Integration Thor with Velociraptor

Question

Integration Thor with Velociraptor

Closed this issue 5 months ago · 6 comments

Hello everyone,
I downloaded the yaml files from the repository, compressed them into a zip file and uploaded them to velociraptor. I cannot use any of the preconfigured scanners as they ask for api keys which I do not have. I have to give a talk on this and need to show the functionality.
Thank you.

Answer 1 · 2024-04-30T12:25:38.000Z

hi @coos60 ,
the artifact Generic.Scanner.ThorZIP does not ask for api-keys/tokens. It just needs the THOR zip file (e.g. THOR lite which is free) and optionally additional cmdline args.

So for THOR lite you would download THOR lite, unpack it, add your THOR lite license, repack (everything) and upload it to the Generic.Scanner.ThorZIP artifact 'Tools -> ThorZIP'.

Answer 2 · 2024-04-30T13:28:10.000Z

hi @coos60 ,
you can also try THOR cloud lite with Generic.Scanner.ThorCloud
(you get the token param from the "Launcher" options http URL)

this might be easier/faster :)

Answer 3 · 2024-05-02T07:35:02.000Z

thanks for the support. I solved it. The only problem with thor cloud lite running in velociraptor is the timeout. It fails to complete operations.

Answer 4 · 2024-05-02T07:39:25.000Z

hi @coos60 ,
nice to hear that!
true, the default timeout is not enough for running THOR. thats why we recommend a timeout of 30000 sec (~8.5h), e.g. here .

Answer 5 · 2024-05-02T08:35:57.000Z

Thanks @pH-T. I'm trying it now

Answer 6 · 2024-05-02T12:54:29.000Z

Thanks @pH-T. it works!!!!!!!!