API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| a24297e7619b70bb | Artifact: Windows.Carving.USN Author: Category: Windows Carve USN Journal records from the disk. The USN journal is a very important source of information about when and how files were manipulated… | velociraptor |
| 8614e0fede1c3678 | Artifact: Windows.Timeline.MFT Author: Matt Green - @mgreen27 Category: Windows Enables querying the MFT with advanced filters such as time, path or other NTFS attributes. Output is to Timeline… | velociraptor |
| a08e36e9d098fcdf | Artifact: Windows.Timeline.Prefetch Author: Matt Green - @mgreen27 Category: Windows Windows keeps a cache of prefetch files. When an executable is run, the system records properties about the… | velociraptor |
| 9607f97ead3d5a55 | Artifact: Windows.Network.NetstatEnriched Author: Matt Green - @mgreen27 Category: Windows NetstatEnhanced adds additional data points to the Netstat artifact and enables verbose search… | velociraptor |
| 26f677b3b8ca2949 | Artifact: Windows.Network.ListeningPorts Author: Category: Windows Processes with listening (bound) network sockets/ports. | velociraptor |
| b53b16245c624a2b | Artifact: Windows.Network.Netstat Author: Category: Windows Show information about open sockets. On Windows the time when the socket was first bound is also shown. | velociraptor |
| 6d309025822a65ce | Artifact: Windows.Network.PacketCapture Author: Cybereason <omer.yampel@cybereason.com> Category: Windows Run this artifact twice, the first time, set the StartTrace flag to True to start the PCAP… | velociraptor |
| e16a0ed3ab8cee62 | Artifact: Windows.Network.ArpCache Author: Category: Windows Address resolution cache, both static and dynamic (from ARP, NDP). | velociraptor |
| 5ff4cf986b6f673a | Artifact: Windows.Memory.PEDump Author: Category: Windows This artifact dumps a PE file from memory and uploads the file to the server. NOTE: The output is not exactly the same as the original… | velociraptor |
| b82cf616c6ee2c95 | Artifact: Windows.Memory.ProcessDump Author: Category: Windows Dump process memory and upload to the server. Previously named Windows.Triage.ProcessMemory | velociraptor |
| 1f5949791018780c | Artifact: Windows.Memory.Acquisition Author: Category: Windows Acquires a full memory image by using the built-in WinPmem driver. NOTE: This artifact usually transfers a lot of data. You… | velociraptor |
| 9825e06458711e67 | Artifact: Windows.Memory.Intezer Author: Matt Green - @mgreen27 Category: Windows Runs an Intezer agent scan on the endpoint. - Scan: The scanner collects running code from memory and sends it to… | velociraptor |
| 9999216617a1b99c | Artifact: Windows.Memory.ProcessInfo Author: Category: Windows This artifact returns process information obtained by parsing the PEB directly. Renamed Windows.Forensics.ProcessInfo | velociraptor |
| dda3e52d9ba64607 | Artifact: Windows.ETW.KernelProcess Author: Category: Windows This artifact follows the Microsoft-Windows-Kernel-Process provider. NOTE: We can only attach to this provider when running… | velociraptor |
| af6401b60c09004d | Artifact: Windows.ETW.DotNetRundown Author: @bmcder02 Category: Windows Queries the Microsoft-Windows-DotNETRuntimeRundown provider to collect a list of DotNet modules loaded into a process. This can… | velociraptor |
| 7f3802550e3c632f | Artifact: Windows.ETW.DNS Author: Matt Green - @mgreen27 Category: Windows Monitors DNS queries using ETW. There are several filters available to filter out and/or target using regular expressions.… | velociraptor |
| 6f803d0ade303835 | Artifact: Windows.ETW.EdgeURLs Author: Category: Windows Collects all URLs accessed by the Edge browser using ETW. It also serves as an example of an ETW artifact, in this case using… | velociraptor |
| 19e0c7dbb131e740 | Artifact: Windows.ETW.ETWSessions Author: Category: Windows Windows Event Tracing exposes a lot of low level system information and events. It is normally employed by security tools to… | velociraptor |
| b2f6d85c6b1d43eb | Artifact: Windows.ETW.DNSQueriesServer Author: Jos Clephas - jos-ir Category: Windows Logs DNS queries on DNS servers. This is useful for identifying the true source system that is… | velociraptor |
| 2a17cb60d2b43ee2 | Artifact: Windows.ETW.KernelFile Author: Category: Windows This artifact follows the Microsoft-Windows-Kernel-File provider. NOTE: We can only attach to this provider when running… | velociraptor |
| 1497d2787672c856 | Artifact: Windows.ETW.ViewSessions Author: Category: Windows This artifact enumerates all ETW sessions and optionally kills dangling ones | velociraptor |
| 785f99311dadfc5b | Artifact: Windows.ETW.Registry Author: Category: Windows Windows Registry access is a great source of visibility into system activity. There are many ways of gaining visibility into this, the… | velociraptor |
| 3844d7514b5e1d0c | Artifact: Windows.ETW.WMIProcessCreate Author: Category: Windows This artifact monitors the endpoints for process creation through WMI events. This is a common attacker lateral movement technique. The… | velociraptor |
| d1406eeb21ac2727 | Artifact: Windows.ETW.KernelNetwork Author: Category: Windows This artifact follows the Microsoft-Windows-Kernel-Network provider. NOTE: We can only attach to this provider when running… | velociraptor |
| 34974aeaed898ca0 | Artifact: Windows.Attack.ParentProcess Author: Category: Windows Maps the MITRE ATT&CK framework process executions into artifacts. NOTE: This artifact uses the process tracker. If you also enable… | velociraptor |
| 28af0e4e7699fcd0 | Artifact: Windows.Attack.Prefetch Author: Category: Windows Maps the MITRE ATT&CK framework process executions into artifacts. This pack was generated… | velociraptor |
| 5b5e57bf3dd5d033 | Artifact: Windows.Attack.UnexpectedImagePath Author: Amged Wageh Category: Windows Some malware hides in plain sight by masquerading as a legitimate executable name. This artifact looks for… | velociraptor |
| dbf9f04484d38cdb | Artifact: Windows.Sysinternals.SysmonLogForward Author: Category: Windows A client-side event forwarder to forward Sysmon events to the server. | velociraptor |
| ff9c7a2727b50798 | Artifact: Windows.Sysinternals.Autoruns Author: Category: Windows Uses Sysinternals autoruns to scan the host. Note this requires syncing the Sysinternals binary from the host. | velociraptor |
| ecefe530838157a1 | Artifact: Windows.Sysinternals.SysmonInstall Author: Category: Windows Sysmon is a kernel level system monitor written by Sysinternals. While we are not able to distribute Sysmon ourselves,… | velociraptor |
| 71d896d4a937358f | Artifact: Windows.Packs.LateralMovement Author: Category: Windows Detect evidence of lateral movement. | velociraptor |
| 04b88b033091e4b2 | Artifact: Windows.Packs.Persistence Author: Category: Windows This artifact pack collects various persistence mechanisms in Windows. | velociraptor |
| 16df2db357df95be | Artifact: Windows.Detection.ProcessCreation Author: Jos Clephas - @DfirJos Category: Windows This artifact logs specific process creation events to Velociraptor. It auto-installs Sysmon and it… | velociraptor |
| 13333686289c37c6 | Artifact: Windows.Detection.Mutants Author: Category: Windows Enumerate the mutants from selected processes. Mutants are often used by malware to prevent re-infection. | velociraptor |
| 3e738c5d4a955cce | Artifact: Windows.Detection.Impersonation Author: Category: Windows An access token is an object that describes the security context of a process or thread. The information in a token includes… | velociraptor |
| 5a50ff8a86863246 | Artifact: Windows.Detection.Usn Author: Category: Windows NTFS is a journal filesystem. This means that it maintains a journal file where intended filesystem changes are written first, then… | velociraptor |
| 62584928bca62c2c | Artifact: Windows.Detection.TemplateInjection Author: Matt Green - @mgreen27 Category: Windows Detects injected templates in Office and RTF documents. Template injection is a form of defense… | velociraptor |
| 3939c0abbe1e3e8d | Artifact: Windows.Detection.EnvironmentVariables Author: Category: Windows Find processes with the specified environment variables. | velociraptor |
| c1cc35ed2b4a9b69 | Artifact: Windows.Detection.ForwardedImports Author: Category: Windows In Windows a common DLL hooking technique is to replace a dll with a forwarder dll - i.e. one that forwards all imports to the… | velociraptor |
| 370f98beea9e81bb | Artifact: Windows.Detection.Registry Author: Jos Clephas - @DfirJos Category: Windows This artifact detects registry changes and triggers an alert. | velociraptor |
| b3bb82df505f6945 | Artifact: Windows.Detection.WMIProcessCreation Author: Category: Windows WMI Process creation is a common lateral movement technique. The attacker simply uses WMI to call the Create() method on… | velociraptor |
| 153652f69d21cde5 | Artifact: Windows.Detection.BinaryRename Author: Matt Green - @mgreen27 Category: Windows This artifact will detect renamed binaries commonly abused by adversaries. Binary rename is a defense… | velociraptor |
| de13383123a89f68 | Artifact: Windows.Detection.PsexecService Author: Category: Windows PsExec works by installing a new service in the system. The service can be renamed by using the `-r` flag and therefore it is not… | velociraptor |
| fcc57fdd95e881be | Artifact: Windows.Detection.BinaryHunter Author: Matt Green - @mgreen27 Category: Windows This artifact enables hunting for binary attributes. The artifact takes a glob targeting input, then checks… | velociraptor |
| 9d3c598c18f7b7c4 | Artifact: Windows.Detection.Amcache Author: Matt Green - @mgreen27 Category: Windows This artifact collects AMCache entries with a SHA1 hash to enable threat detection. AmCache is an artifact which… | velociraptor |
| 32c4fcd8d572754b | Artifact: Windows.ActiveDirectory.SharpHound Author: Matt Green - @mgreen27 Category: Windows This artifact allows deployment of the BloodHound collection tool Sharphound. BloodHound is a popular… | velociraptor |
| 4d4acce374355ca3 | Artifact: Windows.Remediation.Quarantine Author: Matt Green - @mgreen27 Category: Windows Applies quarantine via Windows local IPsec policy. - By default the current client configuration is applied… | velociraptor |
| ecb23e98074d1a7f | Artifact: Windows.Remediation.ScheduledTasks Author: Category: Windows Remove malicious task from the Windows scheduled task list. WARNING: Removing scheduled tasks is potentially dangerous! You… | velociraptor |
| 97ef6a55238d85f9 | Artifact: Windows.Remediation.Sinkhole Author: Matt Green - @mgreen27 Category: Windows **Apply a Sinkhole via Windows hosts file modification** This content will modify the Windows hosts file by a… | velociraptor |
| 74573a7d850fa2eb | Artifact: Windows.Remediation.QuarantineMonitor Author: Category: Windows An event query that will ensure the client is quarantined. We re-calculate the quarantine every 10 minutes by default… | velociraptor |