# Velociraptor Offline Collector Configuration
#
# Describes a standalone collector: it runs on the target host and writes its
# evidence locally, with no connection back to a Velociraptor server.

# Identity of this collector build. Every value is quoted so the version, the
# date and the ticket reference survive YAML type inference as strings
# ('1.0' would otherwise load as a float and '2024-01-15' as a date).
collector_info:
  name: 'IR-Collector-Incident-Response'
  version: '1.0'
  description: |
    Offline collector for incident response evidence gathering.
    Collects key artifacts without requiring Velociraptor server.
  created_by: 'IR Team'
  created_date: '2024-01-15'
  incident_reference: 'INC-12345'

# Platform the collector is built for.
# Accepted values: windows, linux, macos, all
target_platform: windows

# Artifacts the collector runs, in this order. Parameter values follow the
# artifact's own conventions: the quoted 'Y' below matches the Y/N strings
# Velociraptor artifact parameters use for booleans.
artifacts:
  # Host identity and OS details
  - name: Generic.Client.Info
    description: 'Basic system information'

  # Running processes; hashes let the analyst match binaries against IOCs
  - name: Windows.System.Pslist
    description: 'Running processes'
    parameters:
      CalculateHashes: 'Y'

  # Sockets and connections tied back to the owning process
  - name: Windows.Network.NetstatEnriched
    description: 'Network connections with process context'

  # Autostart locations: Run keys and startup folders, scheduled tasks, services
  - name: Windows.Persistence.PermanentRuns
    description: 'Registry Run keys and startup locations'

  - name: Windows.System.TaskScheduler
    description: 'Scheduled tasks'

  - name: Windows.System.Services
    description: 'Windows services'

  # Security, System and Application logs from the last seven days
  - name: Windows.EventLogs.EvtxHunter
    description: 'Security-relevant event logs'
    parameters:
      EvtxGlob: 'C:/Windows/System32/winevt/Logs/{Security,System,Application}.evtx'
      # Seven-day window (168h). NOTE(review): this is Go-template syntax, not
      # a timestamp - confirm the collector builder renders it before the
      # artifact reads DateAfter.
      DateAfter: '{{subtract (now) (duration "168h")}}'

  # Filesystem timeline restricted to the locations that change most during
  # an intrusion (user profiles, temp, ProgramData), same seven-day window
  - name: Windows.Forensics.Timeline
    description: 'Filesystem timeline'
    parameters:
      # One glob per line
      PathGlob: |
        C:/Users/*/AppData/**
        C:/Windows/Temp/**
        C:/ProgramData/**
      DateAfter: '{{subtract (now) (duration "168h")}}'

  # Program execution evidence
  - name: Windows.Forensics.Prefetch
    description: 'Program execution artifacts'

  # Removable media history
  - name: Windows.Forensics.USBDevices
    description: 'USB device connection history'

  # Optional extras - uncomment when the case calls for them
  # - name: Windows.Browsers.Chrome
  #   description: "Chrome browser history"
  # - name: Windows.Registry.RecentDocs
  #   description: "Recently accessed files from registry"

# How the collection is written, throttled and logged
collection_config:
  output:
    # Archive format for the evidence bundle: zip or tar
    format: zip

    # Per-host filename; {{.Hostname}} and {{.Now.Unix}} are filled in at run
    # time, so repeat runs on the same host are unlikely to collide
    filename_template: 'collection-{{.Hostname}}-{{.Now.Unix}}.zip'

    # Output encryption is off by default. The archive holds event logs,
    # process lists and user-profile paths in the clear, so enable this
    # (shipping only the public key with the collector) whenever the bundle
    # travels over an untrusted path.
    # encryption:
    #   enabled: true
    #   public_key_file: "collector-public.pem"

    # Directory the archive is written to ('.' = where the collector runs)
    output_directory: '.'

  # Caps that keep the collector unobtrusive on a live host
  resource_limits:
    # Maximum CPU usage (percentage)
    cpu_limit: 70
    # Maximum memory usage (MB)
    max_memory: 2048
    # I/O operations per second limit
    ops_per_second: 500
    # Maximum collection time (seconds)
    max_execution_time: 3600
    # Maximum output size (bytes, 0 = unlimited)
    max_output_size: 10737418240  # 10 GB

  progress:
    # Show progress bar
    show_progress: true
    # Log file location
    log_file: 'collector.log'
    # Log level: DEBUG, INFO, WARN, ERROR
    log_level: INFO

  execution:
    # Run artifacts in parallel (faster but more resource intensive)
    parallel: false
    # Number of concurrent artifacts (only used when parallel is true)
    max_parallel: 3
    # Keep going when a single artifact fails
    continue_on_error: true
    # Timeout per artifact (seconds)
    artifact_timeout: 600

# Checks run before any artifact starts
pre_collection:
  # Requirements verified up front (unlike the warnings below, these are
  # presumably blocking)
  checks:
    # Minimum free disk space (bytes)
    min_disk_space: 5368709120  # 5 GB
    # Check for admin/root privileges
    require_admin: true
    # Verify OS compatibility
    verify_os: true

  # Warnings (not blocking)
  warnings:
    # Warn if antivirus is active
    warn_av_active: true
    # Warn if disk space is limited
    warn_disk_space_threshold: 10737418240  # 10 GB

# Actions run once the archive is complete
post_collection:
  # Optional automatic uploads when a network path is reachable. Any
  # credentials_file referenced here presumably ships with the collector
  # package, so use a write-only, least-privilege identity and rotate it
  # after the case.
  # uploads:
  #   - type: smb
  #     path: "\\\\evidence-server\\ir-collections\\"
  #     credentials_file: "smb-creds.json"
  #
  #   - type: s3
  #     bucket: "ir-evidence-bucket"
  #     region: "us-east-1"
  #     credentials_file: "aws-creds.json"

  # Integrity of the output archive. sha256 is the value to record in the
  # chain-of-custody log; md5 is kept only for tooling that still expects it
  # and should not be relied on alone.
  generate_hash: true
  hash_algorithms:
    - sha256
    - md5

  # Collection report
  generate_report: true
  report_format: html

  cleanup:
    # Delete temp files after collection
    delete_temp_files: true
    # Secure delete collector binary after execution (optional)
    # secure_delete_collector: false

# How the collector is packaged for hand-off to the responder
deployment:
  executable:
    # Embed configuration in binary
    embed_config: true
    # Self-extracting executable
    self_extracting: true
    # Icon file (optional)
    # icon_file: "collector-icon.ico"

    # Code signing (optional but recommended: unsigned self-extracting binaries
    # are commonly flagged by endpoint protection, and a signature lets the
    # receiving team check the collector was not altered in transit). Keep
    # the certificate and its password file out of the package directory.
    # signing:
    #   certificate_file: "code-signing-cert.pfx"
    #   password_file: "cert-password.txt"

  package:
    # Include README with instructions
    include_readme: true
    # Include hash verification file
    include_hashes: true
    # Include deployment script
    # include_deployment_script: true

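# Help text embedded in the collector (shown by --help). This is a literal
# block scalar: backslashes and line breaks are kept verbatim, so Windows
# paths use single backslashes here - a doubled backslash would be printed
# doubled to the user.
usage_instructions: |
  VELOCIRAPTOR OFFLINE COLLECTOR

  This collector gathers forensic artifacts for incident response.
  No network connection or Velociraptor server required.

  REQUIREMENTS:
  - Administrator/root privileges
  - Minimum 5GB free disk space
  - Windows 7/Server 2008 R2 or later

  USAGE:
    collector.exe [OPTIONS]

  OPTIONS:
    --output DIR    Output directory (default: current directory)
    --verbose       Enable verbose logging
    --help          Show this help message

  EXAMPLE:
    # Run with default settings
    collector.exe

    # Specify output directory
    collector.exe --output C:\Evidence\

  OUTPUT:
    Collection results saved to: collection-[hostname]-[timestamp].zip

  IMPORTANT:
  - Preserve chain of custody
  - Document collection time and collector version
  - Securely transfer collection to analysis system
  - Do not run on production systems without approval

  For support: ir-team@company.com
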
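# Sample command derived from this config. It now names every artifact
# enabled in the artifacts section (the earlier version listed only five of
# the ten). The per-artifact parameters set above (CalculateHashes, EvtxGlob,
# DateAfter, PathGlob) are not carried by this command line.
# NOTE(review): as written this invokes `artifacts collect`, which collects on
# the host running the command rather than emitting the standalone collector
# binary described under deployment - confirm the build step against the
# Velociraptor CLI before documenting this as the way to create the collector.
sample_command: |
  velociraptor --config server.config.yaml artifacts collect \
    Generic.Client.Info \
    Windows.System.Pslist \
    Windows.Network.NetstatEnriched \
    Windows.Persistence.PermanentRuns \
    Windows.System.TaskScheduler \
    Windows.System.Services \
    Windows.EventLogs.EvtxHunter \
    Windows.Forensics.Timeline \
    Windows.Forensics.Prefetch \
    Windows.Forensics.USBDevices \
    --output collector.zip \
    --cpu_limit 70 \
    --progress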