Release 0.72
I am very excited to announce that the latest Velociraptor release 0.72 is now live!
Detailed release notes are at https://docs.velociraptor.app/blog/2024/2024-03-10-release-notes-0.72/
This release brings many new features:
- EWF Support - In this release, Velociraptor supports EWF (AKA E01) format using the ewf accessor. This allows Velociraptor to analyze E01 image sets.
- Allow remapping clients to use SSH accessor - This release added the ability to apply remapping in a similar way to the dead disk image method above to run a Virtual Client which connects to the remote system via SSH and emulates filesystem access over the sftp protocol.
- Undo/Redo for notebook cells
- Hunt view GUI is now paged
- Secret Management - This release introduces Secrets as a first class concept within VQL. A Secret is a specific data object (key/value pairs) given a name which is used to configure credentials for certain plugins.
- Implemented Websocket based communication mechanism - In this release, Velociraptor introduces support for websockets as a communications protocol. The websocket protocol is designed as a low latency, low overhead continuous communications method between clients and server (and is already used by e.g. most major social media platforms).
- Dynamic DNS providers - The 0.72 release has now switched to CloudFlare as our default preferred Dynamic DNS provider. We also added noip.com as a second option.
- Enhanced proxy support - The 0.72 release introduces more complex proxy condition capabilities. It is now possible to specify which proxy to use for which URL based on a set of regular expressions. Also PAC files are now supported.
- Process memory access on MacOS
- Multipart uploaders to http_client() - This release adds the files parameter to the http_client() plugin. This simplifies uploading multiple files and automatically streams those files without memory buffering, allowing very large files to be uploaded this way.
- Yara plugin can now accept compiled rules.
There are many more changes, bug fixes and features - please review the blog post here for the full details.
If you find any issues please file an issue on GitHub or chat with us on our discord server.
Version scheme update
Note that this release is 0.72, which is a different scheme from previous releases. You can read more about the reasons for this version scheme change here
Known issues
Release 0.72.1 addresses a number of issues:
- Bugfix: Dashboard ignores the StartTime (#3464)
- Bugfix: Hunt dispatcher did not expire hunts (#3468)
- Bugfixes: Handle empty timelines (#3456)
- Enabled panic file for windows service. (#3463)
- Make Logging from Windows service optional (#3480)
- Added housekeep loop for client info manager. (#3479)
Release 0.72.3 addresses the following:
- Bugfix: Deadlock in accessor LRU - this could sometimes cause the client to take a long time or fail to complete artifacts with very heavy IO processing
- Remove group by in event artifacts and fixed MacOS WiFi artifacts
- Rewrote MemcacheFileDataStore to be more efficient. The Memcache filestore is only used in Master/Minion configurations and this fixed a number of critical bugs in this implementation.
Release 0.72.4 addresses the following:
- Bugfix: Usernames can now contain unicode for i18n support.
- Bugfix: Update index when processing automated client metadata
- Bugfix: Automatic import of x509 encrypted offline collections.
- Bugfix: Handle NULL in stacking
- Optimize hunt_dispatcher GetFlows() API
- Thread pool flow deletion
- Bugfix: Memory leak in diff plugin
- Bugfix: S3 accessor was unable to handle 416 byte range error.
- Added ext4 and raw_ext4 accessors.