API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| 3eca2525b56383c4 | Artifact: Windows.System.Shares Author: Matt Green - @mgreen27 Category: Windows This artifact will extract network shares per machine. | velociraptor |
| d8de4966b2055323 | Artifact: Windows.System.Signers Author: Category: Windows This artifact searches for all signed files and stacks them by signer. | velociraptor |
| 74b07b44b63cdc8d | Artifact: Windows.System.DLLs Author: Category: Windows Enumerate the DLLs loaded by a running process. It includes hash value and certificate information. | velociraptor |
| a07971d86a568200 | Artifact: Windows.System.CmdShell Author: Category: Windows This artifact allows running arbitrary commands through the system shell cmd.exe. Since Velociraptor typically runs as system, the… | velociraptor |
| a3f786d7949beb75 | Artifact: Windows.System.TaskScheduler Author: Category: Windows The Windows task scheduler is a common mechanism that malware uses for persistence. It can be used to run arbitrary programs at a… | velociraptor |
| 6938fc3ab268cb2b | Artifact: Windows.System.DomainRole Author: Matt Green - @mgreen27 Category: Windows This artifact will extract Domain Role per machine. | velociraptor |
| f0dbfcdf2df54600 | Artifact: Windows.System.CatFiles Author: Category: Windows Windows stores many hashes in .cat files. These catalog files contain a set of trusted hashes for drivers and other binaries, even if the… | velociraptor |
| 8d598a0d6fc8ccff | Artifact: Windows.System.UntrustedBinaries Author: Category: Windows Windows runs several services and binaries as part of the operating system. Sometimes malware pretends to run as those well known… | velociraptor |
| 5fb29b820fe3cb46 | Artifact: Windows.System.DNSCache Author: Category: Windows Collects DNS cache entries using the WMI class `MSFT_DNSClientCache`. Windows maintains DNS lookups for a short time in the DNS cache. | velociraptor |
| 1871b026a707f87d | Artifact: Windows.System.VAD Author: Matt Green - @mgreen27 Category: Windows This artifact enables enumeration of process memory sections via the Virtual Address Descriptor (VAD). The VAD is used by… | velociraptor |
| c7d1138be0e5dee5 | Artifact: Windows.System.HostsFile Author: Matt Green - @mgreen27 Category: Windows Parses the Windows Hostsfile. Regex searching for Hostname and resolution is enabled over output. NOTE: For… | velociraptor |
| f5fda87df1874b6b | Artifact: Windows.System.LocalAdmins Author: Category: Windows Gets a list of local admin accounts. | velociraptor |
| 16c45dd57ee8e385 | Artifact: Windows.System.Pslist Author: Category: Windows List processes and their running binaries. | velociraptor |
| 4bf01fa3a050a9e0 | Artifact: Windows.System.Threads Author: Category: Windows Enumerates all threads in selected processes. | velociraptor |
| 5bfe8aa8a1b77d2d | Artifact: Windows.System.SVCHost Author: Category: Windows Typically a windows system will have many svchost.exe processes. Sometimes attackers name their processes svchost.exe to try to hide.… | velociraptor |
| 383d742ebf024374 | Artifact: Windows.System.PowerShell Author: Category: Windows This artifact allows running arbitrary commands through the system PowerShell. Since Velociraptor typically runs as system, the… | velociraptor |
| d3f18a103e6dd9a2 | Artifact: Windows.System.CriticalServices Author: Category: Windows This artifact returns information about any services which are considered critical. The default list contains virus scanners. If… | velociraptor |
| 897ea18528b3ede4 | Artifact: Windows.System.AuditPolicy Author: Zach Stanford - @svch0st Category: Windows Uses auditpol to retrieve the logging settings defined in the Windows Audit Policy. Use this artifact to… | velociraptor |
| 241580fe7fc02f3d | Artifact: Windows.System.Handles Author: Category: Windows Enumerate the handles from selected processes. Uncheck all the handle types below to fetch all handle types. | velociraptor |
| 78c6b7602bd20da6 | Artifact: Windows.System.WMIQuery Author: Matt Green - @mgreen27 Category: Windows This artifact enables querying Windows Management Instrumentation (WMI). Windows Management Instrumentation (WMI)… | velociraptor |
| 9b1fb3f648eb1cb7 | Artifact: Windows.System.RootCAStore Author: Category: Windows Enumerate the root certificates in the Windows Root store. | velociraptor |
| 6f94ead1bde448d6 | Artifact: Windows.System.Services Author: Category: Windows List Service details. | velociraptor |
| d7327a419db66cd8 | Artifact: Windows.System.VBScript Author: Matt Green - @mgreen27 Category: Windows This artifact allows running VBScript through cscript.exe. This is a very powerful artifact since it allows for… | velociraptor |
| 9510e4e0a004d7b3 | Artifact: Windows.Applications.OfficeMacros Author: Category: Windows Scans through a given directory glob for common office files. Then tries to extract any embedded macros by parsing the OLE file… | velociraptor |
| 618b8127c69bb23f | Artifact: Windows.Applications.ChocolateyPackages Author: Category: Windows Chocolatey packages installed in a system. | velociraptor |
| 0e3ed5fb4017671d | Artifact: Windows.Applications.SBECmd Author: Eduardo Mattos - @eduardfir Category: Windows Execute Eric Zimmerman's SBECmd and return output for analysis. SBECmd is a CLI for analyzing Shellbags… | velociraptor |
| e3aa3b9a560c8bf1 | Artifact: Windows.Applications.MegaSync Author: Matt Green - @mgreen27 Category: Windows Parses MEGASync logs and allows using regular expressions to search for entries of interest. With… | velociraptor |
| 155126b051f7eb52 | Artifact: Windows.Applications.NirsoftBrowserViewer Author: Category: Windows This artifact wraps the Nirsoft BrowsingHistoryView tool - a tool for parsing browser history from a variety of… | velociraptor |
| 7951bc229304e7eb | Artifact: Windows.Applications.IISLogs Author: Matt Green - @mgreen27, Updated by Stephan Mikiss Category: Windows This artifact enables grep of IISLogs. Parameters include SearchRegex and… | velociraptor |
| 93d694e94660105f | Artifact: Windows.EventLogs.PowershellScriptblock Author: Matt Green - @mgreen27 Category: Windows This Artifact will search and extract ScriptBlock events (Event ID 4104) from Powershell-Operational… | velociraptor |
| ce561fd056894f60 | Artifact: Windows.EventLogs.ServiceCreationComspec Author: Matt Green - @mgreen27 Category: Windows Detects the string "COMSPEC" (nocase) in Windows Service Creation (SCM) events. That is: EventID… | velociraptor |
| 1fc6853c3cf02162 | Artifact: Windows.EventLogs.AlternateLogon Author: Category: Windows Logon specifying alternate credentials - if NLA enabled on destination Current logged-on User Name Alternate User… | velociraptor |
| c0ef0973be061aa8 | Artifact: Windows.EventLogs.Kerberoasting Author: Matt Green - @mgreen27 Category: Windows This Artifact will return all successful Kerberos TGS Ticket events for Service Accounts (SPN attribute)… | velociraptor |
| 423328421f14ce73 | Artifact: Windows.EventLogs.ScheduledTasks Author: @mgreen27 - Matt Green Category: Windows This artifact will extract Event Logs related to ScheduledTasks and provide a nice format for simplified… | velociraptor |
| f063b1580a638f04 | Artifact: Windows.EventLogs.EvtxHunter Author: Matt Green - @mgreen27 Category: Windows This Artifact will hunt the Event Log message field for a regex value. For example and IP, username or… | velociraptor |
| 805a20dac6154c06 | Artifact: Windows.EventLogs.Symantec Author: Matt Green - @mgreen27 Category: Windows Query the Symantec Endpoint Protection Event Logs. The default artifact will return EventId 51 and high value… | velociraptor |
| f4281e5094c39824 | Artifact: Windows.EventLogs.Modifications Author: Category: Windows It is possible to disable windows event logs on a per channel or per provider basis. Attackers may disable critical log sources… | velociraptor |
| d37205b5a61644dd | Artifact: Windows.EventLogs.ExplicitLogon Author: Matt Green - @mgreen27 Category: Windows Searches the Windows Security event log for explicit logon events, that is Event ID 4648: "A logon was… | velociraptor |
| 4d715a8e76014596 | Artifact: Windows.EventLogs.RDPAuth Author: Matt Green - @mgreen27 Category: Windows This artifact will extract Event Logs related to Remote Desktop sessions, logon and logoff. Security channel -… | velociraptor |
| 665618a25121c316 | Artifact: Windows.EventLogs.Cleared Author: Matt Green - @mgreen27 Category: Windows Extract Event Logs related to EventLog clearing - Security Log - EventID 1102 - System Log - EventID 104 | velociraptor |
| 3e0055f95cf05c8b | Artifact: Windows.EventLogs.PowershellModule Author: Matt Green - @mgreen27 Category: Windows This Artifact will search and extract Module events (Event ID 4103) from Powershell-Operational Event… | velociraptor |
| 6d07cbdd3967b026 | Artifact: Windows.EventLogs.Evtx Author: Chris Hendricks (chris@counteractive.net) Category: Windows Parses and returns events from Windows evtx logs. Each event is returned in full, but results can… | velociraptor |
| 9d17e014fb45e9da | Artifact: Windows.EventLogs.DHCP Author: Category: Windows This artifact parses the Windows DHCP event log looking for evidence of IP address assignments. In some investigations it is important to… | velociraptor |
| e9d4b599fad923c5 | Artifact: Windows.EventLogs.Telerik Author: Matt Green - @mgreen27 Category: Windows This Artifact will hunt for evidence of Telerik exploitation in the Application Event Log. Telerik is a commonly… | velociraptor |
| 832f3ef315a5fcd3 | Artifact: Windows.NTFS.I30 Author: Category: Windows Carve the $I30 index stream for a directory. This can reveal previously deleted files. Optionally upload the I30 stream to the server as well. | velociraptor |
| f317895a856aabff | Artifact: Windows.NTFS.ExtendedAttributes Author: Matt Green - @mgreen27 Category: Windows Adversaries may use NTFS file attributes for defense evasion to hide malicious data. This artifact parses… | velociraptor |
| b638341cf84638d2 | Artifact: Windows.NTFS.Recover Author: Category: Windows Attempt to recover deleted files. This artifact uploads all streams from an MFTId. If the MFT entry is not allocated there is a chance that… | velociraptor |
| eaf205c6e05a5d2d | Artifact: Windows.NTFS.ADSHunter Author: Matt Green - @mgreen27 Category: Windows This artifact hunts for Alternate Data Streams on NTFS file systems. Adversaries may use NTFS file attributes for… | velociraptor |
| edfc5b7fcc341c9c | Artifact: Windows.NTFS.MFT Author: Matt Green - @mgreen27 Category: Windows Parses $MFT files and returns rows of each in scope MFT record. This artifact can be used as the basis for other artifacts… | velociraptor |
| 3c2a348e72ddf67a | Artifact: Windows.Registry.PuttyHostKeys Author: Matt Green - @mgreen27 Category: Windows This artifact extracts PuTTY SSH host keys. As a security measure PuTTY and its companion utilities PSCP,… | velociraptor |