CERT-W/CollectRaptor

CollectRaptor

CollectRaptor is a simple Python command-line utility to automatically generate a Velociraptor standalone binary to collect forensic artifacts.

Description

CollectRaptor currently supports the following target operating systems and collection profiles:

• Windows (x86 / x64) endpoints with Velociraptor built-in Windows.KapeFiles.Targets artifact.

  Template files:

  • Windows_collector_KAPE_light.template
  • Windows_collector_KAPE_full.template

• Linux (x64) endpoints with artifact definitions retrieved from the ForensicArtifacts's artifacts repository and collected with the Linux.Search.FileFinder artifact.

  Template file:

  • Linux_collector.template

• Windows (x86 / x64) domain controllers, to notably retrieve event logs and the User Access Logging artifact.

  Template file:

  • Windows_collector_KAPE_ADDS_DC.template

Usage

Quick usage

CollectRaptor [-h] [-t TEMPLATE] [--tools-csv TOOLS_CSV] [-o OUTPUT] [--only-conf ONLY_CONF] [--velo-path VELO_PATH] {Windows,Linux}

Windows collector

CollectRaptor Windows [-h] [-a {x86,x64}] {kape_light,kape_full} ...

positional arguments:
  {kape_light,kape_full,kape_dc}

common arguments:
    -h, --help            show this help message and exit
    -t TEMPLATE, --template TEMPLATE
                          Template file to parametrize
    --tools-csv TOOLS_CSV
                          CSV file containing the tools to download
    -o OUTPUT, --output OUTPUT
                          Output directory for the config file and packed Velociraptor binary
    --only-conf ONLY_CONF
                          Only generate a config file, not the packed Velociraptor binary
    --velo-path VELO_PATH
                          Path to a folder containing the Velociraptor binaries to use for packing the collector

Windows arguments:
  -h, --help            show this help message and exit
  -a {x86,x64}, --architecture {x86,x64}
                        Target operating system architecture

Linux collector

CollectRaptor Linux [-h] [-a {x64}] {forensic_artifacts}

positional arguments:
  {forensic_artifacts}

common arguments:
    -h, --help            show this help message and exit
    -t TEMPLATE, --template TEMPLATE
                          Template file to parametrize
    --tools-csv TOOLS_CSV
                          CSV file containing the tools to download
    -o OUTPUT, --output OUTPUT
                          Output directory for the config file and packed Velociraptor binary
    --only-conf ONLY_CONF
                          Only generate a config file, not the packed Velociraptor binary
    --velo-path VELO_PATH
                          Path to a folder containing the Velociraptor binaries to use for packing the collector

forensic_artifacts options:
  -u YAML_URLS [YAML_URLS ...], --url YAML_URLS [YAML_URLS ...]
                        One or more URL(s) to retrieve YAML files from
  -f YAML_FILES [YAML_FILES ...], --file YAML_FILES [YAML_FILES ...]
                        One or more artifacts YAML file(s)

Acknowledgements

Thanks to koromodako (from CERT-EDF) for the idea on the Linux collector!

Authors

Thomas DIOT (Qazeer)

Licence

CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/