This is the next point release for Velociraptor - Digging deeper!
This release introduces some significant improvements, new features and bug fixes. Some notable changes include:
- Added automatic type conversion for artifact parameters: Previously, all artifact parameters were strings and artifact writers had to manually convert from these string representations to a VQL type. This conversion is now done automatically and consistently.
- Tool setup now allows overriding the tool URL as well. This is useful when hosting your tools on S3 or GCS.
- Added a parallel plugin for fast post processing. This speeds up notebook post processing by up to 10x.
- Added a server metadata screen. The server can now have user-settable configuration parameters, which can be used to centrally store and manage global parameters shared by many artifacts (e.g. credentials).
- Monitoring query logs are now written to a daily log file. It is now possible to view the VQL logs emitted by client and server event queries.
This release also includes a number of interesting new artifacts:
- MacOS.System.Wifi - List Wi-Fi networks previously connected to on macOS.
- Server.Slack.Clients.Online - Notify Slack when a client comes back online.
- Windows.ActiveDirectory.BloodHound - Deploy BloodHound for AD auditing.
- Windows.Application.Firefox.History - Get browsing history from Firefox.
- Windows.ETW.EdgeURLs - Stream accessed URLs from the Edge browser.
- Windows.ETW.WMIProcessCreate - Notify when a WMI Win32_Process Create call starts a new process.
- Windows.Forensics.SolarwindsSunburst - Hunt for SolarWinds DLLs.
As always, please file issues on the GitHub bug tracker or ask questions on our mailing list, velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord