API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| 7fe0a864c7db2d24 | Artifact: Generic.Client.VQL Author: Category: Generic Run arbitrary VQL on the endpoint. | velociraptor |
| 2a337a9b1a1d4f5a | Artifact: Generic.Client.Info Author: Category: Generic Collect basic information about the client. This artifact is collected when any new client is enrolled into the system. Velociraptor will… | velociraptor |
| 3f831ce8bb58a577 | Artifact: Generic.Client.Rekey Author: Category: Generic This artifact forces the client to regenerate its client id. This is normally not needed! You will only need to use this artifact in… | velociraptor |
| 4b261665c6e40bac | Artifact: Generic.Client.Stats Author: Category: Generic An Event artifact which records client's CPU and memory statistics. To learn about managing end point performance with Velociraptor see this… | velociraptor |
| 5277659c767a2a35 | Artifact: Generic.Client.DiskSpace Author: Category: Generic This artifact reports the amount of free disk space. It is designed to work equally on all architectures: 1. On Linux and MacOS we… | velociraptor |
| 932fd1855141071d | Artifact: Generic.Client.Profile Author: Category: Generic This artifact collects profiling information about the running client. This is useful when you notice a high CPU load in the client and… | velociraptor |
| c7494e556a1c914e | Artifact: Generic.Client.CleanupTemp Author: Category: Generic This artifact cleans up the temp folder in the Velociraptor client. | velociraptor |
| 1793f2cc9ecda5ff | Artifact: Generic.Client.DiskUsage Author: Category: Generic This artifact reports the amount of space used by each directory recursively (Similar to the `du` command). Unlike the `du` command,… | velociraptor |
| 2bd16f1efa7de329 | Artifact: Generic.Client.LocalLogsRetrieve Author: Category: Generic Retrieves the locally written logs. | velociraptor |
| c8b058c4cbc85a04 | Artifact: Generic.Client.LocalLogs Author: Category: Generic Write client logs locally in an encrypted container. This helps when we need to access what the client was doing in the past. | velociraptor |
| c29c760dff80cadb | Artifact: Generic.Network.InterfaceAddresses Author: Category: Generic Network interfaces and relevant metadata. This artifact works on all supported OSs. | velociraptor |
| a9cc08abbac312e4 | Artifact: Generic.Detection.Logs Author: Matt Green - @mgreen27, Apache groks thanks to Harsh Jaroli and Krishna Patel Category: Generic This artifact enables grep of Logs to hunt for strings of… | velociraptor |
| e61d32b96c1c70c9 | Artifact: Generic.Detection.HashHunter Author: Matt Green - @mgreen27 Category: Generic This artifact enables searching for hashes. The artifact takes a glob targeting input, then generates a hash… | velociraptor |
| 39cc4a765f7c4f81 | Artifact: Generic.System.HostsFile Author: Category: Generic The system hosts file maps hostnames to IP addresses. In some cases, entries in this file take precedence and override the results… | velociraptor |
| 7eecdad62185d20f | Artifact: Generic.System.ProcessSiblings Author: Category: Generic This artifact queries the process tracker to display all known sibling processes of the target process (i.e. all other… | velociraptor |
| f3b2cc30aea5b5d4 | Artifact: Generic.System.Pstree Author: Category: Generic This artifact displays the call chain for every process on the system by traversing the process's parent ID. It is useful for establishing… | velociraptor |
| 32be447b2ee17f91 | Artifact: Generic.System.EfiSignatures Author: Category: Generic Collect EFI signature information from the client. | velociraptor |
| 910cde480a9012e7 | Artifact: Generic.Utils.SendEmail Author: Andreas Misje – @misje Category: Generic A Utility artifact for sending emails. This artifact handles the challenges of MIME, encodings and other… | velociraptor |
| ea967a90c7c3dc1f | Artifact: Generic.Utils.DeadDiskRemapping Author: Category: Generic Calculate a remapping configuration from a dead disk image. The artifact uses some heuristics to calculate a suitable… | velociraptor |
| 4de2f5243ff4a8c4 | Artifact: Generic.Utils.FetchBinary Author: Category: Generic A utility artifact which fetches a binary from a URL and caches it on disk. We verify the hash of the binary on disk and if it does not… | velociraptor |
| 3548863ad06e544f | Artifact: Generic.Utils.Crypto Author: Category: Generic A utility artifact to provide helpful utility functions. To use, import this artifact and use the functions. | velociraptor |
| ca474d63a17a9cfb | Artifact: Generic.Forensic.Carving.URLs Author: Category: Generic Carve URLs from files located in a glob. Note that we do not parse any files - we simply carve anything that looks like a URL. | velociraptor |
| 3ba91d815da7677f | Artifact: Generic.Forensic.LocalHashes.Query Author: Category: Generic This artifact maintains a local (client side) database of file hashes. It is then possible to query this database by using… | velociraptor |
| 6708201a2ad11109 | Artifact: Generic.Forensic.LocalHashes.Glob Author: Category: Generic This artifact maintains a local (client side) database of file hashes. It is then possible to query this database by using… | velociraptor |
| a7d01264601cede1 | Artifact: Generic.Forensic.LocalHashes.Init Author: Category: Generic This artifact creates an SQLite database on the endpoint to hold local file hashes. These hashes can then be queried quickly. | velociraptor |
| b2e5f9f05ec0e811 | Artifact: Generic.Detection.Yara.Glob Author: Matt Green - @mgreen27 Category: Generic This artifact returns a list of target files then runs YARA over the target list. There are 2 kinds of YARA… | velociraptor |
| 8bf7fd2d33b9e9c6 | Artifact: Generic.Detection.Yara.Zip Author: Matt Green - @mgreen27 Category: Generic This artifact enables running YARA on embedded compressed files. The artifact: * firstly searches for… | velociraptor |
| 41042d08b8444ccd | Artifact: Generic.Applications.Office.Keywords Author: Category: Generic Microsoft Office documents among other document formats (such as LibreOffice) are actually stored in zip files. The zip file… | velociraptor |
| f721fe4a09afbb3c | Artifact: Generic.Applications.Chrome.SessionStorage Author: Category: Generic Session storage allows a web site to store permanent data in the user's browser. This artifact parses this data from… | velociraptor |
| d5eef3ee5ed7c149 | Artifact: Linux.Syslog.SSHLogin Author: Category: Linux Parses the auth logs to determine all SSH login attempts. | velociraptor |
| 2182f657c8c2ace5 | Artifact: Linux.Forensics.ImmutableFiles Author: Category: Linux Searches the filesystem for immutable files. Attackers sometimes enable immutable files in Linux. This prevents files from being… | velociraptor |
| 9bd72bef948813ab | Artifact: Linux.Forensics.Journal Author: Category: Linux Parses the binary journal logs. Systemd uses a binary log format to store logs. | velociraptor |
| 8d6ba3892bf117a0 | Artifact: Linux.RHEL.Packages Author: Category: Linux Parse packages installed from dnf or yum | velociraptor |
| d39e731bf14d916d | Artifact: Linux.Network.NetstatEnriched Author: Category: Linux Report network connections, and enrich with process information. | velociraptor |
| 8d878880f18592dd | Artifact: Linux.Network.Netstat Author: Category: Linux This artifact will parse /proc and reveal information about current network connections. We also extract corresponding process information. | velociraptor |
| b3427efedc8da1e5 | Artifact: Linux.Network.PacketCapture Author: Wes Lambert, @therealwlambert Category: Linux This artifact uses tcpdump to natively capture packets. The `Duration` parameter is used to define how… | velociraptor |
| e318bf39df5ed9bd | Artifact: Linux.Ssh.AuthorizedKeys Author: Category: Linux Finds and parses SSH authorized keys files. From `man authorized_keys`: `AUTHORIZED_KEYS FILE FORMAT`: Each line of the file contains… | velociraptor |
| afc6f7d49371e9f2 | Artifact: Linux.Ssh.PrivateKeys Author: Category: Linux SSH Private keys can be either encrypted or unencrypted. Unencrypted private keys are more risky because an attacker can use them… | velociraptor |
| 6160f8fa3cd874ba | Artifact: Linux.Ssh.KnownHosts Author: Category: Linux Finds and parses SSH known hosts files. | velociraptor |
| 7dd74c053ce2952c | Artifact: Linux.Detection.AnomalousFiles Author: George-Andrei Iosif (@iosifache) Category: Linux Detects anomalous files in a Linux filesystem. An anomalous file is considered one that matches at… | velociraptor |
| ce20846f9dc49080 | Artifact: Linux.Debian.Packages Author: Andreas Misje – @Misje Category: Linux List all packages installed on the system, both deb packages and "snaps". The installed deb package information is… | velociraptor |
| 72a3299dc4d2cf1b | Artifact: Linux.Debian.AptSources Author: Category: Linux Parse Debian apt sources. This Artifact searches for all apt sources files and parses all fields in both one–line `*.list` files and… | velociraptor |
| cd1efb068f03dd69 | Artifact: Linux.Remediation.Quarantine Author: Category: Linux Applies network quarantine to a Linux system using nftables. It expects the target system to have nftables installed, and uses… | velociraptor |
| 6be94ef93be52542 | Artifact: Linux.Users.RootUsers Author: George-Andrei Iosif (@iosifache) Category: Linux Detects users added in the `sudo` group. | velociraptor |
| 3bd3bb766511bdba | Artifact: Linux.Users.InteractiveUsers Author: George-Andrei Iosif (@iosifache) Category: Linux Gets the interactive users from a Linux host. | velociraptor |
| 97a7d4283c27ad34 | Artifact: Linux.OSQuery.Generic Author: Category: Linux OSQuery is an excellent tool for querying system state across the three supported Velociraptor platforms (Windows/Linux/MacOS). You can read… | velociraptor |
| 2c99e3563211cef9 | Artifact: Linux.Proc.Modules Author: Category: Linux Module listing via /proc/modules. | velociraptor |
| e2da8056d92701b5 | Artifact: Linux.Proc.Arp Author: Category: Linux ARP table via /proc/net/arp. | velociraptor |
| d75fe2835358d8ec | Artifact: Linux.Events.SSHLogin Author: Category: Linux This monitoring artifact watches the auth.log file for new successful SSH login events and relays them back to the server. | velociraptor |
| 11d5385e79d615ae | Artifact: Linux.Events.DNS Author: Category: Linux This artifact uses eBPF to track DNS requests from various processes. NOTE: This event is generated from network traffic - it is unable to view… | velociraptor |