velociraptor v0.6 RC1 releases: Endpoint visibility and collection tool
Velociraptor – Endpoint visibility and collection tool.
Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic, and cyber response platform.
It was originally developed by DFIR professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activity across fleets of endpoints, in a wide range of digital forensic and cyber incident response investigations such as:
- Responding to data breaches
- Reconstructing attacker activities through digital forensic analysis
- Hunting for evidence of sophisticated adversaries
- Investigating malware outbreaks and other suspicious network activities
- Continual monitoring for suspicious user activities, such as files copied to USB devices
- Disclosure of confidential information outside the network
- Gathering endpoint data over time, for use in threat hunting and future investigations.
Velociraptor is actively being used by DFIR professionals across cases such as these and continues to grow and develop based on their feedback and ideas.
The design goals of Velociraptor that we’re working towards are to be:
- Useful – each artefact and use case must return valuable information to the user
- Simple – the design and interface must be easy for a person to navigate and use
- Guided – users don’t need to be DFIR experts, since all elements should provide informative descriptions and guidance
- Powerful – the user should not have to perform too much additional work to achieve their objectives
- Quick – performance should be speedy and resource impact low, while allowing performance to be managed when needed
- Reliable – each feature and artefact should work as expected and be relatively free of bugs and issues
Changelog v0.6 RC1
This release includes a number of bug fixes and new features:
- GUI editor is now VQL and artifact aware – correct syntax highlighting in those parts of an artifact that expect VQL
- Support for parsing authenticode information from PE files, including cat files.
- Artifacts can now specify a custom notebook to control the notebook tab. Once they are collected in a hunt, there is a ready custom notebook for post processing.
- Artifacts can now import and export VQL code, so common functions can be shared between different artifacts
- New Shellbags artifact provides native parsing of shellbags. Alternatively, another artifact provides parsing using SBECmd.exe
- A new USN record carver is added to recover rotated USN records
- Better Hunt and Label support – you can now start a hunt targeting a label, and then assign clients to the hunt by simply adding the label to them, even after the hunt is started.
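The import/export and authenticode items above, as an added example that is not from the release or the Velociraptor project: two artifact definitions, one exporting a helper function and one importing it to report untrusted PE files in user-writable paths. The `export`/`imports` keys, the `Trusted` field of `authenticode()`, and the `FullPath` column of `glob()` are assumed from current Velociraptor behaviour, not from this page.

```yaml
# Artifact 1 (constructed): exports a helper that other artifacts can import.
name: Custom.Shared.Utils
description: |
  Shared helper VQL. IsUserWritable() flags paths under common
  user-writable directories (constructed heuristic, assumed syntax).
export: |
  LET IsUserWritable(Path) = Path =~ '(?i)\\(Users|Temp|ProgramData)\\'

---
# Artifact 2 (constructed): imports the helper and pairs it with
# authenticode() to surface binaries that fail signature validation.
name: Custom.Hunt.UntrustedUserBinaries
description: |
  Reports PE files in user-writable locations whose authenticode
  signature is not trusted. Suitable as a label-targeted hunt.
imports:
  - Custom.Shared.Utils
parameters:
  - name: GlobExpr
    default: C:\Users\**\*.exe
sources:
  - query: |
      SELECT FullPath, Size,
             authenticode(filename=FullPath).Trusted AS Trusted
      FROM glob(globs=GlobExpr)
      WHERE IsUserWritable(Path=FullPath) AND Trusted != 'trusted'
```

Hits are candidates for review, not verdicts: unsigned software is common in user profiles, so triage against known-good inventory before escalating.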
Copyright (C) 2019 Velocidex