The configuration file for Aralez is a YAML document that defines the tasks and operations that the tool will execute during triage collection or system analysis. It allows for high flexibility and customization by specifying which artifacts to collect, directories to target, file patterns to match, and commands to execute.
Each task is grouped logically and can include options such as priority, drive exclusions, maximum file sizes, and a password for encrypting the collected files. The configuration can also be embedded directly into the executable, so a single binary can be deployed across different environments without a separate config file.
This section provides a comprehensive breakdown of all fields in the configuration file, including their purpose, type, default values, and whether they are optional or required. By understanding these fields, users can tailor Aralez to meet their specific forensic and incident response needs effectively.
Find item #
Each search configuration defines what and where to search. The key fields are:

- `root_path`: The directory to search within.
- `objects`: The objects (files or directories) to include in the search, as glob patterns.
- `max_size` (optional): A maximum file size in bytes. Files exceeding this size are skipped.
- `encrypt` (optional): A password for AES-GCM encryption of the collected files. If set, each collected file is encrypted and saved with an `.enc` extension; if not set, files are stored unencrypted. The password sits in clear text in the configuration (and inside the binary when the configuration is embedded), so treat it as a safe-handling measure, in the `infected` convention that keeps collected malware samples from being executed or quarantined by accident, rather than as protection against anyone who can read the configuration.
Glob Patterns #
Aralez exclusively uses glob patterns to match files and directories. Glob patterns are simple expressions used to define search criteria:

- `*`: Matches any sequence of characters except the directory separator (`\\`). Examples: `*.txt` matches all `.txt` files in the specified directory; `\\*\\` matches all folders one level below it.
- `**`: Matches directories and their contents recursively. Example: `"**"` matches all files in a directory and its sub-directories.
- `**\\`: Matches directories recursively. Example: `"**\\"` matches all directories and sub-directories within the specified path.
Dynamic Paths with Environment Variables #
Aralez supports Windows environment variables within the `root_path` field. Variables must be wrapped in `%...%`, and they expand to their system values at execution time. Example (an entry fragment; it belongs under a `collect` task as in the full examples below):

```yaml
entries:
  files:
    - root_path: "%USERPROFILE%\\Documents"
      objects: ["*.docx", "*.pdf"]
      max_size: 1048576
      encrypt: "infected"
```

In this example, `%USERPROFILE%` expands to the current user's profile directory. Expansion happens in the process that runs Aralez, so a per-user variable such as `%USERPROFILE%` resolves to the account the tool is executed under, not to every profile on the machine; use a glob such as `\\Users\\*\\Documents` to cover all users.
Field Descriptions #
Field | Type | Description | Required | Default
---|---|---|---|---
`output_filename` | String | Top-level field (beside `tasks`). Naming template for the final output archive; the template variables `{{hostname}}` and `{{datetime}}` are expanded at run time. | Yes | –
`tasks` | Object | Top-level field. Defines the collection and execution tasks Aralez will perform; each task holds the entries for data collection or execution. | Yes | –
`[task_name]` | Object (keyed by name) | A named task such as `artifacts` or `tools`, grouping related operations. The name itself has no effect on behaviour. | Yes | –
`type` | String | The task type: `"collect"` for data collection tasks, `"execute"` for command or tool execution tasks. | Yes | –
`priority` | Integer | Defines the execution order of the tasks. | Yes | –
`disabled` | Boolean | If `true`, the task is skipped during execution. | No | `false`
`drive` | Char | Target drive for collection tasks, e.g. `"C"`; `"*"` means every drive on the machine. | No | `C`
`exclude_drives` | List of Chars | Drives to leave out when `drive` is `"*"`. | No | –
`entries` | Object | The task's operations, keyed by entry name. | Yes | –
`[entry_name]` | List of Objects | A named list of entries, each describing one operation within the task. | Yes | –
`root_path` | String | Directory to search within. Supports environment variables wrapped in `%...%` and glob patterns. Must start with `\\` (the drive letter is not part of the path; it comes from the task's `drive` field), except when it starts with an environment variable. | Yes for `collect`, No for `execute` | –
`objects` | List of Strings | Files or patterns to collect under `root_path`. Wildcards such as `*.evtx` select by file type. | Yes for `collect`, No for `execute` | –
`max_size` | Integer | Maximum size in bytes of a file to collect. Larger files are skipped. | No | No limit
`encrypt` | String | Password used to AES-GCM encrypt each collected file (conventionally `"infected"`). Encrypted files are saved with the `.enc` extension. | No | – (files stored unencrypted)
`name` | String | The program or built-in function the entry runs, e.g. `"powershell"` (see the execute example below). | Yes for `execute`, No for `collect` | –
`args` | List of Strings | Command-line arguments passed to the external or system executable. | Yes for `execute`, No for `collect` | –
`output_file` | String | Name of the file that receives the output of the executable or internal tool. | Yes for `execute`, No for `collect` | –
`exec_type` | String | Kind of execution: `"external"` runs an external binary, `"system"` runs a system command, `"internal"` runs a built-in Aralez function. | Yes for `execute`, No for `collect` | –
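A loader that silently ignores a misspelled key (`max_siz` instead of `max_size`) collects with no size limit, so it pays to check a configuration against the rules in this table before embedding it. The following validator is an added example, not Aralez's own loader: it encodes the requirements stated in the table (which fields each task type needs, the leading `\\` rule for `root_path`, `exclude_drives` only with `drive: "*"`, the allowed `type` and `exec_type` values) and flags keys the table does not list. `name` is taken from the execute example on this page and treated as required; `execution_order` assumes that a lower `priority` runs first, which the page does not state. The inputs are the dicts PyYAML's `safe_load` would return for this page's own examples, constructed inline so the block needs no YAML library; with PyYAML installed, `validate_config(yaml.safe_load(open("config.yml")))` checks a real file.

```python
"""Schema check for an Aralez configuration, following the field table above.
Added example: not the tool's own loader. Only the rules the table states are
encoded, plus the assumptions marked below."""
from typing import Any

TASK_TYPES = {"collect", "execute"}
EXEC_TYPES = {"external", "system", "internal"}
TASK_KEYS = {"type", "priority", "disabled", "drive", "exclude_drives", "entries"}
# 'name' is not in the table but appears in the page's execute example;
# it is treated as required here (assumption).
ENTRY_KEYS = {
    "collect": {"root_path", "objects", "max_size", "encrypt"},
    "execute": {"name", "args", "output_file", "exec_type"},
}
ENTRY_REQUIRED = {
    "collect": ("root_path", "objects"),
    "execute": ("name", "args", "output_file", "exec_type"),
}


def validate_config(config: dict) -> list:
    """Return a list of problems (empty means valid), keyed by dotted path."""
    errors = []
    if not isinstance(config.get("output_filename"), str):
        errors.append("output_filename: required top-level string")
    tasks = config.get("tasks")
    if not isinstance(tasks, dict) or not tasks:
        return errors + ["tasks: required non-empty object"]
    for tname, task in tasks.items():
        where = f"tasks.{tname}"
        if not isinstance(task, dict):
            errors.append(f"{where}: expected an object")
            continue
        ttype = task.get("type")
        if ttype not in TASK_TYPES:
            errors.append(f"{where}.type: expected one of {sorted(TASK_TYPES)}, got {ttype!r}")
        if isinstance(task.get("priority"), bool) or not isinstance(task.get("priority"), int):
            errors.append(f"{where}.priority: required integer")
        if not isinstance(task.get("disabled", False), bool):
            errors.append(f"{where}.disabled: expected true or false")
        drive = task.get("drive", "C")  # default from the table
        if not (isinstance(drive, str) and len(drive) == 1):
            errors.append(f"{where}.drive: expected a single drive letter or '*'")
        if "exclude_drives" in task and drive != "*":
            errors.append(f"{where}.exclude_drives: only applies when drive is '*'")
        for key in sorted(set(task) - TASK_KEYS):
            errors.append(f"{where}.{key}: unknown task field")
        entries = task.get("entries")
        if not isinstance(entries, dict) or not entries:
            errors.append(f"{where}.entries: required non-empty object")
            continue
        if ttype not in TASK_TYPES:
            continue  # entry rules depend on the task type
        for ename, items in entries.items():
            if not isinstance(items, list):
                errors.append(f"{where}.entries.{ename}: expected a list of entry objects")
                continue
            for i, item in enumerate(items):
                errors.extend(_check_entry(f"{where}.entries.{ename}[{i}]", ttype, item))
    return errors


def _check_entry(where: str, ttype: str, item: Any) -> list:
    if not isinstance(item, dict):
        return [f"{where}: expected an object"]
    errs = [f"{where}.{f}: required for {ttype} tasks" for f in ENTRY_REQUIRED[ttype] if f not in item]
    if ttype == "collect":
        rp = item.get("root_path")
        # Table rule: root_path starts with '\' (the drive comes from the task's
        # drive field) unless it starts with an environment variable.
        if isinstance(rp, str) and not (rp.startswith("\\") or rp.startswith("%")):
            errs.append(f"{where}.root_path: must start with a backslash or %VAR%, got {rp!r}")
        objs = item.get("objects")
        if objs is not None and not (isinstance(objs, list) and objs and all(isinstance(o, str) for o in objs)):
            errs.append(f"{where}.objects: expected a non-empty list of glob strings")
        size = item.get("max_size")
        if size is not None and (isinstance(size, bool) or not isinstance(size, int) or size < 0):
            errs.append(f"{where}.max_size: expected a non-negative integer (bytes)")
    else:
        et = item.get("exec_type")
        if et is not None and et not in EXEC_TYPES:
            errs.append(f"{where}.exec_type: expected one of {sorted(EXEC_TYPES)}, got {et!r}")
        args = item.get("args")
        if args is not None and not (isinstance(args, list) and all(isinstance(a, str) for a in args)):
            errs.append(f"{where}.args: expected a list of strings")
    for key in sorted(set(item) - ENTRY_KEYS[ttype]):
        errs.append(f"{where}.{key}: unknown field for a {ttype} entry")
    return errs


def execution_order(config: dict) -> list:
    """Task names in run order: ascending priority (assumption), skipping disabled tasks."""
    live = [(t.get("priority", 0), name) for name, t in config.get("tasks", {}).items()
            if not t.get("disabled", False)]
    return [name for _, name in sorted(live)]


# Constructed: what yaml.safe_load returns for the page's examples, plus a disabled task.
GOOD_CONFIG = {
    "output_filename": "Aralez_{{hostname}}_{{datetime}}",
    "tasks": {
        "artifacts": {"type": "collect", "priority": 1, "entries": {"files": [
            {"root_path": "\\Users\\*\\Documents", "objects": ["*.docx", "*.pdf"],
             "max_size": 1048576, "encrypt": "infected"}]}},
        "tools": {"type": "execute", "priority": 3, "entries": {"win_tools": [
            {"name": "powershell", "args": ["-command", "Get-ComputerInfo"],
             "output_file": "ComputerInfo.txt", "exec_type": "system"}]}},
        "legacy": {"type": "collect", "priority": 2, "disabled": True,
                   "entries": {"logs": [{"root_path": "\\Logs", "objects": ["**"]}]}},
    },
}

# Constructed: five mistakes (misplaced exclude_drives, drive letter in root_path,
# misspelled max_size, missing priority, missing exec_type).
BAD_CONFIG = {
    "output_filename": "Aralez_{{hostname}}_{{datetime}}",
    "tasks": {
        "artifacts": {"type": "collect", "priority": 1, "drive": "C", "exclude_drives": ["D"],
                      "entries": {"logs": [{"root_path": "C:\\Logs", "objects": ["**"], "max_siz": 1048576}]}},
        "tools": {"type": "execute", "entries": {"win_tools": [
            {"name": "powershell", "args": ["-command", "Get-ComputerInfo"], "output_file": "ComputerInfo.txt"}]}},
    },
}

if __name__ == "__main__":
    print("good:", validate_config(GOOD_CONFIG), execution_order(GOOD_CONFIG))
    print("bad:", *validate_config(BAD_CONFIG), sep="\n  ")
```

The unknown-field check is the one worth keeping even if you relax the rest: the page gives `max_size` no limit by default, so a typo in that key does not fail loudly, it simply collects everything the pattern matches.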
Example Configurations #
Collect Files #
This example collects `.docx` and `.pdf` files from all users' `Documents` directories, with a file size limit of 1 MB and encryption enabled.

```yaml
tasks:
  artifacts:
    type: "collect"
    priority: 1
    entries:
      files:
        - root_path: "\\Users\\*\\Documents"
          objects: ["*.docx", "*.pdf"]
          max_size: 1048576
          encrypt: "infected"
```
Execute a PowerShell Command #
This example runs `Get-ComputerInfo` through PowerShell and stores its output in `ComputerInfo.txt`. `exec_type` is required for execute tasks; PowerShell is run as a system command.

```yaml
tasks:
  tools:
    priority: 3
    type: "execute"
    entries:
      win_tools:
        - name: "powershell"
          args: ["-command", "Get-ComputerInfo"]
          output_file: "ComputerInfo.txt"
          exec_type: "system"
```
Match All Files Recursively #
This example collects every file below `\Logs`, recursively. The drive letter is not written into `root_path`; it comes from the task's `drive` field, which defaults to `C`.

```yaml
tasks:
  artifacts:
    type: "collect"
    priority: 1
    entries:
      logs:
        - root_path: "\\Logs"
          objects: ["**"]
```
Dynamic Output Filename #
```yaml
output_filename: "Aralez_{{hostname}}_{{datetime}}"
```

For instance, if executed on a machine named `MyPC` on September 23, 2024 at 10:30:10, the output file will be named:

```
Aralez_MyPC_2024-09-23_10-30-10.zip
```