This is the next point release for Velociraptor - Digging deeper!
This change introduces some significant improvements, new features and bug fixes. Some notable changes include:
- Added ETW plugin and sysmon log forwarding. Velociraptor will now take care of sysmon installation and manage its configuration. Using ETW we can also follow all sysmon logs and forward them or respond to them.
- Hunts and Flows now receive their own notebooks automatically. This allows for rapid post processing of collections using VQL directly in the GUI.
- Add delete client button in GUI - removes the client including all collected artifacts.
- Offline collector import - It is now possible to import the offline collector bundle into the GUI. This makes it possible to post process with the usual notebook approach.
- Some more OSX artifacts (MacOS.Detection.InstallHistory, MacOS.System.Plist, MacOS.System.QuarantineEvents, MacOS.System.TimeMachine)
- Limit client concurrency - this fixes the previous behavior where, if you had many hunts active in the system, a new client would receive all hunts at the same time and could be overwhelmed. The new behavior limits concurrent queries to 2 by default, and allows GUI queries (like VFS) to bypass this limit to keep the client interactive even while doing heavy hunting.
- Add SFTP Upload as an option for offline collector.
Check out this video for a demonstration of how the new GUI can be used for rapid hunting:
https://www.youtube.com/watch?v=rLgvqsj6T_g
As always, please file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord