Server Artifacts

These artifacts are intended to run on the server.

Server.Alerts.PsExec

Send an email if execution of the psexec service was detected on any client. This is a server-side artifact.

Note this requires that the Windows.Event.ProcessCreation monitoring artifact be collected from clients.

Arg Default Description
EmailAddress admin@example.com
MessageTemplate PsExec execution detected at %v: %v for client %v\ …

Server.Alerts.WinPmem

Send an email if the pmem service has been installed on any of the endpoints.

Note this requires that the Windows.Event.ServiceCreation monitoring artifact be collected from clients.

Arg Default Description
EmailAddress admin@example.com

Server.Hunts.List

List Hunts currently scheduled on the server.

Server.Hunts.Results

Show the results from each artifact collection hunt.

Arg Default Description
huntId H.d05b2482
ArtifactName Linux.Mounts

Server.Information.Clients

This artifact returns the total list of clients, their hostnames and the last times they were seen.

We also include a list of usernames on this machine, as gathered by the last Windows.Sys.Users artifact that was collected. Note that the list of usernames may be outdated if that artifact was not collected recently.

Server.Information.Users

List the user names and SIDs on each machine. We get this information from the last time we collected Windows.Sys.Users. If we never collected it for this machine, there will be no results.

Arg Default Description
ClientId C.56a8dfd31eb1fa6f
StandardUserAccounts (-5..$ S-1-5-18

Server.Internal.ArtifactDescription

Server.Internal.ArtifactModification

This event artifact is an internal event stream over which notifications of artifact modifications are sent. Interested parties can watch for new artifact modification events and rebuild caches etc.

Note: This is an automated system artifact. You do not need to start it.

Server.Internal.Enrollment

This event artifact is an internal event stream over which client enrollments are sent. You can watch this event queue to be notified on any new clients enrolling for the first time.

Note: This is an automated system artifact. You do not need to start it.

Server.Internal.Interrogate

An internal artifact used to track new client interrogations by the Interrogation service.

Server.Internal.Label

An internal artifact used to track new labeling events.

Server.Internal.Notifications

This event artifact is an internal event stream over which client notifications are sent. A frontend will watch for events over this stream and if a client is actively connected to this frontend, the client will be notified that new work is available to it.

Note: This is an automated system artifact. You do not need to start it.

Server.Monitor.Health

This is the main server health dashboard. It is shown on the home screen and enabled by default on all new installs.

Server.Monitor.Profile

This artifact collects profiling information from the running server. This is useful when you notice a high CPU load in the server and want to know why.

The following options are most useful:

  1. Goroutines: This shows the backtraces of all currently running goroutines. It generally shows which code is doing the work for the currently running set of queries.

  2. Heap: This shows all allocations currently in use and where they are allocated from. This is useful if the server is taking too much memory.

  3. Profile: This takes a CPU profile of the running process for the number of seconds specified in the Duration parameter. You can read profiles using:

     go tool pprof -callgrind -output=profile.grind profile.bin
     kcachegrind profile.grind

Arg Default Description
Allocs A sampling of all past memory allocations
Block Stack traces that led to blocking on synchronization primitives
Goroutine Stack traces of all current goroutines
Heap A sampling of memory allocations of live objects
Mutex Stack traces of holders of contended mutexes
Profile CPU profile
Trace CPU trace
Verbose Print more detail
Duration 30 Duration of sampling for Profile and Trace.

Server.Monitor.Shell

Velociraptor can get an interactive shell on the endpoint by using the shell command. In order to use it, the user must be logged on to the server directly.

Obviously, being able to run arbitrary commands on the endpoint is a powerful feature and should be used sparingly. There is an audit trail of the shell commands executed and their output, available by streaming all shell commands to the “Shell” client event monitoring artifact.

This server event artifact centralizes all shell access from all clients into the same log file.

Server.Monitor.VeloMetrics

Get Velociraptor server metrics.

Arg Default Description
MetricsURL http://localhost:8003/metrics

Server.Monitoring.ClientCount

An artifact that sends an email every hour summarising the current state of the deployment.

Arg Default Description
EmailAddress admin@example.com
CCAddress None
Subject Deployment statistics for Velociraptor
Period 3600

Server.Powershell.EncodedCommand

It is possible to pass PowerShell an encoded script on its command line. This artifact decodes those scripts.

NOTE: The client must be running the Windows.Events.ProcessCreation event artifact to retrieve process execution logs.
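
As an added example (not part of the original page and not Velociraptor's own artifact code), the decoding such an artifact performs, in Python: PowerShell's -EncodedCommand switch carries a base64-encoded UTF-16LE string, and PowerShell also accepts abbreviated switch names, so a decoder has to recognise those too. The event records below are a constructed sample, not the field layout of any Velociraptor artifact.

```python
import base64

ENCODED_FLAG = "encodedcommand"

def is_encoded_flag(token: str) -> bool:
    """True if token is PowerShell's -EncodedCommand switch or one of the
    abbreviations PowerShell accepts: any prefix (-e, -en, -enc, ...) or -ec."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or ENCODED_FLAG.startswith(name)

def decode_encoded_command(command_line: str):
    """Return the script carried by an encoded-command switch, or None when the
    command line has none or the payload is not valid base64 UTF-16LE."""
    tokens = command_line.split()  # assumption: the payload contains no whitespace
    for tok, nxt in zip(tokens, tokens[1:]):
        if not is_encoded_flag(tok):
            continue
        try:
            raw = base64.b64decode(nxt, validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad alphabet/padding
            return None
        if len(raw) % 2:  # UTF-16LE text always has an even byte length
            return None
        return raw.decode("utf-16-le", errors="replace")
    return None

def encode_for_powershell(script: str) -> str:
    """Base64 UTF-16LE form powershell.exe expects; used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Name": "powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -enc "
     + encode_for_powershell("Get-Process | Out-File C:\\temp\\p.txt")},
    {"Name": "powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\a.ps1"},
    {"Name": "cmd.exe", "CommandLine": "cmd.exe /c echo -e notbase64!!"},
]

def decode_events(events):
    """Return (Name, decoded script) for every record with a decodable payload."""
    decoded = ((ev["Name"], decode_encoded_command(ev["CommandLine"])) for ev in events)
    return [(name, script) for name, script in decoded if script is not None]
```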

Server.Utils.CreateCollector

A utility artifact to create a stand-alone collector.

This artifact is actually invoked by the Offline collector GUI and that is the recommended way to launch it. You can find the Offline collector builder in the Server Artifacts section of the GUI.

Arg Default Description
OS Windows
artifacts ["Generic.Client.Info"] A list of artifacts to collect
template Reporting.Default The HTML report template to use.
Password If set we encrypt collected zip files with this password.
parameters {} A dict containing the parameters to set.
target ZIP Output type
target_args {} Type Dependent args
FetchBinaryOverride LET temp_binary <= tempfile(extension=".exe", … A replacement for Generic.Utils.FetchBinary which grabs files from the local archive.

System.Flow.Archive

An internal artifact that produces events for every flow completion in the system.

System.Flow.Completion

An internal artifact that produces events for every flow completion in the system.

System.Hunt.Participation

Endpoints may participate in hunts. This artifact collects which hunt each system participated in.

Note: This is an automated system artifact. You do not need to start it.

System.Upload.Completion

An internal artifact that produces events for every file that is uploaded to the system.

System.VFS.DownloadFile

This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the GUI when the user clicks the “Collect from client” button on the file’s “Stats” tab.

Arg Default Description
Path / The path of the file to download.
Accessor file

System.VFS.ListDirectory

This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the GUI when a user clicks the “Refresh this directory” button.

Arg Default Description
Path / The path of the file to download.
Accessor file
Depth 0

Admin.Client.Upgrade

Remotely push new client updates.

NOTE: The updates can be pulled from any web server. You need to ensure they are properly secured with SSL and at least a random nonce in their path. You may configure the Velociraptor server to serve these through the public directory. Simply place the MSI in the public directory within the data store and set the URL below.

Arg Default Description
clientURL http://127.0.0.1:8000/public/velociraptor.msi The URL to fetch the MSI package.

Admin.Events.PostProcessUploads

Sometimes we would like to post-process uploads collected as part of a hunt’s artifact collections.

Post-processing means watching the hunt for completed flows and running a post-processing command on the files obtained from each host.

The command will receive the list of paths of the files uploaded by the artifact. We don’t actually care what the command does with those files; we just relay its stdout/stderr to the artifact’s result set.

Arg Default Description
uploadPostProcessCommand ["/bin/ls", "-l"] The command to run - must be a JSON array of strings! The list of files will be appended to the end of the command.
uploadPostProcessArtifact Windows.Registry.NTUser.Upload The name of the artifact to watch.

Admin.System.CompressUploads

Compresses all uploaded files.

When artifacts collect files they are normally stored on the server uncompressed. This artifact watches all completed flows and compresses the collected files in the file store when each flow completes. This is very useful for cloud-based deployments with limited storage space or when collecting large files.

In order to run this artifact you would normally run it as part of an artifact acquisition process:

$ velociraptor --config /etc/server.config.yaml artifacts acquire Admin.System.CompressUploads

Note that there is nothing special about compressed files - you can also just run find and gzip in the file store. Velociraptor will automatically decompress the file when displaying it in the GUI text/hexdump etc.

Arg Default Description
blacklistCompressionFilename (?i).+ntuser.dat Filenames which match this regex will be excluded from compression.