socfortress / CoPilot

SOCFortress CoPilot
https://www.socfortress.co
GNU Affero General Public License v3.0

Velociraptor Command Tab Does not Specify Org #259

Closed ccben87 closed 1 week ago

ccben87 commented 1 week ago

Describe the bug

When attempting to run "Command" on an Agent using Velociraptor with "Windows.System.CmdShell", it fails to work with a non-root org. Looking at the logs, it's failing to query the specific org for the agent. Note: other functions, such as "Collect", work fine.

PS Thanks a lot for your fast work on https://github.com/socfortress/CoPilot/commit/b49a45a1be282b72e34dae187ab666561392009b !

To Reproduce

Steps to reproduce the behavior:

  1. Find/enroll agent that is configured against a specific non-root Velociraptor org
  2. Go to the Command tab for the agent.
  3. Choose "Windows.System.CmdShell" and then specify as command "dir C:\"
  4. Observe error that occurs.

Expected behavior

Expected that the results of the command "dir C:\" are returned in CoPilot.

Container Logs

2024-06-28 03:49:47.081 | INFO     | app.connectors.velociraptor.routes.artifacts:run_command:387 - Received request to run command hostname='DESKTOP-<snip>' velociraptor_id=None velociraptor_org=None command='dir C:\\' artifact_name=<CommandArtifactsEnum.windows_cmd: 'Windows.System.CmdShell'>
2024-06-28 03:49:47.081 | INFO     | app.connectors.velociraptor.routes.artifacts:get_all_artifacts_for_hostname:289 - Fetching all artifacts for hostname DESKTOP-<snip>
2024-06-28 03:49:47.082 | INFO     | app.connectors.velociraptor.routes.artifacts:get_os_prefix_from_os_name:88 - Getting OS prefix from OS name microsoft windows 11 enterprise
2024-06-28 03:49:47.082 | INFO     | app.connectors.velociraptor.routes.artifacts:get_os_prefix_from_os_name:91 - OS prefix for OS name microsoft windows 11 enterprise is Windows
2024-06-28 03:49:47.082 | INFO     | app.connectors.velociraptor.routes.artifacts:get_all_artifacts_for_os_prefix:257 - Fetching all artifacts for OS prefix Windows
2024-06-28 03:49:47.082 | INFO     | app.connectors.velociraptor.services.artifacts:get_artifacts:79 - Fetching artifacts from Velociraptor
2024-06-28 03:49:47.082 | INFO     | app.connectors.utils:get_connector_info_from_db:29 - Fetching connector Velociraptor from database
2024-06-28 03:49:47.087 | INFO     | app.connectors.velociraptor.utils.universal:execute_query:175 - Executing query: SELECT name,description FROM artifact_definitions()
2024-06-28 03:49:47.148 | INFO     | app.connectors.velociraptor.routes.artifacts:get_velociraptor_id:109 - Getting velociraptor_id from hostname DESKTOP-<snip>
2024-06-28 03:49:47.150 | INFO     | app.connectors.velociraptor.routes.artifacts:get_velociraptor_id:125 - velociraptor_id for hostname DESKTOP-<snip> is C.<snip>-OMP9G
2024-06-28 03:49:47.150 | INFO     | app.connectors.velociraptor.routes.artifacts:get_velociraptor_org:143 - Getting velociraptor_org from hostname DESKTOP-<snip>
2024-06-28 03:49:47.151 | INFO     | app.connectors.velociraptor.routes.artifacts:get_velociraptor_org:159 - velociraptor_org for hostname DESKTOP-<snip> is OMP9G
2024-06-28 03:49:47.151 | INFO     | app.connectors.utils:get_connector_info_from_db:29 - Fetching connector Velociraptor from database
2024-06-28 03:49:47.156 | INFO     | app.connectors.velociraptor.services.artifacts:run_remote_command:181 - Running remote command on hostname='DESKTOP-<snip>' velociraptor_id='C.<snip>-OMP9G' velociraptor_org='OMP9G' command='dir C:\\' artifact_name='Windows.System.CmdShell'
2024-06-28 03:49:47.156 | INFO     | app.connectors.velociraptor.utils.universal:execute_query:175 - Executing query: SELECT collect_client(org_id='OMP9G', client_id='C.<snip>-OMP9G', urgent=true, artifacts=['Windows.System.CmdShell'], env=dict(Command='dir C:\')) FROM scope()
2024-06-28 03:49:47.168 | INFO     | app.connectors.velociraptor.services.artifacts:run_remote_command:191 - Successfully ran artifact collection on {'success': True, 'message': 'Successfully executed query', 'results': []}
2024-06-28 03:49:47.169 | ERROR    | app.connectors.velociraptor.services.artifacts:run_remote_command:216 - Failed to run artifact collection on hostname='DESKTOP-<snip>' velociraptor_id='C.<snip>-OMP9G' velociraptor_org='OMP9G' command='dir C:\\' artifact_name='Windows.System.CmdShell': list index out of range
2024-06-28 03:49:47.169 | ERROR    | app.db.db_session:get_db_session:185 - Error during DB session:
2024-06-28 03:49:47.169 | INFO     | app.db.db_session:get_db_session:189 - Closing DB session

2024-06-28 03:49:47.081 | INFO | app.connectors.velociraptor.routes.artifacts:run_command:387 - Received request to run command hostname='<snip>' velociraptor_id=None velociraptor_org=None command='dir C:\\' artifact_name=<CommandArtifactsEnum.windows_cmd: 'Windows.System.CmdShell'>

Here it is not picking up the velociraptor_org which is "None".

2024-06-28 03:49:47.151 | INFO | app.connectors.velociraptor.routes.artifacts:get_velociraptor_org:159 - velociraptor_org for hostname DESKTOP-<snip> is OMP9G

Here it incorrectly retrieves the Velociraptor org name as a subset of the velociraptor_id; namely, it retrieves the very end of the velociraptor_id, which ends in "-OMP9G", which is not the Velociraptor org. This is odd.

2024-06-28 03:49:47.169 | ERROR | app.connectors.velociraptor.services.artifacts:run_remote_command:216 - Failed to run artifact collection on hostname='DESKTOP-<snip>' velociraptor_id='C.<snip>-OMP9G' velociraptor_org='OMP9G' command='dir C:\\' artifact_name='Windows.System.CmdShell': list index out of range

Must get an empty return because it wasn't executed correctly. This is probably something which can be disregarded because if the query executed against the right org then this error shouldn't happen.
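Two checks a maintainer could run over the container logs quoted above, as an added example that is not part of this issue or of CoPilot's own code: whether the org_id sent in the collect_client() query matches the org resolved for the host, and handling of an empty results list instead of indexing it (the "list index out of range" in the report). The three log lines are copied from the report with the same snipped values; the log-line formats and the response dict shape are assumed from what the logs show.

```python
import ast
import re
from typing import Optional

# Constructed sample: three lines copied from the container logs in this issue (hostnames and
# client ids snipped as in the report; raw strings keep the backslashes exactly as logged).
RESOLVED_LINE = r"2024-06-28 03:49:47.156 | INFO     | app.connectors.velociraptor.services.artifacts:run_remote_command:181 - Running remote command on hostname='DESKTOP-<snip>' velociraptor_id='C.<snip>-OMP9G' velociraptor_org='OMP9G' command='dir C:\\' artifact_name='Windows.System.CmdShell'"
QUERY_LINE = r"2024-06-28 03:49:47.156 | INFO     | app.connectors.velociraptor.utils.universal:execute_query:175 - Executing query: SELECT collect_client(org_id='OMP9G', client_id='C.<snip>-OMP9G', urgent=true, artifacts=['Windows.System.CmdShell'], env=dict(Command='dir C:\')) FROM scope()"
RESULT_LINE = "2024-06-28 03:49:47.168 | INFO     | app.connectors.velociraptor.services.artifacts:run_remote_command:191 - Successfully ran artifact collection on {'success': True, 'message': 'Successfully executed query', 'results': []}"

# key='value' pairs as the logger prints them; a backslash-escaped character may appear inside a value.
KV_RE = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")


def parse_kv(line: str) -> dict:
    """Return the key='value' pairs found on one log line."""
    return {k: v for k, v in KV_RE.findall(line)}


def query_org_id(line: str) -> Optional[str]:
    """The org_id argument of the collect_client() call on an execute_query line, if present."""
    m = re.search(r"collect_client\(.*?org_id='([^']*)'", line)
    return m.group(1) if m else None


def orgs_consistent(resolved_line: str, query_line: str) -> bool:
    """True when the org resolved for the host is the org_id actually sent to Velociraptor.
    A missing org or a mismatch means the query would be run against the wrong org."""
    resolved = parse_kv(resolved_line).get("velociraptor_org")
    return resolved is not None and resolved == query_org_id(query_line)


def parse_response(result_line: str) -> dict:
    """Recover the {'success': ..., 'results': [...]} dict the service logged after the query."""
    marker = "Successfully ran artifact collection on "
    return ast.literal_eval(result_line.split(marker, 1)[1])


def first_result_or_error(response: dict) -> tuple:
    """Return (first_row, None) or (None, reason) instead of indexing results[0] blindly."""
    if not response.get("success"):
        return None, f"query failed: {response.get('message')}"
    results = response.get("results") or []
    if not results:
        return None, "collect_client() returned no rows; check org_id, client_id and the artifact parameters before treating this as success"
    return results[0], None


if __name__ == "__main__":
    print(orgs_consistent(RESOLVED_LINE, QUERY_LINE), first_result_or_error(parse_response(RESULT_LINE)))
```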

ccben87 commented 1 week ago

My mistake, none of the info in this report is correct. Same result happens if executed directly in Velociraptor. Apparently Velociraptor doesn't like that particular command.

PS Thanks for sorting out Velociraptor orgs!

taylorwalton commented 1 week ago

Sorry, is there an issue here, or was it just the command you were using that was incorrect, so we can close this issue out?

ccben87 commented 1 week ago

I thought I had closed this with my last comment. My bug report is all wrong. Please disregard.