Velociraptor
13 Feb 2023


Overview

Velociraptor is an open source endpoint visibility tool with powerful digital forensics, incident response, and incident triage capabilities. LimaCharlie can be used to deploy Velociraptor at scale, allowing for easy artifact collection and incident analysis.

The interface defines 3 main actions:

  1. The list action to list all possible Velociraptor artifacts (we always run the latest version).
  2. The show action to show the arguments and general usage information for a given Velociraptor artifact type.
  3. The collect action to run the Velociraptor artifact collection on a number of endpoints.

Velociraptor will generate a ZIP file with all collected data, which is automatically ingested into LimaCharlie's Artifact system for download.

Downloading from LimaCharlie can also be automated: configure an Output on the Artifact stream to be notified whenever a Velociraptor Artifact is ingested into LimaCharlie, then export the Artifact using a REST API call.

Actions

list

This action takes no parameters and returns the list of Velociraptor artifacts synchronously.

show

This action requires the artifact_name parameter to be specified. It returns the artifact's usage synchronously.

collect

This action requires an artifact specification and an endpoint specification.

An optional ttl parameter defines how long (in seconds) the service waits for a targeted endpoint to come online and be processed for collection.

Artifact Spec

One of artifact_name, artifact_list or custom_artifact must be specified. The artifact_name is the exact name as defined by Velociraptor. The artifact_list is a comma-separated list of Velociraptor artifacts to collect.

The custom_artifact is the content of a custom Velociraptor YAML artifact definition to execute instead of a pre-defined Velociraptor artifact.

Note that the resulting artifact ZIP file is only automatically collected when you specify the artifact_name parameter, since we cannot predict where or how a custom_artifact will store its output.

An args parameter specifies a comma-separated list of arguments in the format ARG_NAME=ARG_VALUE given to Velociraptor at collection time.

Endpoint Spec

One of sid or tag must be specified. If sid is specified, the sensor with that Sensor ID is targeted for collection. If tag is specified, all sensors with the given tag are targeted.

REST

collect

{
  "action": "collect",
  "artifact_name": "Windows.Applications.Chrome.Extensions",
  "tag": "server",
  "ttl": 86400
}
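As an added example (not LimaCharlie's or Velociraptor's own code), the following Python helper builds a collect request body following the Artifact Spec and Endpoint Spec rules above and reports whether the resulting ZIP will be auto-ingested. It assumes "one of" means exactly one key from each spec; the REST endpoint URL and authentication are not described on this page and are left to the caller.

```python
ARTIFACT_KEYS = ("artifact_name", "artifact_list", "custom_artifact")
ENDPOINT_KEYS = ("sid", "tag")


def format_args(args):
    """Serialise {ARG_NAME: ARG_VALUE} as the comma-separated 'A=1,B=2' string
    the collect action expects. A comma inside a value would be read as the
    start of a new pair, so such values are rejected instead of sent."""
    for name, value in args.items():
        if "=" in name or "," in str(value):
            raise ValueError(f"argument {name!r} cannot be encoded as ARG_NAME=ARG_VALUE")
    return ",".join(f"{name}={value}" for name, value in args.items())


def build_collect_request(artifact_name=None, artifact_list=None,
                          custom_artifact=None, sid=None, tag=None,
                          ttl=None, args=None):
    """Return the JSON body (as a dict) for a 'collect' action. This example
    enforces exactly one artifact spec key and exactly one endpoint spec key
    (an assumption about the page's "one of"); artifact_list may be a Python
    list (joined with commas); ttl is the optional wait time in seconds."""
    if isinstance(artifact_list, (list, tuple)):
        artifact_list = ",".join(artifact_list)
    spec = {"artifact_name": artifact_name, "artifact_list": artifact_list,
            "custom_artifact": custom_artifact}
    chosen = [k for k in ARTIFACT_KEYS if spec[k] is not None]
    if len(chosen) != 1:
        raise ValueError("specify exactly one of " + ", ".join(ARTIFACT_KEYS))
    target = {"sid": sid, "tag": tag}
    selected = [k for k in ENDPOINT_KEYS if target[k] is not None]
    if len(selected) != 1:
        raise ValueError("specify exactly one of sid, tag")
    body = {"action": "collect", chosen[0]: spec[chosen[0]],
            selected[0]: target[selected[0]]}
    if ttl is not None:
        if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl <= 0:
            raise ValueError("ttl must be a positive number of seconds")
        body["ttl"] = ttl
    if args:
        body["args"] = format_args(args)
    return body


def zip_auto_ingested(body):
    """True when LimaCharlie ingests the resulting ZIP into Artifacts by
    itself; per this page that only happens for artifact_name collections."""
    return "artifact_name" in body
```

Calling build_collect_request(artifact_name="Windows.Applications.Chrome.Extensions", tag="server", ttl=86400) reproduces the REST body shown above.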
