diff --git a/content/exchange/artifacts/Docker.Image.Export.yaml b/content/exchange/artifacts/Docker.Image.Export.yaml new file mode 100644 index 00000000000..35762f71d3e --- /dev/null +++ b/content/exchange/artifacts/Docker.Image.Export.yaml @@ -0,0 +1,33 @@ +name: Docker.Image.Export +author: Brady Semm - @btsemm / DoppioRistretto +description: | + Uses the Docker UNIX socket to export a Docker image to a + tempfile and upload to Velociraptor. + + Analysis Tips: + - https://jellyparks.com/posts/compromised-container-analysis-primer/ + + #docker + +parameters: + - name: dockerSocket + description: | + Docker server socket. You will normally need to be root to connect. + default: /var/run/docker.sock + - name: ImageNameOrID + description: | + Docker Image name or ID to export. Can include tag (eg. "image:latest") + default: empty + +sources: + - precondition: | + SELECT OS From info() where OS = 'darwin' OR OS = 'linux' + query: | + + LET EncodedImageNameOrID = regex_replace(source=ImageNameOrID, replace_lambda="x=>format(format='%%%02x',args=x)", re="[^a-z0-9\\-_.~?]") + LET docker_api_path = format(format="%v:unix/images/%v/get", args=[dockerSocket, EncodedImageNameOrID]) + LET response <= SELECT Content FROM http_client(url=docker_api_path, tempfile_extension=".tar", remove_last=true) + + SELECT upload(file=response.Content) from scope() + +