Fennec v0.4 releases: Artifact collection tool for *nix systems

Artifact collection tool

Fennec

fennec is an artifact collection tool written in Rust for use during incident response on *nix-based systems. fennec lets you write a configuration file that describes which artifacts to collect and how to collect them.

Features 🌟

  • 🦀 A single statically compiled binary
  • 🔬 Execute any osquery SQL query
  • 💻 Execute system commands
  • 📚 Parse any text file using regex
  • 🧰 Ability to collect system logs and files
  • 🧱 Return data in a structured manner
  • 🃏 Support multiple output formats (JSONL, CSV, and KJSON)
  • 🤸‍♀️ Flexible configuration file
  • 💾 Write directly to a ZIP file to save space
  • ⚡ Very fast!

Use

fennec_x86_64-unknown-linux-gnu [OPTIONS]

  • -c, --config : Use the specified configuration file instead of the embedded configuration
  • -f, --log-file : Change the default name for the log file (default: fennec.log)
  • -h, --help : Print help message
  • -l, --log-level : Change the default log level (default: info)
  • -o, --output : Change the default output file name for the zip file (default: {HOSTNAME}.zip, where HOSTNAME is the machine hostname evaluated at runtime)
  • --osquery-path : Path to the osquery executable. The value is used as follows:
    • If an osquery binary is embedded in fennec, it is extracted and written to --osquery-path
    • If no osquery binary is embedded in fennec, the osquery binary found at --osquery-path is used
  • --output-format : Choose the output format. Supported formats:
    • jsonl : Newline-separated JSON objects (default)
    • csv : Comma-separated values
    • kjson : Use this format if you want to upload the resulting file to the Kuiper analysis platform
  • -q, --quiet : Do not print logs to stdout
  • --show-config : Print the embedded configuration, then exit
  • -V, --version : Print the fennec version, then exit

Changelog v0.4

  • Added the ability to parse the output of the command artifact
  • Changed the file_list artifact from the query type to the command type
  • Added the to_int modifier, which parses string fields to i64
  • Added schema.json, a schema definition for the fennec configuration
  • Renamed the configuration file from config.yaml to fennec.yaml so it works better with the schema file
  • Small change to the push_to_es.py script
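To make the feature list and the v0.4 changelog concrete, the following is an added illustration of the three building blocks described above: a regex over a text file producing structured records, a to_int modifier that turns string fields into 64-bit integers (with a defined result when the field is not numeric), and JSONL written straight into a {HOSTNAME}.zip. It is example code written for this page, not fennec's source. The artifact dictionary keys (name, regex, modifiers), the i64 range check, the per-artifact .jsonl file layout inside the ZIP and the sample passwd lines are all assumptions for the example; fennec's real configuration schema is the schema.json shipped with the release.

```python
import io
import json
import re
import zipfile

# Constructed sample input in /etc/passwd layout (not taken from any real host).
# Includes one line the regex will not match and one line with a non-numeric uid.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
broken line with no fields
weird:x:abc:5::/:/bin/sh
"""

# Hypothetical artifact definition modelled on the page's feature list.
# The keys used here are assumptions for this example, not fennec's schema.
PASSWD_ARTIFACT = {
    "name": "passwd",
    "regex": (
        r"^(?P<user>[^:]+):(?P<pass>[^:]*):(?P<uid>[^:]+):(?P<gid>[^:]+)"
        r":(?P<gecos>[^:]*):(?P<home>[^:]*):(?P<shell>[^:]*)$"
    ),
    "modifiers": {"uid": "to_int", "gid": "to_int"},
}


def to_int(value):
    """Parse a string field to a signed 64-bit integer.

    Returns None when the field is not a base-10 integer or does not fit in i64,
    so a bad value in one record never aborts the whole collection.
    """
    try:
        n = int(value, 10)
    except (TypeError, ValueError):
        return None
    if -(2 ** 63) <= n < 2 ** 63:
        return n
    return None


def parse_text_artifact(text, artifact):
    """Apply the artifact's regex line by line and return one dict per matching line."""
    pattern = re.compile(artifact["regex"])
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = pattern.match(line)
        if m is None:
            continue  # lines the regex does not describe are skipped, not fatal
        rec = m.groupdict()
        for field, modifier in artifact.get("modifiers", {}).items():
            if modifier == "to_int" and field in rec:
                rec[field] = to_int(rec[field])
        rec["_line"] = lineno  # keep provenance back to the source file
        records.append(rec)
    return records


def to_jsonl(records):
    """Serialise records as newline-separated JSON objects."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def write_collection_zip(hostname, artifacts):
    """Write each artifact's JSONL straight into an in-memory ZIP named {hostname}.zip.

    Returns (zip_name, zip_bytes). Assumed layout: one <artifact>.jsonl per artifact.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, records in artifacts.items():
            zf.writestr(f"{name}.jsonl", to_jsonl(records))
    return f"{hostname}.zip", buf.getvalue()


def read_collection_zip(data):
    """Read a ZIP produced by write_collection_zip back into {artifact: [records]}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".jsonl"):
                continue
            lines = zf.read(info).decode("utf-8").splitlines()
            out[info.filename[: -len(".jsonl")]] = [json.loads(l) for l in lines if l]
    return out


if __name__ == "__main__":
    recs = parse_text_artifact(SAMPLE_PASSWD, PASSWD_ARTIFACT)
    zip_name, zip_bytes = write_collection_zip("host01", {"passwd": recs})
    print(zip_name, len(zip_bytes), "bytes")
    for rec in read_collection_zip(zip_bytes)["passwd"]:
        print(rec)
```

The non-numeric uid comes back as null rather than as the string "abc", which is the behaviour you want when the output is later loaded into a platform that expects a typed column; the unmatched line is simply absent from the output, so compare record counts against line counts when a parser is first written to catch a regex that is too strict.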

Install

Copyright (c) 2022 AbdulRhman Alfaifi