
This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-03-23-release-notes/

Notable features

Dead disk analysis

Velociraptor offers top-notch forensic analysis capability, but it has primarily been used as a live response agent. Many users have asked us whether Velociraptor can be used on dead disk images. Although we rarely use dead disk images in practice, we do sometimes encounter them (e.g. in cloud investigations).

Previously we could not use Velociraptor easily on dead disk images without having to carefully tailor and modify each artifact. In the 0.6.4 release we now have the ability to emulate a live client from dead disk images. We can use this feature to run the exact same VQL artifacts that we normally do on live systems, but against a dead disk image. If you would like to read more about this new feature check out Dead Disk Forensics.

Resource control

When collecting artifacts from endpoints we need to be mindful of the overall load that the collection will place on them. On performance-sensitive servers, our collection can cause operational disruption. For example, running a yara scan over the entire disk uses a lot of IO operations and may use a lot of CPU. Velociraptor then competes for these resources with the legitimate server workload and may degrade its performance. In 0.6.4 we have implemented a feedback-based throttler which can hold VQL queries to a target average CPU utilization.

Multiple OAuth2 authenticators

Velociraptor has always had SSO support to allow strong two-factor authentication for access to the GUI. However, previously Velociraptor only supported one OAuth2 provider at a time: users had to choose between Google, GitHub, Azure or OIDC (e.g. Okta) as the authentication provider. In 0.6.4 Velociraptor can be configured to support multiple SSO providers at the same time.

The Velociraptor knowledge base

Velociraptor is a very powerful tool. Its flexibility means that it can do things you might never have realized it can! For a while now we have been thinking about ways to make this knowledge more discoverable and easily available.

Many people ask questions on the Discord channel and learn new capabilities in Velociraptor. We want to try a similar format to help people discover what Velociraptor can do.

The Velociraptor knowledge base is a new area on the documentation site that allows anyone to submit a small (1-2 paragraph) tip about how to do a particular task. Knowledge base tips are phrased as questions to help people search for them. Tips should be short and refer to more detailed documentation; they are just a quick hint.

Known issues

Release 0.6.4-2 fixes a number of issues, some affecting both clients and the server; please upgrade.

The full change log can be seen here abe3ae6...b6c5764

Release 0.6.4-1 fixes #1743 which counted completed clients in hunts incorrectly.


This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-01-05-release-notes-0.6.3/

This release adds more support for the multi-frontend configuration - if you would like to try this new deployment method, read more about it here https://docs.velociraptor.app/docs/deployment/cloud/multifrontend/

Notable features

  • Search index is now stored in memory at runtime - this makes searching much faster and allows us to search for things like IP addresses.
  • New artifact parameter types for regex and yara have specialised UI elements for users to enter yara and regex expressions.
  • It is now possible to override the Generic.Client.Info artifact for a custom interrogation process.
  • Hunt wizard can estimate the total number of clients that may be affected by a label/OS condition.
  • New Upload File Form element - users can upload a file to an artifact parameter on an ad hoc basis (similar to, but more lightweight than, an artifact tool).
  • Root certs can now be specified in the config file. This allows the use of self-signed servers (e.g. MITM proxies). Root certs are now bundled in Velociraptor and we do not use the OS root store.
  • Search index is now recalculated periodically and snapshotted into the filestore. There is no need to rebuild the index any more.

VQL Functions and plugins

  • Added Windows.Forensics.SAM artifact for parsing the SAM
  • Improvement to SRUM artifact
  • The parse_csv() plugin is now more robust and can accept columns that are not taken from the header.
  • The parse_pe() function now contains full PE resource information.
  • VQL accessors that used URLs to denote delegated accessors now support a dedicated pathspec() object. This is more reliable than a URL, if a bit more verbose.
  • Improved the Windows.Forensics.Lnk parser to include additional fields like the name, WorkingDir, RelativePath and Arguments.
  • The Windows.Detection.Yara.PhysicalMemory artifact allows a yara scan of physical memory accessed via the winpmem driver.
  • Added a recursion_callback option to the glob() plugin - this allows more fine-grained control over how glob() recurses into directories, for both better efficiency and safer access.
  • Introduced the Server.Utils.DeleteManyFlows and Server.Utils.DeleteMonitoringData artifacts to help manage server disk space by removing old data.

Upgrade notes

  • The Windows.Collectors.File artifact was renamed to Generic.Collectors.File - custom artifacts that reference it may need to be updated, or you can simply add a redirection artifact (e.g. #1516).

Known issues

Bugfix release 0.6.3-1 fixes #1606 and #1590 - you only need to update if you are using the API to download files or running a multi-frontend configuration.
Release 0.6.3-2 fixes #1519.


v0.6.3-rc1

Pre-release

This is the next point release for Velociraptor - Digging deeper!

This release adds more support for the multi-frontend configuration - if you would like to try this new deployment method, read more about it here https://docs.velociraptor.app/docs/deployment/cloud/multifrontend/

Notable features

  • Search index is now stored in memory at runtime - this makes searching much faster and allows us to search for things like IP addresses.
  • New artifact parameter types for regex and yara have specialised UI elements for users to enter yara and regex expressions.
  • It is now possible to override the Generic.Client.Info artifact for a custom interrogation process.
  • Hunt wizard can estimate the total number of clients that may be affected by a label/OS condition.
  • New Upload File Form element - users can upload a file to an artifact parameter on an ad hoc basis (similar to, but more lightweight than, an artifact tool).
  • Root certs can now be specified in the config file. This allows the use of self-signed servers (e.g. MITM proxies). Root certs are now bundled in Velociraptor and we do not use the OS root store.

VQL Functions and plugins

  • Added Windows.Forensics.SAM artifact for parsing the SAM
  • Improvement to SRUM artifact
  • The parse_csv() plugin is now more robust and can accept columns that are not taken from the header.
  • The parse_pe() function now contains full PE resource information.
  • VQL accessors that used URLs to denote delegated accessors now support a dedicated pathspec() object. This is more reliable than a URL, if a bit more verbose.
  • Improved the Windows.Forensics.Lnk parser to include additional fields like the name, WorkingDir, RelativePath and Arguments.
  • The Windows.Detection.Yara.PhysicalMemory artifact allows a yara scan of physical memory accessed via the winpmem driver.
  • Added a recursion_callback option to the glob() plugin - this allows more fine-grained control over how glob() recurses into directories, for both better efficiency and safer access.

NOTE: We have formulated our support policy here: https://docs.velociraptor.app/docs/overview/support/. Please test thoroughly in your environment and provide feedback and suggestions.

Upgrade notes:

If you are upgrading from previous versions, refer to the upgrade guide https://docs.velociraptor.app/docs/deployment/cloud/#server-upgrades

The new release optimizes the search index schema. If upgrading from previous releases, we recommend rebuilding the index:

  1. After upgrade, stop the Velociraptor service: sudo service velociraptor_server stop
  2. Move the old index out of the way: mv <filestore>/client_idx <filestore>/client_idx_old
  3. Rebuild the index: velociraptor index rebuild
  4. Start the service again: sudo service velociraptor_server start

Known issues

A number of issues were fixed in rc2.


This is the next point release for Velociraptor - Digging deeper!

There are a large number of new features and bug fixes in this release.

Notable features

  • Allow users to specify password to lock downloads (create password protected exports)
  • New strawberry pink theme
  • Cobalt Strike config parser can extract the config from memory.
  • Windows.Forensics.UserAccessLogs artifact parses the UAL ESE files

As always please file issues on the GitHub bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://docs.velociraptor.app/discord/

Known issues

Issue #1383 was fixed in patch v0.6.2-1.


This is the next point release for Velociraptor - Digging deeper!

There are a large number of new features and bugfixes in this release. For full details please read the release notes, but here are the highlights.

  • Event monitoring logs now contain a time index making them quick to search.
  • The event monitoring GUI has been revamped to present a timeline and allow navigating between times quickly
  • Free disk space is now visible in the dashboard
  • GUI now has a Most Recently Used (MRU) search button to quickly find the clients a user has worked with recently.
  • GUI now has a Quarantine button to be able to quickly quarantine or release an endpoint
  • Notebooks can now be used in full screen
  • Notebooks now can add any table to a super-timeline. This allows multiple queries that produce time columns to be compared side by side in a large timeline.
  • Added Starlark support within VQL - you can now write routines in Starlark (a Python-like language) to extend VQL.
  • Added favorites for collections - You can now save your favorite collections by name and load them up again to preconfigure a new collection.

New VQL functions/plugins

  1. reg_set_value, reg_rm_value and reg_rm_key allow VQL queries to modify the registry for response.
  2. user_delete() and user_create() allow Velociraptor users to be managed from VQL or the API.
  3. The geoip function allows looking up IP addresses in the MaxMind databases.
  4. The xor function allows simple XOR-based encryption to be uncovered.

Notable new artifacts

  1. Windows.Carving.CobaltStrike allows carving and decoding of Cobalt Strike configurations from process memory or disk.

As always please file issues on the GitHub bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord


This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • GUI editor is now VQL and artifact aware - correct syntax highlighting in those parts of an artifact that expect VQL
  • Support for parsing authenticode information from PE files, including cat files.
  • Artifacts can now specify a custom notebook to control the notebook tab. Once they are collected in a hunt, there is a ready custom notebook for post processing.
  • Artifacts can now import and export VQL code, so common functions can be shared between different artifacts
  • New Shellbags artifact provides native parsing of shellbags. Alternatively, another artifact provides parsing using SBECmd.exe
  • A new USN record carver is added to recover rotated USN records
  • Better Hunt and Label support - you can now start a hunt targeting a label, and then assign clients to the hunt by simply adding the label to them, even after the hunt is started.


Notes

  • Fixes CVE-2021-3619, a post-authentication XSS issue

  • 0.6.0-1 fixes a bug around the GROUP BY clause and other minor bugs.


This is the next point release for Velociraptor - Digging deeper!

This release introduces a new multi-frontend architecture that is suitable for scaling to large numbers of frontends.

The release also includes a number of bug fixes and new features:

  • Server artifact runner now respects timeout.
  • Write server monitoring query logs to filestore (previously server event query logs were not visible in the GUI)
  • Added a sql plugin and made sqlite an alias of it. VQL queries can now directly access MySQL or PostgreSQL just like SQLite.
  • Link artifacts to open a modal with their description in the GUI.
  • Added a FreeBSD build target.
  • Many performance and stability improvements.



This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • Artifact preconditions are now supported by clients natively (fixes #930).
  • Added a column_filter() plugin to be able to remove columns from SELECT * FROM expressions.
  • Added a process accessor which allows operating directly on process memory (e.g. yara scan, upload, etc.).
  • Added Windows.Forensics.ProcessInfo to extract process information from the process PEB



This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • Fixed the raw registry accessor leaking file handles, which caused issues with logon.
  • Direct endpoint VQL option added to the shell screen.
  • GUI: Time selector now shows both UTC and local time.
  • GUI: A new dark mode is available by clicking the user label (top right corner).
  • Performance improvements for high scalability (>5k clients)


Check out the new dark mode; a sample screenshot was attached below.

Note: Due to the EOL of CentOS 6 we started building Linux releases with Go 1.16 on Ubuntu 18.04. If you still need CentOS binaries you can download them separately below for the time being, but they will probably be deprecated soon.

Known issues

  1. MacOS binary was built without sqlite and yara support. These were corrected and a new binary is released below.

  2. If upgrading from an old release you might come across this error in the GUI:

     Error: connection error: desc = "transport: authentication handshake failed: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"

This is because the new binary is built with Go 1.16, which enforces SAN checking on certificates. If you hit this issue you have two options:

  1. Add export GODEBUG=x509ignoreCN=0 to the shell script in /usr/local/bin/velociraptor to accept the old behavior.
  2. Rotate your server keys using velociraptor --config server.config.yaml config rotate_key > new_server.config.yaml (make sure to back up your old config file).

This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes:

  • Offline collector did not include custom artifacts
  • Ignore directories inside zip for zip accessor.
  • Add Linux and MacOS PacketCapture artifacts
  • Added MacOS.Applications.Chrome.History and Windows.Detection.ForwardedImports
  • Fixed tempfile deletion for memory acquisition


PS: We have a couple of training courses coming up in the next couple of months. Consider them if you want to be able to use Velociraptor like a pro! https://www.velocidex.com/training/