When writing a new artifact, the following tips make the process easier.
Although the Velociraptor GUI allows you to edit an artifact and collect it from remote machines, this is generally tedious. It is easier to develop and collect the artifact locally.
Simply create a directory to store your custom artifacts, and run the artifact collector with that directory specified via --definitions.
$ mkdir /tmp/my_artifacts/
$ vi /tmp/my_artifacts/my_new_artifact.yaml
....
$ velociraptor --definitions /tmp/my_artifacts artifacts collect -v My.New.Artifact.Name

Note the -v flag, which emits verbose messages to the console. If you have VQL syntax errors or any other issues you will see them easily; edit the artifact source and re-collect it.
In VQL you can put complex expressions in the WHERE clause in order to filter the result set. The trouble is that you cannot actually see the result of the expression: it is only evaluated to a boolean true/false.
It is more productive to place the complex expression in the column specification, so you can see what it evaluates to for each row, and then filter on the named column in the WHERE clause.
SELECT encode(string=Data.value, type="hex") AS Value
FROM .....
WHERE Value =~ "ffffff7f$"
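The following complete artifact definition is an added example, not from the Velociraptor documentation, that shows the "expression as a column" pattern inside a file you could drop into /tmp/my_artifacts and collect with the -v flag. The artifact name Custom.Debug.HexValue, the parameter ValueRegex, and the constructed rows fed through foreach() are all assumptions standing in for a real data source; Data.value mirrors the field used on the page.

```yaml
name: Custom.Debug.HexValue
description: |
  Added example (not from the Velociraptor docs). Demonstrates
  debugging a WHERE expression by first exposing it as a column.
  The input rows are constructed inline so the artifact runs
  anywhere without a real data source.

parameters:
  - name: ValueRegex
    description: Regex applied to the hex encoded value (assumed parameter name).
    default: "ffffff7f$"

sources:
  - query: |
      -- Constructed sample rows standing in for a real source such
      -- as a registry glob. unhex() turns the hex text into raw bytes
      -- so Data.value carries binary data like a real registry value.
      LET rows = SELECT * FROM foreach(row=[
        dict(Name="constructed_match",
             Data=dict(value=unhex(string="00ffffff7f"))),
        dict(Name="constructed_miss",
             Data=dict(value=unhex(string="0102030405")))
      ])

      -- Step 1: put the expression in a column. Collecting with -v
      -- now shows what it evaluates to for every row, which a bare
      -- WHERE clause would hide.
      LET debug = SELECT Name,
             encode(string=Data.value, type="hex") AS Value
      FROM rows

      -- Step 2: once the column looks right, filter on it. Only the
      -- row whose hex value ends in ffffff7f is returned.
      SELECT * FROM debug WHERE Value =~ ValueRegex
```

While developing, collect the artifact locally (velociraptor --definitions /tmp/my_artifacts artifacts collect -v Custom.Debug.HexValue) and comment out the final WHERE to dump the debug column for all rows; once the values match expectations, restore the filter. Keeping the regex as a parameter lets you adjust the filter from the GUI later without editing the VQL.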