Releases: Velocidex/velociraptor
Release 0.73
I am very excited to announce that the latest Velociraptor release 0.73 is now available for download.
Detailed release notes are at https://docs.velociraptor.app/blog/2024/2024-09-10-release-notes-0.73/
The major new feature in this release is a revamp of the timelining feature. You can read all about the latest timeline feature in our blog post https://docs.velociraptor.app/blog/2024/2024-09-12-timelines/
If you find any issues please file an issue on GitHub or chat with us on our discord server.
Release 0.72
I am very excited to announce that the latest Velociraptor release 0.72 is now live!
Detailed release notes are at https://docs.velociraptor.app/blog/2024/2024-03-10-release-notes-0.72/
This release brings many new features:
- EWF Support - In this release, Velociraptor supports the EWF (AKA E01) format using the `ewf` accessor. This allows Velociraptor to analyze E01 image sets.
- Allow remapping clients to use the SSH accessor - This release added the ability to apply remapping, in a similar way to the dead disk image method above, to run a Virtual Client which connects to the remote system via SSH and emulates filesystem access over the `sftp` protocol.
- Undo/Redo for notebook cells
- Hunt view GUI is now paged
- Secret Management - This release introduces Secrets as a first class concept within VQL. A `Secret` is a specific data object (key/value pairs) given a name which is used to configure credentials for certain plugins.
- Implemented Websocket based communication mechanism - In this release, Velociraptor introduces support for websockets as a communications protocol. The websocket protocol is designed as a low latency and low overhead continuous communications method between clients and server (and is already used by e.g. most major social media platforms).
- Dynamic DNS providers - The 0.72 release has now switched to CloudFlare as our default preferred Dynamic DNS provider. We also added noip.com as a second option.
- Enhanced proxy support - The 0.72 release introduces more complex proxy condition capabilities. It is now possible to specify which proxy to use for which URL based on a set of regular expressions. PAC files are now also supported.
- Process memory access on MacOS
- Multipart uploaders for http_client() - This release adds the `files` parameter to the `http_client()` plugin. This simplifies uploading multiple files and automatically streams those files without memory buffering, allowing very large files to be uploaded this way.
- Yara plugin can now accept compiled rules.
There are many more changes, bug fixes and features - please review the blog post here for the full details.
If you find any issues please file an issue on GitHub or chat with us on our discord server.
Version scheme update
Note that this release is 0.72, which is a different scheme from previous releases. You can read more about the reasons for this version scheme change here.
Known issues
Release 0.72.1 addresses a number of issues:
- Bugfix: Dashboard ignores the StartTime (#3464)
- Bugfix: Hunt dispatcher did not expire hunts (#3468)
- Bugfixes: Handle empty timelines (#3456)
- Enabled panic file for windows service. (#3463)
- Make Logging from Windows service optional (#3480)
- Added housekeep loop for client info manager. (#3479)
Release 0.72.3 addresses the following:
- Bugfix: Deadlock in accessor LRU - this could sometimes cause the client to take a long time or fail to complete artifacts with very heavy IO processing
- Remove group by in event artifacts and fixed MacOS WiFi artifacts
- Rewrote MemcacheFileDataStore to be more efficient. The Memcache filestore is only used in Master/Minion configurations and this fixed a number of critical bugs in this implementation.
Release 0.72.4 addresses the following:
- Bugfix: Usernames can now contain unicode for i18n support.
- Bugfix: Update index when processing automated client metadata
- Bugfix: Automatic import of x509 encrypted offline collections.
- Bugfix: Handle NULL in stacking
- Optimize hunt_dispatcher GetFlows() API
- Thread pool flow deletion
- Bugfix: Memory leak in diff plugin
- Bugfix: S3 accessor was unable to handle 416 byte range error.
- Added ext4 and raw_ext4 accessors.
Release 0.7.1
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-11-15-release-notes-0.7.1/
GUI improvements
The GUI was updated in this release to improve user workflow and accessibility.
Notebook improvements
Velociraptor uses notebooks extensively to facilitate collaboration, and post processing. There are currently three types of notebooks:
Global Notebooks - these are available from the GUI sidebar and can be shared with other users for a collaborative workflow.
Collection notebooks - these are attached to specific collections and allow post processing the collection results.
Hunt notebooks - are attached to a hunt and allow post processing of the collection data from a hunt.
This release further develops the Global notebooks workflow as a central place for collecting and sharing analysis results.
Templated notebooks
Many users use notebooks heavily to organize their investigation and guide users on what to collect. While Collection notebooks and Hunt notebooks can already include templates there was no way to customize the default Global notebook.
In this release, we define a new type of Artifact of type NOTEBOOK which allows a user to define a template for global notebooks.
Copying a cell to a global notebook
Velociraptor will copy the cell to the target notebook and add VQL statements to still refer to the original collection. This allows users of the global notebook to further refine the query if needed.
This work flow allows better collaboration between users.
VFS Downloads
Velociraptor's VFS view is an interactive view of the endpoint's filesystem. Users can navigate the remote filesystem using a familiar tree based navigation and interactively fetch various files from the endpoint.
In the 0.7.1 release, there is a new GUI button to initiate a collection from the VFS itself. This allows the user to download all or only some of the files they had previously interactively downloaded into the VFS.
Artifacts can be hidden in the GUI
Velociraptor comes with a large number of built in artifacts. This can be confusing for new users and admins may want to hide artifacts in the GUI.
You can now hide an artifact from the GUI using the artifact_set_metadata() VQL function. For example the following query will hide all artifacts which do not have Linux in their name.
New VQL plugins and capabilities
This release introduces an exciting new capability: Built-in Sigma Support.
Built-in Sigma Support
Sigma is fast emerging as a popular standard for writing and distributing detections. In this release, Sigma rules can directly be used on the endpoint, without the need to forward all the events off the system first! This makes Sigma a powerful tool for initial triage:
- Apply a large number of Sigma rules on the local event log files.
- Live detection of Sigma rules
Other improvements
SSH/SCP accessor
Velociraptor normally runs on the endpoint and can directly collect evidence from it. However, many devices on the network cannot install an endpoint agent, either because the operating system is not supported (for example embedded versions of Linux) or due to policy.
When we need to investigate such systems we often can only access them by Secure Shell (SSH). In the 0.7.1 release, Velociraptor has an ssh accessor which allows all plugins that normally use the filesystem to transparently use SSH instead.
Distributed notebook processing
While Velociraptor is very efficient and fast, and can support a large number of endpoints connected to the server, many users told us that on busy servers, running notebook queries can affect server performance. This is because a notebook query can be quite intense (e.g. Sorting or Grouping a large data set) and in the default configuration the same server is collecting data from clients, performing hunts, and also running the notebook queries.
This release allows notebook processors to be run in another process. In Multi-Frontend configurations (also called Master/Minion configuration), the Minion nodes will now offer to perform notebook queries away from the master node. This allows this sudden workload to be distributed to other nodes in the cluster and improves server and GUI performance.
ETW Multiplexing
In 0.7.1 the ETW subsystem was overhauled with the ability to multiplex many ETW watchers on top of the same session. The ETW sessions are created and destroyed on demand. This allows us to more efficiently track many more ETW providers with minimal impact on the system.
Additionally the etw_sessions() plugin can show statistics for all sessions currently running including the number of dropped events.
Local encrypted storage for clients.
It is sometimes useful to write data locally on endpoints instead of transferring the data to the server. For example, if the client is not connected to the internet for long periods it is useful to write data locally. It is also useful to write data locally so that it can be recovered later during an investigation.
The downside of writing data locally on the endpoints is that this data may be accessed if the endpoint is later compromised. If the data contains sensitive information this can be used by an attacker. This is also primarily the reason that Velociraptor does not write a log file on the endpoint. Unfortunately this makes it difficult to debug issues.
The 0.7.1 release introduces a secure local log file format. This allows the Velociraptor client to write to the local disk in a secure way. Once written the data can only be decrypted by the server.
If you find any issues please file an issue on GitHub or chat with us on our discord server.
Known issues
Release 0.7.1-2 fixes a number of bugs:
- Bugfix: Return notebook worker to the pool when query is cancelled. (#3252)
- Added a counter for etw loops and slowed down retry rate. (#3207)
- Grow the Generic Embedded Config container to fit large config (#3209)
- Fix EWF reading bug (#3210)
- Fix JSX leading space in translations (#3195)
- Fix crash in proc_yara() plugin. (#3226)
- Bugfix: Sigma plugin expand details did not handle non-string values (#3232)
- Update flow index when importing a flow (#3240)
- Fix for ACE editor cursor position issue in Classic theme (#3262)
- bugfix: #3265 missing forward proxy configuration for oidc authenticator (#3268)
- Bugfix: Merge fixes to EWF and ESE libraries (#3280)
Release 0.7.1-1 fixes a number of minor bugs:
- Fixed crash with timeout handling on API handler (#3187)
- Return AuthenticationFailedError when password is not OK (#3182)
- Fix dangling pointers around WinVerifyTrust (#3176)
- Limit the LRU size in the memcache filestore (#3175)
- Added symlink processing to linux file accessor (#3173)
- Guard use of sysinfo() in Generic.Client.Info #3180
- http_client() plugin does not set a useragent by default #3171
Release 0.7.0
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/
GUI improvements
Enhanced client search
In this release the client index was rewritten to store all client
records in a single snapshot file, while managing this file in memory. This approach allows client searching to be extremely quick even for large numbers of clients well over 100k.
Paged table in Flows List
In this release the GUI was updated to include a paged table (with suitable filtering and sorting capabilities) so all collections can be accessed.
VQL Plugins and artifacts
Chrome artifacts
Added a leveldb parser and artifacts around Chrome Session Storage. This allows analysis of data that is stored locally by Chrome on behalf of various web apps.
Lnk forensics
This release added a more comprehensive Lnk parser covering all known Lnk file features. You can access the Lnk file analysis using the `Windows.Forensics.Lnk` artifact.
Direct S3 accessor
In this release Velociraptor adds an S3 accessor. This allows plugins to directly operate on S3 buckets. In particular the glob() plugin can be used to query bucket contents and read files from various buckets.
Volume Shadow Copies analysis
In the 0.7.0 release, Velociraptor adds the `ntfs_vss` accessor. This accessor automatically considers different snapshots and deduplicates files that are identical in different snapshots. This makes it much easier to incorporate VSS analysis into your artifacts.
The SQLiteHunter project
This release incorporates the SQLiteHunter artifact, a one stop shop for finding and analyzing SQLite files such as browser artifacts and OS internal files.
Server security improvements
In the 0.7.0 release, Velociraptor offers the `GUI.allowed_cidr` option. If specified, the list of CIDR addresses will specify the source IPs acceptable to the server for connections to the GUI application (for example `192.168.1.0/24`).
This filtering only applies to the GUI and forms an additional layer of security protecting the GUI application (in addition to the usual authentication methods).
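The semantics of that option, as an added illustration and not Velociraptor's own code: a source-address allowlist of the kind `GUI.allowed_cidr` describes, evaluated on the TCP peer address before any authentication runs. Only the config key name and the `192.168.1.0/24` range come from the page; the function names, the IPv6 range and the sample peer addresses are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_cidr(cidrs: Iterable[str]) -> List[Network]:
    """Parse a GUI.allowed_cidr style list once at startup.

    strict=False accepts entries such as 192.168.1.1/24 (host bits set),
    which a config author may well write; a malformed entry raises so a
    typo cannot silently disable the filter.
    """
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def _strip_port(addr: str) -> str:
    """Accept '10.0.0.5:443', '[2001:db8::1]:443', or a bare address."""
    if addr.startswith("["):              # bracketed IPv6 with port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:              # IPv4 with port
        return addr.rsplit(":", 1)[0]
    return addr                           # bare IPv4 or bare IPv6


def source_allowed(remote_addr: str, allowed: List[Network]) -> bool:
    """Return True if the connection's source address lies inside one of
    the allowed ranges.

    An empty list means the option was not specified, so the filter is
    disabled and authentication remains the only gate (matching the
    "if specified" wording above).  remote_addr is the peer address of
    the TCP connection, optionally with a port.  Behind a reverse proxy
    that is the proxy's address; this helper deliberately ignores
    X-Forwarded-For because that header is attacker-controllable.
    """
    if not allowed:
        return True
    try:
        ip = ipaddress.ip_address(_strip_port(remote_addr))
    except ValueError:
        return False                      # unparsable peer: fail closed
    # An IPv4-mapped IPv6 peer (::ffff:192.168.1.7) should match IPv4 rules.
    candidates = [ip]
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        candidates.append(ip.ipv4_mapped)
    return any(c in net for c in candidates for net in allowed
               if c.version == net.version)


if __name__ == "__main__":
    # Constructed sample: the page's example range plus a private IPv6 range.
    allowed = parse_allowed_cidr(["192.168.1.0/24", "fd00::/8"])
    for peer in ["192.168.1.5:52310", "10.0.0.9:52311",
                 "[fd00::10]:52312", "::ffff:192.168.1.7", "not-an-ip"]:
        print(f"{peer:28} allowed={source_allowed(peer, allowed)}")
```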
Conclusions
There are many more new features and bug fixes in the latest release. Please help our community by testing this release and providing feedback through the GitHub issue board or on our discord channel
Notes
MacOS binaries are now signed. You can verify the signature using the `codesign` utility:
```
codesign -d -vvv ./velociraptor-v0.7.0-darwin-amd64
```
If you see the error `version GLIBC_2.33 not found` when running Velociraptor on your system, upgrade to 0.7.0-2 or the musl build. The 0.7.0 release was built on Ubuntu 22.04. A 0.7.0-2 release has now been built on Ubuntu 20.04.
Release 0.7.0-3 is a bugfix release primarily for issue #2955. If you are experiencing this issue (many duplicate clients) please test upgrading the clients to 0.7.0-3. This release also adds the ability for the writeback file to be stored in the registry instead of the filesystem on Windows: simply modify the `writeback_windows` value in the config file to something that starts with HKLM (for example `HKLM\SOFTWARE\Velocidex\Velociraptor`). This should improve stability in writing the writeback on the client and prevent potential writeback file corruptions which may previously have led to clients recreating the writeback file with a new client id.
NOTE: Please upgrade servers to 0.7.0-4 to address CVE-2023-5950
We are very grateful to Mathias Kujala for reporting this issue. More information at https://docs.velociraptor.app//announcements/2023-cves/
Release 0.7.0-rc1
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/
Release 0.6.9
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-05-05-release-notes-0.6.9/
GUI Improvements
- Table filtering and sorting - the table filtering controls were moved to the top of each table column
- VFS GUI improvements - It is now possible to download multiple files at the same time within the VFS GUI
- Hex viewer and file previewer GUI - A new hex viewer widget was introduced. This allows directly previewing collected files within the GUI
- Artifact pack import GUI improvements - When manually importing an artifact pack with the GUI the user can now filter which artifacts to import and set their prefix
Notable features
This release brings direct SMB support to Velociraptor - it is now possible to use SMB for:
- Upload the offline collector to an SMB share
- Serving tools from an SMB share
This release also supports Azure blob storage for offline collector uploads.
Debugging VQL
A frequent difficulty users expressed is the ability to debug VQL queries. This release introduces the `EXPLAIN` keyword which helps in debugging VQL queries either in the notebook or on the client itself.
Security features
This release introduces a new "lockdown" server mode. When a server is in lockdown it is not able to schedule new collections or hunts but can still be used to view already collected information.
Additionally this release introduces an audit event viewer allowing for those to be viewed directly in the UI. Auditable events include collection launch, hunt creation etc.
Velociraptor allows for utilizing external third party tools in artifacts. Previously tool definitions could specify where a tool should be downloaded from. In this release it is also possible to specify an expected hash for the tool.
NOTE: Please upgrade servers to 0.6.9-1 to address CVE-2023-5950
We are very grateful to Mathias Kujala for reporting this issue. More information at https://docs.velociraptor.app//announcements/2023-cves/
Release 0.6.9 rc1
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-05-05-release-notes-0.6.9/
Please test widely and report any issues on GitHub.
Release 0.6.8
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-02-13-release-notes-0.6.8/
This release introduces an upgraded communication protocol between client and server. Previously the server would keep track of various collection statistics but now these are tracked on the client, making the server a lot more efficient. The new communication protocol is a lot faster and allows the server to support a larger number of clients. When using a 0.6.8 server with older clients, the older protocol is still used to maintain backwards compatibility.
Notable features
- Send ClientInfo messages all the time. Previously client information like hostname was collected during interrogation by collecting Generic.Client.Info. In this version, Velociraptor will send periodic updates every day to keep client information in sync.
- Use pageable tables for the VFS: The previous VFS view would store the entire directory listing in a single table making it impossible to view very large directories like `C:\Windows` or System32. This version updates the way the VFS is handled to transfer directory listings more efficiently, and uses a pageable table to view arbitrarily large directories. Performance is much improved: for example a recursive directory sync on C:\Windows takes about 90 sec to sync 250k files.
- Refactored hunt and collection export code - exporting a hunt or collection creates a zip file containing the files collected and query results. The code for exporting this zip file was optimized to produce this export much faster and with less memory requirements. The GUI is also much improved.
- Batch client log messages into JSONL groups - Previously clients would send each query log in a separate message, in order to ensure they get to the server ASAP. This release batches these into larger messages reducing the server's load and improving efficiency.
- Implemented a preview Column renderer - Sometimes it is handy to send from the client some raw data to provide context around e.g. yara hits. Previously it was only possible to view data that was encoded within the result set JSON causing very large JSON payloads. In this version it is possible to use the upload() function to upload an arbitrary sized file to the server, and mark the column as type "upload_preview" . The GUI will then render a preview of the file (if it is an image, it will be shown as a thumbnail) otherwise a hex viewer.
- Uploads are now deduplicated on store_as_name: Previously each call to the upload() function would result in the file being uploaded which made using upload() a bit tricky in order to avoid uploading the same file multiple times. Now it is not necessary as uploads will be automatically deduplicated so can be called multiple times on the same file.
- Added a tempfile based materializer to have safe queries: Some VQL queries would materialize a query into an array, e.g. with an expression like `LET X <= SELECT * FROM glob(...)`. Previously this expanded the query into memory and would cause huge memory requirements and possible out of memory crashes. In this release VQL implements a temp file implementation of the LET operator which automatically switches to a temp file when the variable receives more than 1000 rows by default. This keeps memory use controlled and allows these kinds of queries to be run safely.
- Allow client side collections to be traced: We often get questions about what happened to a collection that seems to be hung. Previously the only way to gather client side information was to collect a Generic.Client.Profile collection. This required running it at just the right time and did not guarantee that we would get helpful insight into what the query and the client binary were doing. In this release it is possible to specify a trace collection for any collection to automatically collect client side state as the collection is progressing.
- Added progress reporting to offline collector: When copying large files it is useful to get some kind of feedback as the copy operation is progressing.
- Track tool definitions by defining artifact: Previously once a tool was defined, the admin could only override the tool but not reset it to a new version. If a tool was defined by 2 artifacts it might be that each artifact declares a different version. The release allows the admin to reset the tool definition to any one of the artifacts that define it.
Including many bug fixes and stability improvements.
Known Issues
Release 0.6.8-2 fixes a number of minor issues:
- Flow Deletion did not remove uploaded bulk files.
- Protect CryptCATAdmin and WinVerifyTrust functions behind dangerous api flag due to occasional crashes
- Trace file generator regression
- Deduplicate labels in GUI
- Suppress logging to files for admin commands
- Add client id back to client monitoring events
Release 0.6.7
This is the next point release for Velociraptor - Digging deeper!
Read the full release notes here https://docs.velociraptor.app/blog/2022/2022-11-21-release-notes/
Notable feature
- Offline collector and flow exports use the same container format. The container is fully importable containing all the information that should be recreated in the new collection. This makes it possible to archive collections and re-import them easily.
- Offline collector can now encrypt the collection file using X509 or PGP key pairs. This makes it possible to secure the collected file in such a way that it is not possible to derive the password without the server private key.
- Encrypted collection files are automatically decrypted when imported.
- Hunts can be scheduled on multiple orgs in the GUI
- Cell query logs in notebooks are now pageable.
- Collection Uploads tab was reworked to allow downloading sparse files in expanded or compacted form.
- Work on the NTFS parser to display multiple file paths for the same file (i.e. hard links) as well as better support for NTFS compression.
- Group BY queries now revert to disk when the size of the groups is too large. This allows GROUP BY queries to be run safely on very large data sets without exceeding memory use
- The collection launch wizard now allows a collection to be specified as `urgent`. This allows certain queries to pre-empt larger hunts on busy systems.
- Experimental: You can now repack client configuration in the windows MSI directly without needing to install Wix Framework.
- Updates themes - Default theme is now Velociraptor light. You can still use the old theme which had been named Velociraptor Classic.
Including many bug fixes and stability improvements.
Thanks to @clayscode for implementing the encryption/decryption of offline collections!
Thanks to @weslambert for many contributions in this release - many artifacts and fixes.
Thanks to @predictiple for updating all the themes!
Thanks to @jeffmahoney for the user management UI contribution!
Known issues
Release 0.6.7-3 addresses some minor issues and bug fixes. It also adds a User management screen
Release 0.6.7-4 fixes a GUI issue with initial log in for a new user
Release 0.6.7-5 fixes CVE-2023-0242 and CVE-2023-0290 - see release notes https://docs.velociraptor.app/announcements/2023-cves/
Release 0.6.6
This is the next point release for Velociraptor - Digging deeper!
For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-08-15-release-notes/
Notable feature
- This release introduces full multi-tenancy to Velociraptor: You can create new orgs on the fly to keep clients separated and organized.
- More work on the process tracker allows VQL to access historical process information on the endpoint.
GUI improvements
- Users can change their password in the GUI
- Client monitoring event logs can now be deleted with the GUI
- Right click on any table cell to get a context menu allowing send to Virus Total, Cyberchef and more!
- Notebooks can be shared with all users (public notebooks)
Including many bug fixes and stability improvements.
As usual if you find bugs or issues please file an issue on GitHub
Known issues
- 0.6.6-1 is a server only release to fix #2062 and #2059. If you have clients older than 0.6.4 please upgrade to this release to continue to support them.
- 0.6.6-2 is a windows only fix for #2065. This affects the way the windows service communicator works so please use that release for windows.
- 0.6.6-3 is a windows 32 bit fix for #2195 - this only affects the 32 bit version