socfortress/iris-veloquarantineremove-module

Velociraptor Remove Quarantine Module

Remove quarantine of an Endpoint using Velociraptor.

License: MIT

Velociraptor Remove Quarantine

SOCFortress provided DFIR-IRIS module.
Contact SOCFortress »

Intro

Remove quarantine of a Windows or Linux Endpoint using Velociraptor

Get started with Velociraptor: Video Tutorial

The module supports the following asset types:

  • Windows
  • Linux

Configuration

Mount api.config.yaml

  1. Mount the api.config.yaml file in DFIR-IRIS docker-compose for both Worker and Web-App
    • cp api.config.yaml /opt/iris-web/docker/api.config.yaml
    • nano /opt/iris-web/docker-compose.yml

Web-App

app:
    build:
      context: .
      dockerfile: docker/webApp/Dockerfile
    image: iriswebapp_app:latest
    command: ['nohup', './iris-entrypoint.sh', 'iriswebapp']
    volumes:
      - iris-downloads:/home/iris/downloads
      - user_templates:/home/iris/user_templates
      - server_data:/home/iris/server_data
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"

Worker

worker:
    build:
      context: .
      dockerfile: docker/webApp/Dockerfile
    image: iriswebapp_app:latest
    command: ['./wait-for-iriswebapp.sh', 'app:8000', './iris-entrypoint.sh', 'iris-worker']
    volumes:
      - iris-downloads:/home/iris/downloads
      - user_templates:/home/iris/user_templates
      - server_data:/home/iris/server_data
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
  2. Restart the DFIR-IRIS docker-compose
    • docker-compose down
    • docker-compose up -d
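As an added check for the mount procedure above (example code, not part of the SOCFortress module), the script below verifies that both the app and worker services mount api.config.yaml read-only before the stack is restarted. It assumes the usual compose layout (service names at column 0 or two spaces under services:), and the compose file it reads is constructed inline, deliberately leaving the worker mount out.

```shell
#!/bin/sh
# Added example (not part of the SOCFortress module): verify that a
# docker-compose.yml mounts api.config.yaml read-only into BOTH the
# DFIR-IRIS "app" and "worker" services before restarting the stack.
# Assumes service names sit at column 0 or two spaces under "services:".
MOUNT='./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro'

# has_mount FILE SERVICE -> exit 0 if SERVICE's volumes contain $MOUNT
has_mount() {
  awk -v svc="$2" -v want="$MOUNT" '
    # A "name:" line at column 0 or 2 starts a new top-level/service block.
    /^(  )?[A-Za-z0-9_-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
    cur == svc && /^[ \t]*-[ \t]/ {
      v = $0
      sub(/^[ \t]*-[ \t]*/, "", v)          # drop the list marker
      sub(/[ \t]+$/, "", v)                 # drop trailing blanks
      sub(/^"/, "", v); sub(/"$/, "", v)    # drop optional quotes
      if (v == want) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# check_compose FILE -> reports each service; exit 1 if any mount is absent
check_compose() {
  rc=0
  for svc in app worker; do
    if has_mount "$1" "$svc"; then
      echo "ok: service '$svc' mounts api.config.yaml read-only"
    else
      echo "MISSING: service '$svc' lacks the read-only api.config.yaml mount" >&2
      rc=1
    fi
  done
  return $rc
}
# Constructed sample compose file: the worker is missing the mount.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
services:
  app:
    volumes:
      - iris-downloads:/home/iris/downloads
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
  worker:
    volumes:
      - iris-downloads:/home/iris/downloads
EOF
if check_compose "$SAMPLE"; then echo "ready"; else echo "fix the mount(s) first"; fi
```

Point it at /opt/iris-web/docker-compose.yml instead of the sample to check a real deployment; a missing mount on either service means that container will start without the module's API configuration.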

Install

Currently, the Velociraptor Remove Quarantine module can be run as a DFIR-IRIS module.

Get started with DFIR-IRIS: Video Tutorial

The steps below assume that you already have your own DFIR-IRIS application up and running.

  1. Fetch the Velociraptor Remove Quarantine Module Repo
    git clone https://github.com/socfortress/iris-veloquarantineremove-module
    cd iris-veloquarantineremove-module
    
  2. Install the module
    ./buildnpush2iris.sh -a
    

Configuration

Once installed, configure the module with:

  • Path to api.config.yaml

  1. Navigate to Advanced -> Modules
  2. Add a new module
  3. Input the module name: iris_veloquarantineremove_module
  4. Configure the module
Running the Module

To run the module, open Case -> Asset and select the module from the dropdown menu.

Currently supports assets of type Windows and Linux.

Once the module has run, the device is no longer quarantined.

Issues?

If you are experiencing issues, please contact us at [email protected]