Tips and hints
Releases are tagged using a consistent naming scheme, but there may be deviations (for example, if a bugfix is released). The most reliable way to automatically get the latest binary is to use the GitHub API. For example, the download URL of the latest Windows amd64 binary can be obtained with:
curl -s https://api.github.com/repos/velocidex/velociraptor/releases/latest | jq -r 'limit(1 ; ( .assets[].browser_download_url | select ( contains("windows-amd64.exe") )))'
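The jq one-liner above takes the first asset whose name merely contains the string. The following added example (my own code, not part of this wiki page or of the Velociraptor project) does the same selection in Python for any platform suffix, but refuses ambiguous matches (for example when a release ships both an .exe and an .msi for the same platform) and fails loudly when no asset matches. Only the `assets[].name` and `browser_download_url` fields of the GitHub release API are assumed; the embedded release JSON is a constructed sample so the selection logic runs offline.

```python
"""Select the right binary from the latest GitHub release of Velociraptor.

Added example, not from the wiki page or the Velociraptor project.
Assumes the GitHub release API shape (assets[].name / browser_download_url).
"""
import json
import sys
import urllib.request

RELEASES_API = "https://api.github.com/repos/velocidex/velociraptor/releases/latest"

# Constructed sample of an API response, trimmed to the fields used here.
# The tag and URLs are placeholders, not a real release.
SAMPLE_RELEASE = json.loads("""
{
  "tag_name": "v0.0.0-example",
  "assets": [
    {"name": "velociraptor-v0.0.0-example-linux-amd64",
     "browser_download_url": "https://example.invalid/linux-amd64"},
    {"name": "velociraptor-v0.0.0-example-windows-amd64.exe",
     "browser_download_url": "https://example.invalid/windows-amd64.exe"},
    {"name": "velociraptor-v0.0.0-example-windows-amd64.msi",
     "browser_download_url": "https://example.invalid/windows-amd64.msi"},
    {"name": "velociraptor-v0.0.0-example-windows-386.exe",
     "browser_download_url": "https://example.invalid/windows-386.exe"}
  ]
}
""")


def select_asset(release, suffix):
    """Return the download URL of the one asset whose name ends with suffix.

    A bare contains() filter silently returns whichever match comes first;
    here both "no match" and "several matches" are errors, so a changed
    release layout cannot hand back the wrong binary unnoticed.
    """
    matches = [a for a in release.get("assets", []) if a["name"].endswith(suffix)]
    if not matches:
        raise LookupError(f"no asset ending with {suffix!r} in release "
                          f"{release.get('tag_name')}")
    if len(matches) > 1:
        names = ", ".join(a["name"] for a in matches)
        raise LookupError(f"suffix {suffix!r} is ambiguous: {names}")
    return matches[0]["browser_download_url"]


def latest_release():
    """Fetch the latest release object from the GitHub API (needs network)."""
    req = urllib.request.Request(
        RELEASES_API, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python get_latest.py windows-amd64.exe  (prints the URL to fetch)
    wanted = sys.argv[1] if len(sys.argv) > 1 else "windows-amd64.exe"
    print(select_asset(latest_release(), wanted))
```

Pipe the printed URL into `curl -LO` (or check it into your deployment tooling) rather than hard-coding a version; the `LookupError` is what you want to see when an upstream naming change would otherwise have fetched the wrong file.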
Sometimes it is useful to inspect the certificates embedded in the config file using, for example, openssl. Since the certificates are in the YAML file you could just copy them out and un-indent them in an editor, but this is somewhat quicker:
velociraptor --config ~/client.config.yaml config show --json | jq -r ".Client.ca_certificate" | openssl x509 -text
It relies on exporting the config to JSON and then using jq to extract the right field to stdout.
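When neither the velociraptor binary nor jq is at hand (for example on an analysis box that only has the config file), the "copy out and un-indent" step can be scripted directly. The following is an added example of my own, not code from this page or from the Velociraptor project: it walks the YAML by indentation, finds a dotted key such as `Client.ca_certificate`, de-indents its `|` block literal and hands the result to `openssl x509 -text -noout`. Only the `Client:` / `ca_certificate: |` layout mentioned in the tip is assumed; the embedded config is a constructed sample whose certificate body is a placeholder, not a real certificate.

```python
"""Pull a PEM block out of an indented YAML config and inspect it with openssl.

Added example, not from the wiki page or the Velociraptor project.
Assumes the config holds the certificate as a YAML `|` block literal.
"""
import re
import subprocess
import sys

# Constructed sample of the relevant part of a client.config.yaml.
# The certificate body is a placeholder, not real base64.
SAMPLE_CONFIG = """\
version:
  name: velociraptor
Client:
  server_urls:
    - https://velociraptor.example.invalid:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDERBASE64LINE1
    PLACEHOLDERBASE64LINE2
    -----END CERTIFICATE-----
  nonce: placeholder
"""

KEY_RE = re.compile(r"([A-Za-z0-9_.-]+):(?:\s+(.*))?$")


def extract_literal(yaml_text, dotted_key):
    """Return the de-indented `|` literal stored at dotted_key.

    Tracks the mapping keys enclosing each line by indentation (a stack of
    (indent, key) pairs), which is enough for the flat mapping structure
    around the certificate fields; list items and comments are skipped.
    """
    wanted = dotted_key.split(".")
    stack = []
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith(("#", "- ")):
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(1)))
        if [k for _, k in stack] != wanted:
            continue
        if (m.group(2) or "").strip() != "|":
            raise ValueError(f"{dotted_key} is not a block literal")
        # Body = following lines indented deeper than the key itself.
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip(" ")) <= indent:
                break
            body.append(nxt)
        body = [b for b in body if b.strip()]
        if not body:
            raise ValueError(f"{dotted_key} has an empty block")
        block_indent = min(len(b) - len(b.lstrip(" ")) for b in body)
        return "\n".join(b[block_indent:].rstrip() for b in body) + "\n"
    raise KeyError(dotted_key)


def inspect_with_openssl(pem):
    """Equivalent of piping the block into `openssl x509 -text -noout`."""
    return subprocess.run(["openssl", "x509", "-text", "-noout"], input=pem,
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Usage: python show_cert.py ~/client.config.yaml [Client.ca_certificate]
    path = sys.argv[1]
    key = sys.argv[2] if len(sys.argv) > 2 else "Client.ca_certificate"
    with open(path, encoding="utf-8") as fh:
        print(inspect_with_openssl(extract_literal(fh.read(), key)))
```

The same function works for the other PEM fields a server config carries; pass the dotted key as the second argument. Keys that are not block literals raise `ValueError` rather than returning a half-parsed string, so a typo in the key name is caught before openssl reports an unhelpful decode error.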
I haven't fully tested why this isn't working, but if you attempt to execute a Stand-alone Collector via CrowdStrike RTR, nothing happens. As an example, let's assume you created a collector for a Mini Timeline (e.g. vr_mini_timeline.exe) and uploaded it to CrowdStrike's cloud; calling it via PUT files executes successfully, but no output is generated.
A quick workaround is simply to call it via PowerShell. As another quick example, if you use PUT files to drop the collector in the C:\CrowdStrike\Files directory, you can use RUNSCRIPT to execute the collector.
The below will execute the collector defined in the previous example just fine and produce an output:
Start-Process -FilePath "C:\CrowdStrike\Files\vr_mini_timeline.exe"
You can simply grab the resulting output file and go, or upload it to a cloud resource, as the Velocidex team have included that option in their Stand-alone Collector build tool.