API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| 9688d3deb93d8180 | Artifact: Windows.Detection.Yara.Process Author: Matt Green - @mgreen27 Category: Windows This artifact enables running YARA over processes in memory. There are 2 kinds of YARA rules that can be… | velociraptor |
| 0d1d94e283e3d2d4 | Artifact: Windows.Detection.Yara.UEFI Author: Matt Green - @mgreen27 Category: Windows This artifact enables running YARA over files in an EFI System Partition (ESP). | velociraptor |
| 75a925dbd9ec2a1b | Artifact: Windows.Detection.PsexecService.Kill Author: Category: Windows Psexec can launch a service remotely. This artifact implements a client side response plan whereby all the child processes of… | velociraptor |
| 2d39ab6d3ab021a7 | Artifact: Windows.Detection.Thumbdrives.OfficeMacros Author: Category: Windows Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain… | velociraptor |
| 835d8ed851de91ff | Artifact: Windows.Detection.Thumbdrives.OfficeKeywords Author: Category: Windows Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain… | velociraptor |
| 222d2f4f7713de72 | Artifact: Windows.Detection.Thumbdrives.List Author: Category: Windows Users inserting thumb drives or other removable drives pose a constant security risk. The external drive may contain malware… | velociraptor |
| 6bd468d17208e8d4 | Artifact: Windows.System.Powershell.PSReadline Author: Matt Green - @mgreen27 Category: Windows This Artifact will search and extract lines from PSReadline history file. PowerShell is commonly used… | velociraptor |
| 92419c6e7d20cb12 | Artifact: Windows.System.Powershell.ModuleAnalysisCache Author: Category: Windows ModuleAnalysisCache stores metadata about loaded PowerShell modules. Recent updates include filters by regex to… | velociraptor |
| 98116fef09ffbe53 | Artifact: Windows.Applications.TeamViewer.Incoming Author: Matt Green - @mgreen27 Category: Windows Parses the TeamViewer Connections_incoming.txt log file. When inbound logging is enabled, this file… | velociraptor |
| 212918e243a25157 | Artifact: Windows.Applications.Firefox.Downloads Author: Angry-Bender @angry-bender, based on Custom.Windows.Application.Firefox.History by Zach Stanford @svch0st Category: Windows Enumerate the… | velociraptor |
| 36a1ef8d4e07f18e | Artifact: Windows.Applications.Firefox.History Author: Zach Stanford @svch0st, Modified by @angry-bender Category: Windows Enumerate the user's Firefox history. NOTES: This artifact is deprecated… | velociraptor |
| f8f41fb6262a0899 | Artifact: Windows.Applications.Chrome.Extensions Author: Category: Windows Fetch Chrome extensions. Chrome extensions are installed into the user's home directory. We search for manifest.json… | velociraptor |
| 5d15ba37cc484a57 | Artifact: Windows.Applications.Chrome.Cookies Author: Category: Windows Enumerate the user's Chrome cookies. The cookies are typically encrypted by the DPAPI using the user's credentials. Since… | velociraptor |
| b01178a2863d5963 | Artifact: Windows.Applications.Chrome.History Author: Angry-Bender @angry-bender Category: Windows Enumerates a target's Chrome history. Source based on Hindsight and code review… | velociraptor |
| 9e8d22bc253d73aa | Artifact: Windows.Applications.Edge.Favicons Author: Phill Moore, @phillmoore Category: Windows Enumerate the user's Microsoft Edge favicons. Also tested against Chrome: replace Microsoft Edge with… | velociraptor |
| b134becf7bc2e2a4 | Artifact: Windows.Applications.Edge.History Author: Category: Windows Enumerate the user's chrome history. | velociraptor |
| 169840b1d45c3363 | Artifact: Windows.Registry.Sysinternals.Eulacheck Author: Category: Windows Checks for the Accepted Sysinternals EULA from the registry key "HKCU\Software\Sysinternals\[TOOL]\". When a Sysinternals… | velociraptor |
| e68780bf46e30e66 | Artifact: Windows.Registry.NTUser.Upload Author: Category: Windows This artifact collects all the user's NTUser.dat registry hives. When a user logs into a windows machine the system creates their… | velociraptor |
| f7ac9e61c2785cef | Artifact: Demo.Plugins.Fifo Author: Category: Demo This is a demo of the fifo() plugin. The Fifo plugin collects and caches rows from its inner query. Every subsequent execution of the query then… | velociraptor |
| 423c09916c84767b | Artifact: Demo.Plugins.GUI Author: Category: Demo A demo plugin showing some GUI features. This plugin is also used for tests. | velociraptor |
| 63afe95ecfb469f9 | Artifact: ADX.Flows.Upload Author: Category: ADX This server side event monitoring artifact waits for new artifacts to be collected from endpoints and automatically uploads those to an Azure Data… | velociraptor |
| 73a8a87692dac024 | Artifact: LogScale.Flows.Upload Author: Category: LogScale This server side event monitoring artifact waits for new artifacts to be collected from endpoints and automatically posts those to… | velociraptor |
| e3c1dffc56349562 | Artifact: LogScale.Events.Clients Author: Category: LogScale This server side event monitoring artifact will watch a selection of client monitoring artifacts for new events and push those to a… | velociraptor |
| a50ce7a1d02a0614 | Artifact: Admin.Client.Uninstall Author: Category: Admin Uninstall Velociraptor from the endpoint. This artifact uninstalls a Velociraptor client (or any other MSI package) from the… | velociraptor |
| 9131efc413807bb8 | Artifact: Admin.Client.UpdateClientConfig Author: Category: Admin Sometimes we wish to move a client from one org ID to another. This requires updating the config on the client and rekeying the… | velociraptor |
| ac7989919c4ea8ce | Artifact: Admin.Client.Remove Author: Category: Admin This artifact will remove clients that have not checked in for a while. All data for these clients will be removed. The artifact enumerates… | velociraptor |
| cbed74124d78bdbf | Artifact: Admin.Client.Upgrade.Debian Author: Category: Admin Remotely push new client updates to Debian hosts. NOTE: This artifact requires that you supply a client Debian package by using… | velociraptor |
| a8b9793c0cb83c10 | Artifact: Admin.Client.Upgrade.Windows Author: Category: Admin Remotely push new client updates. NOTE: This artifact requires that you supply a client MSI by using the tools interface. Simply click… | velociraptor |
| 2e588d1478623a32 | Artifact: Admin.Client.Upgrade.RedHat Author: Category: Admin Remotely push new client updates to Red Hat hosts. NOTE: This artifact requires that you supply a client Red Hat package by using… | velociraptor |
| c1c04ae5e24b4465 | Artifact: Reporting.Hunts.Details Author: Category: Reporting Report details about which client ran each hunt, how long it took and if it has completed. | velociraptor |
| 70481de6234cb101 | Artifact: System.Flow.Completion Author: Category: System An internal artifact that produces events for every flow completion in the system. This also includes when importing an… | velociraptor |
| 0da3071329af5217 | Artifact: System.Flow.Archive Author: Category: System An internal artifact that produces events for every flow completion in the system. | velociraptor |
| 64765abdc70fb58e | Artifact: System.Hunt.Creation Author: Category: System An event artifact that fires when a user schedules a new hunt. | velociraptor |
| 428d54f342b01b00 | Artifact: System.Hunt.Archive Author: Category: System An internal artifact that receives events when a hunt is archived. You can write a server event artifact to do something about the hunts (like… | velociraptor |
| 00a25ef94c65f258 | Artifact: System.Upload.Completion Author: Category: System An internal artifact that produces events for every file that is uploaded to the system. This also includes when importing an… | velociraptor |
| bba2ded643ae0388 | Artifact: System.VFS.DownloadFile Author: Category: System This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the… | velociraptor |
| 09915c6a97aa6cc2 | Artifact: System.VFS.Export Author: Category: System Exports parts of the VFS in a server side collection. | velociraptor |
| c9141802210696e0 | Artifact: System.VFS.ListDirectory Author: Category: System This is an internal artifact used by the GUI to populate the VFS. You may run it manually if you like, but typically it is launched by the… | velociraptor |
| a16a7c6d2bfddfe2 | Artifact: MacOS.Forensics.AppleDoubleZip Author: Category: MacOS Search for zip files containing leaked download URLs included by MacOS users. MacOS filesystem can represent extended attributes.… | velociraptor |
| efc746f322e7bf5a | Artifact: MacOS.Forensics.FSEvents Author: Mike Cohen, Matt Green - @mgreen27, Yogesh Khatri (@swiftforensics), CyberCX Category: MacOS This artifact parses the FSEvents log files. We can filter on… | velociraptor |
| 849892805e4b3d96 | Artifact: MacOS.Network.Netstat Author: Category: MacOS Report network connections, and enrich with process information. | velociraptor |
| 12f79cacacd594c5 | Artifact: MacOS.Network.PacketCapture Author: Wes Lambert, @therealwlambert Category: MacOS This artifact uses tcpdump to natively capture packets. The `Duration` parameter is used to define how… | velociraptor |
| 211d636b652af328 | Artifact: MacOS.Detection.InstallHistory Author: Wes Lambert - @therealwlambert Category: MacOS This artifact collects entries from the InstallHistory .plist file | velociraptor |
| 1f1bfd26122de6f2 | Artifact: MacOS.Detection.Autoruns Author: Category: MacOS This artifact collects evidence of autoruns. We also capture the files and upload them. This code is based… | velociraptor |
| 36036ff284a02a9d | Artifact: MacOS.System.Users Author: Category: MacOS This artifact collects information about the local users on the system. The information is stored in plist files. | velociraptor |
| b2d58d7502c2ce02 | Artifact: MacOS.System.Dock Author: Wes Lambert - @therealwlambert Category: MacOS This artifact examines the contents of the user's dock. The property list entry for each application represented… | velociraptor |
| a5691435c0defa8c | Artifact: MacOS.System.Packages Author: Category: MacOS Parse packages installed on Macs | velociraptor |
| 6470e2d6b339c573 | Artifact: MacOS.System.QuarantineEvents Author: Wes Lambert - @therealwlambert Category: MacOS This artifact parses the QuarantineEventsV2 database, which provides information on when a file was… | velociraptor |
| d7489daaafe1b54c | Artifact: MacOS.System.TimeMachine Author: Wes Lambert - @therealwlambert Category: MacOS This artifact collects information about MacOS Time Machine backups. | velociraptor |
| c5e641bc4527dfd0 | Artifact: MacOS.System.Wifi Author: Wes Lambert - @therealwlambert Category: MacOS This artifact looks for all Wifi networks that a host has joined. This can be useful in determining where a… | velociraptor |