Exposed variables
The following variables can be used in artifact definitions; UAC replaces them with their values at runtime:
| Variable | Replacement |
|---|---|
| %uac_directory% | Full path to the directory UAC was run from |
| %destination_directory% | Full path to the destination directory, with the artifact's path appended to it |
| %mount_point% | Full path of the target mount point |
| %start_date% | Date specified by --date-range-start |
| %start_date_epoch% | Date specified by --date-range-start, converted to epoch |
| %end_date% | Date specified by --date-range-end |
| %end_date_epoch% | Date specified by --date-range-end, converted to epoch |
The following two variables trigger a loop: UAC runs the artifact once for every user on the system, replacing them with that user's values on each iteration.

| Variable | Replacement |
|---|---|
| %user% | Username of each user |
| %user_home% | Home directory path of each user |
Examples:

```yaml
artifacts:
  -
    description: Hash all files based on a file list located in the UAC directory.
    supported_os: [all]
    collector: hash
    path: /%uac_directory%/my_file_list.txt
    is_file_list: true
    output_file: my_hash_list.txt
```

```yaml
artifacts:
  -
    description: Capture a RAM dump using AVML tool and store the acquired data into avml.raw file.
    supported_os: [all]
    collector: command
    command: avml %output_file%
    output_file: avml.raw
```

```yaml
artifacts:
  -
    description: Collect shell history files.
    supported_os: [all]
    collector: file
    path: /%user_home%/
    name_pattern: [".*_history", ".*history", ".lesshst", ".zhistory"]
```
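To make the substitution and the per-user loop concrete, here is an added Python model of the behaviour described above (the variable table and the %user%/%user_home% loop). It is example code written for this page, not UAC's own implementation (UAC is a shell script and its internals differ); the function names, the `(username, home)` user list, and the rule that an unknown `%name%` such as `%output_file%` is left untouched are assumptions of this example.

```python
import re
import datetime

# Added example: a minimal model of UAC-style %variable% substitution.
# NOT UAC's own code; names and behaviour here are assumptions.

_VAR_RE = re.compile(r"%([a-z_]+)%")


def _to_epoch(date_str):
    """Convert a YYYY-MM-DD date to a UTC epoch string; empty input stays empty
    (assumption: an unset --date-range-* yields an empty variable)."""
    if not date_str:
        return ""
    dt = datetime.datetime.strptime(date_str, "%Y-%m-%d")
    dt = dt.replace(tzinfo=datetime.timezone.utc)
    return str(int(dt.timestamp()))


def build_replacements(uac_directory, destination_directory, mount_point,
                       start_date="", end_date=""):
    """Build the replacement map for the non-looping variables on the page."""
    return {
        "uac_directory": uac_directory,
        "destination_directory": destination_directory,
        "mount_point": mount_point,
        "start_date": start_date,
        "start_date_epoch": _to_epoch(start_date),
        "end_date": end_date,
        "end_date_epoch": _to_epoch(end_date),
    }


def substitute(value, replacements):
    """Replace every known %name% in a string; unknown names are left intact
    (assumption, so that e.g. %output_file% survives for a later stage)."""
    return _VAR_RE.sub(
        lambda m: replacements.get(m.group(1), m.group(0)), value)


def expand_artifact(artifact, replacements, users):
    """Return the concrete artifact(s) produced from one definition.

    users: list of (username, home_dir) tuples, constructed by the caller.
    If any string field mentions %user% or %user_home%, one copy of the
    artifact is produced per user, mirroring the loop described on the page;
    otherwise exactly one copy is returned. Non-string fields (lists, bools)
    are copied through unchanged.
    """
    text_fields = {k: v for k, v in artifact.items() if isinstance(v, str)}
    needs_user_loop = any("%user%" in v or "%user_home%" in v
                          for v in text_fields.values())

    contexts = []
    if needs_user_loop:
        for username, home in users:
            ctx = dict(replacements)
            ctx["user"] = username
            ctx["user_home"] = home
            contexts.append(ctx)
    else:
        contexts.append(replacements)

    expanded = []
    for ctx in contexts:
        copy = dict(artifact)
        for key, value in text_fields.items():
            # Paths like /%user_home%/ yield a doubled slash ("//root/");
            # POSIX treats repeated slashes as one, so it is left as is.
            copy[key] = substitute(value, ctx)
        expanded.append(copy)
    return expanded


if __name__ == "__main__":
    # Constructed sample context and a constructed two-user system.
    repl = build_replacements("/opt/uac", "/tmp/uac-out", "/",
                              "2024-01-01", "2024-01-31")
    users = [("root", "/root"), ("alice", "/home/alice")]
    history = {"collector": "file", "supported_os": ["all"],
               "path": "/%user_home%/",
               "name_pattern": [".*_history", ".*history"]}
    for art in expand_artifact(history, repl, users):
        print(art["path"])  # one line per user
```

Running the block prints one expanded path per user for the shell-history artifact; the hash and AVML examples from the page expand to a single artifact each because they contain no user variable.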