Server Artifacts

Server.Alerts.PsExec

Send an email if execution of the PsExec service was detected on any client. This is a server-side artifact.

Note this requires that the Windows.Event.ProcessCreation monitoring artifact be collected from clients.

Arg              Default                                               Description
EmailAddress     admin@example.com
MessageTemplate  PsExec execution detected at %v: %v for client %v\n

Server.Alerts.WinPmem

Send an email if the pmem service has been installed on any of the endpoints.

Note this requires that the Windows.Event.ServiceCreation monitoring artifact be collected from clients.

Arg           Default            Description
EmailAddress  admin@example.com

Server.Analysis.Triage.PowershellConsole

This artifact post-processes the artifact Windows.Triage.Collectors.PowershellConsoleLogs. While that artifact only uploads all the PowerShell console files, it is often useful to see the contents of all the files in the same output table.

This artifact simply post-processes the uploaded files and puts their content into a single table.

Arg     Default  Description
huntId

Server.Hunts.List

List Hunts currently scheduled on the server.


Server.Hunts.Results

Show the results from each artifact collection hunt.

Arg           Default       Description
huntId        H.d05b2482
ArtifactName  Linux.Mounts

Server.Information.Clients

This artifact returns the full list of clients, their hostnames and the last times they were seen.

It also includes a list of usernames on each machine, as gathered by the last Windows.Sys.Users artifact that was collected. Note that the list of usernames may be outdated if that artifact was not collected recently.

Server.Information.Users

List the user names and SIDs on each machine. This information comes from the last time Windows.Sys.Users was collected. If it was never collected for a machine, there will be no results for that machine.

Arg                   Default            Description
ClientId              None
StandardUserAccounts  (-5..$ S-1-5-18

Server.Internal.ArtifactDescription


Server.Monitor.Health

This is the main server health dashboard. It is shown on the home screen and enabled by default on all new installs.

Arg        Default  Description
Frequency  15       Return stats every this many seconds.

Server.Monitor.Shell

Velociraptor can get an interactive shell on the endpoint by using the shell command. In order to use it, the user must be logged on directly to the server.

Obviously, being able to run arbitrary commands on the endpoint is a powerful feature and should be used sparingly. An audit trail of the shell commands executed and their output is available by streaming all shell commands to the "Shell" client event monitoring artifact.

This server event artifact centralizes all shell access from all clients into the same log file.

Server.Monitor.VeloMetrics

Get Velociraptor server metrics.

Arg         Default                         Description
MetricsURL  http://localhost:8003/metrics

Server.Monitoring.ClientCount

An artifact that sends an email every hour with the current state of the deployment.

Arg           Default                                   Description
EmailAddress  admin@example.com
CCAddress     None
Subject       Deployment statistics for Velociraptor
Period        3600

Server.Powershell.EncodedCommand

It is possible to pass PowerShell an encoded script. This artifact decodes such scripts.

NOTE: The client must be running the Windows.Events.ProcessCreation event artifact to retrieve process execution logs.