API → UI component mappings · 90,813 documents
| ID | Document | Source |
|---|---|---|
| 0d3b1830fd8b9647 | Artifact: Windows.Registry.RecentDocs Author: Matt Green - @mgreen27 Category: Windows This artifact extracts RecentDocs MRU from the target. By default the artifact will target all users on the… | velociraptor |
| 44f2819359fe07f1 | Artifact: Windows.Registry.AppCompatCache Author: Matt Green - @mgreen27 Category: Windows This artifact parses AppCompatCache (shimcache) from target hives. AppCompatCache, also known as Shimcache,… | velociraptor |
| d131b601d7212f95 | Artifact: Windows.Registry.RDP Author: Matt Green - @mgreen27 Category: Windows This artifact will collect historical RDP server names and MRU items stored in each user's NTUser.dat 1. Servers -… | velociraptor |
| 1b0722cc0790925f | Artifact: Windows.Registry.UserAssist Author: Category: Windows Windows systems maintain a set of keys in the registry database (UserAssist keys) to keep track of programs that executed. The number… | velociraptor |
| fc68ff7cae7e1b1d | Artifact: Windows.Registry.BackupRestore Author: Matt Green - @mgreen27 Category: Windows This artifact will return BackupRestore configuration. Applications that request or perform backup and… | velociraptor |
| 260783f670412b77 | Artifact: Windows.Registry.EnabledMacro Author: @mgreen27 Category: Windows Checks for Registry key indicating macro was enabled by user. HKEY_USERS\*\Software\Microsoft\Office\*\Security\Trusted… | velociraptor |
| b793058b18d821ab | Artifact: Windows.Registry.NTUser Author: Category: Windows This artifact searches for keys or values within the user's NTUser.dat registry hives. When a user logs into a Windows machine the system… | velociraptor |
| 61aec0114770613b | Artifact: Windows.Registry.MountPoints2 Author: Matt Green - @mgreen27 Category: Windows This detection will collect any items in the MountPoints2 registry key with a "$" in the share path. This key… | velociraptor |
| 74d8b52773b29ff2 | Artifact: Windows.Registry.PortProxy Author: Matt Green - @mgreen27 Category: Windows This artifact will return any items in the Windows PortProxy service registry path. The most common configuration… | velociraptor |
| 4861c9a796b2be30 | Artifact: Windows.Registry.WDigest Author: Eduardo Mattos - @eduardfir, Matt Green - @mgreen27 Category: Windows Find WDigest registry values on the filesystem. The artifact will also use GROUP BY to… | velociraptor |
| 879bd1c736c508ce | Artifact: Windows.Registry.EnableUnsafeClientMailRules Author: @mgreen27 Category: Windows Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on). This registry key enables execution from… | velociraptor |
| 421a5ec1943f010e | Artifact: Windows.Analysis.EvidenceOfDownload Author: M.Soheem @msoheem | Antonio Blescia (TheThMando) Category: Windows Simple artifact to find evidence of user download activity. Based on the… | velociraptor |
| a5b48cd7ffd3e479 | Artifact: Windows.Sigma.EventLogs Author: Category: Windows Parses Windows event logs and matches them against Sigma rules. NOTE: This is a very simple artifact for demonstration only. For more… | velociraptor |
| 4bc05538f050f98e | Artifact: Windows.OSQuery.Generic Author: Category: Windows OSQuery is an excellent tool for querying system state across the three supported Velociraptor platforms (Windows/Linux/MacOS). You can… | velociraptor |
| 76edfac99c1ccfb2 | Artifact: Windows.Events.ProcessCreation Author: Category: Windows Collect all process creation events. This artifact relies on WMI to receive process start events. This method is not as good as… | velociraptor |
| d49680bbdca259b7 | Artifact: Windows.Events.FailedLogBeforeSuccess Author: Category: Windows Sometimes attackers will brute force a local user's account password. If the account password is strong, brute force… | velociraptor |
| fb087756cdcd9855 | Artifact: Windows.Events.Mutants Author: Jos Clephas - @DfirJos Category: Windows This artifact detects creation of Mutants and triggers an alert. | velociraptor |
| 573e91fde7b7c79d | Artifact: Windows.Events.Kerberoasting Author: Matt Green - @mgreen27 Category: Windows **Description**: This Artifact will monitor all successful Kerberos TGS Ticket events for Service Accounts (SPN… | velociraptor |
| ec75b7d9db18d725 | Artifact: Windows.Events.TrackProcessesETW Author: Category: Windows This artifact uses ETW to track process execution using the Velociraptor Process Tracker. The Process Tracker keeps track of… | velociraptor |
| c1a6c112da404c79 | Artifact: Windows.Events.Trackaccount Author: Jos Clephas - @DfirJos Category: Windows Artifact to detect account usage by monitoring event id 4624. This is useful for tracking attacker activity. If… | velociraptor |
| 1a5c1f9505161425 | Artifact: Windows.Events.EventLogModifications Author: Category: Windows It is possible to disable windows event logs on a per channel or per provider basis. Attackers may disable critical log… | velociraptor |
| db5592c340605928 | Artifact: Windows.Events.ServiceCreation Author: Category: Windows Monitor for creation of new services. New services are typically created by installing new software or kernel drivers. Attackers… | velociraptor |
| 57f8672acdf6a6f2 | Artifact: Windows.Events.TrackProcessesBasic Author: Category: Windows A basic process tracker which uses a simple polled pslist(). The Process Tracker keeps track of exited processes, and resolves… | velociraptor |
| 48392ae0a0de301e | Artifact: Windows.Events.TrackProcesses Author: Category: Windows Uses Sysmon and pslist to keep track of running processes by using the Velociraptor Process Tracker. The Process Tracker keeps… | velociraptor |
| 2425553857721cfa | Artifact: Windows.KapeFiles.Extract Author: Category: Windows Extracts files collected by the `Windows.KapeFiles.Targets` or `Windows.Triage.Targets` artifacts and restores the original timestamps… | velociraptor |
| 923a0a631e14fc47 | Artifact: Windows.KapeFiles.Remapping Author: Category: Windows Automates the creation of remapping rules to enable post-processing file uploads collected by the `Windows.KapeFiles.Targets`… | velociraptor |
| 00cc894685433cda | Artifact: Windows.Search.VSS Author: Matt Green - @mgreen27 Category: Windows This artifact will find all relevant files in the VSS. Typically used to out deduplicated paths for processing by other… | velociraptor |
| e9b0853cb2c0a29e | Artifact: Windows.Search.Yara Author: Category: Windows Searches for a specific malicious file or set of files by a YARA rule. | velociraptor |
| 29d05d59c10bede1 | Artifact: Windows.Search.WSLFileFinder Author: Category: Windows Find files within the VHDX containers of the Windows Subsystem for Linux (WSL) images. | velociraptor |
| b7bfbf18c605fc97 | Artifact: Windows.Search.FileFinder Author: Category: Windows Find files on the filesystem using the filename or content. ## Performance Note This artifact can be quite expensive, especially if… | velociraptor |
| 90f6303cbe1e6172 | Artifact: Windows.Search.SMBFileFinder Author: Category: Windows Find files on a remote filesystem using the filename or content. ## Security Note To access a remote share we require the… | velociraptor |
| 887485640980d653 | Artifact: Windows.Sys.PhysicalMemoryRanges Author: Category: Windows List Windows physical memory ranges. | velociraptor |
| f2360c5d47a0a6bd | Artifact: Windows.Sys.Users Author: Category: Windows List User accounts by inspecting registry keys. This method is a reliable indicator for users who have physically logged into the system and… | velociraptor |
| 5ff1ca41195806e7 | Artifact: Windows.Sys.CertificateAuthorities Author: Category: Windows Certificate Authorities installed in Keychains/ca-bundles. | velociraptor |
| e2fc814069017299 | Artifact: Windows.Sys.Drivers Author: Category: Windows Details for in-use Windows device drivers. This does not display installed but unused drivers. | velociraptor |
| f705e2782efa76b9 | Artifact: Windows.Sys.AllUsers Author: Category: Windows List User accounts. We combine two data sources - the output from the `NetUserEnum` API (termed `local` users) and the list of SIDs in the… | velociraptor |
| 7139c76a6bdb39f8 | Artifact: Windows.Sys.AppcompatShims Author: Category: Windows Application Compatibility shims are a way to persist malware. This table presents the AppCompat Shim information from the registry in… | velociraptor |
| 87a56c484a931131 | Artifact: Windows.Sys.StartupItems Author: Category: Windows Applications that will be started up from the various run key locations. | velociraptor |
| 73db79f2bf164e23 | Artifact: Windows.Sys.DiskInfo Author: Category: Windows Retrieve basic information about the physical disks of a system. | velociraptor |
| e9fdc6d811da77f7 | Artifact: Windows.Sys.Programs Author: Category: Windows Represents products as they are installed by Windows Installer. A product generally correlates to one installation package on Windows. Some… | velociraptor |
| 98316117578eeec4 | Artifact: Windows.Sys.Interfaces Author: Category: Windows Report information about the system's interfaces. This artifact simply parses the output from `ipconfig /all`. | velociraptor |
| 8356736cec4227ba | Artifact: Windows.Sys.FirewallRules Author: Category: Windows List Windows firewall rules. | velociraptor |
| 426ec2e02e801ebe | Artifact: Windows.Triage.SDS Author: Category: Windows Collects the $Secure:$SDS stream from the NTFS volume. The $Secure stream is both a directory (it has I30 stream) and a file (it has a $DATA… | velociraptor |
| a47ddedaa0af987c | Artifact: Windows.Forensics.LocalHashes.Usn Author: Category: Windows This artifact maintains a local (client side) database of file hashes. It is then possible to query this database by using… | velociraptor |
| ac43b9907e86848c | Artifact: Windows.Timeline.Registry.RunMRU Author: Matt Green - @mgreen27 Category: Windows # Output all available RunMRU registry keys in timeline format. RunMRU is when a user enters a command… | velociraptor |
| 14a77ea1d973dde3 | Artifact: Windows.Detection.Service.Upload Author: Category: Windows When a new service is installed, upload the service binary to the server | velociraptor |
| 4cf127c1b8b721b7 | Artifact: Windows.Detection.YaraX.Glob Author: Matt Green - @mgreen27 Category: Windows This artifact returns a list of target files then runs YARA over the target list. There are 2 kinds of YARA… | velociraptor |
| 530ff7f990def7ad | Artifact: Windows.Detection.Yara.PhysicalMemory Author: Category: Windows This artifact enables running YARA over physical memory. There are 2 kinds of YARA rules that can be deployed: 1. URL link… | velociraptor |
| 51c24489743231c3 | Artifact: Windows.Detection.Yara.NTFS Author: Matt Green - @mgreen27 Category: Windows This artifact searches the MFT, returns a list of target files then runs YARA over the target list. There are 3… | velociraptor |
| 478a088fcfa22a4f | Artifact: Windows.Detection.Yara.Device Author: Matt Green - @mgreen27 Category: Windows This artifact enables running YARA over a Physical device and offset specific targeting. There are 2 kinds of… | velociraptor |