Merge pull request #986 from weslambert/velociraptor_update_responder

nusantara-self · web-flow · commit d5e30a6709fc · 2025-10-06T18:27:14.000+08:00
Update Velociraptor Responder
diff --git a/responders/Velociraptor/velociraptor_flow.json b/responders/Velociraptor/velociraptor_flow.json
@@ -1,10 +1,10 @@
 {
-  "name": "Velociraptor_Flow",
-  "version": "0.1",
-  "author": "Wes Lambert",
+  "name": "Velociraptor",
+  "version": "0.2",
+  "author": "Wes Lambert, @therealwlambert",
   "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
   "license": "AGPL-V3",
-  "description": "Run Velociraptor flow",
+  "description": "Run Velociraptor artifact collection",
   "dataTypeList": ["thehive:case_artifact"],
   "command": "Velociraptor/velociraptor_flow.py",
   "baseConfig": "Velociraptor",
@@ -26,25 +26,12 @@
       "defaultValue": ""
     },
     {
-      "name": "upload_flow_results",
-      "description": "Upload the results of a flow as an observable",
-      "type": "boolean",
+      "name": "query_max_duration",
+      "description": "Max query duration (in seconds)",
+      "type": "number",
       "multi": false,
-      "required": true
-    },
-    {
-      "name": "thehive_url",
-      "description": "URL pointing to your TheHive installation, e.g. 'http://127.0.0.1:9000'",
-      "type": "string",
-      "multi": false,
-      "required": true
-    },
-    {
-      "name": "thehive_apikey",
-      "description": "TheHive API key (used to add the downloaded file back to the alert/case)",
-      "type": "string",
-      "multi": false,
-      "required": true
+      "required": false,
+      "defaultValue": "600"
     }
   ]
 }
diff --git a/responders/Velociraptor/velociraptor_flow.py b/responders/Velociraptor/velociraptor_flow.py
@@ -19,12 +19,12 @@ def __init__(self):
     self.configpath = self.get_param('config.velociraptor_client_config', None, "File path missing!")
     self.config = yaml.load(open(self.configpath).read(), Loader=yaml.FullLoader)
     self.artifact = self.get_param('config.velociraptor_artifact', None, 'Artifact missing!')
-    self.upload_flow_results = self.get_param('config.upload_flow_results', None, 'Upload decision missing!')
+    self.artifact_args = self.get_param('config.velociraptor_artifact_args', None)
     self.observable_type = self.get_param('data.dataType', None, "Data type is empty")
     self.observable = self.get_param('data.data', None, 'Data missing!')
-    self.thehive_url = self.get_param('config.thehive_url', None, "TheHive URL missing!")
-    self.thehive_apikey = self.get_param('config.thehive_apikey', None, "TheHive API key missing!")
-    
+    self.max_wait = self.get_param('config.query_max_duration', 600)
+    self.query = self.get_param('config.velociraptor_query', None)
+   
   def run(self):
     Responder.run(self)
     case_id = self.get_param('data._parent')
@@ -48,9 +48,10 @@ def run(self):
             self.report({'message': "Not a valid data type!" })
             return
       
-        # Send initial request
+        # Query to get client ID
         client_request = api_pb2.VQLCollectorArgs(
-            max_wait=1,
+            # Setting static max_wait here, because it should not take as long as other queries
+            max_wait=60,
             Query=[api_pb2.VQLRequest(
                 Name="TheHive-ClientQuery",
                 VQL=client_query,
@@ -64,121 +65,27 @@ def run(self):
           except:
               self.report({'message': 'Could not find a suitable client.'})
               pass
+       
+        # Free-form query
+        freeform_query = self.query  
+         
+        # Artifact query
+        artifact_query = "LET collection <= collect_client(client_id='"+ client_id +"',artifacts=['" + self.artifact + "'], spec=dict()) LET collection_completed <= SELECT * FROM watch_monitoring(artifact='System.Flow.Completion') WHERE FlowId = collection.flow_id  LIMIT 1 SELECT * FROM source(client_id=collection.request.client_id, flow_id=collection.flow_id, artifact=collection_completed.Flow.artifacts_with_results[0])"
 
-        # Define initial query
-        init_query = "SELECT collect_client(client_id='"+ client_id +"',artifacts=['" + self.artifact + "']) FROM scope()"
+        
 
-        # Send initial request
         request = api_pb2.VQLCollectorArgs(
-            max_wait=1,
+            max_wait=self.max_wait,
             Query=[api_pb2.VQLRequest(
                 Name="TheHive-Query",
-                VQL=init_query,
+                VQL=artifact_query,
             )])
 
         for response in stub.Query(request):
           try:
-            init_results = json.loads(response.Response)
-            flow=list(init_results[0].values())[0]
-            
-            flow_id = str(flow['flow_id']) 
-            # Define second query
-            flow_query = "SELECT * from flows(client_id='" + str(flow['request']['client_id']) + "', flow_id='" + flow_id + "')"
-         
-            state=0
-
-            # Check to see if the flow has completed        
-            while (state != 2):
-    
-              followup_request = api_pb2.VQLCollectorArgs(
-                max_wait=10,
-                Query=[api_pb2.VQLRequest(
-                     Name="TheHive-QueryForFlow",
-                     VQL=flow_query,
-                )])
-
-              for followup_response in stub.Query(followup_request):
-                try:
-                    flow_results = json.loads(followup_response.Response)
-                except:
-                  pass
-              state = flow_results[0]['state']
-              global artifact_results
-              artifact_results = flow_results[0]['artifacts_with_results']
-              self.report({'message': state })
-              if state == 2:
-                time.sleep(5)
-                break
-
-            # Grab the source from the artifact
-            source_results=[]
-            for artifact in artifact_results:
-              source_query="SELECT * from source(client_id='"+ str(flow['request']['client_id']) + "', flow_id='" + flow_id +  "', artifact='" + artifact + "')"
-              source_request = api_pb2.VQLCollectorArgs(
-              max_wait=10,
-              Query=[api_pb2.VQLRequest(
-                  Name="TheHive-SourceQuery",
-                  VQL=source_query,
-              )])
-              for source_response in stub.Query(source_request):
-                try:
-                  source_result = json.loads(source_response.Response)
-                  source_results += source_result
-                except:
-                  pass
-            self.report({'message': source_results })
-            
-            if self.upload_flow_results is True: 
-              # Create flow download
-              vfs_query = "SELECT create_flow_download(client_id='"+ str(flow['request']['client_id']) + "', flow_id='" + str(flow['flow_id']) +  "', wait='true') as VFSPath from scope()" 
-              vfs_request = api_pb2.VQLCollectorArgs(
-                max_wait=10,
-                Query=[api_pb2.VQLRequest(
-                    Name="TheHive-VFSQuery",
-                    VQL=vfs_query,
-              )])
-              for vfs_response in stub.Query(vfs_request):
-                  try:
-                    vfs_result = json.loads(vfs_response.Response)[0]['VFSPath']
-                  except:
-                    pass
-              # "Artifact" plugin.
-              offset = 0
-            
-              file_request = api_pb2.VFSFileBuffer(
-                  vfs_path=vfs_result,
-                  length=10000,
-                  offset=offset,
-              )
-
-              res = stub.VFSGetBuffer(file_request)
-              
-              if len(res.data) == 0:
-                 break
-                   
- 
-         
-              f = open("/tmp/" + self.artifact + "_" + client_id + "_" + flow_id + "_" + case_id + ".zip",'wb')
-              f.write(res.data)
-              offset+=len(res.data)
- 
-              #Upload file to TheHive
-              api = TheHiveApi(self.thehive_url, self.thehive_apikey, cert=False)
-
-              description = "Velociraptor flow for artifact" + self.artifact + "for client " + client_id + " via flow " + flow_id + "." 
-              filepath = '/tmp/' + self.artifact + "_" + client_id + "_" + flow_id + "_" + case_id + ".zip"
-              file_observable = CaseObservable(dataType='file',
-                   data=[filepath],
-                   tlp=self.get_param('data.tlp'),
-                   ioc=True,
-                   tags=['src:Velociraptor', client_id ],
-                   message=description
-              )
-            
-              response = api.create_case_observable(case_id, file_observable)
-              if response.status_code != 201:
-                self.error({'message': str(response.status_code) + " " + response.text})
-              os.remove(filepath)
+            query_results = json.loads(response.Response)
+            #flow=list(init_results[0].values())[0]
+            self.report({'message': query_results })
           except:
             pass
   def operations(self, raw):
