
Releases: Velocidex/velociraptor

Release 0.5.7

15 Mar 02:46
21f75df

This is the next point release for Velociraptor - Digging deeper!

This release includes a number of bug fixes and new features:

  • Raw registry accessor leaked file handles, causing issues with logon.
  • Direct endpoint VQL option added to shell screen.
  • GUI: Time selector is now in both UTC and local time.
  • GUI: A new dark mode is available by clicking the user label (top right corner).
  • Performance improvements for high scalability (>5k clients)

As always, please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Check out the new dark mode; a sample screenshot is shown below.

[image: dark mode sample]

Note: Due to the EOL of CentOS 6, we started building Linux releases with Go 1.16 on Ubuntu 18.04. If you still need CentOS binaries you can download those separately below for the time being, but they will probably be deprecated soon.

Known issues

  1. The MacOS binary was built without SQLite and YARA support. This has been corrected and a new binary is released below.

  2. If upgrading from an old release, you might come across this error in the GUI:

Error: connection error: desc = "transport: authentication handshake failed: x509: certificate relies
on legacy Common Name field, use SANs or temporarily enable Common Name matching 
with GODEBUG=x509ignoreCN=0"

This is because the new binary is built with Go 1.16, which enforces SAN checking on certs. If you hit this issue you have two options:

  1. Add export GODEBUG=x509ignoreCN=0 to the shell script in /usr/local/bin/velociraptor to accept the old behavior.
  2. Rotate your server keys using velociraptor --config server.config.yaml config rotate_key > new_server.config.yaml (make sure to back up your old config file).
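The failure described above, as an added example that is not part of the Velociraptor release or its code base: a Go check that flags a server certificate which would only pass hostname verification through the legacy Common Name fallback, which is the certificate shape that produces the handshake error quoted above. The certificates and the hostname velociraptor.example are constructed for the demonstration; the check relies on Go's crypto/x509, which stopped honouring the CN in Go 1.15 and removed the x509ignoreCN opt-out in Go 1.17.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed certificate with the given CN and optional DNS SANs.
func makeCert(cn string, sans []string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // nil means no SAN extension at all, as old Velociraptor configs had
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // freshly created DER always parses
	return cert
}

// ReliesOnLegacyCN reports whether the certificate would only match host via the
// deprecated Common Name fallback: no SAN entries of any kind, a CN equal to host
// (exact match, no wildcards) and a rejection from VerifyHostname, which ignores the CN.
func ReliesOnLegacyCN(cert *x509.Certificate, host string) bool {
	hasSAN := len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 ||
		len(cert.EmailAddresses) > 0 || len(cert.URIs) > 0
	return !hasSAN && cert.Subject.CommonName == host && cert.VerifyHostname(host) != nil
}

func main() {
	host := "velociraptor.example" // constructed hostname, not a real deployment
	fmt.Println("CN only:", ReliesOnLegacyCN(makeCert(host, nil), host))            // true
	fmt.Println("with SAN:", ReliesOnLegacyCN(makeCert(host, []string{host}), host)) // false
}
```

To run the check against a real deployment, replace makeCert with x509.ParseCertificate on the PEM-decoded server certificate from the config file.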

Release 0.5.6

08 Feb 10:52
2715027

This is the next point release for Velociraptor - Digging deeper!

This release addresses a number of bugs:

  • Offline collector did not include custom artifacts
  • Ignore directories inside zip for zip accessor.
  • Add Linux and MacOS PacketCapture artifacts
  • Added MacOS.Applications.Chrome.History and Windows.Detection.ForwardedImports
  • Fixed tempfile deletion for memory acquisition

As always, please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

PS: We have a couple of training courses coming up in the next couple of months. Consider those if you want to use Velociraptor like a pro! https://www.velocidex.com/training/

Release 0.5.5-1

25 Jan 16:09
98119e5

This is a bugfix release from 0.5.5. Thanks for the bug reports and feedback.

Major issues fixed:

  1. Memory leak in foreach() plugin
  2. Python gRPC API handler crash
  3. GUI: fixed the welcome screen logo being shown at an incorrect size
  4. GUI: fixed the VFS browser showing paths with % in their name
  5. File-based merge sort fixes a memory issue on large ORDER BY queries.

Release 0.5.5

19 Jan 09:35
527b8e9

This is the next point release for Velociraptor - Digging deeper!

This change introduces some significant improvements, new features and bug fixes. Some notable changes include:

  • New binary parser is now available in VQL. This allows for implementing powerful parsers right inside your query.
  • Offline collector now stores into a multithreaded ZIP writer - this speeds up collection on multi-core machines because multiple cores can compress at the same time.
  • Performance optimization for VQL engine - more laziness in more places.
  • Fixed bugs in NTFS parser cache - this was causing failures in some queries.
  • Disable MySQL as a filestore - the MySQL backend proved to be lower performance than plain disk and had stability issues. We have temporarily withdrawn this option until we can work on it more.
  • Server side event queues now implement file backed overflow - this makes them more scalable and faster.

This release also includes a number of interesting new artifacts:

  • Splunk upload artifacts, matching the previous Elastic-based ones
  • Certutils metadata parser using the new binary parser framework
  • Lnk file parser using the new binary parser in VQL.
  • The Hive interfacing artifacts

As always, please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

PS: We have a couple of training courses coming up in the next couple of months. Consider those if you want to use Velociraptor like a pro! https://www.velocidex.com/training/

Known issues

  • If you intend to use the API, please use a CI build later than #879, as there is a known issue with API connections.

Release 0.5.4

26 Dec 08:07
1d3bb9e

This is the next point release for Velociraptor - Digging deeper!

This change introduces some significant improvements, new features and bug fixes. Some notable changes include:

  • Add automatic type conversion for artifact parameters: Previously all artifact parameters were strings and artifact writers had to manually convert from these string representations to a VQL type. This conversion is now done automatically and consistently.
  • Tool setup now allows overriding the tool URL as well - useful when hosting your tools off S3 or GCS.
  • Added a parallel plugin for fast post processing. This speeds up notebook post processing by up to 10x.
  • Added server metadata screen. Server can now have user settable configuration parameters which can be used to centrally store and manage global parameters used by many artifacts (e.g. credentials).
  • Write monitoring query logs to a daily log file. It is now possible to view VQL logs sent by client and server event queries.

This release also includes a number of interesting new artifacts:

  • MacOS.System.Wifi - list Wi-Fi networks previously connected to on OSX
  • Server.Slack.Clients.Online - notify Slack when a client comes back online
  • Windows.ActiveDirectory.BloodHound - deploy BloodHound for AD auditing.
  • Windows.Application.Firefox.History - get history from Firefox
  • Windows.ETW.EdgeURLs - stream accessed URLs from the Edge browser.
  • Windows.ETW.WMIProcessCreate - notify when a WMI Win32_Process Create call starts a new process.
  • Windows.Forensics.SolarwindsSunburst - hunt for SolarWinds DLLs.

As always, please file issues on the GitHub bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.5.3

03 Dec 05:55
e957bec

This is the next point release for Velociraptor - Digging deeper!

This change introduces some significant improvements, new features and bug fixes. Some notable changes include:

  • Added ETW plugin and sysmon log forwarding. Velociraptor will now take care of sysmon installation and manage its configuration. Using ETW we can also follow all sysmon logs and forward them or respond to them.
  • Hunts and Flows now receive their own notebooks automatically. This allows for rapid post processing of collections using VQL directly in the GUI.
  • Add delete client button in GUI - remove client including all collected artifacts.
  • Offline collector import - It is now possible to import the offline collector bundle into the GUI. This makes it possible to post process with the usual notebook approach.
  • Some more OSX artifacts (MacOS.Detection.InstallHistory, MacOS.System.Plist, MacOS.System.QuarantineEvents, MacOS.System.TimeMachine)
  • Limit client concurrency - this fixes the previous behavior where, if you had many hunts active in the system, a new client would receive all hunts at the same time and could be overwhelmed. The new behavior limits concurrent queries to 2 by default, and allows GUI queries (like VFS) to bypass this limit to keep the client interactive even while doing heavy hunting.
  • Add SFTP Upload as an option for offline collector.

Check out this video for a demonstration of how the new GUI can be used for rapid hunting:
https://www.youtube.com/watch?v=rLgvqsj6T_g

As always, please file issues on the bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.5.2

12 Nov 15:07
bcbcd93

This is the next point release for Velociraptor - Digging deeper!

This change introduces some significant improvements:

  • Collected query result sets are now indexed on the server. This makes it fast to seek within very large JSON files (many GB).
  • Due to the previous change, all tables now page infinitely - making it possible to view all results in the GUI.
  • Many GUI improvements
  • NTFS parser now has a built-in USN Journal parser.
  • Experimental support for an on-host local hash database powered by the USN parser. It is now possible to query for hashes in seconds.

Other notable changes:

  • Added support for OpenID Connect for authentication.
  • Add sinkhole: It is possible to block a domain name on endpoints by manipulating the hosts file.
  • Parser for RecycleBin $I files and RecycleBin artifact
  • Table exports through the GUI now allow selecting columns, so only some columns are exported into CSV or JSON files.
  • Add Windows.Detection.ProcessMemory.CobaltStrike - a Cobalt Strike Memory scanner artifact.
  • It is now possible to specify externally minted certificates for TLS

As always, please file issues on the bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.5.1

23 Oct 08:42
44ab481

This is the next point release for Velociraptor - Digging deeper!

I am excited to announce the new React-based GUI is now live in this release. The GUI is a complete re-implementation of the UI since 0.5.0 and it is a large change - so for the moment it may still have bugs. Please test widely and report any issues.

There have been very few backend changes since 0.5.0-1 and so it should be safe to switch back and forth between 0.5.0-1 and 0.5.1 at any time.

The new GUI should be feature complete relative to the old GUI, with additional features focused on making the experience easier:

  1. It is now possible to cancel or delete flows or hunts from the GUI
  2. VFS view allows recursive download of files as well as recursive listing of files.
  3. Keyboard navigation makes driving the interface fast and efficient.

Please share your feedback on the mailing list and add suggestions of how the GUI may be enhanced to help your workflow.

As always, please file issues on the bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Known Issues

A patch release 0.5.1-1 was issued with fixes to UI issues and NTFS sparse file support.

Release 0.5.0

21 Sep 04:09
27dc6e1

This is the next point release for Velociraptor - Digging deeper! This release introduces a number of new features as well as bug fixes and performance enhancements. Thanks everyone for reporting issues through the issue board and Discord!

This release includes many bug fixes and performance improvements, as well as new features:

  • Fix headers parameters in http_client plugin.
  • Group by now supports expressions.
  • Linux filesystem accessor now follows symlinks: It now has symlink cycle detection.
  • Added a cache VQL plugin which stores data for a time. This enables VQL to walk the process parent tree recursively.

As always, please file issues on the bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Known issues (fixed in the 0.5.0-1 release)

  1. A client uploader bug was discovered when uploading files with the "file" accessor.
  2. Server was not able to start when custom artifacts were specified for the server monitoring tables.

Release 0.4.9

02 Sep 05:47
6a55926

This is the next point release for Velociraptor - Digging deeper! This release introduces a number of new features as well as bug fixes and performance enhancements. Thanks everyone for reporting issues through the issue board and Discord!

This release includes many bug fixes and performance improvements, as well as new features:

  • External Tool interface was refined and improved. There is now a GUI which allows users to upload their own tool, serve it locally or from an external URL and retrieve tools from GitHub releases.
  • Added a standalone velociraptor.exe gui command. This automatically creates a frontend/client and brings up the GUI. Useful for demos or to just write some VQL in the browser without having to install first.
  • Added support for OSQuery - simply collect the Windows.OSQuery.Generic artifact. Velociraptor will take care of uploading the osquery binary to the endpoint and converting output to VQL for further processing.
  • Implement row limits and total upload limits on artifact collections. When collecting an artifact from the endpoint, if it returns too many rows or uploads too many bytes then it will be cancelled to protect server stability.

An example of the new Tools UI is shown below - we can upload a substitute version of the tool in the browser, serve it locally (all endpoints download the tool from the Velociraptor server) or serve it from upstream directly.

[image: Tools UI screenshot]

As always, please file issues on the bug tracker or ask questions on our mailing list [email protected]. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Known issues

  • The command velociraptor debian server was broken in the 0.4.9 release - please use 0.4.9-1 for the fix.