Skip to content

Create Generic.Remediation.UploadFile.Glob.yaml#574

Open
Che4ter wants to merge 3 commits intoVelocidex:masterfrom
Che4ter:patch-1
Open

Create Generic.Remediation.UploadFile.Glob.yaml#574
Che4ter wants to merge 3 commits intoVelocidex:masterfrom
Che4ter:patch-1

Conversation

@Che4ter
Copy link
Copy Markdown

@Che4ter Che4ter commented Apr 24, 2023

Create an artifact to upload a file to the target destination. If the target already exists, it will be overridden. The artefact uses the glob, so you can upload the file to multiple locations at once.

@Che4ter
Create Generic.Remediation.UploadFile.Glob.yaml
83fb508 
Create an artifact to upload a file to the target destination. If the target already exists, it will be overridden. 
The artefact uses the glob, so you can upload the file to multiple locations at once.
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Apr 24, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

scudette
scudette reviewed Apr 24, 2023
View reviewed changes
Comment thread content/exchange/artifacts/Generic.Remediation.UploadFile.Glob.yaml Outdated
@Che4ter
Update Generic.Remediation.UploadFile.Glob.yaml
3bfe5ef 
Fix copy past error in the directory exclusion
scudette
scudette reviewed Apr 28, 2023
View reviewed changes
Comment thread content/exchange/artifacts/Generic.Remediation.UploadFile.Glob.yaml Outdated
SELECT OSPath,Overridden,Size,Mtime,Ctime,Btime,IsDir,IsLink
FROM if(condition=ReallyDoIt,
then= upload_targets,
else= { SELECT *, FALSE as Overridden FROM upload_targets } )
Copy link
Copy Markdown
Collaborator

@scudette scudette Apr 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you tested this actually stops it from overriding? I think it might be safer to just use an if() here:

if(condition = ReallyDoIt, then=copy(filename=UploadedFile.FullPath[0], accessor="file", dest=OSPath)) AS Overwritten

Copy link
Copy Markdown
Author

@Che4ter Che4ter May 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it works fine. I used it multiple times during my last engagement. Most of the logic is copied from another artefact: https://docs.velociraptor.app/exchange/artifacts/pages/globremediation/

Copy link
Copy Markdown
Collaborator

@scudette scudette May 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its not really the same as that artifact - you can see in GlobRemediation the bottom query is

SELECT ...
      FROM if(condition=ReallyDoIt,
            then= delete_targets,
            else= { SELECT *, FALSE as Removed FROM targets } )

So depending on the condition it will choose a completely different query - one for delete and one for just showing.

But in this artifact it chooses the same query in both cases, it just replaces the column that removes with FALSE. This generally also works because VQL is generally lazy and wont evaluate a column that got replaced but it is quite fragile and potentially dangerous in this case.

Copy link
Copy Markdown
Author

@Che4ter Che4ter May 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your explanations. I've changed it to an if statement and simplified the query a bit.

@Che4ter
Update Generic.Remediation.UploadFile.Glob.yaml
7c26096 
Fixed unsafe override protection.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scudette scudette scudette left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Che4ter @CLAassistant @scudette