Specific interfaces can be defined using the `Interface` parameter, otherwise the artifact defaults to an interface assignment of `any`.

A `BPF` (Berkeley Packet Filter) expression can also be supplied to filter the captured traffic as desired.

Read more about BPF expressions here: https://biot.com/capstats/bpf.html

required_permissions:
- EXECVE

implied_permissions:
- FILESYSTEM_WRITE

parameters:
- name: Duration
type: integer
description: Duration (in seconds) of PCAP to be recorded.
default: 10

- name: Interface
type: string
default: any

- name: BPF
type: string
default:

precondition:
SELECT * FROM info() where OS = 'darwin'

@@ -1,24 +1,29 @@
name: MacOS.System.Packages
description: |
Parse packages installed on Macs

parameters:
- name: Length
description: Size (in bytes) of output that will be returned
type: int
default: "100000000"

implied_permissions:
- EXECVE

sources:
- precondition: |
SELECT OS From info() where OS = 'darwin'
query: |
LET packages = SELECT parse_json(data=Stdout) AS Json
LET packages = SELECT parse_json(data=Stdout) AS Json
FROM execve(argv=[
"system_profiler", "-json", "SPApplicationsDataType"
], length=Length)

SELECT _name AS Name,
get(field="version") AS Version,
path AS Path,
lastModified AS LastModified,
get(field="version") AS Version,
path AS Path,
lastModified AS LastModified,
obtained_from AS ObtainedFrom,
get(field="signed_by") AS SignedBy,
arch_kind AS _Architecture
3 changes: 3 additions & 0 deletions artifacts/definitions/Windows/ActiveDirectory/BloodHound.yaml
Expand Up @@ -23,6 +23,9 @@ reference:
required_permissions:
- EXECVE

implied_permissions:
- FILESYSTEM_WRITE

tools:
- name: SharpHound
url: https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe
Expand Up @@ -38,6 +38,10 @@ parameters:
default: LOCAL
description: Default timezone for parsing timestamps

implied_permissions:
- EXECVE
- FILESYSTEM_WRITE

sources:
- precondition:
SELECT OS From info() where OS = 'windows'
4 changes: 4 additions & 0 deletions artifacts/definitions/Windows/Applications/SBECmd.yaml
Expand Up @@ -34,6 +34,10 @@ tools:

precondition: SELECT OS From info() where OS = 'windows'

implied_permissions:
- EXECVE
- FILESYSTEM_WRITE

parameters:
- name: userRegex
default: .
3 changes: 3 additions & 0 deletions artifacts/definitions/Windows/Forensics/BulkExtractor.yaml
Expand Up @@ -45,6 +45,9 @@ author: Matt Green - @mgreen27
required_permissions:
- EXECVE

implied_permissions:
- FILESYSTEM_WRITE

tools:
- name: Bulk_Extractor_Binary
url: https://github.com/Velocidex/Tools/raw/main/BulkExtractor/bulk_extractor.exe
3 changes: 3 additions & 0 deletions artifacts/definitions/Windows/Memory/Acquisition.yaml
Expand Up @@ -20,6 +20,9 @@ description: |
go-winpmem.exe expand image.compressed image.raw
```

implied_permissions:
- FILESYSTEM_WRITE

precondition: |
SELECT OS FROM info()
WHERE OS = 'windows'
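Review bot: only `- FILESYSTEM_WRITE` is implied here, yet the description immediately above this hunk shows the artifact's output being handled with go-winpmem.exe; if the artifact itself launches the winpmem binary through execve() (as Windows.Network.PacketCapture and Windows.Sysinternals.Autoruns declare for their tools), add `- EXECVE` alongside FILESYSTEM_WRITE, otherwise the analysis result for this artifact will not reflect what it actually does on the endpoint. If the go-winpmem.exe command is only a post-collection step the operator runs by hand, a comment saying so would make the single entry defensible.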
4 changes: 4 additions & 0 deletions artifacts/definitions/Windows/Network/PacketCapture.yaml
Expand Up @@ -15,6 +15,10 @@ tools:
- name: etl2pcapng
url: https://github.com/microsoft/etl2pcapng/releases/download/v1.4.0/etl2pcapng.zip

implied_permissions:
- FILESYSTEM_WRITE
- EXECVE

parameters:
- name: StartTrace
type: bool
3 changes: 3 additions & 0 deletions artifacts/definitions/Windows/Remediation/Sinkhole.yaml
Expand Up @@ -20,6 +20,9 @@ author: Matt Green - @mgreen27
required_permissions:
- EXECVE

implied_permissions:
- FILESYSTEM_WRITE

type: CLIENT

parameters:
3 changes: 3 additions & 0 deletions artifacts/definitions/Windows/Sys/Interfaces.yaml
Expand Up @@ -3,6 +3,9 @@ description: |
Report information about the systems interfaces. This artifact
simply parses the output from ipconfig /all.

implied_permissions:
- EXECVE

sources:
- precondition:
SELECT OS from info() where OS = "windows"
3 changes: 3 additions & 0 deletions artifacts/definitions/Windows/Sysinternals/Autoruns.yaml
Expand Up @@ -15,6 +15,9 @@ tools:

precondition: SELECT OS From info() where OS = 'windows'

implied_permissions:
- EXECVE

parameters:
- name: All
type: bool