
@scudette released this Jun 9, 2021

This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • GUI editor is now VQL and artifact aware: syntax highlighting is applied correctly to those parts of an artifact that expect VQL.
  • Support for parsing authenticode information from PE files, including cat files.
  • Artifacts can now specify a custom notebook to control the notebook tab. Once they are collected in a hunt, there is a ready custom notebook for post processing.
  • Artifacts can now import and export VQL code, so common functions can be shared between different artifacts
  • New Shellbags artifact provides native parsing of shellbags. Alternatively, another artifact provides parsing using SBECmd.exe
  • A new USN record carver is added to recover rotated USN records
  • Better Hunt and Label support - you can now start a hunt targeting a label, and then assign clients to the hunt by simply adding the label to them, even after the hunt is started.

As always please file issues on the Github bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

Notes

  • Fixes CVE-2021-3619, a post-authentication XSS issue

  • 0.6.0-1 fixes a bug around the GROUP BY clause and other minor bugs.


@scudette released this Apr 28, 2021

This is the next point release for Velociraptor - Digging deeper!

This release introduces a new multi-frontend architecture that lets the server scale horizontally across a large number of frontends.

The release also includes a number of bug fixes and new features:

  • Server artifact runner now respects timeout.
  • Write server monitoring query logs to filestore (previously server event query logs were not visible in the GUI)
  • Added an sql() plugin; sqlite() is now an alias for it. VQL queries can now directly query MySQL or PostgreSQL in the same way as SQLite.
  • Artifact links in the GUI now open a modal with the artifact's description.
  • Added a FreeBSD build target.
  • Many performance and stability improvements.

As always please file issues on the Github bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord


@scudette released this Apr 1, 2021

This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • Artifact preconditions are now supported natively by clients (fixes #930)
  • Added column_filter() plugin to be able to remove columns from SELECT * FROM expressions
  • Added a process accessor which allows directly operating on process memory (e.g. yara scan, upload etc).
  • Added Windows.Forensics.ProcessInfo to extract process information from the process PEB

As always please file issues on the Github bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord


@scudette released this Mar 15, 2021

This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • Fixed a file handle leak in the raw registry accessor that was causing logon issues.
  • Direct endpoint VQL option added to shell screen.
  • GUI: Time selector is now in both UTC and Local time
  • GUI: A new dark mode is available by clicking the user label (top right corner).
  • Performance improvements for high scalability (>5k clients)

As always please file issues on the Github bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

Check out the new dark mode; a sample is shown below.

[screenshot: the new GUI dark mode]

Note: Due to the EOL of CentOS 6 we started building Linux releases with Go 1.16 on Ubuntu 18.04. If you still need CentOS binaries you can download those separately below for the time being, but they will probably be deprecated soon.

Known issues

  1. The macOS binary was built without sqlite and yara support. This has been corrected and a new binary is released below.

  2. If upgrading from an old release you might come across this error in the GUI:

Error: connection error: desc = "transport: authentication handshake failed: x509: certificate relies
on legacy Common Name field, use SANs or temporarily enable Common Name matching 
with GODEBUG=x509ignoreCN=0"

This is because the new binary is built with Go 1.16, which no longer falls back to the certificate's Common Name and requires the server hostname to appear in the Subject Alternative Name (SAN) extension. If you hit this issue you have two options:

  1. Add export GODEBUG=x509ignoreCN=0 to the shell script in /usr/local/bin/velociraptor to accept the old behavior. This is only a stopgap: the flag is honored by Go 1.15 and 1.16 builds and was removed in Go 1.17, so it will stop working with later releases.
  2. Rotate your server keys using velociraptor --config server.config.yaml config rotate_key > new_server.config.yaml (make sure to back up your old config file), so that the server gets fresh certificates that include SANs.

@scudette released this Feb 8, 2021

This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes:

  • Offline collector did not include custom artifacts.
  • The zip accessor now ignores directory entries inside the archive.
  • Add Linux and MacOS PacketCapture artifacts
  • Added MacOS.Applications.Chrome.History and Windows.Detection.ForwardedImports
  • Fixed tempfile deletion for memory acquisition

As always please file issues on the Github bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

PS We have a couple of training courses coming up in the next couple months. Consider those, if you want to be able to use Velociraptor like a pro! https://www.velocidex.com/training/


@scudette released this Jan 25, 2021

This is a bugfix release from 0.5.5. Thanks for the bug reports and feedback.

Major issues fixed:

  1. Memory leak in foreach() plugin
  2. Python gRPC API handler crash
  3. GUI: fixed the welcome screen logo being shown at an incorrect size
  4. GUI: fixed the VFS browser for paths containing % in their name
  5. File-based merge sort fixes memory issues on large ORDER BY queries

@scudette released this Jan 19, 2021

This is the next point release for Velociraptor - Digging deeper!

This change introduces some significant improvements, new features and bug fixes. Some notable changes include:

  • New binary parser is now available in VQL. This allows for implementing powerful parsers right inside your query.
  • Offline collector now stores into a multithreaded ZIP writer - this speeds up collection on multi core machines because multiple cores can compress at the same time.
  • Performance optimization for the VQL engine: more lazy evaluation in more places.
  • Fixed bugs in NTFS parser cache - this was causing failures in some queries.
  • Disable MySQL as a filestore - MySQL backend proved to be lower performance than plain disk and had stability issues. We temporarily withdraw this option until we can work on it more.
  • Server side event queues now implement file backed overflow - this makes them more scalable and faster.

Also including a number of interesting new artifacts:

  • Splunk upload artifacts, matching the previous Elastic-based ones
  • Certutils metadata parser using the new binary parser framework
  • Lnk file parser using the new binary parser in VQL.
  • The Hive interfacing artifacts

As always please file issues on the Github bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

PS We have a couple of training courses coming up in the next couple months. Consider those, if you want to be able to use Velociraptor like a pro! https://www.velocidex.com/training/

Known issues

  • If you intend to use the API please use a CI build later than #879 as there is a known issue with API connections.