Create Docker.Image.Export.yaml (Velocidex#962)
DoppioRistretto authored Dec 9, 2024
1 parent 28dc8ca commit 8385c1f
Showing 1 changed file with 33 additions and 0 deletions.
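--- a/content/exchange/artifacts/Docker.Image.Export.yaml
+++ b/content/exchange/artifacts/Docker.Image.Export.yaml
@@ -0,0 +1,33 @@
+name: Docker.Image.Export
+author: Brady Semm - @btsemm / DoppioRistretto
+description: |
+Uses the Docker UNIX socket to export a Docker image to a
+tempfile and upload to Velociraptor.
+Analysis Tips:
+- https://jellyparks.com/posts/compromised-container-analysis-primer/
+#docker
+parameters:
+- name: dockerSocket
+description: |
+Docker server socket. You will normally need to be root to connect.
+default: /var/run/docker.sock
+- name: ImageNameOrID
+description: |
+Docker Image name or ID to export. Can include tag (eg. "image:latest")
+default: empty
+
+sources:
+- precondition: |
+SELECT OS From info() where OS = 'darwin' OR OS = 'linux'
+query: |
+LET EncodedImageNameOrID = regex_replace(source=ImageNameOrID, replace_lambda="x=>format(format='%%%02x',args=x)", re="[^a-z0-9\\-_.~?]")
+LET docker_api_path = format(format="%v:unix/images/%v/get", args=[dockerSocket, EncodedImageNameOrID])
+LET response <= SELECT Content FROM http_client(url=docker_api_path, tempfile_extension=".tar", remove_last=true)
+SELECT upload(file=response.Content) from scope()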
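Review bot: The allow-list in the `EncodedImageNameOrID` regex passes `?` through unencoded, so a value such as `name?param` is spliced into `docker_api_path` as a query string to the Docker API rather than being sent as part of the image reference; `?` is not valid in an image name or tag, so dropping it from the class — `re="[^a-z0-9\\-_.~]"` — loses nothing. The `%%%02x` replacement also appears to emit the hex of the whole match in a single `%` escape, which would mis-encode any multi-byte UTF-8 character (one `%xxxx` instead of one `%xx` per byte); if non-ASCII references are possible here, confirm how `format` handles a multi-byte string and encode per byte if needed. Separately, `default: empty` on `ImageNameOrID` looks like it sets the literal string `empty`, so an operator who forgets the parameter exports `/images/empty/get` and gets an opaque API error; leaving the default blank and stating in the description that the parameter is required would surface the mistake earlier. Since the full image is staged in a tempfile before upload, endpoint disk usage is bounded only by image size — worth a sentence in the description so collectors can size accordingly.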
