NextronSystems / velociraptor-artifacts-thor

Thor Artifacts for Velociraptor
MIT License

ThorZIP: executable file not found in %PATH% #7

Open simonstegard opened 1 week ago

simonstegard commented 1 week ago

I'm trying to run Generic.Scanner.ThorZIP but it's not working. I have uploaded the zip using ThorZIP tool, I tried both zip with included license and unmodified zip downloaded directly from website, but same problem.

{"client_time":1731337531,"level":"INFO","message":"Starting query execution for Generic.Scanner.ThorZIP/ThorExec.\n"}
{"client_time":1731337531,"level":"DEFAULT","message":"tempfile: removing tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp391399109\n"}
{"client_time":1731337531,"level":"DEFAULT","message":"tempfile: removed tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp391399109\n"}
{"client_time":1731337532,"level":"DEFAULT","message":"Sleeping 7 Seconds\n"}
{"client_time":1731337539,"level":"DEFAULT","message":"URL for thor10.7lite-win-pack_nolic.zip is at https://xxx.azurewebsites.net/file/thor10.7lite-win-pack_nolic.zip and has hash of c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}
{"client_time":1731337539,"level":"DEFAULT","message":"Fetching https://xxx.azurewebsites.net/file/thor10.7lite-win-pack_nolic.zip\n"}
{"client_time":1731337539,"level":"DEFAULT","message":"http_client: Downloading https://xxx.azurewebsites.net/file/thor10.7lite-win-pack_nolic.zip into C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp\n"}
{"client_time":1731337542,"level":"DEFAULT","message":"downloaded hash of C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp: c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c, expected c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}
{"client_time":1731337542,"level":"DEFAULT","message":"copy: Copying file from C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp into C:\\Program Files\\Velociraptor\\Tools\\thor10.7lite-win-pack_nolic.zip\n"}
{"client_time":1731337543,"level":"DEFAULT","message":"tempfile: removing tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp\n"}
{"client_time":1731337543,"level":"DEFAULT","message":"tempfile: removed tempfile C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp\n"}
{"client_time":1731337543,"level":"DEFAULT","message":"Adding global destructor for C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: Running external command [[C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\\thor64-lite.exe --json -e C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095] []]\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: exec: \"[C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095\\\\thor64-lite.exe --json -e C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095]\": executable file not found in %PATH%\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"Generic.Scanner.ThorZIP/ThorExec: Time 0: Generic.Scanner.ThorZIP/ThorExec: Sending response part 0 3 B (1 rows)."}
{"client_time":1731337544,"level":"DEFAULT","message":"read_file: Field filename Expecting a path arg type, not types.Null\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"Generic.Scanner.ThorZIP/ThorExec: Time 0: Generic.Scanner.ThorZIP/ThorResultsJson: Sending response part 0 12 B (1 rows)."}
{"client_time":1731337544,"level":"INFO","message":"Collection Generic.Scanner.ThorZIP/ThorExec is done after 13.4206963s\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"tempfile: removing tempfile C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"tempfile: removed tempfile C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"RemoveDirectory: removing tempdir C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337545,"level":"DEFAULT","message":"RemoveDirectory: removed tempdir C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337545,"level":"DEBUG","message":"Query Stats: {\"RowsScanned\":3061,\"PluginsCalled\":18,\"FunctionsCalled\":9,\"ProtocolSearch\":459,\"ScopeCopy\":6167}\n"}
Neo23x0 commented 1 week ago

Could you send us a screenshot of the directory structure inside of that ZIP file? The binary is probably just inside of a sub folder instead of the root folder.

simonstegard commented 1 week ago

Hi! Here is a screenshot of the zip file

(screenshot of the ZIP file's directory structure)

Neo23x0 commented 1 week ago

The structure looks okay.

As you can see the problem is that it doesn't find the executable after the extraction

{"client_time":1731337543,"level":"DEFAULT","message":"Adding global destructor for C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\n"}
{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: Running external command [[C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095\\thor64-lite.exe --json -e C:\\Program Files\\Velociraptor\\Tools\\tmp3319932095] []]\n"}
{"client_time":1731337544,"level":"DEFAULT","message":"execve: exec: \"[C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095\\\\thor64-lite.exe --json -e C:\\\\Program Files\\\\Velociraptor\\\\Tools\\\\tmp3319932095]\": executable file not found in %PATH%\n"}

It could be caused by:

simonstegard commented 1 week ago

Hi!

Thanks, I checked and there's nothing blocked by EDR; when we run ThorLite by itself it works. I have 17 GB of hard drive space left. The zip file is downloaded correctly to C:\Program Files\Velociraptor\Tools, and the hash also seems to be correct:

{"client_time":1731337542,"level":"DEFAULT","message":"downloaded hash of C:\\Program Files\\Velociraptor\\Tools\\tmp1158147984.tmp: c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c, expected c1a306af9e9162d14d52374e188a8dc20005752e6c5b580e8316f2323ce7591c\n"}

Neo23x0 commented 1 week ago

Do you have an idea what this message means?

{"client_time":1731337543,"level":"WARN","message":"Materialize of LET Unzip: Expand larger than 1000 rows, VQL will switch to tempfile backing on C:\\Program Files\\Velociraptor\\Tools\\VQL_Unzip_.jsonl1648725754 which will be much slower.\n"}

when we run ThorLite by itself it works.

It means something but not everything, because an EDR could behave differently when something runs in the SYSTEM context and in different folders.

Neo23x0 commented 1 week ago

Could you verify the SHA256 hash of the ZIP file before you upload it to the Azure storage?
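The two checks raised in this thread, that the binary is at the root of the ZIP rather than in a sub folder and that the SHA256 of the package matches what the server expects, can be run locally before the ZIP is uploaded to the tool storage. The script below is an added example and is not code from NextronSystems/velociraptor-artifacts-thor or from Velociraptor; the executable name `thor64-lite.exe` is taken from the `execve` log line above, and the sample archives, file contents and expected hash are constructed for the demo.

```python
"""Pre-flight check for a THOR ZIP before uploading it as a Velociraptor tool.

Added example, not part of the velociraptor-artifacts-thor project.
It reports the SHA256 of the archive and whether the expected executable
sits at the archive root (what the artifact's execve call assumes) or only
inside a sub folder.
"""
import hashlib
import io
import posixpath
import sys
import zipfile
from typing import Optional

# Assumption: this is the binary the artifact runs (name taken from the log).
EXECUTABLE = "thor64-lite.exe"


def sha256_hex(data: bytes) -> str:
    """SHA256 of the whole archive, as the Velociraptor tool definition expects."""
    return hashlib.sha256(data).hexdigest()


def check_thor_zip(data: bytes, expected_sha256: Optional[str] = None,
                   executable: str = EXECUTABLE) -> dict:
    """Return a report with the hash, hash match, executable locations and problems."""
    digest = sha256_hex(data)
    report = {
        "sha256": digest,
        "hash_ok": None if expected_sha256 is None else digest.lower() == expected_sha256.lower(),
        "executable_paths": [],
        "executable_at_root": False,
        "problems": [],
    }
    if report["hash_ok"] is False:
        report["problems"].append("hash mismatch")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["problems"].append("not a valid zip")
        return report
    with zf:
        # Directory entries end with "/"; only look at real files.
        names = [n for n in zf.namelist() if not n.endswith("/")]
        # Some Windows archivers write backslashes, so normalise before comparing.
        matches = [n for n in names
                   if posixpath.basename(n.replace("\\", "/")).lower() == executable.lower()]
    report["executable_paths"] = matches
    # At root means the entry name has no directory component at all.
    report["executable_at_root"] = any("/" not in n and "\\" not in n for n in matches)
    if not matches:
        report["problems"].append(f"{executable} missing from archive")
    elif not report["executable_at_root"]:
        report["problems"].append(f"{executable} only found inside a sub folder: {matches}")
    return report


def build_sample_zip(root_layout: bool) -> bytes:
    """Constructed sample archive with placeholder files, not a real THOR package."""
    prefix = "" if root_layout else "thor10.7lite-win-pack/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(prefix + "thor64-lite.exe", b"MZ placeholder, not a real binary")
        zf.writestr(prefix + "signatures/readme.txt", b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_thor_zip.py <path-to-zip> [expected-sha256]
    if len(sys.argv) >= 2:
        with open(sys.argv[1], "rb") as fh:
            payload = fh.read()
        expected = sys.argv[2] if len(sys.argv) > 2 else None
    else:
        payload, expected = build_sample_zip(root_layout=False), None
    for key, value in check_thor_zip(payload, expected).items():
        print(f"{key}: {value}")
```

Run it against the real ZIP with the hash shown in the server's tool definition as the second argument; an empty `problems` list means both the layout and the hash are what the artifact expects. One further detail worth noting from the `execve: exec:` log line above: the name that was looked up in %PATH% is the whole bracketed command line, not just the path to `thor64-lite.exe`, which is consistent with the command having reached `execve` as a single string rather than as separate argv elements, so a root-level binary alone may not be the complete explanation.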