CollectRaptor is a simple Python command-line utility to automatically generate a Velociraptor standalone binary that collects forensic artifacts.

CollectRaptor currently supports the following target operating systems and collection profiles:

- Windows (x86 / x64) endpoints, collected with Velociraptor's built-in Windows.KapeFiles.Targets artifact. Template files:
- Linux (x64) endpoints, with artifact definitions retrieved from the ForensicArtifacts artifacts repository and collected with the Linux.Search.FileFinder artifact. Template file:
- Windows (x86 / x64) domain controllers, notably to retrieve event logs and the User Access Logging (UAL) artifact. Template file:
    CollectRaptor [-h] [-t TEMPLATE] [--tools-csv TOOLS_CSV] [-o OUTPUT] [--only-conf ONLY_CONF] [--velo-path VELO_PATH] {Windows,Linux} ...

    CollectRaptor Windows [-h] [-a {x86,x64}] {kape_light,kape_full,kape_dc} ...

    positional arguments:
      {kape_light,kape_full,kape_dc}

    common arguments:
      -h, --help            show this help message and exit
      -t TEMPLATE, --template TEMPLATE
                            Template file to parametrize
      --tools-csv TOOLS_CSV
                            CSV file containing the tools to download
      -o OUTPUT, --output OUTPUT
                            Output directory for the config file and packed Velociraptor binary
      --only-conf ONLY_CONF
                            Only generate a config file, not the packed Velociraptor binary
      --velo-path VELO_PATH
                            Path to a folder containing the Velociraptor binaries to use for packing the collector

    Windows arguments:
      -h, --help            show this help message and exit
      -a {x86,x64}, --architecture {x86,x64}
                            Target operating system architecture

    CollectRaptor Linux [-h] [-a {x64}] {forensic_artifacts} ...

    positional arguments:
      {forensic_artifacts}

    common arguments:
      -h, --help            show this help message and exit
      -t TEMPLATE, --template TEMPLATE
                            Template file to parametrize
      --tools-csv TOOLS_CSV
                            CSV file containing the tools to download
      -o OUTPUT, --output OUTPUT
                            Output directory for the config file and packed Velociraptor binary
      --only-conf ONLY_CONF
                            Only generate a config file, not the packed Velociraptor binary
      --velo-path VELO_PATH
                            Path to a folder containing the Velociraptor binaries to use for packing the collector

    forensic_artifacts options:
      -u YAML_URLS [YAML_URLS ...], --url YAML_URLS [YAML_URLS ...]
                            One or more URL(s) to retrieve YAML files from
      -f YAML_FILES [YAML_FILES ...], --file YAML_FILES [YAML_FILES ...]
                            One or more artifacts YAML file(s)
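The Linux profile takes ForensicArtifacts definitions (the `-u` / `-f` inputs above) and turns their FILE sources into globs for Velociraptor's Linux.Search.FileFinder. The block below is an added example of that conversion, not CollectRaptor's own code and not taken from the project. The artifact definitions are constructed samples in the ForensicArtifacts schema, shown as already-parsed dicts (the repository's YAML would normally be loaded with `yaml.safe_load_all`) so the example runs without extra dependencies; the `%%users.homedir%%` expansion and the `SearchFilesGlobTable` parameter name are assumptions. Paths that still contain an unknown `%%variable%%` are dropped rather than passed through, because a literal placeholder used as a glob silently collects nothing and the gap in the evidence goes unnoticed.

```python
"""Convert ForensicArtifacts FILE sources into a Linux.Search.FileFinder glob table.

Added example, not CollectRaptor's own code. Sample artifacts below are
constructed in the ForensicArtifacts schema; the variable mapping and the
Velociraptor parameter name are assumptions made for this example.
"""
import re
from typing import Dict, Iterable, List

# ForensicArtifacts placeholders are %%name%%; Velociraptor wants concrete
# globs. Only the home-directory variable is mapped here (assumed mapping).
VARIABLE_GLOBS: Dict[str, List[str]] = {
    "%%users.homedir%%": ["/home/*", "/root"],
}
_VAR_RE = re.compile(r"%%[A-Za-z0-9_.]+%%")

# Constructed sample definitions, as they would come out of the YAML files.
SAMPLE_ARTIFACTS = [
    {"name": "LinuxAuthLogs", "supported_os": ["Linux"],
     "sources": [{"type": "FILE",
                  "attributes": {"paths": ["/var/log/auth.log*", "/var/log/secure*"]}}]},
    {"name": "ShellHistoryFile", "supported_os": ["Linux", "Darwin"],
     "sources": [{"type": "FILE",
                  "attributes": {"paths": ["%%users.homedir%%/.bash_history",
                                           "%%users.homedir%%/.zsh_history"]}}]},
    {"name": "WindowsEventLogs", "supported_os": ["Windows"],
     "sources": [{"type": "FILE",
                  "attributes": {"paths": ["%%environ_systemroot%%\\System32\\winevt\\Logs\\*.evtx"]}}]},
    {"name": "LinuxPasswdFile", "supported_os": ["Linux"],
     "sources": [{"type": "FILE", "attributes": {"paths": ["/etc/passwd"]}},
                 {"type": "COMMAND", "attributes": {"cmd": "/usr/bin/getent", "args": ["passwd"]}}]},
]


def expand_path(path: str) -> List[str]:
    """Expand every known %%variable%% into one glob per concrete value.

    Returns [] when an unknown variable remains: a literal placeholder passed
    to FileFinder would match nothing and the missing evidence would go unseen.
    """
    expanded = [path]
    for var, values in VARIABLE_GLOBS.items():
        if var in path:
            expanded = [p.replace(var, v) for p in expanded for v in values]
    if any(_VAR_RE.search(p) for p in expanded):
        return []
    return expanded


def linux_globs(artifacts: Iterable[dict], os_name: str = "Linux") -> Dict[str, List[str]]:
    """Map artifact name -> globs, keeping only FILE sources that apply to os_name."""
    result: Dict[str, List[str]] = {}
    for art in artifacts:
        art_os = art.get("supported_os")
        for src in art.get("sources", []):
            if src.get("type") != "FILE":
                continue  # COMMAND, REGISTRY_KEY, ... have no FileFinder equivalent
            src_os = src.get("supported_os", art_os)  # source-level filter wins
            if src_os is not None and os_name not in src_os:
                continue
            globs: List[str] = []
            for p in src.get("attributes", {}).get("paths", []):
                globs.extend(expand_path(p))
            if globs:
                bucket = result.setdefault(art["name"], [])
                bucket.extend(g for g in globs if g not in bucket)
    return result


def glob_table(globs_by_artifact: Dict[str, List[str]]) -> str:
    """Render the deduplicated globs as a CSV with a single Glob column."""
    all_globs = sorted({g for gs in globs_by_artifact.values() for g in gs})
    return "Glob\n" + "\n".join(all_globs) + "\n"


def file_finder_parameters(artifacts: Iterable[dict]) -> Dict[str, Dict[str, str]]:
    """Parameter block for Linux.Search.FileFinder (parameter name assumed)."""
    return {"Linux.Search.FileFinder": {"SearchFilesGlobTable": glob_table(linux_globs(artifacts))}}


if __name__ == "__main__":
    print(file_finder_parameters(SAMPLE_ARTIFACTS)["Linux.Search.FileFinder"]["SearchFilesGlobTable"])
```

The Windows-only artifact and the COMMAND source are filtered out, the home-directory variable fans out to both `/home/*` and `/root`, and the resulting table can be pasted into the `Linux.Search.FileFinder` parameters of a collector spec. Review the dropped paths (those with unmapped variables) before shipping a collector, since they are exactly the artifacts the collector will not gather.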
Thanks to koromodako (from CERT-EDF) for the idea on the Linux collector!
CC BY 4.0 licence - https://creativecommons.org/licenses/by/4.0/