Artifact Exchange

The artifact exchange is a place for sharing community contributed artifacts. Simply search below for an artifact that might address your need. If you wish to contribute to the exchange, please click the button to the right.

You can automatically import the entire content of the artifact exchange into your server by running the Server.Import.ArtifactExchange artifact.

Alternatively, download the artifact pack and manually upload it in the GUI (navigate to View Artifacts and click the Upload Artifact Pack button).

The artifact exchange is not officially supported by the Velociraptor team and contains contributions from the community. The quality, security and stability of artifacts from the exchange are not guaranteed. Some artifacts from the exchange will fetch external binaries and run them on your endpoints! These binaries are not reviewed or endorsed by the Velociraptor team or Rapid7!

Contributions to the exchange must meet a lower quality bar than built-in artifacts (for example, they may lack tests), which means that they may break at any time or not work as described!

Collecting any of the artifacts in the exchange is purely at your own risk!

We strongly suggest users review exchange artifacts carefully before deploying them on their network!


This artifact is my attempt at implementing keylogger detection based on research presented by [Asuka Nakajima at NULLCON](https://speakerdeck.com/asuna_jp/nullcon-goa-2025-windows-keylogger-detection-targeting-past-and-present-keylogging-techniques) using the Microsoft-Windows-Win32k ETW provider.

Contributed by zaneGittins

This artifact detects screen captures by correlating events from the Microsoft-Windows-Win32k ETW provider which are triggered by common Windows API calls made when taking a screenshot. This can be useful for detecting remote access trojans, infostealers, and data exfiltration. Tested against Sliver, Meterpreter, and Empire. This will also trigger on legitimate tools such as ZoomIt, Greenshot, MsTeams, etc., which can be excluded on a case-by-case basis via the ProcessExceptionsRegex parameter.

Contributed by zaneGittins

This artifact deploys honeyfiles according to the Honeyfiles CSV parameter. It then monitors access to these files using eBPF. The process tracker must be enabled; it is used to enrich events. You must also be running Velociraptor >= 0.74 to support eBPF. Honeyfiles created by this artifact are removed at exit.

Contributed by zaneGittins

This artifact deploys honeyfiles according to the Honeyfiles CSV parameter. It then monitors access to these files using ETW. The process tracker must be enabled; it is used to enrich ETW events. Honeyfiles created by this artifact are removed at exit.

Contributed by zaneGittins

MacOS.Forensics.ASL
2025-02-19

This artifact parses the ASL (Apple System Log) v2 files located at /private/var/log/asl/*.asl.

Contributed by ydkhatri

This artifact collects all necessary artifact files and directories from a Linux operating system.

Contributed by kidrek

Docker.Image.Export
2024-12-09

Uses the Docker UNIX socket to export a Docker image to a temporary file and uploads it to Velociraptor.

Contributed by DoppioRistretto

Parses the Win10/11 notifications database, which contains events for badges, tiles, and toasts shown to each user.

Contributed by zaneGittins

Windows.ESET.Logs
2024-12-01

Parse logs from ESET antivirus products. This log contains information about detections made by the ESET modules such as Real-time filesystem protection, Firewall, HIPS, Device Control, HTTP filter, AMSI Scanner, etc.

Contributed by j91321

Allows pulling in JSON lists from an external URL to perform lookups against.

Contributed by shortstack

This artifact collects metadata about open file descriptors from active processes on a Linux system. Outputs include regular files, sockets, device files, and deleted files used by each process.

Contributed by chrisdfir

Enumerate domain users by creation date. This artifact can be used to quickly detect new domain accounts that may have been created by attackers. This artifact must be run on domain-joined systems with the PowerShell Active Directory module installed.

Contributed by AnthoLaMalice

FreeBSD.Sys.Utx
2024-09-08

Parse the utx file of the system (similar to wtmp on Linux). This covers user sessions, boots, shutdowns and system time changes. Because FreeBSD discards fields for the entries of the utx file based on type (see `man getutxent`), no direct parsing of the file using "vtypes" is done (too complicated for me to define a structure for parsing), but rather native tools are used for accessing the data.

Contributed by Herbert-Karl

This artifact is used to compare other artifacts from two different hunts. The basic idea is that a baseline (Hunt 1) is created from selected artifacts before an attack. A second hunt (Hunt 2) can then be carried out after the attack using the same artifacts. Now, using this script, artifacts from both hunts can be compared. This allows legitimate activities to be filtered out and makes it easier to identify malicious activities in Hunt 2.

Contributed by DenKi42

PsShutdown is a command-line utility similar to the shutdown utility from the Windows 2000 Resource Kit, but with the ability to do much more. In addition to supporting the same options for shutting down or rebooting the local or a remote computer, PsShutdown can logoff the console user or lock the console (locking requires Windows 2000 or higher). PsShutdown requires no manual installation of client software.

Contributed by iboje

This artifact parses `/proc/[0-9]*/status` files and extracts the `ProcessName` and `Kthread` values. Helpful for identifying imposter processes.

Contributed by andy99998

This artifact detects potential persistence mechanisms on Linux systems by analyzing environment variable files and login scripts.

Contributed by ibyf0r3ns1cs

Parses the metadata found in Veeam full backup files (`.vbk`), Veeam incremental backup files (`.vib`) and Veeam reverse incremental backup files (`.vrb`) to extract relevant fields for each Restore Point.

Contributed by cybiosity-syn

Adds a Microsoft Defender real-time scanning process exclusion for Velociraptor.

Contributed by predictiple

Monitor network use per process using the tool "nethogs". This artifact will list all processes that produce (non-local) network traffic on the client. The NetstatEnriched artifact is used to provide detailed information about the process using netstat and the process tracker, along with the bytes received and sent per second.

Contributed by misje

Monitor network use per process using the tool "nethogs". This artifact will list all processes that produce (non-local) network traffic on the client. The NetstatEnriched artifact is used to provide detailed information about the process using netstat and the process tracker, along with the bytes received and sent per second.

Contributed by misje

Get Docker containers by connecting to the docker.socket. Same as running `docker ps`.

Contributed by j91321

This notebook lists all recent flows/collections across all orgs on the platform. It may be used for auditing or as a means of finding a collection previously scheduled.

Contributed by misje

Parses Apache access logs to extract detailed request information.

Contributed by Krishna-23

This artifact is meant for monitoring network connections on clients. It periodically queries the existing network connections and emits lines for differences (new connections and missing/removed ones). Network connections are tracked and compared based on the following elements: process id, layer 3 protocol, layer 4 protocol, local address used, local port used, remote address used, remote port used.

Contributed by sec-hbaer

This artifact alerts on network connections tracked by Velociraptor on clients. Requires the client_event artifact 'Generic.Events.TrackNetworkConnections' to be enabled.

Contributed by sec-hbaer

DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs

Contributed by AnthoLaMalice

Find and parse SSH authorized_keys files on Windows hosts running the OpenSSH service.

Contributed by j91321

Gather Sysmon process creation events from the Sysmon operational event log. Enrich with the Authenticode signature of the image and the call chain. Caches the Authenticode signature by the hash of the image for an hour to reduce the number of times it fetches the signature. Prerequisites: Sysmon, and the process tracker artifact.

Contributed by zaneGittins

Linux brute-force detection module. This code is based on https://github.com/RCarras/linforce/blob/main/linforce.sh. This module uses btmp/wtmp files to search for possible brute-force attacks by comparing:

Contributed by RCarras

This artefact will read and correlate several tables to do with Microsoft Recall.

Contributed by zachstanford-cybercx

This artefact will read and correlate several tables to do with Microsoft Recall.

Contributed by zachstanford-cybercx

[Takajo](https://github.com/Yamato-Security/takajo) is a fast forensics analyzer for Hayabusa results written in Nim. Takajō means "Falconer" in Japanese and was chosen as it analyzes Hayabusa's "catches" (results).

Contributed by x0rPE

This artifact allows detecting Responder in the environment: https://tcm-sec.com/llmnr-poisoning-and-how-to-prevent-it/

Contributed by Jbhoohe

Trawler [https://github.com/joeavanzato/Trawler] is a PowerShell script designed to help Incident Responders rapidly identify potential adversary persistence mechanisms on Windows. It is similar in nature to PersistenceSniper with additional targeted checks as well as the capability to operate against a 'dead box' (mounted drive). The output is simplified compared to PersistenceSniper, providing the user with the details needed to kick off an investigation into any identified mechanisms. Think of these tools as autoruns on steroids.

Contributed by joeavanzato

Instructions: Upload a YARA signature file (the signature file must be named yara.yas) and yara64.exe in a single zip file called yara.zip. This artifact is an alternative way to scan processes, or to recursively scan the C:\ drive with a YARA file containing multiple rules, utilizing the official YARA tool.

Contributed by mgreen27

This Velociraptor artifact is tailored for forensic analysis of Angry IP Scanner usage on Windows platforms. This facilitates the identification of how Angry IP Scanner was configured and used, aiding in DFIR investigations. It examines the registry keys HKEY_USERS\*\SOFTWARE\Famatech\advanced_port_scanner and HKEY_USERS\*\SOFTWARE\Famatech\advanced_port_scanner\State to retrieve information about:

- run: Displays the version of Advanced Port Scanner
- locale_timestamp: Indicates the time in EPOCH (UTC +0) at which the application was first launched
- locale: Displays the language chosen for the graphical interface; may prove useful to get an idea of the native language of a threat actor (it is necessary to correlate with a modus operandi in order not to fall into the trap of a false flag)
- LastPortsUsed: Displays the ports used in the last scan
- LastRangeUsed: Displays the IP range used in the last scan
- IpRangesMruList: Displays all the IP ranges scanned by the tool; the first digit of each prefix in this list indicates the frequency of scans for each range
- PortsMruList: Displays all the ports that have been scanned by the tool; the first digit of each prefix in this list indicates the frequency of scans for each port
- SearchMruList: Displays all the IP addresses or hostnames that have been searched using the GUI's "search" feature

Contributed by y0sh1mitsu

This Velociraptor artifact is tailored for forensic analysis of Angry IP Scanner usage on Windows platforms. This facilitates the identification of how Angry IP Scanner was configured and used, aiding in DFIR investigations. It examines HKEY_USERS\*\SOFTWARE\JavaSoft\Prefs\ipscan in the registry to retrieve information about:

- language: Displays the language used in the GUI; may prove useful to get an idea of the language used by a threat actor (it is necessary to correlate with a modus operandi in order not to fall into the trap of a false flag)
- Version: Displays the version of Angry IP Scanner
- LastVersionCheck: Captures the last time (EPOCH format in UTC +0) when the application checked for an update
- PortScanConfiguration: Displays the selected ports for scanning

Contributed by y0sh1mitsu

This Velociraptor artifact is tailored for forensic analysis of SoftPerfect Network Scanner (NetScan) usage on Windows platforms. This facilitates the identification of how SoftPerfect Network Scanner was configured and used, aiding in DFIR investigations. It parses the MFT to search for and retrieve the content of two files:

Contributed by y0sh1mitsu

ThumbCache_xx.db parser.

Contributed by mgreen27

This artifact parses Notepad TabState files available in Windows 11.

Contributed by mgreen27

This artifact extracts useful data for triage of ConnectWise ScreenConnect CVE-2024-1709 and CVE-2024-1708 impacting versions 23.9.7 and prior.

Contributed by mgreen27

This artifact runs the CIS-CAT Lite tool on the target machine and uploads the HTML output to the Velociraptor server.

Contributed by ablescia

This artifact looks for evidence of a web shell being present on the system. It targets Windows and Linux hosts. The artifact should be run on web servers, be it dedicated web servers or systems with integrated web servers. For such machines, find the root directory of the web server and change the artifact parameters as needed.

Contributed by sec-hbaer

* Execute Eric Zimmerman's JLECmd to parse AUTOMATICDESTINATIONS-MS and CUSTOMDESTINATIONS-MS files on the C:\ drive recursively and return output for analysis. (jlecmd.exe -d C:/ --csvf -csv tmpdir results.csv)
* JLECmd.zip is downloaded from the URL to the 'C:\Program Files\Velociraptor\Tools' folder.
* JLECmd.zip can be uploaded to the Velociraptor server in order to copy it to the clients in case there is no internet connection.
* Created using @carlos_cajigas LECmd VQL as a guide.
* JLECmd is a CLI tool for analyzing Custom Destinations jump list data. Learn more - https://github.com/EricZimmerman/JLECmd

Contributed by orhan-emre

Find drives/USB mass storage devices that were mounted.

Contributed by hasamba

This artefact will collect scheduled task information from the registry without relying on the existence of an XML file in C:\Windows\System32\Tasks.

Contributed by mgreen27

This is a server artifact that enables running Generic.Detection.Yara.Glob over ssh.

Contributed by mgreen27

Parses the metadata found in Veeam backup chain metadata files (`.vbm`) to extract relevant fields for each Restore Point.

Contributed by cybiosity-syn

This artifact detects evidence of exploitation of Confluence RCE CVE-2023-22527.

Contributed by mgreen27

PersistenceSniper is a PowerShell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt for persistence mechanisms implanted in Windows machines. It is also available on the PowerShell Gallery and is digitally signed with a valid code signing certificate. The tool is under active development with new releases coming out regularly, so make sure to use the up-to-date version. https://github.com/last-byte/PersistenceSniper

Contributed by ablescia

This artifact detects Effluence Webshell observed deployed during exploitation of Atlassian Confluence CVE-2023-22515.

Contributed by mgreen27

This is an artifact that will monitor a local path for collections, which it will then ingest.

Contributed by bmcder02

This is an artifact that will monitor an S3 path for collections, which it will then ingest.

Contributed by bmcder02

Detects artifacts associated with post exploitation activity of LaceTempest related to the SysAid 0day.

Contributed by mgreen27

This artifact gets all Bitlocker volumes using PowerShell, including the recovery password.

Contributed by zaneGittins

This artefact can be used to retrieve and parse some FreeFileSync files in order to:

- Identify the latest account used to transfer data and the remote IP address destination in the case of the SFTP protocol, with the query GlobalInfo
- Identify the latest transferred files with Latest Data Transfer
- Identify the presence of other interesting logs about previous or attempted file transfers

Contributed by freeze-syn

This artefact can be used to retrieve and parse some GoodSync files in order to:

- identify the configured GoodSync account;
- identify the date and time of transferred files.

Contributed by freeze-syn

Get all currently logged-in users via WMI.

Contributed by zaneGittins

Schedules Server.Utils.DeleteMonitoringData to clean up server monitoring data.

Contributed by zaneGittins

Detects when a new network is added or removed from the system via the NetworkList registry keys.

Contributed by zaneGittins

Linux.Memory.AVML
2023-10-31

Acquires a full memory image in LiME output format. We download avml and use it to acquire a full memory image. NOTE: This artifact usually transfers a lot of data. You should increase the default timeout to allow it to complete.

Contributed by Zawadidone

Service Executable Hijacking is a misconfiguration flaw where a service runs an executable which has overly permissive permissions on it (for example, "Full Control" permissions granted to "Authenticated Users"). If a service runs under the security context of a user with high permissions (such as NT Authority\SYSTEM), and an attacker with low privileges is able to modify the executable that service is running (such as replacing it with their own), the service could run that executable with high privileges.

Contributed by Sam0rai

This artifact parses Windows MeasuredBoot TCGLogs to extract the PathName of EV_EFI_Boot_Services_Application events, which can assist detection of potential ESP-based persistence.

Contributed by mgreen27

NOTE: Requires Velociraptor 0.7.1 or higher. Alternatively, import the artifact dependency Linux.Sys.Groups manually into your installation.

Contributed by misje

This artifact will return the Enabled KeyValue in the Hypervisor-protected Code Integrity (HVCI) registry path. An adversary may set the Enabled key to 0 if they intend to manipulate the UEFI boot process.

Contributed by mgreen27

This artifact will run KnockKnock to collect autorun output.

Contributed by mgreen27

IPCheck.Virustotal
2023-10-19

Submit an IP to VirusTotal. The default public API restriction is 4 requests/min (inspired by the VirusTotal file check created by Wes Lambert, @therealwlambert).

Contributed by AdrianX21

NetworkManager is a popular high-level interface for configuring networks in Linux systems, in particular Ubuntu and other Debian-based flavours. This artifact lists the NetworkManager state, all configured connections and their settings, as well as when the connections were last activated. A list of BSSIDs per connection is also retrieved.

Contributed by misje

NOTE: This is a fixed version of Windows.Timeline.Prefetch which is available in the release binary after 0.7.0-3.

Contributed by scudette

This is an artifact to detect exploitation of a critical vulnerability in Progress Software's WS_FTP observed in the wild.

Contributed by mgreen27

This artifact enables running YARA over processes in memory, targeting detection of IDAT Loader and final payloads observed in the field.

Contributed by mgreen27

This server monitoring artifact will automatically zip and back up any collected artifacts to Azure blob storage.

Contributed by zaneGittins

This artifact enables scoping event logs from Microsoft VPN, served by the Remote Access Service server role. It is designed to assist in identifying VPN connections in organizations that are using the Microsoft VPN service. It targets both server-side and client-side logs.

Contributed by ekt0-syn

Extract keys, fingerprints and identities from GPG keys.

Contributed by misje

**This is a modified version of Windows.Events.TrackProcesses for servers that do not use the Inventory service. It assumes that Sysmon is already installed and running. The option to forward updates to the server is also removed.**

Contributed by SBattaglia-R7

This artifact searches for potential privilege escalation indicators on Linux systems. It identifies processes running as root that were spawned by processes not running as root, which could indicate unauthorized privilege escalation. Created by Leonardo Grossi.

Contributed by leogrossi

Uses the CyLR tool to perform live forensics on the host.

Contributed by tsauter

This artifact enables extracting the Windows Defender configuration from the SOFTWARE registry hive.

Contributed by mgreen27

Create a Slack/Mattermost notification when a client Flow (with artifacts of interest) has finished. Cancelled collections and collections with artifacts that don't satisfy preconditions do not create notifications when they are stopped.

Contributed by misje

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more.

Contributed by hasamba

CVE-2021-34527, the Windows Print Spooler Remote Code Execution Vulnerability.

Contributed by DakshGajjar

Kunai is a Linux-based security monitoring and threat hunting tool written in Rust. This artifact parses the Kunai log file.

Contributed by weslambert

This artifact will parse ~/.ssh/authorized_keys and ~/.ssh/id_*.pub looking for the command option to detect potential persistence.

Contributed by 4ltern4te

This artifact will parse /proc/*/exe files and look for processes that have been executed from memory via memfd_create().

Contributed by 4ltern4te

IRIS.Timeline.Add
2023-06-09

Adds Velociraptor rows as timeline entries to [DFIR-IRIS](https://dfir-iris.org/).

Contributed by BadBloopZ

This artifact enables scoping event logs from Progress Software's MOVEit File Transfer. It is designed to assist in identifying exfiltration resulting from the exploitation of CVE-2023-34362.

Contributed by mgreen27

This is an artifact to detect exploitation of a critical MOVEit vulnerability observed in the wild (CVE-2023-34362).

Contributed by mgreen27

Submit a file to Strelka for analysis using `strelka-oneshot`.

Contributed by weslambert

Parses the RecentFileCache, an evidence-of-execution artifact existing on older Windows systems (<= Win 7).

Contributed by BadBloopZ

Execute Eric Zimmerman's LECmd and return output for analysis. Created using @eduardfir SBECmd VQL as a guide. LECmd is a CLI tool for analyzing LNK data. Learn more - https://github.com/EricZimmerman/LECmd

Contributed by CarlosCajigas

PSList.VTLookup
2023-05-18

Combination of PSList with a VirusTotal reputation lookup using the VirusTotal Server Enrichment artifact by Wes Lambert.

Contributed by Shad0wCell

Create an IRIS alert when monitored artifacts complete with results. Alerts are available starting in version 2.1.0 of IRIS. https://github.com/dfir-iris/iris-web/releases/tag/v2.1.0

Contributed by weslambert

Send notification via Mattermost webhook as described in

Contributed by hillu

MacOS.System.Man
2023-05-16

`man` is typically used to provide information about how to use various commands. Its configuration file is located at `/private/etc/man.conf` on most macOS systems.

Contributed by weslambert

Simply adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria via the `netsh advfirewall firewall add rule` command. Applicable, for example, when blocking Internet access.

Contributed by tuedenn

This artifact will show the Clipboard activity.

Contributed by h-adwan

This artifact parses JSONL-formatted logs generated by MacMonitor.

Contributed by weslambert

This artifact by itself only indicates that the PowerPick tool may have been invoked on the client. To capture additional context, ensure that PowerShell script block and module logging are enabled on the clients and deploy the Windows.ETW.Powershell artifact from the Exchange.

Contributed by SBattaglia-R7

This artifact will detect running BumbleBee processes and subsequently extract the command and control servers with the destination port 443.

Contributed by angelovioletti

Send a message to Telegram when clients become enrolled.

Contributed by tuedenn

Checks the configured domain name on each endpoint.

Contributed by angry-bender

This artifact enables Qakbot payload detection and configuration extraction from a byte stream, process or file on disk. The artifact runs a YARA scan as a detection step, then attempts to process the payload to extract its configuration.

Contributed by mgreen27

Read all users' Firefox history.

Contributed by x64-julian

This artifact searches for evidence of trojanised 3CXDesktopApp.

Contributed by mgreen27

Detects the [Cursed Chrome](https://github.com/mandatoryprogrammer/CursedChrome) extension. Starts by searching for permissive extensions configured within `Secure Preferences`, locates the path of the extensions and scans them using YARA.

Contributed by mattdri-ir

Attackers plant SCF, URL, and LNK files with malicious icon file paths on file shares to escalate privileges or maintain persistence. This attack only requires the user to browse to the location of the malicious file. This artifact enumerates file shares and returns an event for each file with a remote icon. It can also scan a target root directory since attackers commonly use other locations like desktops.

Contributed by acedef

This looks through the registry on all disks to determine the hostname for cases where multiple disks are mounted.

Contributed by angry-bender

This artifact leverages ChopChopGo to enable usage of Sigma rules to facilitate detection within Linux logs.

Contributed by weslambert

Checks for overly permissive DACLs on scmanager. Low-privileged users with KA (SDDL_KEY_ALL) could launch SYSTEM services.

Contributed by acedef

Submit an email to Sublime for analysis.

Contributed by weslambert

This artifact runs Get-InjectedThreadEx to detect process injection and hooking.

Contributed by mgreen27

This artifact leverages UAC (Unix-like Artifacts Collector) to collect artifacts from Unix-like systems, and then upload the output to the Velociraptor server.

Contributed by tclahr

Takes a pipe name and returns the owning process and access rights. The primary motivation for this artifact is a vulnerability in RemCom. RemCom is most notably used by impacket's psexec.py. It creates a null DACL for its communication pipe, which means a low-privileged user could use a stale pipe to get remote execution as SYSTEM. If you uncover any named pipes with the name RemCom_communication, investigate the owning process and remove it from the system. #impacket

Contributed by acedef

Checks for vRealize Log Insight VMSA-2023-0001 exploitation artifacts. The presence of a path traversal in the FileName field is evidence of compromise. There is still a path to exploitation without leveraging the path traversal vulnerability: any attempt to run REMOTE_PAK_DOWNLOAD_COMMAND from a non-vRealize server is malicious. #VMWare #vRealize #exploit

Contributed by acedef

This artifact enables detection of malicious .one files and can also be used as an embedded file and metadata parser.

Contributed by mgreen27

This artifact parses VSCode configuration files to find potential persistence.

Contributed by mgreen27

Extract MobaXterm encrypted saved master passwords, passwords and credentials from the registry. Further information regarding decryption can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/

Contributed by Sam0rai

This artifact completely removes a client from the data store if a configured label is set.

Contributed by mgreen27

This artifact queries for RDP and Authentication events with a Public IP source. The artifact uses Windows.EventLogs.RDPAuth and has several built in notebooks for analysis.

Contributed by mgreen27

Extract WinSCP obfuscated saved passwords from the registry. Further information regarding deobfuscation can be found here: https://www.xmcyber.com/blog/extracting-encrypted-credentials-from-common-tools-2/

Contributed by Sam0rai

This artifact will enable discovery of logs associated with observed exploitation of the critical ManageEngine vulnerability CVE-2022-47966.

Contributed by mgreen27

This artifact detects evidence of several common proxy tools.

Contributed by mgreen27

This artifact parses the KACE software monitoring SQLite database, ksw_process.db, which provides excellent third-party evidence of execution that may be useful during investigation or detection work.

Contributed by mgreen27

This artifact collects various autorun files for upload. Based on TriagePersistence from forensicartifacts.com.

Contributed by 4ltern4te

Collect browser extensions and upload them. Based on TriageWebBrowserExtensions from forensicartifacts.com.

Contributed by 4ltern4te

Collect browser history and upload it. Based on TriageWebBrowserHistory from forensicartifacts.com.

Contributed by 4ltern4te

Collect database configurations and upload them. Based on TriageDatabaseConfigsAndLogs from forensicartifacts.com.

Contributed by 4ltern4te

Collect history files from Unix/Linux utilities and upload them. Based on TriageHistory from forensicartifacts.com.

Contributed by 4ltern4te

Collect network config files and upload them. Based on TriageNetwork from forensicartifacts.com.

Contributed by 4ltern4te

Collect system configurations and upload them. Based on TriageSystemConfiguration from forensicartifacts.com.

Contributed by 4ltern4te

Collect system logs and upload them. Based on TriageSystemLogs from forensicartifacts.com.

Contributed by 4ltern4te

Collect user configurations and upload them. Based on TriageUserConfiguration from forensicartifacts.com.

Contributed by 4ltern4te

Parse the Program Compatibility Assistant launch dictionary for executable launch times.

Contributed by ecapuano

This artifact analyzes Kerberos tickets and attempts to determine if they are forged, using WonkaVision by @4ndr3w6s and @exploitph.

Contributed by weslambert

Collect WonkaVision logs from Windows hosts.

Contributed by weslambert

This artifact allows for live hunting through Apple's Unified Logs using the native `log` command.

Contributed by weslambert

Capture Bash logout files for examination of abnormal activity.

Contributed by weslambert

This artifact provides details about notes taken using the default Notes application on macOS. These notes can be useful during an investigation, especially if tied to interesting files.

Contributed by weslambert

This artifact enables collection of TeamViewer log entries for keyboard layout changes.

Contributed by mgreen27

MacOS.Network.DHCP
2022-12-10

It can be useful to view DHCP lease information on an endpoint. If the `LeaseLength`, `RouterIPAddress`, `SSID`, or other values are not as expected, it could potentially indicate a rogue DHCP server on the network, or just misconfiguration.

Contributed by weslambert

IRIS.Sync.Asset
2022-12-08

Synchronizes client information from Velociraptor to [DFIR-IRIS](https://dfir-iris.org/).

Contributed by BadBloopZ

Parses the 'recently-used.xbel' XML file for all standard Linux users.

Contributed by Seeps

Linux.System.PAM
2022-12-08

This artifact enumerates applicable lines from the files that reside in `/etc/pam.d/`. This information can be useful for auditing and compliance purposes, or to identify suspicious activity on Linux systems.

Contributed by weslambert

On macOS, certain application state is saved in `/Users/*/Library/Saved Application State/`.

Contributed by weslambert

Query OpenAI for analysis of data.

Contributed by weslambert

This is a template artifact to allow alerting on a monitoring artifact.

Contributed by mgreen27

APT (Advanced Package Tool) maintains a log of software installation/removal/upgrades, as well as associated command-line invocations.

Contributed by weslambert

This artifact checks for mounted disk images using the `hdiutil` command.

Contributed by weslambert

This artifact uses glob to remove a file or folder. To recursively target a folder: ```C:\folder\path{,\**}```. To target multiple folders: ```C:\{folder2\path2{,\**},folder\path{,\**}}```, however it is advised to just run 2 collections... WARNING: There has been a bug in older versions of Velociraptor where the ```\**``` glob path will select all files. PLEASE SCOPE FIRST and use appropriate targeting.

Contributed by mgreen27

Parse the output of the journalctl command. Journalctl is an interface to the systemd journal, which records information about system events.

Contributed by weslambert

On macOS, the NetUsage DB can provide various details around application network utilization. With this artifact, we can get an idea of what applications are utilizing the network for communications and to what degree. We can also identify whether usage has occurred through a Wi-Fi network or a wired network.

Contributed by weslambert

This artifact enables killing a process by Name, Path or PID.

Contributed by mgreen27

This artifact uses glob to remove a registry key.

Contributed by mgreen27

On macOS, the KnowledgeC DB can provide various details around application activities and usage, as well as device power status.

Contributed by weslambert

Grab important events from Windows logs (.evtx) using [EvtxHussar](https://github.com/yarox24/EvtxHussar). Also upload PowerShell ScriptBlocks (reconstructed as files).

Contributed by yarox24

Create a post on a Mastodon server. This could be used for automated alerting purposes, sharing IOCs, etc.

Contributed by weslambert

Applications can use the NSURL cache to store specific data that is useful to the operation of the application in a `Cache.db` file on disk. The data contained within this file could potentially be useful to investigators or incident responders, such as URLs that were accessed, as well as data requested or returned.

Contributed by weslambert

This artifact allows collecting Sysmon Events for Triage around a timestamp.

Contributed by mgreen27

DetectRaptor is a collection of publicly available Velociraptor detection content. Most content is managed by a series of csv files and artifacts are automatically updated.

Contributed by mgreen27

This artifact is a modified version of the Linux.Sys.BashHistory artifact that enables grep of Bash and alternate shell history and *session* files.

Contributed by weslambert

This artifact detects patched TerminalService / Remote Desktop (RDP) dynamic link library or ServiceDll - termsrv.dll.

Contributed by mgreen27

MacOS.Sys.Automator
2022-11-11

This artifact collects information about Automator actions and workflows.

Contributed by weslambert

List and parse content of Systemd timers.

Contributed by weslambert

Collect RPC Firewall logs from Windows hosts.

Contributed by weslambert

This artifact provides information around the configuration of the application firewall for a macOS host.

Contributed by weslambert

Takes a query and outputs the number of unique items per column, as well as the top 10 most frequently occurring items.

Contributed by clayscode

This artifact is a wrapper around the Windows.EventLogs.EvtxHunter artifact. It searches the Windows Application event log for logs being written by Nextron System's Aurora/Aurora Lite ('AuroraAgent' provider).

Contributed by weslambert

Collect information about connected or paired Bluetooth-enabled devices.

Contributed by weslambert

This artifact extracts SystemBC RAT configuration from a byte stream, process or file on disk.

Contributed by mgreen27

This artifact looks for recent Wifi networks to which a host has joined. This can be useful in determining where a machine has been, or if a user has joined an illegitimate or unauthorized wireless network. *Tested on macOS Monterey

Contributed by weslambert

This server side event monitoring artifact watches for new client enrollments and automatically labels them according to their domain roles.

Contributed by BadBloopZ

This parses AnyDesk logs to retrieve information about AnyDesk usage. It includes source IP addresses, AnyDesk IDs, and file transfers.

Contributed by DfirJos

This artifact extracts Brute Ratel C4 (BRc4) configuration from a byte stream, process or file on disk. BRc4 is an emerging red-teaming and adversarial attack simulation tool.

Contributed by mgreen27

This is a simple artifact that leverages Aftermath to collect many different forensic artifacts from a macOS host, then uploads the results to the Velociraptor server.

Contributed by weslambert

Dump process memory and upload to the server

Contributed by weslambert

Following Microsoft's decision to block macros by default on MS Office applications, threat actors are increasingly using container files such as ISO files to distribute malware. This artifact will extract evidence of container files being mounted that may be malicious from the Microsoft-Windows-VHDMP-Operational EventLog. The artifact targets the string ".(iso|vhd|vhdx|img)$" in event IDs: 1 (mount), 2 (unmount) and 12 (type, path, handle).

Contributed by cquinn-r7

Looks for suspended Parallels VMs owned by any user on a macOS system. Can automatically upload the virtual memory files if found.

Contributed by DoppioRistretto

This artifact checks the VAD for executable sections that are not mapped to disk and have suspicious content, which may indicate process injection.

Contributed by mgreen27

This artifact enables Powershell scriptblock and commandlet load monitoring. It uses the ETW provider: Microsoft-Windows-PowerShell

Contributed by mgreen27

This is a simple, un-optimized artifact that leverages Mandiant's `macos-unifiedlogs`/`unifiedlog_parser` to obtain parsed log information from macOS's Unified Log.

Contributed by weslambert

This artifact collects DNS queries for a specified duration. It can be used with an Offline Collector (which is not the case with Windows.ETW.DNS). It uses the artifact (Windows.ETW.DNS) that was built by Matt Green - @mgreen27

Contributed by DfirJos

Create an IRIS case when monitored artifacts complete with results. Adds the ClientId and FlowId as tags to the case. Adds the FQDN as an asset.

Contributed by weslambert

Query an IRIS instance for an indicator.

Contributed by weslambert

This artifact will return COM objects that auto-elevate and bypass UAC (these could potentially be used by adversaries/malware to elevate privileges), and cross-reference the class ID with a name where able.

Contributed by weslambert

This artifact will find evidence of NOBELIUM’s MagicWeb.

Contributed by mgreen27

This pack detects various artefacts left behind by default configurations of the C2 framework Sliver PsExec module.

Contributed by svch0stz

This artifact will find unscrubbed passwords in unattend.xml answer files. This file is used for non-interactive Windows installation.

Contributed by mgreen27

Quarantine a Linux host using iptables rules.

Contributed by weslambert

This artifact parses Objective-See's FileMonitor log.

Contributed by weslambert

This artifact parses Little Snitch's network traffic log.

Contributed by weslambert

This artifact will extract evidence of Ntdsutil abuse from the application eventlog. The artifact targets the string "ntds.dit" in event IDs: 216, 325, 326 and 327.

Contributed by mgreen27

Query MalwareBazaar for a hash.

Contributed by weslambert

Query ThreatFox for an indicator.

Contributed by weslambert

If configured, Sysmon EID 23: FileDelete enables archiving deleted files on disk. The challenge of this configuration is managing the archive folder, which can grow to a significant size and use up disk space.

Contributed by mgreen27

This artifact enables automatic management of the Sysmon archive folder.

Contributed by mgreen27

Sometimes flows are deleted but there is still outstanding data for them in flight. The server will continue to save this data after the flow is deleted.

Contributed by scudette

Parses several Windows Error Reporting (WER) files that contain information about crashed programs.

Contributed by svch0stz

This artifact reports suspicious WMI Event Consumers and their associated Filters that may indicate a malicious abuse for persistence.

Contributed by AmgdGocha

This hunt runs the Immersive Labs yara rule (https://github.com/Immersive-Labs-Sec/BruteRatel-DetectionTools/blob/main/BruteRatel.yar) across select files to identify the known Brute Ratel config strings.

Contributed by flukes86

Quick and dirty monitoring artifact to kill a process by Image Name. We monitor the Microsoft-Windows-Kernel-Process ETW provider and leverage taskkill to kill the process.

Contributed by mgreen27

This artifact enables monitoring for registry events of interest via the Sysmon ETW provider.

Contributed by mgreen27

Calculate the Gimphash for a Golang binary.

Contributed by weslambert

This artifact enumerates all user directories on a system and will parse three files within a user's AppData\Roaming\FileZilla directory: filezilla.xml, recentservers.xml, and queue.sqlite3.

Contributed by dkelly-r7

This is a process execution enrichment artifact that can be called from within another artifact (such as one looking at running processes) to enrich the data made available by that artifact. We are calling the EchoTrail v2 API which is still in beta.

Contributed by ecapuano

This artifact watches for completion of the `watchArtifact` and assigns the given `setLabel` if the `WHERE` condition is matched.

Contributed by scudette

[Hayabusa](https://github.com/Yamato-Security/hayabusa) is a Windows event log fast forensics timeline generator and threat hunting tool.

Contributed by ecapuano

This content will extract BITS Transfer events and enable filtering by URL and TLD.

Contributed by mgreen27

This artifact enables grep of Linux logs and targets strings observed in exploitation of CVE-2022-26134.

Contributed by mgreen27

This artifact will search Microsoft Support Diagnostic Tool logs for evidence of ms-msdt Follina exploitation (CVE-2022-30190).

Contributed by mgreen27

Enumerate all NetSh Helper DLLs.

Contributed by ecapuano

This artifact searches for logon and logoff events within Security event logs identified by Event ID 4624 and 4634. These logon/logoff events are grouped by the "TargetLogonId" field into "logon sessions". For each of these logon sessions, start, end and duration are derived.

Contributed by NorthwaveCERT

This artifact hunts for Powershell ISE autosave files and extracts ISE user config.

Contributed by mgreen27

Submit a file to Virustotal for analysis.

Contributed by weslambert

This artifact enables hunting prefetch entries for accessed files of interest.

Contributed by mgreen27

This artefact will highlight any scheduled tasks missing the Security Descriptor (SD) value in the task cache. Without this value, the task is hidden from common query methods.

Contributed by svch0stz

This artifact enables triage to detect potential time stomped files.

Contributed by mgreen27

Extracts Quarantine Files from Windows Defender.

Contributed by eduardomcm

This artifact will attempt to identify Cortex EDR that has been disabled via registry key.

Contributed by Rhysistance

This artifact parses the Windows Defender files generated on threat detection and returns the contained parameters created by Windows Defender about the detected threat.

Contributed by rmakuch

Parses Safari downloads for all standard macOS users

Contributed by Seeps

This artifact retrieves outgoing RDP session activity from the Microsoft-Windows-TerminalServices-RDPClient event logs. It aggregates sessions based on ActivityID and outputs hostname, timeframe and disconnect reasons. The latter is filled using a dict that was taken from MS Docs (see references)

Contributed by NorthwaveCERT

Windows.Office.MRU
2022-03-24

This artifact enables hunting for recently used Office Documents.

Contributed by Sam0rai

Parses Safari history database

Contributed by Seeps

This artifact parses the XML Energy Reports from the Power Efficiency Diagnostics feature of Windows, returning the processes which had high CPU usage, including which

Contributed by eduardomcm

Find hidden user accounts through registry values on the filesystem.

Contributed by eduardomcm

Parses the AnyDesk ad.trace log file.

Contributed by RHinDFIR

This artifact will extract condensed information on logon / logoff events.

Contributed by Qazeer

This artifact looks for applications that are registered and allowed for use of location services by checking the plist file in `/var/db/locationd/clients.plist`. This can be useful to help determine if these settings have been modified by an attacker to perform location tracking.

Contributed by weslambert

This artifact lists processes running as root that were spawned by processes that are not running as root. This kind of behavior is normal for things like sudo or su, but for other processes (especially /bin/bash) it could represent a process launched via CVE-2021-4034.

Contributed by scudette

This artifact leverages Windows Defender DetectionHistory tool to parse and return the parameters of Windows Defender detections contained in Detection History files.

Contributed by eduardomcm

List the WMI providers in the system.

Contributed by scudette

This artifact collects events associated with creation and deletion of WMI Event Consumers. All Event Consumers created under any namespace will generate events which are filtered on event consumer classes.

Contributed by mgreen27

Linux systems typically store audit events in syslog. In particular, successful ssh logins are especially important for some investigations.

Contributed by scudette

Parses syslog for Sysmon events on Linux using a unix domain socket.

Contributed by scudette

Find AteraNetworks configuration details in the registry. This artifact is best combined with Windows.Forensics.FilenameSearch searching for the string "atera".

Contributed by mgreen27

Exchange.Label.User
2022-01-12

This artifact watches for new client enrollments and automatically labels the client with the required label if the user exists.

Contributed by scudette


Uses the Log4Shell scanner of Lunasec to scan the file systems of all drives of the host for any sign of vulnerabilities related to Log4Shell.

Contributed by scudette

Send a message to slack when clients become enrolled.

Contributed by scudette

This artifact displays the access control lists of files.

Contributed by scudette

This artifact hunts for CVE-2021-27065 (Microsoft Exchange ProxyLogon RCE) and CVE-2021-31207 (Microsoft Exchange ProxyShell RCE) exploitation by parsing entries in the 'MSExchange Management.evtx' log.

Contributed by Seeps

The ConsentStore in CapabilityAccessManager can provide insight into what resources binaries have had access to, such as the microphone and webcam. This artefact returns non-Microsoft executables (i.e., entries listed in the `NonPackaged` path).

Contributed by scudette


This artifact searches for Vulnerable log4j libraries.

Contributed by mgreen27

Detection for exploitation attempts against log4j RCE vulnerability CVE-2021-44228.

Contributed by mgreen27

This server monitoring artifact will watch a selection of client monitoring artifacts for new events and push those to a splunk index.

Contributed by jurelou

Monitors for plug-in of a USB volume and outputs the drive letter for additional enrichment artifacts.

Contributed by mgreen27

Run yara over a USB volume when it is plugged into the machine. Returns context and hit details.

Contributed by mgreen27

Zircolite is a standalone tool that can be used to apply Sigma rules to EVTX files on endpoints in an effort to quickly parse large datasets and surface detections. You can read more about Zircolite here: https://github.com/wagga40/Zircolite. NOTE: This artifact may take several minutes to run, depending on the size of the EVTX files being analyzed.

Contributed by weslambert

Server.Findflows
2021-11-23

This artifact enables searching over client flow results with regex and returns a link to the Flow for followup.

Contributed by mgreen27

This is a simple artifact that leverages Cat-Scale to collect many different artifacts from a Linux host, then uploads the results to the Velociraptor server.

Contributed by weslambert

Execute DetectItEasy (console version) on specified paths and return rows of results to hunt/filter binaries based on file type (e.g. packed binaries and their packers).

Contributed by eduardomcm

This artifact allows you to run Atomic Red Team tests on Windows endpoints using Invoke-AtomicRedTeam. Linux and MacOS endpoints will soon be supported.

Contributed by weslambert

Parses syslog for Sysmon events on Linux

Contributed by weslambert

Analyze/transform data with CyberChef-server.

Contributed by weslambert

This artifact yara-scans memory or process dumps for unpacked SquirrelWaffle Dlls, decodes the configuration and returns the C2s and the payload.

Contributed by eduardomcm

This artifact can be used to extract all binary exports to research potential lolbins. Selecting the AllBinaryInfo tickbox will return complete Binary information.

Contributed by mgreen27

Parse Cylance logs.

Contributed by mgreen27

This artifact implements OleTools MacroRaptor capability in VQL.

Contributed by mgreen27

Windows.Bulk.File
2021-09-21

Search for some simple bulk File IOCs and upload if desired. Typical upload workflow may be to firstly search, then if returned rows match expectations rerun query with upload tickbox selected.

Contributed by mgreen27

This artifact will search the MFT for any matching filenames and return binary details. This artifact can be used to find all instances of a binary on disk, so it's great for scoping both legitimate and illegitimate files.

Contributed by mgreen27

Analyze PE, ELF, or shellcode files with capa.

Contributed by weslambert

Return Office Internet Server Cache Registry keys and values in order to identify possible C2 URLs from malicious opened Office documents.

Contributed by eduardomcm

Wget creates a HSTS log file in a user's home directory. This can contain forensically relevant information.

Contributed by scudette

This artifact will compare EventLog records and report on abnormalities in RecordID sequence and, optionally, time gaps. The artifact can be used for hunting as well as remote or local analysis.

Contributed by mgreen27

This artifact will enable both application and removal of the recommended mitigation for CVE-2021-40444.

Contributed by mgreen27

Detects Process parent spoofing such as SelectMyParent.exe or Cobalt Strike select PPID.

Contributed by scudette

This artifact leverages Chainsaw to enable usage of Sigma rules (in addition to built-in rules) to facilitate detection within Windows Event Logs.

Contributed by Wes Lambert - @therealwlambert

If on a Domain Controller (ProductType = 2), recursively enumerate membership of privileged groups, then for each user, collect details relevant to an investigation: Create Date, Last Logon, Group Membership, SID

Contributed by liteman

This artifact uses Windows.NTFS.MFT (By Matt Green - @mgreen27) to find several files created as part of the POC tooling for HiveNightmare (CVE-2021-36934):

Contributed by svch0stz

Use hollows_hunter to detect suspicious process injections.

Contributed by mgreen27

This artifact returns ETW PrintService events for potential PrintNightmare activity (CVE-2021-1675 and CVE-2021-34527).

Contributed by mgreen27

This artifact will enumerate installed PrintDrivers using the Win32_PrinterDriver wmi class and parse each DriverPath, ConfigFile and DataFile.

Contributed by mgreen27

This artifact will enable mitigation of PrintSpooler exploitation used by PrintNightmare - CVE-2021-34527 and CVE-2021-1675.

Contributed by mgreen27

Acquires a full memory image. We download LiME and use it to acquire a full memory image.

Contributed by makhno4n6

This artifact is used to create the profile for Debian / Ubuntu environments.

Contributed by makhno4n6

This artifact returns any binaries in the Windows/spool/drivers/** folders with an untrusted Authenticode entry.

Contributed by mgreen27

Create an E01 image of the C drive using FTK Imager (Command Line Version).

Contributed by eduardomcm

Windows.ETW.AMSI
2021-06-25

This artifact uses the ETW provider Microsoft-Antimalware-Scan-Interface ({2A576B87-09A7-520E-C21A-4942F0271D67}).

Contributed by mgreen27

HashRunKeys
2021-06-23

Iterate over all the run keys, locate their binary and then hash it.

Contributed by ffh571
