Run any Velociraptor Artifact on a Windows or Linux Endpoint
Remove artifact collection via Velociraptor
Get started with Velociraptor: Video Tutorial
The module is built for the below Asset types:
- Windows
- Linux
- Mount the api.config.yaml file in DFIR-IRIS docker-compose for both Worker and Web-App
cp api.config.yaml /opt/iris-web/docker/api.config.yamlnano /opt/iris-web/docker-compose.yml
Web-App
app:
build:
context: .
dockerfile: docker/webApp/Dockerfile
image: iriswebapp_app:latest
command: ['nohup', './iris-entrypoint.sh', 'iriswebapp']
volumes:
- iris-downloads:/home/iris/downloads
- user_templates:/home/iris/user_templates
- server_data:/home/iris/server_data
- "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
Worker
worker:
build:
context: .
dockerfile: docker/webApp/Dockerfile
image: iriswebapp_app:latest
command: ['./wait-for-iriswebapp.sh', 'app:8000', './iris-entrypoint.sh', 'iris-worker']
volumes:
- iris-downloads:/home/iris/downloads
- user_templates:/home/iris/user_templates
- server_data:/home/iris/server_data
- "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
- Restart the DFIR-IRIS docker-compose
docker-compose downdocker-compose up -d
Currently, the Velociraptor Artifact module can be ran as DFIR-IRIS Module.
Get started with DFIR-IRIS: Video Tutorial
- Fetch the
Velociraptor Artifact ModuleRepogit clone https://github.com/socfortress/iris-velociraptorartifact-module cd iris-velociraptorartifact-module - Install the module
./buildnpush2iris.sh -a
Once installed, configure the module to include:
- Path to api.config.yaml
- Velociraptor Artifact to run
- Navigate to
Advanced -> Modules
- Add a new module
- Input the Module name:
iris_velociraptorartifact_module
- Configure the module
- Configure artifact to run
To run the module select Case -> Asset and select the dropdown menu.
Currently supports Asset of type:
Windows, Linux
If you are experiencing issues, please contact us at
info@socfortress.co