Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ianhelle/velociraptor provider 2023 05 19 #668

Merged
merged 6 commits into from
Jul 3, 2023
Merged

Ianhelle/velociraptor provider 2023 05 19 #668

merged 6 commits into from
Jul 3, 2023

Conversation

ianhelle
Copy link
Contributor

Velociraptor data provider

The Velociraptor data provider can read Velociraptor log files and provide convenient query functions for each data set in the output logs.

The provider can read files from one or more hosts, stored in in separate folders. The files are read, converted to pandas DataFrames and grouped by table/event. Multiple log files of the same type (when reading in data from multiple hosts) are concatenated into a single DataFrame.

To use the Velociraptor provider, you need to create an QueryProvider instance, passing the string "Velociraptor" (or "VelociraptorLogs") as the data_environment parameter. You also need to add the data_paths parameter to specify specific folders that you want to search for log file (although you can set these paths in msticpyconfig.yaml, if you do this frequently).

You can specify multiple folders to have the logs from different hosts.

    qry_prov = mp.QueryProvider("VelociraptorLogs", data_paths=["~/my_logs"])

Calling the connect method triggers the provider to read the locations of the
log files (although the contents are not read until a query function is run).

    qry_prov.connect()


## Listing Velociraptor tables

```python3
    qry_prov.list_queries()
    ['velociraptor.Custom_Windows_NetBIOS',
    'velociraptor.Custom_Windows_Patches',
    'velociraptor.Custom_Windows_Sysinternals_PSInfo',
    'velociraptor.Custom_Windows_Sysinternals_PSLoggedOn',
   ....

Each query returns the table of data types retrieved from the logs.

    qry_prov.vc_prov.velociraptor.Windows_Forensics_ProcessInfo()
Name PebBaseAddress Pid ImagePathName CommandLine CurrentDirectory Env
LogonUI.exe 0x95bd3d2000 804 C:\Windows\system32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3b92855 /state1:0x41c64e6d C:\Windows\system32\ {'ALLUSERSP
dwm.exe 0x6cf4351000 848 C:\Windows\system32\dwm.exe "dwm.exe" C:\Windows\system32\ {'ALLUSERSP
svchost.exe 0x6cd64d000 872 C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k termsvcs C:\Windows\system32\ {'ALLUSERSP
svchost.exe 0x7d18e99000 912 C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\system32\ {'ALLUSERSP
svchost.exe 0x5c762eb000 920 C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\ {'ALLUSERSP

@ianhelle ianhelle added this to the Release 2.5.0 milestone May 19, 2023
@ianhelle ianhelle requested a review from juju4 May 19, 2023 22:44
@ianhelle ianhelle self-assigned this May 19, 2023
@ianhelle ianhelle modified the milestones: Release 2.5.0, Release 2.6.0 May 30, 2023
petebryan
petebryan approved these changes Jun 2, 2023
View reviewed changes
msticpy/data/drivers/local_velociraptor_driver.py Outdated Show resolved Hide resolved
msticpy/data/drivers/local_velociraptor_driver.py Outdated Show resolved Hide resolved
juju4
juju4 reviewed Jun 4, 2023
View reviewed changes
Copy link
Collaborator

@juju4 juju4 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @ianhelle and thanks for the multiple reviews.

docs/source/data_acquisition/DataProv-OSQuery.rst Outdated Show resolved Hide resolved
docs/source/data_acquisition/DataProv-Velociraptor.rst Outdated Show resolved Hide resolved
msticpy/data/core/query_defns.py Show resolved Hide resolved
msticpy/data/drivers/local_velociraptor_driver.py Outdated Show resolved Hide resolved
msticpy/data/drivers/local_velociraptor_driver.py Show resolved Hide resolved
docs/source/data_acquisition/DataProv-Velociraptor.rst Show resolved Hide resolved
This was referenced Jul 3, 2023
Closed
Closed
@ianhelle ianhelle merged commit 2908083 into main Jul 3, 2023
@ianhelle ianhelle deleted the ianhelle/velociraptor-provider-2023-05-19 branch July 3, 2023 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rcobb-scwx rcobb-scwx rcobb-scwx left review comments

@juju4 juju4 juju4 left review comments

@petebryan petebryan petebryan approved these changes

Assignees

@ianhelle ianhelle

Labels
None yet
Projects
MSTICPy post-2.0 planning
Status: No status
Milestone
Release 2.6.0
Development

Successfully merging this pull request may close these issues.
4 participants
@ianhelle @juju4 @petebryan @rcobb-scwx