Help Installing Velociraptor!

TheITGuy69
New Contributor III

Can someone with more experience assist me in creating a package with Composer to install Velociraptor?

 

Here is the information I was provided; it is the only thing I was given, plus the client.config.yaml file.

 

Due to restrictions with Mac OS, a binary with a custom configuration file bundled is unable to be compiled. For this reason, the install requires specifying a config file when launching the agent.

The service install directive can be used to install the agent on Mac client. The following command installs binary & config to /usr/local/sbin.

• <velociraptor_file> --config client.config.yaml service install

Note: The “client.config.yaml” file will be provided by Stroz Friedberg and included in the upload portal.

The service can be uninstalled with the following command:

• /usr/local/sbin/velociraptor service remove --config=/usr/local/sbin/velociraptor.config.yaml

• Confirm with ps -eaf | grep velo and sudo launchctl list | grep velo

 

 

I am assuming I need to start Composer, put the client.config.yaml file in a shared folder, drag it into Composer,

then run a post-install script to run <velociraptor_file> --config client.config.yaml service install

 

The website has a slightly different script to run:

https://docs.velociraptor.app/docs/deployment/clients/

 

Mac

The service install directive can be used to install Velociraptor on Mac client. The following command installs binary & config to /usr/local/sbin. Persistence is via launchd (check with ps -eaf | grep velo and sudo launchctl list | grep velo)

# velociraptor --config client.config.yaml service install

The service can be uninstalled with the following command:

# /usr/local/sbin/velociraptor service remove --config=/usr/local/sbin/velociraptor.config.yaml

Confirm with ps -eaf | grep velo and sudo launchctl list | grep velo.

 

I am unsure if there is a package I should be adding, but I cannot find one on GitHub to download and add to the package.

 

1 ACCEPTED SOLUTION

TheITGuy69
New Contributor III

The only way we could install it was to lower the security and allow applications downloaded from anywhere.



Ruthlewis
New Contributor

To install the Velociraptor server to a new version, simply download the latest release binary from the GitHub Release Page and regenerate a new Debian package as described above, but using the existing configuration file. It's a fully functional Velociraptor system that is deployed only to your local machine. Just download the Velociraptor executable for your platform from the GitHub project's releases page and run the gui command. The gui command automatically creates new server and client configuration files.

TheITGuy69
New Contributor III

What I am trying to do is install the client on my Macs, and the documentation out there is very minimal. Plus it's not signed, so it doesn't silently install. That's what I need help with.


auser
New Contributor III

Hi, I am embarking on this install now. Can you please share in more detail the steps you took to install via Jamf? Thanks.

TheITGuy69
New Contributor III

So I'm not saying my way is the "correct" way to do it, but this is how I accomplished this.

On the device I have Composer on, I downloaded both installers (Intel and Apple Silicon) and put them in the /Users/Shared folder with the YAML file, and I created a .pkg with Composer.

Make sure you set the permissions for the top folder and subfolders as:

Owner: root (0)

Group: wheel (0)

 

Create a post-install script: sudo <path to binary> --config <path to yaml file> service install

Also add

sudo chmod -R 755 /usr/local/sbin (this is because it doesn't apply the correct permissions to the folder it installs VR in).

Create 2 packages, 1 for Intel and 1 for Apple Silicon, and then create 2 policies to run them.

Create an extension attribute to see if it's running:

#!/bin/sh
# Jamf extension attribute: reports whether the Velociraptor launchd job is loaded.
# Jamf runs extension attributes as root, so the sudo is not strictly needed;
# it is kept so the script behaves the same when run by hand.

agentloaded=$(sudo launchctl list | grep com.velocidex.velociraptor)

# if the string is not empty, the job is registered with launchd
if [ -n "${agentloaded}" ]; then
    echo "<result>Loaded</result>"
else
    echo "<result>not loaded or installed</result>"
fi

 

Then create 2 smart groups (Intel and Apple Silicon) to show which devices are not running VR, and scope them to the policies you created.

Make sure you run a recon after install so that it populates the extension attribute to show it's running, or you can set your policy to run once; up to you.

 

Hope this helps. Also, from what I posted above, you will need to lower your Gatekeeper setting to install silently. I created a 2nd Configuration Profile and applied my smart groups to them: if they showed as not running VR, they got the CP with Gatekeeper off; once showing VR running, they got put back in the original CP with Gatekeeper on.
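The Jamf workflow above, as an added example that is not code from this thread or from the Velociraptor project: one Composer postinstall script that picks the Intel or Apple Silicon binary at install time, so a single package and policy can replace the two-package setup, and that verifies the launchd job the same way the extension attribute does before reporting success. It assumes a staging layout that the thread does not state (/Users/Shared/velociraptor holding velociraptor-amd64, velociraptor-arm64 and client.config.yaml; adjust STAGE_DIR and the file names to match your package). The xattr step is an assumption too: it treats the com.apple.quarantine attribute on the downloaded binary as the reason Gatekeeper blocked the silent install, and clears it on the staged file instead of lowering Gatekeeper for the whole fleet.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Velociraptor project:
# one Composer postinstall script that installs the Velociraptor client on
# both Intel and Apple Silicon Macs from a single package.
#
# Assumed payload layout (not stated in the thread):
#   /Users/Shared/velociraptor/velociraptor-amd64      Intel build
#   /Users/Shared/velociraptor/velociraptor-arm64      Apple Silicon build
#   /Users/Shared/velociraptor/client.config.yaml      client config
set -eu

STAGE_DIR="${STAGE_DIR:-/Users/Shared/velociraptor}"
CONFIG="${STAGE_DIR}/client.config.yaml"
# launchd label the thread's extension attribute greps for
LABEL="com.velocidex.velociraptor"

# Map a `uname -m` value to the staged binary. Prints the path; returns 1
# for an architecture the package carries no build for.
select_binary() {
    arch="$1"
    dir="$2"
    case "$arch" in
        x86_64) echo "${dir}/velociraptor-amd64" ;;
        arm64)  echo "${dir}/velociraptor-arm64" ;;
        *)      return 1 ;;
    esac
}

# Given the text of `launchctl list` (PID, status, label per line), return 0
# only when a job whose label is exactly $LABEL is present. Matching the
# whole label rather than grepping for "velo" keeps a stray process or a
# similarly named job from being counted as the agent.
agent_loaded() {
    printf '%s\n' "$1" | awk -v want="$LABEL" '$3 == want { found = 1 } END { exit !found }'
}

install_agent() {
    machine="$(uname -m)"
    bin="$(select_binary "$machine" "$STAGE_DIR")" || {
        echo "no Velociraptor build for architecture $machine" >&2
        return 1
    }

    # Assumption: the binary was fetched with a browser, so it carries the
    # com.apple.quarantine attribute and Composer preserved it in the payload.
    # Clearing it on the staged file is an alternative to the "allow apps
    # from anywhere" profile the thread settled on.
    xattr -d com.apple.quarantine "$bin" 2>/dev/null || true
    chmod 755 "$bin"

    # Same command as the vendor instructions; `service install` copies the
    # binary and config to /usr/local/sbin and registers the launchd job.
    "$bin" --config "$CONFIG" service install

    # The thread reports the install directory ends up with the wrong mode.
    # Fix the directory and the installed binary (paths from the docs'
    # uninstall command) rather than chmod -R over all of /usr/local/sbin.
    chmod 755 /usr/local/sbin /usr/local/sbin/velociraptor

    # Verify the way the extension attribute does, and fail the package so
    # Jamf records the failure instead of a silent success.
    if agent_loaded "$(launchctl list)"; then
        echo "Velociraptor agent loaded as $LABEL"
    else
        echo "Velociraptor agent did not load; check /usr/local/sbin and launchd" >&2
        return 1
    fi
}

# Only perform the install on macOS with the payload present; elsewhere the
# script just defines the functions above so they can be exercised.
if [ "$(uname -s)" = "Darwin" ] && [ -f "$CONFIG" ]; then
    install_agent
fi
```

Drop this in as the package's postinstall script in Composer and it runs as root at install time; `set -eu` makes any failed step (unsupported architecture, `service install` erroring, job not loaded) fail the package so the policy log shows it, which is what the smart group and extension attribute then pick up.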