forked from Velocidex/velociraptor
Msoheem patch 1 #1
Open
msoheem wants to merge 1,127 commits into master from msoheem-patch-1
Conversation
Also introduced a mail() VQL function in addition to the plugin
When two VFS ListDirectory artifacts were running, rows would get mixed up because the generator was named the same and they all used the same one. This can cause rows to be missing in each collection.
This makes it a lot easier to use them later when creating the downloads export. Previously the download code had to derive the client's original components from the filestore components but this is not always possible to do reliably. Carrying the original client's path components through makes it more reliable and easier.
fix: upgrade axios from 1.2.3 to 1.2.4 Snyk has created this PR to upgrade axios from 1.2.3 to 1.2.4. See this package in npm: https://www.npmjs.com/package/axios See this project in Snyk: https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: snyk-bot <[email protected]>
fix: upgrade axios from 1.2.4 to 1.2.5 Snyk has created this PR to upgrade axios from 1.2.4 to 1.2.5. See this package in npm: https://www.npmjs.com/package/axios See this project in Snyk: https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr
fix: upgrade ace-builds from 1.14.0 to 1.15.0 Snyk has created this PR to upgrade ace-builds from 1.14.0 to 1.15.0. See this package in npm: https://www.npmjs.com/package/ace-builds See this project in Snyk: https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr Co-authored-by: Mike Cohen <[email protected]>
fix: upgrade axios from 1.2.5 to 1.2.6 Snyk has created this PR to upgrade axios from 1.2.5 to 1.2.6. See this package in npm: https://www.npmjs.com/package/axios See this project in Snyk: https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr
Previously repacking (as used by the offline collector) was implemented in VQL by calling the main binary with the repack command. This is problematic on servers which remove the execve() functionality. This PR implements the repack functionality in VQL and therefore makes it available for use in restricted environments. It also simplifies the CreateCollector artifact. Also added a Server.Utils.CreateMSI artifact which automatically prepares an MSI for use within an org.
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to 0.7.0. - [Release notes](https://github.com/golang/net/releases) - [Commits](golang/net@v0.5.0...v0.7.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Updated Windows.Search.Yara to use new OSPath Also updated log() function to deduplicate multiple messages at the same time. Each message will be throttled in time separately so it is now easy to make progress logs for large queries.
This is a case insensitive file accessor for case sensitive systems.
…2471) * Allow the quarantine button to be disabled * When creating a hunt, use a session id based on the hunt id. This makes all requests have the same flow id, but the flow id is still unique. * Propagate the total logs in the collection details - This fixes the GUI not refreshing for new log lines. * Preserve the original creator of the hunt for each flow.
Flow IDs have the requirements that they are sortable with creation time. We can reuse the hunt id in this context.
feat: adding label names for screen readers
Also inject the Responder into the VQL context so it can be passed into VQL plugins.
* chore: adding linter, lint scripts * chore: fixing linting errors dupe imports, semicolon * chore: allowing unescaped entities
GUI did not present the option of viewing the padded version of the file.
Rather than the notification service. Sometimes it would race with a second notification service which exists on another org.
feat: adding labels, alt text for screen readers chore: fixing minor linting issues
fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-FASTXMLPARSER-3325616 Co-authored-by: snyk-bot <[email protected]>
…x#2487) Previously the launcher stored it and the server artifact runner loaded it immediately. This causes problems with distributed storage where writes may not be immediately visible to readers.
Hex columns were encoding the string value in the column. Generally this is incorrect as the string value comes from JSON and if the VQL query emits raw binary data into the JSON then it will be corrupted while converting to UTF8. This PR requires a column declared as "hex" to be actually hex encoded similarly to the base64 columns. This helps to correct the VQL because non-encoded data will simply not show up. This is preferable to almost correct data which has UTF8 errors in it.
Where multiple glob expressions were used and the same file was found by multiple expressions the path was not properly deduplicated. Also improved locking on the upload deduplication. When one thread is uploading, other threads should wait on it to complete. Raw Registry accessor repeated the names of keys that have values of the same name (i.e. default value for a key name). This got deduplicated leading to loss of the value name. This fix returns a RawRegValueInfo object which also behaves as a key (looks like a directory) so it can be recursed into but also can be read as a Value (file). Also this PR refactors the server artifact runner so it does not require scheduling a task but it gets launched immediately.
The gopsutils library shells out to various programs (like ps, lsof) under some situations. This makes it unpredictable how expensive an operation is. This PR wraps gopsutils carefully ensuring that no expensive operations occur. Fixes: Velocidex#2822
1. Add release binaries for Linux/arm64
2. Have Server.Utils.ImportCollection trigger System.Flow.Completion
3. Overuse of red color when no errors occur
4. Deprecate flag --config_override
5. Start Velociraptor service after ClientSysVRPM install
6. Boolean artifact parameters are not checked when their default state is true
Fixes: Velocidex#2811, Velocidex#2751, Velocidex#2742, Velocidex#2721, Velocidex#2792, Velocidex#2798
Only mtime was set but on Windows we can also set the Ctime and Atime.
…cidex#2832) Also some optimizations and bug fix around paging reader not properly closing goroutines when LRU expired
…elocidex#2833) This makes VSS analysis a lot simpler since the VQL just needs to use the 'ntfs_vss' accessor and will suddenly see distinct files from all the VSS returned by a glob in the same directory. Further analysis of these artifacts will use the ntfs_vss to open these files transparently.
Uploading to the cloud may have failed so it is better to leave the collection behind and let the user remove it when they are sure the upload succeeded. Also added a filename template which allows specifying the filename using environment variables or any template.
Add Windows.Forensics.RDPCache to enable upload of RDP cache and user targeting. Add Windows.Registry.RDP to enable collecting RDP mru and server data from user hives.
Also updated translations
…dex#2842) These help to protect the server when a notebook query uses too much memory. When a new notebook query is started, the notebook checks if the current memory use is smaller than the low water mark, if not, the notebook will wait for a while until this is ok. Once started the notebook will run a nanny to ensure the memory does not exceed the high water mark. If the memory exceeds the high water mark, the notebook will abort the query with insufficient resources.
This PR adds a plugin to post events to a Humio ingestion endpoint.
Some edge cases with include and exclude labels were not working.
Snyk has created this PR to upgrade humanize-duration from 3.28.0 to 3.29.0. See this package in npm: https://www.npmjs.com/package/humanize-duration See this project in Snyk: https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr
Detects registry changes and sends an alert.
Artifact type was wrong, which resulted in the artifact not being listed within the hunt manager.
Artifact type was wrong, which resulted in the artifact not being listed in Hunt Manager or in artifact collection with type client.