Server Artifacts

These artifacts are intended to run on the server.

Server.Alerts.PsExec

Send an email if execution of the psexec service was detected on any client. This is a server side artifact.

Note this requires that the Windows.Event.ProcessCreation monitoring artifact be collected from clients.

Arg Default Description
EmailAddress admin@example.com
MessageTemplate PsExec execution detected at %v: %v for client %v\ …
View Artifact Source

Server.Alerts.WinPmem

Send an email if the pmem service has been installed on any of the endpoints.

Note this requires that the Windows.Event.ServiceCreation monitoring artifact be collected from clients.

Arg Default Description
EmailAddress admin@example.com
View Artifact Source

Server.Hunts.List

List Hunts currently scheduled on the server.

View Artifact Source

Server.Hunts.Results

Show the results from each artifact collection hunt.

Arg Default Description
huntId H.d05b2482
ArtifactName Linux.Mounts
View Artifact Source

Server.Information.Clients

This artifact returns the total list of clients, their hostnames and the last times they were seen.

We also include a list of usernames on this machine, as gathered by the last Windows.Sys.Users artifact that was collected. Note that the list of usernames may be outdated if that artifact was not collected recently.

View Artifact Source

Server.Information.Users

List the user names and SIDs on each machine. We get this information from the last time we collected Windows.Sys.Users. If we never collected it for this machine, there will be no results.

Arg Default Description
ClientId None
StandardUserAccounts (-5..$ S-1-5-18
View Artifact Source

Server.Internal.ArtifactDescription

View Artifact Source

Server.Internal.Interrogate

An internal artifact used to track new client interrogations by the Interrogation service.

View Artifact Source

Server.Monitor.Health

This is the main server health dashboard. It is shown on the homescreen and enabled by default on all new installs.

Arg Default Description
Frequency 15 Return stats every this many seconds.
View Artifact Source

Server.Monitor.Shell

Velociraptor can get an interactive shell on the endpoint by using the shell command. In order to use it, the user must be logged on to the server directly.

Obviously being able to run arbitrary commands on the endpoint is a powerful feature and should be used sparingly. There is an audit trail of executed shell commands and their output, available by streaming all shell commands to the “Shell” client event monitoring artifact.

This server event artifact centralizes all shell access from all clients into the same log file.

View Artifact Source

Server.Monitor.VeloMetrics

Get Velociraptor server metrics.

Arg Default Description
MetricsURL http://localhost:8003/metrics
View Artifact Source

Server.Monitoring.ClientCount

An artifact that sends an email every hour with the current state of the deployment.

Arg Default Description
EmailAddress admin@example.com
CCAddress None
Subject Deployment statistics for Velociraptor
Period 3600
View Artifact Source

Server.Powershell.EncodedCommand

It is possible to pass PowerShell an encoded script. This artifact decodes such scripts from the process execution logs.

NOTE: The client must be running the Windows.Events.ProcessCreation event artifact to retrieve process execution logs.

View Artifact Source
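The decoding step the artifact performs, written out as an added Python example (it is not Velociraptor's own VQL): an encoded command is the script as UTF-16LE, then base64, passed after any unambiguous prefix of -EncodedCommand (-e, -ec, -enc and so on). The process creation events below are constructed sample data, and the field names Pid and CommandLine are assumptions.

```python
"""Decode PowerShell -EncodedCommand arguments found in process creation events.

Added example, not Velociraptor's own VQL. The event dicts below are constructed
sample data; the field names (Pid, CommandLine) are assumed.
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so -e, -ec
# and -enc all work. Build the alternation from the prefixes, longest first.
_FLAG = "encodedcommand"
_PREFIXES = sorted({_FLAG[:n] for n in range(1, len(_FLAG) + 1)} | {"ec"},
                   key=len, reverse=True)
_ENC_RE = re.compile(r"[-/](?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_PREFIXES),
                     re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # flag present but payload is not valid base64: leave it for a human
    # PowerShell base64-encodes the script as UTF-16LE, not UTF-8.
    return raw.decode("utf-16-le", errors="replace")


def scan_process_events(events):
    """Return (Pid, decoded script) for every event whose command line is encoded."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev.get("CommandLine", ""))
        if decoded is not None:
            findings.append((ev["Pid"], decoded))
    return findings


def _encode(script):
    """Build sample data the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process creation events; only the first carries an encoded script.
SAMPLE_EVENTS = [
    {"Pid": 4120, "CommandLine": "powershell.exe -NoP -W Hidden -enc "
                                 + _encode("Get-Process | Out-File C:\\temp\\procs.txt")},
    {"Pid": 4122, "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"},
    {"Pid": 4130, "CommandLine": "powershell.exe -e not*base64"},
]

if __name__ == "__main__":
    for pid, script in scan_process_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {script}")
```

The regex requires whitespace after the flag, so -ExecutionPolicy is not mistaken for -e, and invalid base64 is reported as "no decode" rather than raising, which keeps a single malformed event from stopping a scan of the whole log.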

System.Flow.Completion

An internal artifact that produces events for every flow completion in the system.

View Artifact Source

System.Hunt.Participation

Endpoints may participate in hunts. This artifact collects which hunt each system participated in.

Note: This is an automated system hunt. You do not need to start it.

View Artifact Source

System.VFS.DownloadFile

This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the GUI when the user clicks the “Collect from client” button on the file’s “Stats” tab.

Arg Default Description
Path / The path of the file to download.
Accessor file
View Artifact Source

System.VFS.ListDirectory

This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the GUI when a user clicks the “Refresh this directory” button.

Arg Default Description
Path / The path of the file to download.
Accessor file
Depth 0
View Artifact Source

Admin.Client.Upgrade

Remotely push new client updates.

NOTE: The updates can be pulled from any web server. You need to ensure they are properly secured with SSL and at least a random nonce in their path. You may configure the Velociraptor server to serve these through the public directory. Simply place the MSI in the public directory within the data store and set the URL below.

Arg Default Description
clientURL http://127.0.0.1:8000/public/velociraptor.msi The URL to fetch the MSI package.
View Artifact Source

Admin.Events.PostProcessUploads

Sometimes we would like to post process uploads collected as part of the hunt’s artifact collections.

Post processing means to watch the hunt for completed flows and run a post processing command on the files obtained from each host.

The command will receive the list of paths of the files uploaded by the artifact. We don't actually care what the command does with those files - we just relay its stdout/stderr to the artifact’s result set.

Arg Default Description
uploadPostProcessCommand ["/bin/ls", "-l"] The command to run - must be a JSON array of strings! The list of files will be appended to the end of the command.
uploadPostProcessArtifact Windows.Registry.NTUser.Upload The name of the artifact to watch.
View Artifact Source
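The mechanics described above, as an added Python example that is not Velociraptor's own implementation: the command parameter is parsed as the documented JSON array of strings, the uploaded paths are appended as further argv entries, and the process is run without a shell so that its exit status, stdout and stderr can be relayed. The sample files and the echo command standing in for ["/bin/ls", "-l"] are constructed.

```python
"""Run a post-processing command over the files a flow uploaded.

Added example, not Velociraptor's own implementation. It assumes the command
parameter is the JSON array of strings the artifact documents and that the
file list is appended as extra argv entries; all sample files are constructed.
"""
import json
import os
import subprocess
import sys
import tempfile


def build_command(upload_post_process_command, files):
    """Parse the JSON array and append each uploaded path as a separate argv entry."""
    try:
        cmd = json.loads(upload_post_process_command)
    except json.JSONDecodeError as e:
        raise ValueError(f"uploadPostProcessCommand is not valid JSON: {e}") from None
    if not isinstance(cmd, list) or not cmd or not all(isinstance(c, str) for c in cmd):
        raise ValueError("uploadPostProcessCommand must be a non-empty JSON array of strings")
    return cmd + [str(f) for f in files]


def run_post_process(upload_post_process_command, files, timeout=60):
    """Run the command with no shell in between and relay its exit status and output."""
    argv = build_command(upload_post_process_command, files)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return {"Argv": argv, "ReturnCode": proc.returncode,
            "Stdout": proc.stdout, "Stderr": proc.stderr}


# Portable stand-in for the documented default ["/bin/ls", "-l"]: prints one
# argv entry per line so we can see exactly how the paths arrived.
ECHO_ARGS = json.dumps([sys.executable, "-c",
                        "import sys; print('\\n'.join(sys.argv[1:]))"])


def demo():
    """Upload two constructed files, one with shell metacharacters in its name."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name in ("NTUSER.DAT", "report; echo injected.txt"):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(b"sample")
            paths.append(path)
        result = run_post_process(ECHO_ARGS, paths)
        # Because argv is passed as a list, the odd filename is one argument,
        # not a command boundary: it comes back as a single line of output.
        return result["ReturnCode"], result["Stdout"].splitlines()


if __name__ == "__main__":
    print(demo())
```

This is why the parameter insists on a JSON array rather than a shell string: file names chosen on the endpoint end up in the command line, and passing them as discrete argv entries keeps a name containing spaces, quotes or semicolons from being reinterpreted by a shell on the server.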

Admin.System.CompressUploads

Compresses all uploaded files.

When artifacts collect files they are normally stored on the server uncompressed. This artifact watches all completed flows and compresses the files in the file store when the flow completes. This is very useful for cloud based deployments with limited storage space or when collecting large files.

In order to run this artifact you would normally run it as part of an artifact acquisition process:

$ velociraptor --config /etc/server.config.yaml artifacts acquire Admin.System.CompressUploads

Note that there is nothing special about compressed files - you can also just run find and gzip in the file store. Velociraptor will automatically decompress the file when displaying it in the GUI text/hexdump etc.

Arg Default Description
blacklistCompressionFilename (?i).+ntuser.dat Filenames which match this regex will be excluded from compression.
View Artifact Source
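The compression pass described above, as an added Python example rather than the artifact's own code. It assumes the file store is a plain directory tree and, like running gzip by hand, replaces each file with file.gz; it honours the documented exclusion regex by testing it against the full path. The client directory and sample files are constructed.

```python
"""Compress files in a Velociraptor-style file store, honouring an exclusion regex.

Added example, not the artifact's own code. It assumes a plain directory tree as
the file store and, like plain gzip, replaces each file with file.gz; the client
directory name and the sample files are constructed.
"""
import gzip
import os
import re
import shutil
import tempfile

DEFAULT_BLACKLIST = r"(?i).+ntuser.dat"  # the artifact's documented default


def compress_uploads(root, blacklist=DEFAULT_BLACKLIST):
    """gzip every file under root except already-compressed files and blacklist matches.

    The regex is tested against the full path, so the leading .+ in the default
    still matches a file literally named NTUSER.DAT. Returns the paths compressed.
    """
    exclude = re.compile(blacklist)
    compressed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith(".gz") or exclude.search(path):
                continue
            with open(path, "rb") as src, gzip.open(path + ".gz", "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.remove(path)  # only after the .gz has been fully written
            compressed.append(path)
    return compressed


def _rel(path, root):
    """Path relative to root with forward slashes, so results compare the same everywhere."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def demo_compress():
    """Build a small constructed store, compress it, and report what changed."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "C.1234", "uploads"))  # C.1234 is a made-up client id
        samples = {
            os.path.join("C.1234", "uploads", "NTUSER.DAT"): b"registry hive",
            os.path.join("C.1234", "uploads", "evidence.txt"): b"hello",
            os.path.join("C.1234", "already.log.gz"): gzip.compress(b"old"),
        }
        for rel, data in samples.items():
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        compressed = sorted(_rel(p, d) for p in compress_uploads(d))
        with gzip.open(os.path.join(d, "C.1234", "uploads", "evidence.txt.gz"), "rb") as f:
            roundtrip = f.read()
        remaining = sorted(_rel(os.path.join(dp, n), d)
                           for dp, _, ns in os.walk(d) for n in ns)
        return {"compressed": compressed, "roundtrip": roundtrip, "remaining": remaining}


if __name__ == "__main__":
    print(demo_compress())
```

The original is removed only after its gzip copy is written, and files already ending in .gz are skipped, so the pass can be re-run safely on a store that was partly compressed earlier.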