# Remove quarantine of an Endpoint using Velociraptor

Remove quarantine of a Windows or Linux Endpoint using Velociraptor.

Get started with Velociraptor: Video Tutorial
The module is built for the following Asset types:

- Windows
- Linux
- Mount the api.config.yaml file in the DFIR-IRIS docker-compose for both the Worker and the Web-App

```bash
cp api.config.yaml /opt/iris-web/docker/api.config.yaml
nano /opt/iris-web/docker-compose.yml
```
### Web-App

```yaml
  app:
    build:
      context: .
      dockerfile: docker/webApp/Dockerfile
    image: iriswebapp_app:latest
    command: ['nohup', './iris-entrypoint.sh', 'iriswebapp']
    volumes:
      - iris-downloads:/home/iris/downloads
      - user_templates:/home/iris/user_templates
      - server_data:/home/iris/server_data
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
```
### Worker

```yaml
  worker:
    build:
      context: .
      dockerfile: docker/webApp/Dockerfile
    image: iriswebapp_app:latest
    command: ['./wait-for-iriswebapp.sh', 'app:8000', './iris-entrypoint.sh', 'iris-worker']
    volumes:
      - iris-downloads:/home/iris/downloads
      - user_templates:/home/iris/user_templates
      - server_data:/home/iris/server_data
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
```
- Restart the DFIR-IRIS docker-compose

```bash
docker-compose down
docker-compose up -d
```
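As an added pre-flight check (not part of the module's own scripts), the POSIX shell snippet below confirms that both the `app` and `worker` services carry the read-only api.config.yaml mount before the containers are restarted; the compose excerpts it parses are constructed for the example, and it assumes the compose file uses two-space indentation.

```shell
#!/bin/sh
# Added check, not part of the socfortress module: verify that BOTH the app
# and worker services mount api.config.yaml read-only (:ro) before running
# `docker-compose down` / `docker-compose up -d`. Assumes 2-space indentation.
MOUNT='./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro'

# check_api_config_mounts FILE
# prints "ok" and returns 0 when app and worker both carry the :ro mount,
# otherwise prints the services that lack it and returns 1.
check_api_config_mounts() {
  compose_file="$1"
  missing=""
  for svc in app worker; do
    # A line indented by exactly two spaces ending in ':' opens a service block;
    # inside the wanted block, look for the exact mount string.
    found=$(awk -v svc="$svc" -v mount="$MOUNT" '
      /^  [A-Za-z0-9_-]+:[[:space:]]*$/ { cur = $1; sub(/:$/, "", cur); next }
      cur == svc && index($0, mount) > 0 { print "yes"; exit }
    ' "$compose_file" 2>/dev/null)
    [ "$found" = "yes" ] || missing="$missing $svc"
  done
  if [ -n "$missing" ]; then
    echo "api.config.yaml mount missing or not read-only in:$missing"
    return 1
  fi
  echo "ok"
}

# Constructed sample compose files (trimmed to the parts the check needs).
TMP_DIR=$(mktemp -d)
GOOD_COMPOSE="$TMP_DIR/good.yml"
cat > "$GOOD_COMPOSE" <<'EOF'
services:
  app:
    image: iriswebapp_app:latest
    volumes:
      - iris-downloads:/home/iris/downloads
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
  worker:
    image: iriswebapp_app:latest
    volumes:
      - server_data:/home/iris/server_data
      - "./docker/api.config.yaml:/iriswebapp/api.config.yaml:ro"
EOF
# Same file, but the worker mounts the config read-write: must be rejected.
BAD_COMPOSE="$TMP_DIR/bad.yml"
sed '/^  worker:/,$s|api.config.yaml:ro|api.config.yaml:rw|' "$GOOD_COMPOSE" > "$BAD_COMPOSE"

check_api_config_mounts "$GOOD_COMPOSE"          # ok
check_api_config_mounts "$BAD_COMPOSE" || true   # ... in: worker
```

Run it against the real file with `check_api_config_mounts /opt/iris-web/docker-compose.yml` after editing the compose file.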
Currently, the Velociraptor Remove Quarantine module can be run as a DFIR-IRIS Module.

Get started with DFIR-IRIS: Video Tutorial
- Fetch the Velociraptor Remove Quarantine Module repo

```bash
git clone https://github.com/socfortress/iris-veloquarantineremove-module
cd iris-veloquarantineremove-module
```
- Install the module

```bash
./buildnpush2iris.sh -a
```
Once installed, configure the module to include:

- Path to api.config.yaml

To do so:

- Navigate to Advanced -> Modules
- Add a new module
- Input the Module name: `iris_veloquarantineremove_module`
- Configure the module
To run the module, select Case -> Asset and select the dropdown menu.

Currently supports Assets of type: Windows, Linux
If you are experiencing issues, please contact us at [email protected]