def run(config, queue, event, columns):
# Fill in the SSL params from the api_client config file. You can get such a file:
# velociraptor --config server.config.yaml config api_client > api_client.conf.yaml
creds = grpc.ssl_channel_credentials(
root_certificates=config["ca_certificate"].encode("utf8"),
private_key=config["client_private_key"].encode("utf8"),
certificate_chain=config["client_cert"].encode("utf8"))
# This option is required to connect to the grpc server by IP - we
# use self signed certs.
options = ((
'grpc.ssl_target_name_override',
"VelociraptorServer",
), )
# The first step is to open a gRPC channel to the server..
with grpc.secure_channel(config["api_connection_string"], creds,
options) as channel:
stub = api_pb2_grpc.APIStub(channel)
# The request consists of one or more VQL queries. Note that
# you can collect artifacts by simply naming them using the
# "Artifact" plugin.
request = api_pb2.VQLResponse(Response=event,
Columns=columns,
Query=api_pb2.VQLRequest(Name=queue))
err = stub.WriteEvent(request)
print(err)
def run(config, query, env_dict):
# Fill in the SSL params from the api_client config file. You can get such a file:
# velociraptor --config server.config.yaml config api_client > api_client.conf.yaml
creds = grpc.ssl_channel_credentials(
root_certificates=config["ca_certificate"].encode("utf8"),
private_key=config["client_private_key"].encode("utf8"),
certificate_chain=config["client_cert"].encode("utf8"))
# This option is required to connect to the grpc server by IP - we
# use self signed certs.
options = (('grpc.ssl_target_name_override', "VelociraptorServer",),)
env = []
for k, v in env_dict.items():
env.append(dict(key=k, value=v))
# The first step is to open a gRPC channel to the server..
with grpc.secure_channel(config["api_connection_string"],
creds, options) as channel:
stub = api_pb2_grpc.APIStub(channel)
# The request consists of one or more VQL queries. Note that
# you can collect artifacts by simply naming them using the
# "Artifact" plugin.
request = api_pb2.VQLCollectorArgs(
max_wait=1,
max_row=100,
Query=[api_pb2.VQLRequest(
Name="Test",
VQL=query,
)],
env=env,
)
# This will block as responses are streamed from the
# server. If the query is an event query we will run this loop
# forever.
for response in stub.Query(request):
if response.Response:
# Each response represents a list of rows. The columns
# are provided in their own field as an array, to
# ensure column order is preserved if required. If you
# dont care about column order just ignore the Columns
# field. Note that although JSON does not specify the
# order of keys in a dict Velociraptor always
# maintains this order so an alternative to the
# Columns field is to use a JSON parser that preserves
# field ordering.
# print("Columns %s:" % response.Columns)
# The actual payload is a list of dicts. Each dict has
# column names as keys and arbitrary (possibly nested)
# values.
package = json.loads(response.Response)
print (package)
elif response.log:
# Query execution logs are sent in their own messages.
print ("%s: %s" % (time.ctime(response.timestamp / 1000000), response.log))
def DataFrameQuery(query, timeout=600, config=None, **kw):
if config is None:
config = pyvelociraptor.LoadConfigFile()
creds = grpc.ssl_channel_credentials(
root_certificates=config["ca_certificate"].encode("utf8"),
private_key=config["client_private_key"].encode("utf8"),
certificate_chain=config["client_cert"].encode("utf8"))
# This option is required to connect to the grpc server by IP - we
# use self signed certs.
options = ((
'grpc.ssl_target_name_override',
"VelociraptorServer",
), )
# The first step is to open a gRPC channel to the server..
with grpc.secure_channel(config["api_connection_string"], creds,
options) as channel:
stub = api_pb2_grpc.APIStub(channel)
# The request consists of one or more VQL queries. Note that
# you can collect server artifacts by simply naming them using the
# "Artifact" plugin (i.e. `SELECT * FROM Artifact.Server.Hunts.List()` )
request = api_pb2.VQLCollectorArgs(
max_wait=1,
env=[api_pb2.VQLEnv(key=k, value=v) for k, v in kw.items()],
Query=[api_pb2.VQLRequest(
Name="Query",
VQL=query,
)])
result = {}
for response in stub.Query(request):
if not response.Response:
continue
for row in json.loads(response.Response):
for c in response.Columns:
result.setdefault(c, []).append(row.get(c))
return result
def run(config, vfs_path):
# Fill in the SSL params from the api_client config file. You can get such a file:
# velociraptor --config server.config.yaml config api_client > api_client.conf.yaml
creds = grpc.ssl_channel_credentials(
root_certificates=config["ca_certificate"].encode("utf8"),
private_key=config["client_private_key"].encode("utf8"),
certificate_chain=config["client_cert"].encode("utf8"))
# This option is required to connect to the grpc server by IP - we
# use self signed certs.
options = ((
'grpc.ssl_target_name_override',
"VelociraptorServer",
), )
# The first step is to open a gRPC channel to the server..
with grpc.secure_channel(config["api_connection_string"], creds,
options) as channel:
stub = api_pb2_grpc.APIStub(channel)
# The request consists of one or more VQL queries. Note that
# you can collect artifacts by simply naming them using the
# "Artifact" plugin.
offset = 0
while 1:
request = api_pb2.VFSFileBuffer(
vfs_path=vfs_path,
# For demonstration we set a small buffer but you
# should use a larger one in practice.
length=1024,
offset=offset,
)
res = stub.VFSGetBuffer(request)
if len(res.data) == 0:
break
sys.stdout.buffer.write(res.data)
offset += len(res.data)
def run(self):
Responder.run(self)
creds = grpc.ssl_channel_credentials(
root_certificates=self.config["ca_certificate"].encode("utf8"),
private_key=self.config["client_private_key"].encode("utf8"),
certificate_chain=self.config["client_cert"].encode("utf8"))
options = ((
'grpc.ssl_target_name_override',
"VelociraptorServer",
), )
with grpc.secure_channel(self.config["api_connection_string"], creds,
options) as channel:
stub = api_pb2_grpc.APIStub(channel)
if self.observable_type == "ip":
client_query = "select client_id from clients() where last_ip =~ '" + self.observable + "'"
elif re.search(r'fqdn|other', self.observable_type):
client_query = "select client_id from clients(search='host:" + self.observable + "')"
else:
self.report({'message': "Not a valid data type!"})
return
# Send initial request
client_request = api_pb2.VQLCollectorArgs(
max_wait=1,
Query=[
api_pb2.VQLRequest(
Name="TheHive-ClientQuery",
VQL=client_query,
)
])
for client_response in stub.Query(client_request):
try:
client_results = json.loads(client_response.Response)
global client_id
client_id = client_results[0]['client_id']
except:
self.report(
{'message': 'Could not find a suitable client.'})
pass
# Define initial query
init_query = "SELECT collect_client(client_id='" + client_id + "',artifacts=['" + self.artifact + "']) FROM scope()"
# Send initial request
request = api_pb2.VQLCollectorArgs(max_wait=1,
Query=[
api_pb2.VQLRequest(
Name="TheHive-Query",
VQL=init_query,
)
])
for response in stub.Query(request):
try:
init_results = json.loads(response.Response)
flow = list(init_results[0].values())[0]
self.report({'message': init_results})
# Define second query
flow_query = "SELECT * from flows(client_id='" + str(
flow['request']['client_id']) + "', flow_id='" + str(
flow['flow_id']) + "')"
state = 0
# Check to see if the flow has completed
while (state == 0):
followup_request = api_pb2.VQLCollectorArgs(
max_wait=1,
Query=[
api_pb2.VQLRequest(
Name="TheHive-QueryForFlow",
VQL=flow_query,
)
])
for followup_response in stub.Query(followup_request):
try:
flow_results = json.loads(
followup_response.Response)
except:
pass
state = flow_results[0]['state']
if state == 1:
time.sleep(5)
break
# Grab the source from the artifact
source_query = "SELECT * from source(client_id='" + str(
flow['request']['client_id']) + "', flow_id='" + str(
flow['flow_id']
) + "', artifact='" + self.artifact + "')"
source_request = api_pb2.VQLCollectorArgs(
max_wait=1,
Query=[
api_pb2.VQLRequest(
Name="TheHive-SourceQuery",
VQL=source_query,
)
])
source_results = []
for source_response in stub.Query(source_request):
try:
source_result = json.loads(
source_response.Response)
source_results += source_result
self.report({'message': source_results})
except:
pass
except:
pass