Releases: Velocidex/velociraptor

Release 0.6.6 RC2

16 Aug 04:28
11fff58
Pre-release

This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-08-15-release-notes/

Notable features

  • This release introduces full multi-tenancy to Velociraptor: you can create new orgs on the fly to keep clients separated and organized.
  • More work on the process tracker allows VQL to access historical process information on the endpoint.

GUI improvements

  • Users can change their password in the GUI
  • Client monitoring event logs can now be deleted with the GUI
  • Notebooks can be shared with all users (public notebooks)

Including many bug fixes and stability improvements.

Release Candidate 2 is now available with the bug fixes here: edc1369

Release 0.6.5

06 Jun 15:30

This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-06-21-release-notes/

Notable features

  • Implement log levels in VQL. Logging a VQL message at ERROR level will cause the collection to fail. This makes it clearer when a collection has failed, even though partial results may be available.
  • Multi-Language support: The Velociraptor GUI is now also available in French, German, Spanish and Portuguese. We welcome contributions of new languages!
  • Several new themes by @predictiple are now available!
  • Lots of powerful new artifacts by @mgreen27 including Windows.NTFS.ADSHunter for hunting for NTFS Alternate Data Streams, Linux.Sys.LogHunter for hunting Linux syslogs and Windows.Detection.TemplateInjection for hunting maldocs.
  • Make display timezone user selectable - this makes it easier to see timestamps in different time zones
  • Added MUSL build target - previously Linux builds were only compatible with Ubuntu 18.04 or later. For older systems we used a CentOS build. The new MUSL target is a fully featured, completely static binary that should work on older systems as well. It will now supersede the old CentOS build.
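The following VQL query is an added example, not part of these release notes, illustrating the log-level behaviour described above: an INFO-level message is recorded without changing the collection state, while an ERROR-level message marks the collection as failed. The checked path is a constructed example; `glob()`, `if()`, `scope()`, `format()`, `len()` and `log()` are existing VQL plugins and functions, and the `level` argument of `log()` is the one introduced in this release.

```vql
-- Materialize the candidate rows first so they can still be returned
-- (as partial results) even if the collection ends up marked as failed.
LET candidates <= SELECT FullPath, Size, Mtime
  FROM glob(globs="C:/Windows/System32/drivers/etc/hosts")   -- constructed example path

-- INFO level: written to the collection log, collection state unchanged.
LET logged_info <= log(
  message=format(format="Found %v candidate file(s)", args=[len(list=candidates)]),
  level="INFO")

-- If the expected file is absent, emit an ERROR-level message. In 0.6.5 and
-- later this marks the whole collection as failed, so an analyst cannot mistake
-- an empty result set for "nothing to report".
SELECT * FROM if(
  condition=candidates,
  then={ SELECT * FROM candidates },
  else={
    SELECT log(message="Expected hosts file is absent; marking collection failed",
               level="ERROR") AS LoggedError
    FROM scope()
  })
```

When run as an artifact source, a successful run returns the `candidates` rows and a collection state of finished; the `else` branch returns a single row and the collection is flagged as failed in the GUI, with the ERROR line visible in the collection's log tab.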

Including many bug fixes and stability improvements.

Known Issues:

  • Release 0.6.5-2 includes a number of bug fixes as well as addressing CVE-2022-35629 through CVE-2022-35632.
  • Release 0.6.5-3 includes a fix for a potential DoS in the OAuth handler (#1999). If you use OAuth you must upgrade ASAP.

Release 0.6.4

29 Mar 04:45

This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-03-23-release-notes/

Notable features

Dead disk analysis

Velociraptor offers top-notch forensic analysis capability, but it was primarily used as a live response agent. Many users have asked us if Velociraptor can be used on dead disk images. Although we rarely use dead disk images in practice, sometimes we do encounter them (e.g. in cloud investigations).

Previously we could not use Velociraptor easily on dead disk images without having to carefully tailor and modify each artifact. In the 0.6.4 release we now have the ability to emulate a live client from dead disk images. We can use this feature to run the exact same VQL artifacts that we normally do on live systems, but against a dead disk image. If you would like to read more about this new feature check out Dead Disk Forensics.

Resource control

When collecting artifacts from endpoints we need to be mindful of the overall load that the collection will place on those endpoints. For performance-sensitive servers, our collection can cause operational disruption. For example, running a YARA scan over the entire disk uses a lot of IO operations and may use a lot of CPU. Velociraptor then competes for these resources with the legitimate server functionality and may degrade its performance. In 0.6.4 we have implemented a feedback-based throttler which can control VQL queries to a target average CPU utilization.

Multiple OAuth2 authenticators

Velociraptor has always had SSO support to allow strong two-factor authentication for access to the GUI. However, previously Velociraptor only supported one OAuth2 provider at a time. Users had to choose between Google, GitHub, Azure or OIDC (e.g. Okta) as the authentication provider. In 0.6.4 Velociraptor can be configured to support multiple SSO providers at the same time.

The Velociraptor knowledge base

Velociraptor is a very powerful tool. Its flexibility means that it can do things that you might never have realized it can! For a while now we have been thinking about ways to make this knowledge more discoverable and easily available.

Many people ask questions on the Discord channel and learn new capabilities in Velociraptor. We want to try a similar format to help people discover what Velociraptor can do.

The Velociraptor knowledge base is a new area on the documentation site that allows anyone to submit a small (1-2 paragraph) tip about how to do a particular task. Knowledge base tips are phrased as questions to help people search for them. Tips should be short and refer to more detailed documentation - they are just a quick hint.

Known issues

Release 0.6.4-2 fixes a number of issues, some affecting both clients and the server; please upgrade.

The full change log can be seen here: abe3ae6...b6c5764

Release 0.6.4-1 fixes #1743 which counted completed clients in hunts incorrectly.

Release v0.6.3

26 Jan 16:50

This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-01-05-release-notes-0.6.3/

This release adds more support for the multi-frontend configuration - if you would like to try this new deployment method, read more about it here https://docs.velociraptor.app/docs/deployment/cloud/multifrontend/

Notable features

  • Search index is now stored in memory at runtime - this makes searching much faster and allows us to search for things like IP addresses.
  • New artifact parameter types for regex and yara have specialised UI elements for users to enter yara and regex expressions.
  • It is now possible to override Generic.Client.Info artifact for a custom interrogation process.
  • Hunt wizard can estimate the total number of clients that may be affected by a label/OS condition
  • New Upload File form element - users can upload a file to an artifact parameter on an ad hoc basis (similar to, but more lightweight than, an artifact tool)
  • Root certs can now be specified in the config file. This allows use of self-signed servers (e.g. MITM proxies). Root certs are now bundled in Velociraptor and we do not use the OS root store.
  • Search index is now recalculated periodically and snapshotted into the filestore. There is no need to rebuild the index any more.

VQL Functions and plugins

  • Added Windows.Forensics.SAM artifact for parsing the SAM
  • Improvement to SRUM artifact
  • The parse_csv() plugin is now more robust and can accept column names that are not taken from the header
  • The parse_pe() function now contains full PE resource information
  • VQL accessors that used URLs to denote delegated accessors now support a dedicated pathspec() object. This is more reliable than a URL if a bit more verbose.
  • Improve Windows.Forensics.Lnk parser to include additional fields like the name, WorkingDir, RelativePath, Arguments
  • The Windows.Detection.Yara.PhysicalMemory artifact allows a yara scan of physical memory accessed via the winpmem driver.
  • Added recursion_callback option to the glob plugin - this allows more fine-grained control of the glob() plugin recursing into directories, for both better efficiency and safer access.
  • Introduced the Server.Utils.DeleteManyFlows and Server.Utils.DeleteMonitoringData artifacts to help manage server disk space by removing old data.

Upgrade notes

  • The Windows.Collectors.File artifact was renamed to Generic.Collectors.File - custom artifacts may need to be updated, or simply add a redirection artifact (e.g. #1516)

Known issues

Bugfix release 0.6.3-1 fixes #1606 and #1590 - you only need to update if you are using the API to download files or running a multi-frontend configuration.
Release 0.6.3-2 fixes #1519.

v0.6.3-rc1

03 Jan 13:20
dc02b45
Pre-release

This is the next point release for Velociraptor - Digging deeper!

This release adds more support for the multi-frontend configuration - if you would like to try this new deployment method, read more about it here https://docs.velociraptor.app/docs/deployment/cloud/multifrontend/

Notable features

  • Search index is now stored in memory at runtime - this makes searching much faster and allows us to search for things like IP addresses.
  • New artifact parameter types for regex and yara have specialised UI elements for users to enter yara and regex expressions.
  • It is now possible to override Generic.Client.Info artifact for a custom interrogation process.
  • Hunt wizard can estimate the total number of clients that may be affected by a label/OS condition
  • New Upload File form element - users can upload a file to an artifact parameter on an ad hoc basis (similar to, but more lightweight than, an artifact tool)
  • Root certs can now be specified in the config file. This allows use of self-signed servers (e.g. MITM proxies). Root certs are now bundled in Velociraptor and we do not use the OS root store.

VQL Functions and plugins

  • Added Windows.Forensics.SAM artifact for parsing the SAM
  • Improvement to SRUM artifact
  • The parse_csv() plugin is now more robust and can accept column names that are not taken from the header
  • The parse_pe() function now contains full PE resource information
  • VQL accessors that used URLs to denote delegated accessors now support a dedicated pathspec() object. This is more reliable than a URL if a bit more verbose.
  • Improve Windows.Forensics.Lnk parser to include additional fields like the name, WorkingDir, RelativePath, Arguments
  • The Windows.Detection.Yara.PhysicalMemory artifact allows a yara scan of physical memory accessed via the winpmem driver.
  • Added recursion_callback option to the glob plugin - this allows more fine-grained control of the glob() plugin recursing into directories, for both better efficiency and safer access.

NOTE: We have formulated our support policy here: https://docs.velociraptor.app/docs/overview/support/. Please test thoroughly in your environment and provide feedback and suggestions.

Upgrade notes:

If you are upgrading from previous versions, refer to the upgrade guide: https://docs.velociraptor.app/docs/deployment/cloud/#server-upgrades

The new release optimizes the search index schema. If upgrading from previous releases, we recommend rebuilding the index:

  1. After upgrade, stop the Velociraptor service: sudo service velociraptor_server stop
  2. Move the old index out of the way: mv <filestore>/client_idx <filestore>/client_idx_old
  3. Rebuild the index: velociraptor index rebuild
  4. Start the service again: sudo service velociraptor_server start

Known issues

A number of issues were fixed in rc2.

Release 0.6.2

02 Nov 16:55

This is the next point release for Velociraptor - Digging deeper!

There are a large number of new features and bug fixes in this release.

Notable features

  • Allow users to specify password to lock downloads (create password protected exports)
  • New strawberry pink theme
  • Cobalt Strike config parser can extract the config from memory.
  • Windows.Forensics.UserAccessLogs artifact parses the UAL ESE files

As always please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://docs.velociraptor.app/discord/

Known issues

Issue #1383 was fixed in patch v0.6.2-1.

Release 0.6.1

15 Aug 14:33

This is the next point release for Velociraptor - Digging deeper!

There are a large number of new features and bug fixes in this release. For full details please read the release notes; the highlights are:

  • Event monitoring logs now contain a time index making them quick to search.
  • The event monitoring GUI has been revamped to present a timeline and allow navigating between times quickly
  • Free disk space is now visible in the dashboard
  • GUI now has a Most Recently Used (MRU) search button to quickly find the clients a user has worked with recently.
  • GUI now has a Quarantine button to be able to quickly quarantine or release an endpoint
  • Notebooks can now be used in full screen
  • Notebooks now can add any table to a super-timeline. This allows multiple queries that produce time columns to be compared side by side in a large timeline.
  • Added Starlark support within VQL - you can now write routines in Starlark (a Python-like language) to extend VQL.
  • Added favorites for collections - You can now save your favorite collections by name and load them up again to preconfigure a new collection.

New VQL functions/plugins

  1. reg_set_value, reg_rm_value and reg_rm_key allow VQL queries to modify the registry for response.
  2. user_delete() and user_create() allow Velociraptor users to be managed from VQL or the API
  3. geoip function allows looking up IP addresses within the MaxMind databases
  4. xor function allows simple XOR encryption to be undone

Notable new artifacts

  1. Windows.Carving.CobaltStrike allows carving and decoding of Cobalt Strike configurations from process memory or disk.

As always please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.6.0

09 Jun 07:03
5957468

This is the next point release for Velociraptor - Digging deeper!

This release addresses a number of bug fixes and new features:

  • GUI editor is now VQL and artifact aware - correct syntax highlighting in those parts of an artifact that expect VQL
  • Support for parsing authenticode information from PE files, including cat files.
  • Artifacts can now specify a custom notebook to control the notebook tab. Once they are collected in a hunt, there is a ready custom notebook for post processing.
  • Artifacts can now import and export VQL code, so common functions can be shared between different artifacts
  • New Shellbags artifact provides native parsing of shellbags. Alternatively, another artifact provides parsing using SBECmd.exe
  • A new USN record carver is added to recover rotated USN records
  • Better Hunt and Label support - you can now start a hunt targeting a label, and then assign clients to the hunt by simply adding the label to them, even after the hunt is started.

As always please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Notes

  • Fixes CVE-2021-3619, a post-authentication XSS issue

  • 0.6.0-1 fixes a bug around the GROUP BY clause and other minor bugs.

Release 0.5.9

28 Apr 16:54
fbe594c

This is the next point release for Velociraptor - Digging deeper!

This release introduces a new multi-frontend architecture that is suitable for scaling to large numbers of frontends.

The release also addresses a number of bug fixes and new features:

  • Server artifact runner now respects timeout.
  • Write server monitoring query logs to filestore (previously server event query logs were not visible in the GUI)
  • Add sql plugin and change sqlite to alias the SQL plugin. VQL queries can now directly access MySQL or Postgres just like SQLite.
  • Link artifacts to open a modal with description in the GUI.
  • Added FreeBSD build target.
  • Many performance and stability improvements.

As always please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.5.8

01 Apr 07:25
e468f54

This is the next point release for Velociraptor - Digging deeper!

This change addresses a number of bug fixes and new features:

  • Artifact preconditions are now supported by clients natively (fixes #930)
  • Added column_filter() plugin to be able to remove columns from SELECT * FROM expressions
  • Added a process accessor which allows directly operating on process memory (e.g. YARA scan, upload etc).
  • Added Windows.Forensics.ProcessInfo to extract process information from the process PEB

As always please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord