├── .gitattributes ├── .github └── workflows │ ├── go.yml │ ├── musl.yaml │ └── windows.yml ├── .gitignore ├── .golangci.yml ├── .wwhrd.yml ├── CLA.md ├── LICENSE ├── Makefile ├── README.md ├── accessors ├── acl.go ├── api.go ├── api_test.go ├── collector │ ├── collector.go │ ├── collector_test.go │ └── fixtures │ │ └── TestAutomaticDecryption.golden ├── data │ ├── data.go │ ├── data_test.go │ └── scope.go ├── deny.go ├── ewf │ ├── cache.go │ └── ewf.go ├── ext4 │ ├── ext4_accessor.go │ ├── ext4_accessor_linux.go │ └── utils.go ├── fat │ ├── fat_accessor.go │ └── utils.go ├── file │ ├── accessor_common.go │ ├── accessor_darwin.go │ ├── accessor_freebsd.go │ ├── accessor_linux.go │ ├── accessor_linux_test.go │ ├── accessor_test.go │ ├── auto_windows.go │ ├── fixtures │ │ └── TestLinuxSymlinks.golden │ ├── json.go │ └── os_windows.go ├── file_store │ ├── accessor.go │ ├── accessor_test.go │ ├── casing.go │ └── fixtures │ │ └── TestSparseFiles.golden ├── file_store_file_info │ └── file_info.go ├── fixtures │ ├── TestOSPathHumanString.golden │ ├── TestOSPathOperationsAppendComponents.golden │ ├── TestOSPathOperationsTrimComponents.golden │ ├── TestVQLParsing.golden │ └── TestVirtualFileInfo.golden ├── json.go ├── manager.go ├── manipulators.go ├── manipulators_test.go ├── mount.go ├── mount_test.go ├── mscfb │ ├── mscfb_accessor.go │ ├── reader.go │ └── utils.go ├── ntfs │ ├── fixtures │ │ ├── TestNTFSFilesystemAccessor.golden │ │ └── TestNTFSFilesystemAccessorRemapping.golden │ ├── mft.go │ ├── mft_test.go │ ├── ntfs_accessor.go │ ├── ntfs_accessor_test.go │ ├── ntfs_accessor_windows.go │ ├── ntfs_cache.go │ ├── readers │ │ ├── ntfs_reader.go │ │ └── tracker.go │ └── vss.go ├── offset │ ├── offset.go │ └── offset_test.go ├── pathspec.go ├── pipe │ └── pipe.go ├── process │ ├── doc.go │ ├── process_address_space.go │ ├── process_address_space_darwin.go │ ├── process_address_space_darwin_nocgo.go │ ├── process_address_space_linux.go │ └── 
process_address_space_windows.go ├── protocols.go ├── pst │ ├── cache.go │ ├── doc.go │ └── pst_accessor.go ├── raw_file │ └── raw_file.go ├── raw_registry │ ├── cache.go │ ├── fixtures │ │ └── TestAccessorRawReg.golden │ ├── lru.go │ ├── raw_registry.go │ ├── raw_registry_test.go │ └── value_buffer.go ├── registry │ ├── cache.go │ ├── doc.go │ ├── fixtures │ │ └── TestRegistrtFilesystemAccessor.golden │ ├── lru.go │ ├── registry_windows.go │ ├── registry_windows_test.go │ └── values.go ├── s3 │ ├── docs.go │ ├── file_info.go │ ├── reader.go │ ├── s3.go │ └── session.go ├── scope.go ├── smb │ ├── cache.go │ ├── manipulator.go │ └── smb.go ├── sparse │ ├── ranged.go │ ├── sparse.go │ └── sparse_test.go ├── ssh │ ├── file_info.go │ ├── session.go │ └── ssh.go ├── utils.go ├── vfs │ ├── fixtures │ │ └── TestVFSAccessor.golden │ ├── vfs.go │ └── vfs_test.go ├── vhdx │ ├── cache.go │ └── vhdx.go ├── virtual.go ├── virtual_test.go ├── vmdk │ ├── cache.go │ └── vmdk.go ├── vql_arg_parser.go ├── vql_arg_parser_test.go ├── winpmem │ ├── logger.go │ └── winpmem.go └── zip │ ├── accessor.go │ ├── fixtures │ ├── TestReferenceCount.golden │ └── TestReferenceCountNested.golden │ ├── gzip.go │ ├── gzip_test.go │ ├── me.go │ ├── zip.go │ └── zip_test.go ├── acls ├── acls.go ├── api.go ├── lockdown.go ├── policy.go ├── proto │ ├── acl.pb.go │ └── acl.proto ├── roles.go └── utils.go ├── actions ├── client_info.go ├── events.go ├── events_test.go ├── progress.go ├── proto │ ├── transport.pb.go │ ├── transport.proto │ ├── vql.pb.go │ └── vql.proto ├── query_log.go ├── test_data │ ├── client.config.yaml │ └── hello.txt ├── tracker.go ├── vql.go └── vql_test.go ├── api ├── api.go ├── artifacts.go ├── assets.go ├── auth.go ├── authenticators │ ├── auth.go │ ├── azure.go │ ├── basic.go │ ├── certs.go │ ├── claims.go │ ├── common.go │ ├── github.go │ ├── google.go │ ├── http.go │ ├── ip_filter.go │ ├── logging.go │ ├── multiple.go │ ├── oidc.go │ ├── oidc_cognito.go │ ├── orgs.go │ ├── 
saml.go │ ├── template.go │ └── users.go ├── builder.go ├── clients.go ├── csrf.go ├── datastore.go ├── datastore_test.go ├── docs.go ├── download.go ├── events.go ├── events_test.go ├── filesearch.go ├── fixtures │ ├── TestBasicAuthenticator.golden │ ├── TestDatastore.golden │ └── TestMultiAuthenticator.golden ├── flows.go ├── handlers.go ├── health.go ├── hunts.go ├── instrument.go ├── mock │ ├── api_mock.go │ └── gen.go ├── notebooks.go ├── proto │ ├── api.pb.go │ ├── api.pb.gw.go │ ├── api.proto │ ├── api_grpc.pb.go │ ├── artifacts.pb.go │ ├── artifacts.proto │ ├── clients.pb.go │ ├── clients.proto │ ├── completions.pb.go │ ├── completions.proto │ ├── csv.pb.go │ ├── csv.proto │ ├── datastore.pb.go │ ├── datastore.proto │ ├── download.pb.go │ ├── download.proto │ ├── flows.pb.go │ ├── flows.proto │ ├── health.pb.go │ ├── health.proto │ ├── hunts.pb.go │ ├── hunts.proto │ ├── notebooks.pb.go │ ├── notebooks.proto │ ├── objects.pb.go │ ├── objects.proto │ ├── orgs.pb.go │ ├── orgs.proto │ ├── scheduler.pb.go │ ├── scheduler.proto │ ├── secrets.pb.go │ ├── secrets.proto │ ├── server_state.pb.go │ ├── server_state.proto │ ├── timeline_api.pb.go │ ├── timeline_api.proto │ ├── users.pb.go │ ├── users.proto │ ├── vfs_api.pb.go │ └── vfs_api.proto ├── proxy.go ├── proxy_test.go ├── query.go ├── reflect.go ├── reformat.go ├── replication.go ├── reports.go ├── scheduler.go ├── secrets.go ├── static.go ├── status.go ├── tables │ ├── doc.go │ ├── notebooks.go │ ├── table.go │ └── timelines.go ├── timelines.go ├── tools.go ├── upload.go ├── users.go ├── utils │ ├── grpc.go │ ├── mux.go │ └── utils.go ├── vfs.go └── vql.go ├── artifacts ├── assets │ ├── .gitignore │ └── docs.go ├── b0x.yaml ├── definitions │ ├── Admin │ │ ├── Client │ │ │ ├── Remove.yaml │ │ │ ├── Uninstall.yaml │ │ │ ├── UpdateClientConfig.yaml │ │ │ └── Upgrade │ │ │ │ ├── Debian.yaml │ │ │ │ ├── RedHat.yaml │ │ │ │ └── Windows.yaml │ │ └── Events │ │ │ └── PostProcessUploads.yaml │ ├── Demo │ │ └── 
Plugins │ │ │ ├── Fifo.yaml │ │ │ └── GUI.yaml │ ├── Elastic │ │ ├── EventLogs │ │ │ └── Sysmon.yaml │ │ ├── Events │ │ │ └── Upload.yaml │ │ └── Flows │ │ │ └── Upload.yaml │ ├── Generic │ │ ├── Applications │ │ │ ├── Chrome │ │ │ │ └── SessionStorage.yaml │ │ │ └── Office │ │ │ │ └── Keywords.yaml │ │ ├── Client │ │ │ ├── CleanupTemp.yaml │ │ │ ├── DiskSpace.yaml │ │ │ ├── DiskUsage.yaml │ │ │ ├── Info.yaml │ │ │ ├── LocalLogs.yaml │ │ │ ├── LocalLogsRetrieve.yaml │ │ │ ├── Profile.yaml │ │ │ ├── Rekey.yaml │ │ │ ├── Stats.yaml │ │ │ ├── Trace.yaml │ │ │ └── VQL.yaml │ │ ├── Collectors │ │ │ ├── File.yaml │ │ │ ├── SQLECmd.csv │ │ │ └── SQLECmd.yaml │ │ ├── Detection │ │ │ ├── HashHunter.yaml │ │ │ ├── Logs.yaml │ │ │ └── Yara │ │ │ │ ├── Glob.yaml │ │ │ │ └── Zip.yaml │ │ ├── Forensic │ │ │ ├── Carving │ │ │ │ └── URLs.yaml │ │ │ ├── HashLookup.yaml │ │ │ ├── LocalHashes │ │ │ │ ├── Glob.yaml │ │ │ │ ├── Init.yaml │ │ │ │ └── Query.yaml │ │ │ ├── SQLiteHunter.yaml │ │ │ └── Timeline.yaml │ │ ├── Network │ │ │ └── InterfaceAddresses.yaml │ │ ├── System │ │ │ ├── EfiSignatures.yaml │ │ │ ├── HostsFile.yaml │ │ │ ├── ProcessSiblings.yaml │ │ │ └── Pstree.yaml │ │ └── Utils │ │ │ └── FetchBinary.yaml │ ├── Linux │ │ ├── Applications │ │ │ ├── Chrome │ │ │ │ ├── Extensions.yaml │ │ │ │ └── Extensions │ │ │ │ │ └── Upload.yaml │ │ │ └── Docker │ │ │ │ ├── Info.yaml │ │ │ │ └── Version.yaml │ │ ├── Debian │ │ │ ├── AptSources.yaml │ │ │ └── Packages.yaml │ │ ├── Detection │ │ │ ├── AnomalousFiles.yaml │ │ │ └── Yara │ │ │ │ └── Process.yaml │ │ ├── Events │ │ │ ├── DNS.yaml │ │ │ ├── EBPF.yaml │ │ │ ├── HTTPConnections.yaml │ │ │ ├── Journal.yaml │ │ │ ├── ProcessExecutions.yaml │ │ │ ├── SSHBruteforce.yaml │ │ │ ├── SSHLogin.yaml │ │ │ └── TrackProcesses.yaml │ │ ├── Forensics │ │ │ ├── ImmutableFiles.yaml │ │ │ └── Journal.yaml │ │ ├── Mounts.yaml │ │ ├── Network │ │ │ ├── Netstat.yaml │ │ │ ├── NetstatEnriched.yaml │ │ │ └── PacketCapture.yaml │ │ ├── OSQuery │ │ │ 
└── Generic.yaml │ │ ├── Proc │ │ │ ├── Arp.yaml │ │ │ └── Modules.yaml │ │ ├── RHEL │ │ │ └── Packages.yaml │ │ ├── Remediation │ │ │ └── Quarantine.yaml │ │ ├── Search │ │ │ └── FileFinder.yaml │ │ ├── Ssh │ │ │ ├── AuthorizedKeys.yaml │ │ │ ├── KnownHosts.yaml │ │ │ └── PrivateKeys.yaml │ │ ├── SuSE │ │ │ └── Packages.yaml │ │ ├── Sys │ │ │ ├── ACPITables.yaml │ │ │ ├── BashHistory.yaml │ │ │ ├── BashShell.yaml │ │ │ ├── CPUTime.yaml │ │ │ ├── Crontab.yaml │ │ │ ├── Groups.yaml │ │ │ ├── LastUserLogin.yaml │ │ │ ├── LogGrep.yaml │ │ │ ├── LogHunter.yaml │ │ │ ├── Maps.yaml │ │ │ ├── Pslist.yaml │ │ │ ├── SUID.yaml │ │ │ ├── Services.yaml │ │ │ └── Users.yaml │ │ ├── Syslog │ │ │ └── SSHLogin.yaml │ │ ├── Triage │ │ │ └── ProcessMemory.yaml │ │ ├── Users │ │ │ ├── InteractiveUsers.yaml │ │ │ └── RootUsers.yaml │ │ └── Utils │ │ │ └── InstallDeb.yaml │ ├── LogScale │ │ ├── Events │ │ │ └── Clients.yaml │ │ └── Flows │ │ │ └── Upload.yaml │ ├── MacOS │ │ ├── Applications │ │ │ ├── Chrome │ │ │ │ └── History.yaml │ │ │ └── MRU.yaml │ │ ├── Detection │ │ │ ├── Autoruns.yaml │ │ │ └── InstallHistory.yaml │ │ ├── Forensics │ │ │ ├── AppleDoubleZip.yaml │ │ │ └── FSEvents.yaml │ │ ├── Network │ │ │ ├── Netstat.yaml │ │ │ └── PacketCapture.yaml │ │ ├── OSQuery │ │ │ └── Generic.yaml │ │ ├── Search │ │ │ └── FileFinder.yaml │ │ └── System │ │ │ ├── Dock.yaml │ │ │ ├── Packages.yaml │ │ │ ├── Plist.yaml │ │ │ ├── QuarantineEvents.yaml │ │ │ ├── TCC.yaml │ │ │ ├── TimeMachine.yaml │ │ │ ├── Users.yaml │ │ │ └── Wifi.yaml │ ├── Network │ │ └── ExternalIpAddress.yaml │ ├── Notebooks │ │ ├── Default.yaml │ │ ├── Demo.yaml │ │ ├── Sigma │ │ │ └── Studio.yaml │ │ ├── Timelines.yaml │ │ └── VQLx2.yaml │ ├── Reporting │ │ ├── Default.yaml │ │ └── Hunts │ │ │ └── Details.yaml │ ├── Server │ │ ├── Alerts │ │ │ ├── Notification.yaml │ │ │ ├── ProcessCreation.yaml │ │ │ ├── PsExec.yaml │ │ │ ├── TheHive │ │ │ │ ├── Alert.yaml │ │ │ │ └── Case.yaml │ │ │ ├── Trackaccount.yaml │ │ │ └── 
WinPmem.yaml │ │ ├── Audit │ │ │ └── Logs.yaml │ │ ├── Enrichment │ │ │ ├── CortexAnalyzer.yaml │ │ │ ├── Elasticsearch,yaml │ │ │ ├── GeoIP.yaml │ │ │ ├── GeoIPISP.yaml │ │ │ ├── GreyNoise.yaml │ │ │ ├── HybridAnalysis.yaml │ │ │ └── Virustotal.yaml │ │ ├── Hunts │ │ │ ├── AddFlow.yaml │ │ │ ├── CancelAndDelete.yaml │ │ │ ├── List.yaml │ │ │ └── Results.yaml │ │ ├── Import │ │ │ ├── ArtifactExchange.yaml │ │ │ ├── CuratedSigma.yaml │ │ │ ├── DeleteArtifacts.yaml │ │ │ ├── PreviousReleases.yaml │ │ │ ├── Rapid7Labs.yaml │ │ │ ├── RegistryHunter.yaml │ │ │ └── UpdatedBuiltin.yaml │ │ ├── Information │ │ │ ├── Clients.yaml │ │ │ └── Users.yaml │ │ ├── Internal │ │ │ ├── Alerts.yaml │ │ │ ├── ArtifactDescription.yaml │ │ │ ├── ArtifactModification.yaml │ │ │ ├── ClientConflict.yaml │ │ │ ├── ClientDelete.yaml │ │ │ ├── ClientInfo.yaml │ │ │ ├── ClientInfoSnapshot.yaml │ │ │ ├── ClientPing.yaml │ │ │ ├── ClientScheduled.yaml │ │ │ ├── ClientTasks.yaml │ │ │ ├── Enrollment.yaml │ │ │ ├── FrontendMetrics.yaml │ │ │ ├── HuntModification.yaml │ │ │ ├── HuntUpdate.yaml │ │ │ ├── Interrogate.yaml │ │ │ ├── Interrogation.yaml │ │ │ ├── Inventory.yaml │ │ │ ├── Label.yaml │ │ │ ├── MasterRegistrations.yaml │ │ │ ├── MetadataModifications.yaml │ │ │ ├── Notifications.yaml │ │ │ ├── Ping.yaml │ │ │ ├── Pong.yaml │ │ │ ├── TimelineAdd.yaml │ │ │ ├── ToolDependencies.tmpl │ │ │ ├── ToolDependencies.yaml │ │ │ ├── UserManager.yaml │ │ │ └── Welcome.yaml │ │ ├── Monitor │ │ │ ├── ClientConflict.yaml │ │ │ ├── Health.yaml │ │ │ ├── Profile.yaml │ │ │ ├── Shell.yaml │ │ │ └── VeloMetrics.yaml │ │ ├── Monitoring │ │ │ ├── ClientCount.yaml │ │ │ ├── ScheduleHunt.yaml │ │ │ └── TimesketchUpload.yaml │ │ ├── Orgs │ │ │ ├── ListOrgs.yaml │ │ │ └── NewOrg.yaml │ │ ├── Powershell │ │ │ └── EncodedCommand.yaml │ │ ├── Slack │ │ │ └── Clients │ │ │ │ └── Online.yaml │ │ └── Utils │ │ │ ├── AddTimeline.yaml │ │ │ ├── AddUser.yaml │ │ │ ├── BackupDirectory.yaml │ │ │ ├── BackupGCS.yaml │ │ │ ├── 
BackupS3.yaml │ │ │ ├── CancelHunt.yaml │ │ │ ├── CollectClient.yaml │ │ │ ├── CreateCollector.yaml │ │ │ ├── CreateMSI.yaml │ │ │ ├── DeleteClient.yaml │ │ │ ├── DeleteEvents.yaml │ │ │ ├── DeleteFavoriteFlow.yaml │ │ │ ├── DeleteFlow.yaml │ │ │ ├── DeleteManyFlows.yaml │ │ │ ├── DeleteMonitoringData.yaml │ │ │ ├── DeleteNotebook.yaml │ │ │ ├── ImportCollection.yaml │ │ │ ├── KillClient.yaml │ │ │ ├── ListUsers.yaml │ │ │ ├── RemoveTimeline.yaml │ │ │ ├── SaveFavoriteFlow.yaml │ │ │ ├── StartHuntExample.yaml │ │ │ ├── TimesketchUpload.yaml │ │ │ └── UploadTools.yaml │ ├── Splunk │ │ └── Flows │ │ │ └── Upload.yaml │ ├── System │ │ ├── Flow │ │ │ ├── Archive.yaml │ │ │ └── Completion.yaml │ │ ├── Hunt │ │ │ ├── Archive.yaml │ │ │ ├── Creation.yaml │ │ │ └── Participation.yaml │ │ ├── Upload │ │ │ └── Completion.yaml │ │ └── VFS │ │ │ ├── DownloadFile.yaml │ │ │ ├── Export.yaml │ │ │ └── ListDirectory.yaml │ ├── Triage │ │ └── Collection │ │ │ ├── Upload.yaml │ │ │ └── UploadTable.yaml │ └── Windows │ │ ├── ActiveDirectory │ │ └── BloodHound.yaml │ │ ├── Analysis │ │ ├── EvidenceOfDownload.yaml │ │ └── EvidenceOfExecution.yaml │ │ ├── Applications │ │ ├── ChocolateyPackages.yaml │ │ ├── Chrome │ │ │ ├── Cookies.yaml │ │ │ ├── Extensions.yaml │ │ │ └── History.yaml │ │ ├── Edge │ │ │ ├── Favicons.yaml │ │ │ └── History.yaml │ │ ├── Firefox │ │ │ ├── Downloads.yaml │ │ │ └── History.yaml │ │ ├── IISLogs.yaml │ │ ├── MegaSync.yaml │ │ ├── NirsoftBrowserViewer.yaml │ │ ├── OfficeMacros.yaml │ │ ├── SBECmd.yaml │ │ └── TeamViewer │ │ │ └── Incoming.yaml │ │ ├── Attack │ │ ├── ParentProcess.yaml │ │ ├── Prefetch.yaml │ │ └── UnexpectedImagePath.yaml │ │ ├── Carving │ │ ├── CobaltStrike.yaml │ │ └── USN.yaml │ │ ├── Detection │ │ ├── Amcache.yaml │ │ ├── BinaryHunter.yaml │ │ ├── BinaryRename.yaml │ │ ├── EnvironmentVariables.yaml │ │ ├── ForwardedImports.yaml │ │ ├── Impersonation.yaml │ │ ├── Mutants.yaml │ │ ├── ProcessCreation.yaml │ │ ├── PsexecService.yaml │ │ ├── 
PsexecService │ │ │ └── Kill.yaml │ │ ├── Registry.yaml │ │ ├── Service │ │ │ └── Upload.yaml │ │ ├── TemplateInjection.yaml │ │ ├── Thumbdrives │ │ │ ├── List.yaml │ │ │ ├── OfficeKeywords.yaml │ │ │ └── OfficeMacros.yaml │ │ ├── Usn.yaml │ │ ├── WMIProcessCreation.yaml │ │ └── Yara │ │ │ ├── Device.yaml │ │ │ ├── NTFS.yaml │ │ │ ├── PhysicalMemory.yaml │ │ │ ├── Process.yaml │ │ │ └── UEFI.yaml │ │ ├── ETW │ │ ├── DNS.yaml │ │ ├── DNSQueriesServer.yaml │ │ ├── DotNetRundown.yaml │ │ ├── ETWSessions.yaml │ │ ├── EdgeURLs.yaml │ │ ├── KernelFile.yaml │ │ ├── KernelNetwork.yaml │ │ ├── KernelProcess.yaml │ │ ├── Registry.yaml │ │ ├── ViewSessions.yaml │ │ └── WMIProcessCreate.yaml │ │ ├── EventLogs │ │ ├── AlternateLogon.yaml │ │ ├── Cleared.yaml │ │ ├── DHCP.yaml │ │ ├── Evtx.yaml │ │ ├── EvtxHunter.yaml │ │ ├── ExplicitLogon.yaml │ │ ├── Kerberoasting.yaml │ │ ├── Modifications.yaml │ │ ├── PowershellModule.yaml │ │ ├── PowershellScriptblock.yaml │ │ ├── RDPAuth.yaml │ │ ├── ScheduledTasks.yaml │ │ ├── ServiceCreationComspec.yaml │ │ ├── Symantec.yaml │ │ └── Telerik.yaml │ │ ├── Events │ │ ├── EventLogModifications.yaml │ │ ├── FailedLogBeforeSuccess.yaml │ │ ├── Kerberoasting.yaml │ │ ├── Mutants.yaml │ │ ├── ProcessCreation.yaml │ │ ├── ServiceCreation.yaml │ │ ├── TrackProcesses.yaml │ │ ├── TrackProcessesBasic.yaml │ │ └── Trackaccount.yaml │ │ ├── Forensics │ │ ├── Bam.yaml │ │ ├── BulkExtractor.yaml │ │ ├── CertUtil.yaml │ │ ├── FilenameSearch.yaml │ │ ├── JumpLists.yaml │ │ ├── Lnk.yaml │ │ ├── LocalHashes │ │ │ └── Usn.yaml │ │ ├── PartitionTable.yaml │ │ ├── Prefetch.yaml │ │ ├── Pst.yaml │ │ ├── RDPCache.yaml │ │ ├── RecentApps.yaml │ │ ├── RecycleBin.yaml │ │ ├── SAM.yaml │ │ ├── SRUM.yaml │ │ ├── Shellbags.yaml │ │ ├── SolarwindsSunburst.yaml │ │ ├── Timeline.yaml │ │ ├── UEFI.yaml │ │ ├── UserAccessLogs.yaml │ │ └── Usn.yaml │ │ ├── KapeFiles │ │ ├── Extract.yaml │ │ ├── Remapping.yaml │ │ └── Targets.yaml │ │ ├── Memory │ │ ├── Acquisition.yaml │ │ 
├── Intezer.yaml │ │ ├── PEDump.yaml │ │ ├── ProcessDump.yaml │ │ └── ProcessInfo.yaml │ │ ├── NTFS │ │ ├── ADSHunter.yaml │ │ ├── ExtendedAttributes.yaml │ │ ├── I30.yaml │ │ ├── MFT.yaml │ │ └── Recover.yaml │ │ ├── Network │ │ ├── ArpCache.yaml │ │ ├── ListeningPorts.yaml │ │ ├── Netstat.yaml │ │ ├── NetstatEnriched.yaml │ │ └── PacketCapture.yaml │ │ ├── OSQuery │ │ └── Generic.yaml │ │ ├── Packs │ │ ├── LateralMovement.yaml │ │ └── Persistence.yaml │ │ ├── Persistence │ │ ├── Debug.yaml │ │ ├── PermanentWMIEvents.yaml │ │ ├── PowershellProfile.yaml │ │ ├── PowershellRegistry.yaml │ │ ├── SilentProcessExit │ │ └── Wow64cpu.yaml │ │ ├── Registry │ │ ├── AppCompatCache.yaml │ │ ├── BackupRestore.yaml │ │ ├── EnableUnsafeClientMailRules.yaml │ │ ├── EnabledMacro.yaml │ │ ├── MountPoints2.yaml │ │ ├── NTUser.yaml │ │ ├── NTUser │ │ │ └── Upload.yaml │ │ ├── PortProxy.yaml │ │ ├── PuttyHostKeys.yaml │ │ ├── RDP.yaml │ │ ├── RecentDocs.yaml │ │ ├── Sysinternals │ │ │ └── Eulacheck.yaml │ │ ├── UserAssist.yaml │ │ └── WDigest.yaml │ │ ├── Remediation │ │ ├── Quarantine.yaml │ │ ├── QuarantineMonitor.yaml │ │ ├── ScheduledTasks.yaml │ │ └── Sinkhole.yaml │ │ ├── Search │ │ ├── FileFinder.yaml │ │ ├── SMBFileFinder.yaml │ │ ├── VSS.yaml │ │ ├── WSLFileFinder.yaml │ │ └── Yara.yaml │ │ ├── Sigma │ │ └── EventLogs.yaml │ │ ├── Sys │ │ ├── AllUsers.yaml │ │ ├── AppcompatShims.yaml │ │ ├── CertificateAuthorities.yaml │ │ ├── DiskInfo.yaml │ │ ├── Drivers.yaml │ │ ├── FirewallRules.yaml │ │ ├── Interfaces.yaml │ │ ├── PhysicalMemoryRanges.yaml │ │ ├── Programs.yaml │ │ ├── StartupItems.yaml │ │ └── Users.yaml │ │ ├── Sysinternals │ │ ├── Autoruns.yaml │ │ ├── SysmonInstall.yaml │ │ └── SysmonLogForward.yaml │ │ ├── System │ │ ├── Amcache.yaml │ │ ├── AuditPolicy.yaml │ │ ├── CatFiles.yaml │ │ ├── CmdShell.yaml │ │ ├── CriticalServices.yaml │ │ ├── DLLs.yaml │ │ ├── DNSCache.yaml │ │ ├── DomainRole.yaml │ │ ├── Handles.yaml │ │ ├── HostsFile.yaml │ │ ├── LocalAdmins.yaml │ │ 
├── PowerShell.yaml │ │ ├── Powershell │ │ │ ├── ModuleAnalysisCache.yaml │ │ │ └── PSReadline.yaml │ │ ├── Pslist.yaml │ │ ├── RootCAStore.yaml │ │ ├── SVCHost.yaml │ │ ├── Services.yaml │ │ ├── Shares.yaml │ │ ├── Signers.yaml │ │ ├── TaskScheduler.yaml │ │ ├── UntrustedBinaries.yaml │ │ ├── VAD.yaml │ │ ├── VBScript.yaml │ │ └── WMIQuery.yaml │ │ ├── Timeline │ │ ├── MFT.yaml │ │ ├── Prefetch.yaml │ │ └── Registry │ │ │ └── RunMRU.yaml │ │ └── Triage │ │ └── SDS.yaml ├── obfuscation.go ├── proto │ ├── artifact.pb.go │ └── artifact.proto ├── testdata │ ├── files │ │ ├── 1.lnk │ │ ├── 3DBuilder.ResourceResolver.exe │ │ ├── 5f7b5f1e01b83767.automaticDestinations-ms │ │ ├── Amcache.hve │ │ ├── AppCompatCache │ │ │ ├── README.txt │ │ │ ├── Win10Creators_trunc.bin │ │ │ ├── Win10_trunc.bin │ │ │ ├── Win80_trunc.bin │ │ │ └── Win81_trunc.bin │ │ ├── CSDump.bin │ │ ├── CSSectionPE.zip.xor │ │ ├── CSShellcode.zip.xor │ │ ├── CSsectionStager.zip.xor │ │ ├── CSx86sleep.bin │ │ ├── ChromeHistory.sqlite │ │ ├── Collection-WIN-E5K9RC5GU23-2021-11-21T18_05_56-08_00.zip │ │ ├── Connection_incoming.txt │ │ ├── Current.mdb │ │ ├── DE_104_system_log_cleared.evtx │ │ ├── EID4103_PowershellModule.evtx │ │ ├── EID4104_PowershellScriptblock.evtx │ │ ├── EID4769_Kerberoasting.evtx │ │ ├── MBR │ │ ├── ModuleAnalysisCache │ │ ├── RDPAuth_LocalSessionManager.evtx │ │ ├── RDPAuth_RemoteConnectionManager.evtx │ │ ├── RDPAuth_Security.evtx │ │ ├── RDPAuth_System.evtx │ │ ├── SAM │ │ ├── SPApplicationsDataType.json │ │ ├── SecurityTasks.evtx │ │ ├── Security_1_record.evtx │ │ ├── Session Storage.zip │ │ ├── SystemIdentity.mdb │ │ ├── TaskScheduler.evtx │ │ ├── UsrClass.dat │ │ ├── VELOCIRAPTOR.EXE-DB95245D.pf │ │ ├── access.log │ │ ├── com.apple.dock.plist │ │ ├── compressedpe.zip │ │ ├── csv │ │ │ ├── autoruns.csv │ │ │ ├── bad.csv │ │ │ ├── exchange.log │ │ │ └── iis.log │ │ ├── debian │ │ │ ├── .gitattributes │ │ │ ├── au.archive.ubuntu.com_ubuntu_dists_jammy_InRelease │ │ │ ├── snaps.json 
│ │ │ ├── sources.list │ │ │ │ ├── misc.sources │ │ │ │ ├── osquery.list │ │ │ │ └── sources.list │ │ │ └── status │ │ ├── efi │ │ │ ├── db.bin │ │ │ └── dbx.bin │ │ ├── encrypted_collector_password.zip │ │ ├── encrypted_collector_pki.zip │ │ ├── evtx │ │ │ ├── Microsoft-Windows-Sysmon%4Operational.evtx │ │ │ └── proc_creation_win_whoami_as_system.yml │ │ ├── ext4_tests.zip │ │ ├── fat_very_small.dd │ │ ├── fs_events_00000000007cff3d │ │ ├── fs_events_000000002fc5e551 │ │ ├── goodbye.bz2 │ │ ├── hello.zip │ │ ├── hi.gz │ │ ├── history.sqlite │ │ ├── hosts │ │ ├── infected.zip.xor │ │ ├── keys │ │ │ ├── EncryptedRSAKeyPair.pem │ │ │ ├── UnencryptedED25519KeyPair.pem │ │ │ ├── UnencryptedRSAKeyPair.pem │ │ │ ├── encrypted.key.pem │ │ │ ├── pkcs8_encryped.pem │ │ │ ├── pkcs8_unencryped.pem │ │ │ └── unencrypted.key.pem │ │ ├── lines.txt │ │ ├── linux │ │ │ ├── authorized_keys │ │ │ ├── group │ │ │ └── passwd │ │ ├── logo.zip │ │ ├── malware.zip.xor │ │ ├── memory │ │ │ ├── 9604 │ │ │ └── 9604.idx │ │ ├── nested.zip │ │ ├── notnbt.exe │ │ ├── ntexe.cat │ │ ├── ntuser.dat │ │ ├── password.txt.lnk │ │ ├── pst │ │ │ └── Outlook.pst │ │ ├── root_store_reg.bin │ │ ├── system.journal.zip │ │ ├── tar_test.tgz │ │ ├── test.docx │ │ ├── test.elf │ │ ├── test.ntfs.dd │ │ ├── test.ntfs.dd.E01 │ │ ├── test.odt │ │ ├── test.vhdx.zip │ │ ├── test.yarac │ │ ├── test.zip │ │ ├── unencrypted_collector.zip │ │ ├── vagrant.plist │ │ ├── winpmem_x64.sys │ │ ├── wkscli.dll │ │ ├── wtmp.1 │ │ ├── yara_test.txt │ │ └── {03A01CC5-91BB-4936-B685-63697785D39E}.mdb │ ├── manual │ │ ├── Custom.Test.Artifact.Deps.yaml │ │ ├── Custom.Test.Artifact.Types.yaml │ │ ├── Error.yaml │ │ ├── MultiColumns.yaml │ │ ├── README │ │ ├── Server.Sleep.yaml │ │ ├── Sleep.yaml │ │ ├── Test.Crash.yaml │ │ ├── Test.Sparse.yaml │ │ ├── TestLog.yaml │ │ ├── Upload.Limits.yaml │ │ └── Work.yaml │ ├── server │ │ ├── .gitignore │ │ ├── README.txt │ │ ├── client_idx │ │ │ ├── all │ │ │ │ └── c.4 │ │ │ │ │ └── f5e │ │ │ │ 
│ └── 52a │ │ │ │ │ └── df0 │ │ │ │ │ └── a33 │ │ │ │ │ └── 7a9 │ │ │ │ │ └── C.4f5e52adf0a337a9.db │ │ │ ├── des │ │ │ │ └── kto │ │ │ │ │ └── p-6 │ │ │ │ │ └── cbj │ │ │ │ │ └── 8mj │ │ │ │ │ └── c.4 │ │ │ │ │ └── f5e │ │ │ │ │ └── 52a │ │ │ │ │ └── df0 │ │ │ │ │ └── a33 │ │ │ │ │ └── 7a9 │ │ │ │ │ └── C.4f5e52adf0a337a9.db │ │ │ └── hos │ │ │ │ └── t%3Ad │ │ │ │ └── esk │ │ │ │ └── top │ │ │ │ └── -6c │ │ │ │ └── bj8 │ │ │ │ └── mjc │ │ │ │ └── %2E4f │ │ │ │ └── 5e5 │ │ │ │ └── 2ad │ │ │ │ └── f0a │ │ │ │ └── 337 │ │ │ │ └── a9 │ │ │ │ └── C.4f5e52adf0a337a9.db │ │ ├── clients │ │ │ ├── .gitignore │ │ │ ├── C.4f5e52adf0a337a9.db │ │ │ └── C.4f5e52adf0a337a9 │ │ │ │ ├── artifacts │ │ │ │ ├── System.VFS.ListDirectory │ │ │ │ │ ├── F.BN2HJBD1R85EA.json │ │ │ │ │ └── F.BN2HJBD1R85EA.json.index │ │ │ │ ├── Windows.Applications.ChocolateyPackages │ │ │ │ │ ├── F.BN2HP3OSS3LK6.csv │ │ │ │ │ └── F.BN2HP3OSS3LK6.json │ │ │ │ └── Windows.Network.NetstatEnriched │ │ │ │ │ └── F.BSJMEJIPT6P9I │ │ │ │ │ └── Netstat.json │ │ │ │ ├── collections │ │ │ │ ├── F.BN21C7HOQ10VQ.db │ │ │ │ ├── F.BN21C7HOQ10VQ │ │ │ │ │ ├── logs │ │ │ │ │ └── task.db │ │ │ │ ├── F.BN2HJBD1R85EA.db │ │ │ │ ├── F.BN2HJBD1R85EA │ │ │ │ │ ├── logs.json │ │ │ │ │ ├── logs.json.index │ │ │ │ │ ├── task.db │ │ │ │ │ ├── uploads.json │ │ │ │ │ ├── uploads.json.index │ │ │ │ │ └── uploads │ │ │ │ │ │ └── sparse │ │ │ │ │ │ ├── X.txt │ │ │ │ │ │ └── X.txt.idx │ │ │ │ ├── F.BN2HJCPOF5U7U.db │ │ │ │ ├── F.BN2HJCPOF5U7U │ │ │ │ │ ├── logs │ │ │ │ │ ├── task.db │ │ │ │ │ ├── uploads.json │ │ │ │ │ └── uploads │ │ │ │ │ │ └── file │ │ │ │ │ │ └── C%3A │ │ │ │ │ │ └── 1.zip │ │ │ │ ├── F.BN2HP3OSS3LK6.db │ │ │ │ ├── F.BN2HP3OSS3LK6 │ │ │ │ │ ├── logs.json │ │ │ │ │ └── task.db │ │ │ │ ├── F.BSJMEJIPT6P9I.json.db │ │ │ │ ├── F.BSJMEJIPT6P9I │ │ │ │ │ ├── logs.json │ │ │ │ │ ├── stats.json.db │ │ │ │ │ └── task.db │ │ │ │ ├── F.Monitoring.db │ │ │ │ └── F.Monitoring │ │ │ │ │ └── logs │ │ │ │ ├── key.db │ │ │ │ ├── 
monitoring │ │ │ │ ├── Generic.Client.Stats │ │ │ │ │ ├── 2021-12-07.json │ │ │ │ │ └── 2021-12-07.json.tidx │ │ │ │ └── Windows.Events.ProcessCreation │ │ │ │ │ ├── 2019-10-25.json │ │ │ │ │ └── 2019-10-25.json.tidx │ │ │ │ ├── monitoring_logs │ │ │ │ └── Generic.Client.Stats │ │ │ │ │ ├── 2021-12-07.json │ │ │ │ │ └── 2021-12-07.json.tidx │ │ │ │ ├── ping.json.db │ │ │ │ ├── vfs │ │ │ │ ├── file.db │ │ │ │ ├── file │ │ │ │ │ └── C%3A.db │ │ │ │ ├── ntfs.db │ │ │ │ └── ntfs │ │ │ │ │ └── C%3A.db │ │ │ │ └── vfs_files │ │ │ │ └── file │ │ │ │ └── C%3A │ │ │ │ └── 1.zip.db │ │ ├── downloads │ │ │ └── .gitignore │ │ ├── hunt_index │ │ │ └── h.49ba8939 │ │ │ │ └── C.4f5e52adf0a337a9.db │ │ ├── hunts │ │ │ ├── H.19c0c0a2.db │ │ │ ├── H.19c0c0a2 │ │ │ │ ├── notebook │ │ │ │ │ └── N.H.19c0c0a2 │ │ │ │ │ │ └── NC.BUURUOMSSMJ5I │ │ │ │ │ │ ├── query_1.json │ │ │ │ │ │ └── query_1.json.index │ │ │ │ └── stats.db │ │ │ ├── H.49ba8939.db │ │ │ ├── H.49ba8939.json │ │ │ └── H.49ba8939 │ │ │ │ └── stats.db │ │ ├── notebooks │ │ │ ├── N.CG74N2JSSV75S.json.db │ │ │ └── N.CG74N2JSSV75S │ │ │ │ ├── NC.CG74N2HMAK01C.json.db │ │ │ │ ├── NC.CG74N2HMAK01C │ │ │ │ ├── logs.json │ │ │ │ └── logs.json.index │ │ │ │ ├── NC.CG74N5GVJAA2E.json.db │ │ │ │ ├── NC.CG74N5GVJAA2E │ │ │ │ ├── logs.json │ │ │ │ ├── logs.json.index │ │ │ │ ├── query_1.json │ │ │ │ ├── query_1.json.index │ │ │ │ └── uploads │ │ │ │ │ └── test.txt │ │ │ │ └── files │ │ │ │ └── NA.CG75NPHSURTDQimage.png │ │ ├── server_artifacts │ │ │ └── Server.Monitor.Health │ │ │ │ └── Prometheus │ │ │ │ ├── 2020-11-08.json │ │ │ │ ├── 2020-11-08.json.index │ │ │ │ ├── 2023-09-07.json │ │ │ │ └── 2023-09-07.json.tidx │ │ └── testcases │ │ │ ├── README.md │ │ │ ├── accessors.in.yaml │ │ │ ├── accessors.out.yaml │ │ │ ├── amcache.in.yaml │ │ │ ├── amcache.out.yaml │ │ │ ├── appcompatcache.in.yaml │ │ │ ├── appcompatcache.out.yaml │ │ │ ├── application.in.yaml │ │ │ ├── application.out.yaml │ │ │ ├── array.in.yaml │ │ │ ├── 
array.out.yaml │ │ │ ├── artifacts.in.yaml │ │ │ ├── artifacts.out.yaml │ │ │ ├── atexit.in.yaml │ │ │ ├── atexit.out.yaml │ │ │ ├── binary_blobs.in.yaml │ │ │ ├── binary_blobs.out.yaml │ │ │ ├── binary_parsers.in.yaml │ │ │ ├── binary_parsers.out.yaml │ │ │ ├── chrome.in.yaml │ │ │ ├── chrome.out.yaml │ │ │ ├── clients.in.yaml │ │ │ ├── clients.out.yaml │ │ │ ├── cobalt.in.yaml │ │ │ ├── cobalt.out.yaml │ │ │ ├── cobalt2.in.yaml │ │ │ ├── cobalt2.out.yaml │ │ │ ├── collections.in.yaml │ │ │ ├── collections.out.yaml │ │ │ ├── common.in.yaml │ │ │ ├── common.out.yaml │ │ │ ├── crypto.in.yaml │ │ │ ├── crypto.out.yaml │ │ │ ├── csv.in.yaml │ │ │ ├── csv.out.yaml │ │ │ ├── debian.in.yaml │ │ │ ├── debian.out.yaml │ │ │ ├── delay.in.yaml │ │ │ ├── delay.out.yaml │ │ │ ├── detection.in.yaml │ │ │ ├── detection.out.yaml │ │ │ ├── doc.in.yaml │ │ │ ├── doc.out.yaml │ │ │ ├── downloads.in.yaml │ │ │ ├── downloads.out.yaml │ │ │ ├── efi.in.yaml │ │ │ ├── efi.out.yaml │ │ │ ├── eval.in.yaml │ │ │ ├── eval.out.yaml │ │ │ ├── evtx.in.yaml │ │ │ ├── evtx.out.yaml │ │ │ ├── ewf.in.yaml │ │ │ ├── ewf.out.yaml │ │ │ ├── export.in.yaml │ │ │ ├── export.out.yaml │ │ │ ├── ext4.in.yaml │ │ │ ├── ext4.out.yaml │ │ │ ├── fat.in.yaml │ │ │ ├── fat.out.yaml │ │ │ ├── fifo.in.yaml │ │ │ ├── fifo.out.yaml │ │ │ ├── file_finder.in.yaml │ │ │ ├── file_finder.out.yaml │ │ │ ├── filestore.in.yaml │ │ │ ├── filestore.out.yaml │ │ │ ├── functions.in.yaml │ │ │ ├── functions.out.yaml │ │ │ ├── generator.in.yaml │ │ │ ├── generator.out.yaml │ │ │ ├── grok.in.yaml │ │ │ ├── grok.out.yaml │ │ │ ├── hash.in.yaml │ │ │ ├── hash.out.yaml │ │ │ ├── hostsfile.in.yaml │ │ │ ├── hostsfile.out.yaml │ │ │ ├── http_client.in.yaml │ │ │ ├── http_client.out.yaml │ │ │ ├── hunts.in.yaml │ │ │ ├── hunts.out.yaml │ │ │ ├── import_collection.in.yaml │ │ │ ├── import_collection.out.yaml │ │ │ ├── ip.in.yaml │ │ │ ├── ip.out.yaml │ │ │ ├── json.in.yaml │ │ │ ├── json.out.yaml │ │ │ ├── kapefiles_extract.in.yaml │ │ │ 
├── kapefiles_extract.out.yaml │ │ │ ├── kapefiles_remap.in.yaml │ │ │ ├── kapefiles_remap.out.yaml │ │ │ ├── kerberoasting.in.yaml │ │ │ ├── kerberoasting.out.yaml │ │ │ ├── labels.in.yaml │ │ │ ├── labels.out.yaml │ │ │ ├── link_to.in.yaml │ │ │ ├── link_to.out.yaml │ │ │ ├── linux_last_login.in.yaml │ │ │ ├── linux_last_login.out.yaml │ │ │ ├── linux_passwd.in.yaml │ │ │ ├── linux_passwd.out.yaml │ │ │ ├── linux_ssh_authorized_keys.in.yaml │ │ │ ├── linux_ssh_authorized_keys.out.yaml │ │ │ ├── linux_systemd.in.yaml │ │ │ ├── linux_systemd.out.yaml │ │ │ ├── localhashes.in.yaml │ │ │ ├── localhashes.out.yaml │ │ │ ├── loghunter.in.yaml │ │ │ ├── loghunter.out.yaml │ │ │ ├── lru.in.yaml │ │ │ ├── lru.out.yaml │ │ │ ├── macos.in.yaml │ │ │ ├── macos.out.yaml │ │ │ ├── magic.in.yaml │ │ │ ├── magic.out.yaml │ │ │ ├── materialize.in.yaml │ │ │ ├── materialize.out.yaml │ │ │ ├── memoize.in.yaml │ │ │ ├── memoize.out.yaml │ │ │ ├── mft.in.yaml │ │ │ ├── mft.out.yaml │ │ │ ├── mock.in.yaml │ │ │ ├── mock.out.yaml │ │ │ ├── monitoring.in.yaml │ │ │ ├── monitoring.out.yaml │ │ │ ├── mru.in.yaml │ │ │ ├── mru.out.yaml │ │ │ ├── notebook.in.yaml │ │ │ ├── notebook.out.yaml │ │ │ ├── ntfs.in.yaml │ │ │ ├── ntfs.out.yaml │ │ │ ├── ntfs_ea.in.yaml │ │ │ ├── ntfs_ea.out.yaml │ │ │ ├── ole.in.yaml │ │ │ ├── ole.out.yaml │ │ │ ├── orgs.in.yaml │ │ │ ├── orgs.out.yaml │ │ │ ├── paths.in.yaml │ │ │ ├── paths.out.yaml │ │ │ ├── pe.in.yaml │ │ │ ├── pe.out.yaml │ │ │ ├── pe_dump.in.yaml │ │ │ ├── pe_dump.out.yaml │ │ │ ├── pe_hunter.in.yaml │ │ │ ├── pe_hunter.out.yaml │ │ │ ├── pipe.in.yaml │ │ │ ├── pipe.out.yaml │ │ │ ├── plist.in.yaml │ │ │ ├── plist.out.yaml │ │ │ ├── prefetch.in.yaml │ │ │ ├── prefetch.out.yaml │ │ │ ├── process_tracker.in.yaml │ │ │ ├── process_tracker.out.yaml │ │ │ ├── profile.in.yaml │ │ │ ├── profile.out.yaml │ │ │ ├── protocols.in.yaml │ │ │ ├── protocols.out.yaml │ │ │ ├── pst.in.yaml │ │ │ ├── pst.out.yaml │ │ │ ├── quarantine.in.yaml │ │ │ ├── 
quarantine.out.yaml │ │ │ ├── raw_registry.in.yaml │ │ │ ├── raw_registry.out.yaml │ │ │ ├── regex.in.yaml │ │ │ ├── regex.out.yaml │ │ │ ├── remapping.in.yaml │ │ │ ├── remapping.out.yaml │ │ │ ├── remapping_registry.in.yaml │ │ │ ├── remapping_registry.out.yaml │ │ │ ├── remapping_ssh.in.yaml │ │ │ ├── remapping_ssh.out.yaml │ │ │ ├── remediation.in.yaml │ │ │ ├── remediation.out.yaml │ │ │ ├── results.in.yaml │ │ │ ├── results.out.yaml │ │ │ ├── rhel.in.yaml │ │ │ ├── rhel.out.yaml │ │ │ ├── sequence.in.yaml │ │ │ ├── sequence.out.yaml │ │ │ ├── sigma.in.yaml │ │ │ ├── sigma.out.yaml │ │ │ ├── sparse.in.yaml │ │ │ ├── sparse.out.yaml │ │ │ ├── sqlite.in.yaml │ │ │ ├── sqlite.out.yaml │ │ │ ├── ssh.in.yaml │ │ │ ├── ssh.out.yaml │ │ │ ├── suse.in.yaml │ │ │ ├── suse.out.yaml │ │ │ ├── templateinjection.in.yaml │ │ │ ├── templateinjection.out.yaml │ │ │ ├── time.in.yaml │ │ │ ├── time.out.yaml │ │ │ ├── timeline.in.yaml │ │ │ ├── timeline.out.yaml │ │ │ ├── tools.in.yaml │ │ │ ├── tools.out.yaml │ │ │ ├── ual.in.yaml │ │ │ ├── ual.out.yaml │ │ │ ├── users.in.yaml │ │ │ ├── users.out.yaml │ │ │ ├── verify.in.yaml │ │ │ ├── verify.out.yaml │ │ │ ├── vfs.in.yaml │ │ │ ├── vfs.out.yaml │ │ │ ├── vhdx.in.yaml │ │ │ ├── vhdx.out.yaml │ │ │ ├── yara.in.yaml │ │ │ ├── yara.out.yaml │ │ │ ├── yara_detection.in.yaml │ │ │ ├── yara_detection.out.yaml │ │ │ ├── yara_detection_zip.in.yaml │ │ │ ├── yara_detection_zip.out.yaml │ │ │ ├── yara_lint.in.yaml │ │ │ ├── yara_lint.out.yaml │ │ │ ├── zip.in.yaml │ │ │ └── zip.out.yaml │ └── windows │ │ ├── authenticode.in.yaml │ │ ├── authenticode.out.yaml │ │ ├── autoexec.in.yaml │ │ ├── autoexec.out.yaml │ │ ├── etw.in.yaml │ │ ├── etw.out.yaml │ │ ├── evtx.in.yaml │ │ ├── evtx.out.yaml │ │ ├── file.in.yaml │ │ ├── file.out.yaml │ │ ├── filesystem.in.yaml │ │ ├── filesystem.out.yaml │ │ ├── github_actions.config.yaml │ │ ├── init.reg │ │ ├── ntfs.in.yaml │ │ ├── ntfs.out.yaml │ │ ├── processes.in.yaml │ │ ├── processes.out.yaml │ │ 
├── raw_reg.in.yaml │ │ ├── raw_reg.out.yaml │ │ ├── registry.in.yaml │ │ ├── registry.out.yaml │ │ ├── shell.in.yaml │ │ ├── shell.out.yaml │ │ ├── startup.in.yaml │ │ ├── startup.out.yaml │ │ ├── test.config.yaml │ │ ├── thread.in.yaml │ │ ├── thread.out.yaml │ │ ├── token.in.yaml │ │ ├── token.out.yaml │ │ ├── users.in.yaml │ │ ├── users.out.yaml │ │ ├── vss.in.yaml │ │ ├── vss.out.yaml │ │ ├── wmi.in.yaml │ │ ├── wmi.out.yaml │ │ ├── yara.in.yaml │ │ └── yara.out.yaml └── utils.go ├── bin ├── admin_generic.go ├── admin_windows.go ├── allowlist.go ├── analysis_target.go ├── artifacts.go ├── banner.go ├── binary_test.go ├── browser.go ├── client.go ├── collector_test.go ├── config.go ├── config_merge.go ├── config_test.go ├── csv.go ├── deaddisk.go ├── deaddisk_test.go ├── debian.go ├── debug.go ├── deprecated.go ├── fixtures │ └── Serialization.golden ├── flags.go ├── frontend.go ├── fs.go ├── fuse_unix.go ├── golden.go ├── grant.go ├── gui.go ├── hunts.go ├── installer_darwin.go ├── installer_windows.go ├── logging.go ├── main.go ├── marshal.go ├── marshal_test.go ├── metrics.go ├── minions.go ├── mutant_windows.go ├── offline.go ├── panic.go ├── pool.go ├── prompt.go ├── proxy.go ├── query.go ├── reformat.go ├── repack.go ├── rpm.go ├── rsrc_windows_386.syso ├── rsrc_windows_amd64.syso ├── server_service_windows.go ├── timezone.go ├── tools.go ├── unzip.go ├── users.go ├── utils.go ├── verify.go ├── version.go └── vql.go ├── config ├── assets.go ├── b0x.yaml ├── config.go ├── default.yaml ├── doc.go ├── embedded.go ├── loader.go ├── migration.go ├── offline.sh ├── proto │ ├── config.pb.go │ └── config.proto └── validate.go ├── constants └── constants.go ├── crypto ├── api.go ├── b0x.yaml ├── ca-certificates.crt ├── ca.go ├── client │ ├── cipher.go │ ├── client.go │ ├── docs.go │ ├── lru.go │ ├── lru_test.go │ ├── manager.go │ └── resolver.go ├── crypto_test.go ├── doc.go ├── messages.go ├── proto │ ├── jobs.pb.go │ └── jobs.proto ├── root.go ├── server │ ├── 
docs.go │ └── manager.go ├── simple.go ├── simple_test.go ├── storage │ ├── fixtures │ │ ├── .gitignore │ │ ├── TestWritingAndReading.golden │ │ └── writeback.yaml │ ├── header.go │ ├── reader.go │ ├── server.go │ ├── storage_test.go │ └── writer.go ├── testing │ └── testing_utils.go ├── transport.go └── utils │ └── utils.go ├── datastore ├── datastore.go ├── datastore_test.go ├── filebased.go ├── filebased_benchmark_test.go ├── filebased_generic.go ├── filebased_supported.go ├── filebased_test.go ├── filebased_utils.go ├── fixtures │ └── TestDirectoryOverflow.golden ├── instrument.go ├── memcache.go ├── memcache_data.go ├── memcache_file.go ├── memcache_file_test.go ├── memcache_stats.go ├── memcache_test.go ├── readonly.go ├── remote.go ├── remote_test.go ├── test_data │ └── mysql.config.yaml └── utils.go ├── debian ├── changelog ├── compat ├── control ├── copyright ├── rules ├── velociraptor.config.yaml ├── velociraptor.init ├── velociraptor.install ├── velociraptor.nanny ├── velociraptor.postinst ├── velociraptor.preinst ├── velociraptor.service ├── velociraptor.substvars └── velociraptor.upstart ├── docs.go ├── docs ├── deadcode.yaml ├── elastic │ ├── README.md │ └── winlogbeat_schema.json ├── freebsd │ └── velociraptor.rc ├── monitoring │ ├── README.md │ ├── graphana.json │ └── prometheus.yaml ├── offline_collector │ ├── offline_collector.sh │ └── sample.spec.yaml ├── references │ ├── sample_config │ │ ├── Makefile │ │ ├── README.md │ │ ├── go.mod │ │ ├── go.sum │ │ └── main.go │ ├── server.config.yaml │ └── vql.yaml ├── saml │ └── README.md ├── winres │ ├── README.md │ ├── icon.png │ ├── winres.json │ └── winres_template.json └── wix │ ├── README.md │ ├── build_amd64.bat │ ├── build_x86.bat │ ├── icon.ico │ ├── output │ └── client.config.yaml │ ├── velociraptor_amd64.xml │ └── velociraptor_x86.xml ├── executor ├── crash.go ├── doc.go ├── executor.go ├── executor_test.go ├── fixtures │ └── TestFlowStatsRequest.golden ├── flows.go ├── nanny.go ├── 
nanny_test.go ├── pool.go ├── startup.go ├── stats.go ├── tempfile.go ├── testutils.go └── throttler │ ├── cpu.go │ ├── cpu_linux.go │ ├── cpu_windows.go │ ├── stats_collector.go │ ├── throttler.go │ └── tracker.go ├── file_store ├── api │ ├── adapter.go │ ├── extensions.go │ ├── file_store.go │ ├── instrument.go │ ├── paths.go │ ├── queues.go │ ├── utils.go │ └── walk.go ├── csv │ ├── doc.go │ ├── options.go │ ├── reader.go │ ├── reader_test.go │ ├── utils.go │ ├── writer.go │ └── writer_test.go ├── directory │ ├── buffer.go │ ├── directory.go │ ├── directory_test.go │ ├── fixtures │ │ ├── TestListChildrenComplicatedNames.golden │ │ └── TestListChildrenSameNameDifferentTypes.golden │ ├── listener.go │ ├── listener_test.go │ ├── queue.go │ └── queue_test.go ├── file_store.go ├── memcache │ ├── memcache.go │ ├── memcache_test.go │ └── profile.go ├── memory │ ├── fixtures │ │ ├── TestListChildrenComplicatedNames.golden │ │ └── TestListChildrenSameNameDifferentTypes.golden │ ├── memory.go │ ├── memory_test.go │ ├── queue.go │ └── queue_test.go ├── path_specs │ ├── fs_path_spec.go │ ├── path_specs.go │ └── utils.go ├── queue.go ├── test_utils │ ├── query.go │ ├── retry.go │ ├── server_config.go │ ├── testing.go │ ├── testsuite.go │ └── unzip.go ├── tests │ └── testsuite.go ├── uploader │ ├── sparse.go │ └── uploader.go └── utils.go ├── flows ├── artifacts.go ├── artifacts_test.go ├── client_flow_runner.go ├── client_flow_runner_test.go ├── client_info.go ├── collection_context.go ├── docs.go ├── fixtures │ ├── TestMonitoringAlerts.golden │ ├── TestVQLResponseRetransmission.golden │ └── compileFileFinderArgs.golden ├── housekeeping.go ├── limits.go ├── logs.go ├── monitoring.go └── proto │ ├── artifact_collector.pb.go │ ├── artifact_collector.proto │ ├── vfs.pb.go │ └── vfs.proto ├── glob ├── fileinfo.go ├── fixtures │ └── TestGlobWithContext.golden ├── glob.go ├── glob_test.go ├── protocol.go └── tracker.go ├── go.mod ├── go.sum ├── grpc_client ├── dummy.go └── grpc.go 
├── gui ├── assets │ ├── .gitignore │ └── init.go └── velociraptor │ ├── .env │ ├── .env.production │ ├── .eslintignore │ ├── .eslintrc.cjs │ ├── .gitattributes │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── b0x.yaml │ ├── build │ └── .keep │ ├── docs.go │ ├── package-lock.json │ ├── package.json │ ├── patches │ └── react-calendar-timeline+0.28.0.patch │ ├── src │ ├── App.jsx │ ├── components │ │ ├── artifacts │ │ │ ├── artifacts-link.jsx │ │ │ ├── artifacts-upload.css │ │ │ ├── artifacts-upload.jsx │ │ │ ├── artifacts.css │ │ │ ├── artifacts.jsx │ │ │ ├── line-charts.css │ │ │ ├── line-charts.jsx │ │ │ ├── new-artifact.jsx │ │ │ ├── reporting.css │ │ │ ├── reporting.jsx │ │ │ ├── sigma-editor.css │ │ │ ├── sigma-editor.jsx │ │ │ └── syntax.jsx │ │ ├── clients │ │ │ ├── client-link.css │ │ │ ├── client-link.jsx │ │ │ ├── client-status.css │ │ │ ├── client-status.jsx │ │ │ ├── client-summary.css │ │ │ ├── client-summary.jsx │ │ │ ├── client_info.jsx │ │ │ ├── clients-list.css │ │ │ ├── clients-list.jsx │ │ │ ├── host-info.css │ │ │ ├── host-info.jsx │ │ │ ├── inflight_viewer.jsx │ │ │ ├── label-form.jsx │ │ │ ├── metadata.jsx │ │ │ ├── search.css │ │ │ ├── search.jsx │ │ │ ├── shell-viewer.css │ │ │ └── shell-viewer.jsx │ │ ├── core │ │ │ ├── ace-config.jsx │ │ │ ├── ace.css │ │ │ ├── ace.jsx │ │ │ ├── api-service.jsx │ │ │ ├── column-resizer.jsx │ │ │ ├── keyboard-help.css │ │ │ ├── keyboard-help.jsx │ │ │ ├── mode-markdown.jsx │ │ │ ├── mode-regex.jsx │ │ │ ├── mode-sigma.jsx │ │ │ ├── mode-vql.jsx │ │ │ ├── mode-yaml.jsx │ │ │ ├── mode-yara.jsx │ │ │ ├── notimplemented.jsx │ │ │ ├── paged-table.css │ │ │ ├── paged-table.jsx │ │ │ ├── sanitize.jsx │ │ │ ├── snackbar.css │ │ │ ├── snackbar.jsx │ │ │ ├── stack.jsx │ │ │ ├── table.css │ │ │ ├── table.jsx │ │ │ ├── tree-cell.css │ │ │ ├── tree-cell.jsx │ │ │ └── user.jsx │ │ ├── events │ │ │ ├── delete.jsx │ │ │ ├── event-notebook.jsx │ │ │ ├── event-table.jsx │ │ │ ├── event-timeline.css │ │ │ ├── events.css │ 
│ │ ├── events.jsx │ │ │ ├── timeline-viewer.jsx │ │ │ └── utils.jsx │ │ ├── flows │ │ │ ├── client-flows-view.jsx │ │ │ ├── flow-full-notebook.jsx │ │ │ ├── flow-link.jsx │ │ │ ├── flow-logs.jsx │ │ │ ├── flow-notebook.jsx │ │ │ ├── flow-overview.jsx │ │ │ ├── flow-requests.jsx │ │ │ ├── flow-results.jsx │ │ │ ├── flow-uploads.jsx │ │ │ ├── flows-add-to-hunt.jsx │ │ │ ├── flows-inspector.jsx │ │ │ ├── flows-list.jsx │ │ │ ├── flows.css │ │ │ ├── new-collection.css │ │ │ ├── new-collection.jsx │ │ │ ├── new-collections-parameters.jsx │ │ │ ├── offline-collector.jsx │ │ │ ├── server-flows-view.jsx │ │ │ └── utils.jsx │ │ ├── forms │ │ │ ├── csv.jsx │ │ │ ├── dict.css │ │ │ ├── dict.jsx │ │ │ ├── form.jsx │ │ │ ├── forms.css │ │ │ ├── regex.css │ │ │ ├── regex.jsx │ │ │ ├── regex_array.jsx │ │ │ ├── upload.jsx │ │ │ ├── validated.css │ │ │ ├── validated_int.jsx │ │ │ └── yara.jsx │ │ ├── hunts │ │ │ ├── estimate.css │ │ │ ├── estimate.jsx │ │ │ ├── hunt-clients.jsx │ │ │ ├── hunt-full-notebook.jsx │ │ │ ├── hunt-inspector.jsx │ │ │ ├── hunt-list.jsx │ │ │ ├── hunt-notebook.jsx │ │ │ ├── hunt-overview.jsx │ │ │ ├── hunt-request.jsx │ │ │ ├── hunt.css │ │ │ ├── hunts.jsx │ │ │ ├── new-hunt.jsx │ │ │ └── orgs.jsx │ │ ├── i8n │ │ │ ├── README.md │ │ │ ├── de.json │ │ │ ├── de.jsx │ │ │ ├── de_automated.json │ │ │ ├── de_new.json │ │ │ ├── en.jsx │ │ │ ├── es.json │ │ │ ├── es.jsx │ │ │ ├── es_automated.json │ │ │ ├── es_new.json │ │ │ ├── fr.json │ │ │ ├── fr.jsx │ │ │ ├── fr_automated.json │ │ │ ├── fr_new.json │ │ │ ├── i8n.jsx │ │ │ ├── jp.json │ │ │ ├── jp.jsx │ │ │ ├── jp_automated.json │ │ │ ├── jp_new.json │ │ │ ├── por.json │ │ │ ├── por.jsx │ │ │ ├── por_automated.json │ │ │ ├── por_new.json │ │ │ ├── utils.jsx │ │ │ ├── vi.json │ │ │ ├── vi.jsx │ │ │ ├── vi_automated.json │ │ │ └── vi_new.json │ │ ├── notebooks │ │ │ ├── add-cell-from-flow.jsx │ │ │ ├── create-artifact-from-cell.jsx │ │ │ ├── downloads.jsx │ │ │ ├── export-notebook.jsx │ │ │ ├── 
full_notebook.jsx │ │ │ ├── logs.jsx │ │ │ ├── new-notebook.jsx │ │ │ ├── notebook-cell-renderer.css │ │ │ ├── notebook-cell-renderer.jsx │ │ │ ├── notebook-chart-renderer.jsx │ │ │ ├── notebook-copy-cell.jsx │ │ │ ├── notebook-delete.jsx │ │ │ ├── notebook-format-tables.jsx │ │ │ ├── notebook-renderer.jsx │ │ │ ├── notebook-report-renderer.jsx │ │ │ ├── notebook-table-renderer.jsx │ │ │ ├── notebook-uploads.jsx │ │ │ ├── notebook.jsx │ │ │ ├── notebooks-list.css │ │ │ ├── notebooks-list.jsx │ │ │ ├── timelines.css │ │ │ └── timelines.jsx │ │ ├── secrets │ │ │ ├── secrets.css │ │ │ └── secrets.jsx │ │ ├── server │ │ │ └── server-info.jsx │ │ ├── sidebar │ │ │ ├── hotkeys.jsx │ │ │ ├── navigator.css │ │ │ ├── navigator.jsx │ │ │ ├── user-dashboard.css │ │ │ ├── user-dashboard.jsx │ │ │ └── velo.svg │ │ ├── timeline │ │ │ ├── timeline.css │ │ │ └── timeline.jsx │ │ ├── tools │ │ │ ├── tool-viewer.css │ │ │ └── tool-viewer.jsx │ │ ├── users │ │ │ ├── add_orgs.jsx │ │ │ ├── add_user.jsx │ │ │ ├── edit-user.jsx │ │ │ ├── user-inspector.jsx │ │ │ ├── user-label.css │ │ │ ├── user-label.jsx │ │ │ └── user.css │ │ ├── utils │ │ │ ├── annotations.jsx │ │ │ ├── clock.css │ │ │ ├── clock.jsx │ │ │ ├── context.css │ │ │ ├── context.jsx │ │ │ ├── csv.jsx │ │ │ ├── hex.css │ │ │ ├── hex.jsx │ │ │ ├── json.css │ │ │ ├── json.jsx │ │ │ ├── json_parse.jsx │ │ │ ├── labels.jsx │ │ │ ├── log-level.css │ │ │ ├── log_level.jsx │ │ │ ├── number.css │ │ │ ├── number.jsx │ │ │ ├── paths.jsx │ │ │ ├── spinner.css │ │ │ ├── spinner.jsx │ │ │ ├── time.css │ │ │ ├── time.jsx │ │ │ ├── tree │ │ │ │ ├── tree.css │ │ │ │ └── tree.jsx │ │ │ ├── url.css │ │ │ ├── url.jsx │ │ │ ├── users.css │ │ │ ├── users.jsx │ │ │ └── value.jsx │ │ ├── vfs │ │ │ ├── browse-vfs.css │ │ │ ├── browse-vfs.jsx │ │ │ ├── file-list.css │ │ │ ├── file-list.jsx │ │ │ ├── file-stats.css │ │ │ ├── file-stats.jsx │ │ │ ├── file-tree.jsx │ │ │ ├── utils.jsx │ │ │ └── vfs-setter.jsx │ │ ├── welcome │ │ │ ├── 
Github-octocat-icon-vector-01.svg │ │ │ ├── Google-icon-vector-04.svg │ │ │ ├── Microsoft_Azure_Logo.svg │ │ │ ├── OpenID_logo.svg │ │ │ ├── login.css │ │ │ ├── login.jsx │ │ │ ├── logoff.jsx │ │ │ └── welcome.jsx │ │ └── widgets │ │ │ ├── datetime.css │ │ │ ├── datetime.jsx │ │ │ ├── download.jsx │ │ │ ├── logs.css │ │ │ ├── logs.jsx │ │ │ ├── pagination.jsx │ │ │ ├── preview_uploads.css │ │ │ ├── preview_uploads.jsx │ │ │ ├── search.css │ │ │ ├── search.jsx │ │ │ ├── tooltip.css │ │ │ └── tooltip.jsx │ ├── css │ │ ├── App.css │ │ ├── _variables.css │ │ └── index.css │ ├── fonts │ │ ├── fixedsysexcelsioriiib-l2-mono-webfont.woff2 │ │ ├── iosevka-term-bold-subset.woff2 │ │ ├── iosevka-term-medium-subset.woff2 │ │ ├── iosevka-term-regular-subset.woff2 │ │ ├── noto-sans-v27-latin-ext_latin-600.woff2 │ │ └── noto-sans-v27-latin-ext_latin-regular.woff2 │ ├── index.html │ ├── index.jsx │ ├── public │ │ ├── favicon.ico │ │ ├── manifest.json │ │ ├── robots.txt │ │ └── velo.svg │ ├── serviceWorker.js │ └── themes │ │ ├── coolgray-dark.css │ │ ├── github-dimmed-dark.css │ │ ├── github-light.css │ │ ├── midnight.css │ │ ├── ncurses-dark.css │ │ ├── ncurses-light.css │ │ ├── no-theme.css │ │ ├── pink-light.css │ │ ├── veloci-dark.css │ │ ├── veloci-docs.css │ │ └── veloci-light.css │ ├── template.go │ └── vite.config.js ├── http_comms ├── comms.go ├── comms_test.go ├── doc.go ├── e2e_test.go ├── ring_buffer.go ├── ring_buffer_posix.go ├── ring_buffer_test.go ├── ring_buffer_windows.go ├── sender.go ├── sender_test.go ├── service.go ├── test_data │ ├── client.config.yaml │ └── server.config.yaml ├── websocket.go ├── websocket_connection.go └── websocket_test.go ├── json ├── csv.go ├── csv_test.go ├── debug.go ├── fixtures │ ├── TestCSVUtils.golden │ ├── TestJsonFormat.golden │ └── TestJsonlShortcuts.golden ├── json.go ├── proto.go ├── protobuf.go ├── registry.go ├── shortcuts.go ├── shortcuts_test.go ├── string.go ├── timezone.go └── wrappers.go ├── logging ├── fixtures │ └── 
TestAuditLog.golden ├── formatter.go ├── levels.go ├── logging.go ├── logging_generic.go ├── logging_test.go ├── logging_windows.go ├── syslog_nonwindows.go └── syslog_windows.go ├── magefile.go ├── make.go ├── make_proto.sh ├── notifications ├── notifications.go └── notifications_test.go ├── paths ├── artifacts.go ├── artifacts │ ├── logs.go │ ├── paths.go │ └── paths_test.go ├── artifacts_test.go ├── backups.go ├── client.go ├── client_test.go ├── constants.go ├── dashboard.go ├── doc.go ├── flow_metadata.go ├── flow_metadata_test.go ├── forms.go ├── hunt_metadata.go ├── hunt_metadata_test.go ├── inventory.go ├── notebooks.go ├── notebooks_test.go ├── ntfs.go ├── ntfs_test.go ├── orgs.go ├── paths.go ├── paths_test.go ├── repository.go ├── secrets.go ├── server.go ├── temp.go ├── timelines.go ├── timelines_test.go ├── users.go ├── users_test.go └── utils.go ├── proto ├── flow_metadata.pb.go ├── flow_metadata.proto ├── semantic.pb.go └── semantic.proto ├── reporting ├── container.go ├── doc.go ├── expand.go ├── fixtures │ └── VQL2MarkdownConversion.golden ├── functions.go ├── gui.go ├── logging.go ├── paths.go ├── profile.go ├── progress.go ├── report.go ├── result_sets.go ├── table.go ├── templates │ └── index.html ├── timelines.go ├── tmpfiles.go ├── uploader.go └── vql.go ├── responder ├── api.go ├── flow_context.go ├── flow_manager.go ├── monitoring.go ├── responder.go ├── testutils.go └── utils.go ├── result_sets ├── api.go ├── registration.go ├── simple │ ├── docs.go │ ├── fixtures │ │ ├── TestResultSets.golden │ │ ├── TestTransformFilter.golden │ │ └── TestTransformed.golden │ ├── simple.go │ ├── simple_test.go │ ├── sink.go │ ├── transformed.go │ ├── transformed_test.go │ ├── update.go │ └── wrapper.go └── timed │ ├── docs.go │ ├── factory.go │ ├── fixtures │ ├── TestTimedResultSetMigration.golden │ └── TestTimedResultSetWriting.golden │ ├── reader.go │ ├── reader_test.go │ ├── writer.go │ └── writer_test.go ├── scripts ├── api_checker.py ├── 
find_i8n_translations.py ├── kape_files.py ├── sqlecmd_convert.py ├── sync_artifact_paths.py └── templates │ ├── kape_files_state.json │ └── kape_files_win.yaml.tpl ├── security.md ├── server ├── comms.go ├── docs.go ├── enroll.go ├── limits.go ├── limits_linux.go ├── loadshed.go ├── metrics.go ├── server.go ├── startup.go └── websocket.go ├── services ├── acl_manager.go ├── acl_manager │ ├── acl_manager.go │ └── backup.go ├── alerts.go ├── audit.go ├── audit_manager │ └── audit_manager.go ├── backup.go ├── backup │ ├── backup.go │ ├── backup_test.go │ ├── delegates.go │ └── fixtures │ │ └── TestBackups.golden ├── broadcast.go ├── broadcast │ ├── broadcast.go │ └── tracker.go ├── client_info.go ├── client_info │ ├── backup.go │ ├── client_info.go │ ├── client_info_test.go │ ├── delete.go │ ├── housekeep.go │ ├── metadata.go │ ├── mutations.go │ ├── storage.go │ ├── tasks.go │ ├── tasks_test.go │ └── validate.go ├── client_monitoring.go ├── client_monitoring │ ├── client_monitoring.go │ ├── client_monitoring_test.go │ └── events.go ├── ddclient │ ├── api.go │ ├── cloudflare.go │ ├── ddclient.go │ └── noip.go ├── debug │ ├── decorator.go │ ├── profile.go │ └── server │ │ ├── handlers.go │ │ └── template.go ├── doc.go ├── encrypted_logs │ └── encrypted_logs.go ├── exports.go ├── exports │ └── exports.go ├── frontend.go ├── frontend │ ├── frontend.go │ ├── proto │ │ ├── frontend.pb.go │ │ └── frontend.proto │ └── urls.go ├── hunt_dispatcher.go ├── hunt_dispatcher │ ├── backup.go │ ├── docs.go │ ├── flows.go │ ├── hunt_dispatcher.go │ ├── hunt_dispatcher_test.go │ ├── hunts_test.go │ ├── index.go │ ├── list.go │ ├── modify.go │ ├── storage.go │ ├── update.go │ └── utils.go ├── hunt_manager │ ├── hunt_manager.go │ ├── hunt_manager_test.go │ └── mutations.go ├── indexing.go ├── indexing │ ├── client_resolver.go │ ├── clients.go │ ├── fixtures │ │ └── TestWildCardSearch.golden │ ├── index.go │ ├── index_test.go │ ├── ip.go │ ├── mru.go │ ├── rebuild.go │ ├── search.go │ 
├── search_chan.go │ ├── search_test.go │ ├── simple.go │ └── simple_test.go ├── interrogation │ ├── interrogation.go │ └── interrogation_test.go ├── inventory.go ├── inventory │ ├── docs.go │ ├── dummy.go │ ├── dummy_test.go │ ├── fixtures │ │ ├── TestExpectedHash.golden │ │ ├── TestGihubToolServedLocally.golden │ │ ├── TestGihubTools.golden │ │ ├── TestGihubToolsUninitialized.golden │ │ └── TestMultipleSemanticVersions.golden │ ├── inventory.go │ └── inventory_test.go ├── journal.go ├── journal │ ├── buffer.go │ ├── journal.go │ ├── journal_test.go │ ├── replication.go │ ├── replication_test.go │ └── utils.go ├── labels.go ├── labels │ ├── labels.go │ └── labels_test.go ├── launcher.go ├── launcher │ ├── acls.go │ ├── artifacts_test.go │ ├── compiler.go │ ├── delete.go │ ├── dummy.go │ ├── fixtures │ │ ├── TestCompilingServerEvents.golden │ │ ├── TestGetDependentArtifactsWithImports.golden │ │ ├── TestParameterTypes.golden │ │ ├── TestParameterTypesDeps.golden │ │ ├── TestParameterTypesDepsQuery.golden │ │ ├── TestPreconditionRecursive.golden │ │ ├── TestPreconditionSourceLevel.golden │ │ └── TestPreconditionTopLevel.golden │ ├── flows.go │ ├── flows_reader.go │ ├── index.go │ ├── journal.go │ ├── launcher.go │ ├── launcher_test.go │ ├── redact.go │ ├── storage.go │ ├── trace.go │ ├── verifier.go │ └── verifier_test.go ├── notebook.go ├── notebook │ ├── acls_test.go │ ├── annotator.go │ ├── api.go │ ├── calculate.go │ ├── calculate_test.go │ ├── cells.go │ ├── delete.go │ ├── downloads.go │ ├── fixtures │ │ ├── TestInitialNotebook.golden │ │ ├── TestNotebookFromTemplate.golden │ │ ├── TestNotebookManagerTimelineAnnotations.golden │ │ ├── TestNotebookManagerTimelines.golden │ │ └── TestNotebookManagerUpdateCell.golden │ ├── initial.go │ ├── initial_test.go │ ├── notebook.go │ ├── progress.go │ ├── shared.go │ ├── storage.go │ ├── storage_test.go │ ├── timeline_filter.go │ ├── timeline_storer.go │ ├── timelines.go │ ├── timelines_test.go │ ├── utils.go │ ├── 
version.go │ ├── version_test.go │ └── worker.go ├── notifications.go ├── notifications │ ├── debug.go │ └── notifications.go ├── orgs.go ├── orgs │ ├── delete.go │ ├── ids.go │ ├── orgs.go │ ├── services.go │ └── tests.go ├── repository.go ├── repository │ ├── backups.go │ ├── files.go │ ├── filestore.go │ ├── fixtures │ │ ├── TestArtifactMetadata.golden │ │ ├── TestArtifactPluginWithPrecondition.golden │ │ ├── TestClientPluginMultipleSources.golden │ │ ├── TestClientPluginMultipleSourcesAndPrecondtions.golden │ │ ├── TestClientPluginMultipleSourcesAndPrecondtionsEvents.golden │ │ └── TestReformat.golden │ ├── manager.go │ ├── manager_test.go │ ├── metadata.go │ ├── plugin.go │ ├── plugin_test.go │ ├── reformat.go │ ├── reformat_test.go │ ├── repository.go │ ├── repository_test.go │ └── scope.go ├── sanity │ ├── api.go │ ├── certs.go │ ├── fixtures │ │ ├── TestCreateUser.golden │ │ ├── TestCreateUserInOrgs.golden │ │ └── TestUpgradeTools.golden │ ├── frontend.go │ ├── index_migration.go │ ├── lockdown.go │ ├── orgs.go │ ├── sanity.go │ ├── sanity_test.go │ ├── secrets.go │ ├── server_artifacts.go │ └── users.go ├── scheduler.go ├── scheduler │ ├── fixtures │ │ └── TestNotebookMinionScheduler.golden │ ├── minion.go │ ├── minion_test.go │ ├── scheduler.go │ └── scheduler_test.go ├── secrets.go ├── secrets │ ├── fixtures │ │ └── TestSecretsService.golden │ ├── secrets.go │ └── secrets_test.go ├── server_artifacts.go ├── server_artifacts │ ├── api.go │ ├── collection_context.go │ ├── fixtures │ │ ├── TestMultiSource.golden │ │ └── TestMultiSourceSerial.golden │ ├── flusher.go │ ├── logger.go │ ├── query_context.go │ ├── server_artifacts.go │ ├── server_artifacts_test.go │ └── server_uploader.go ├── server_monitoring.go ├── server_monitoring │ ├── fixtures │ │ ├── TestAlertEvent.golden │ │ └── TestMultipleArtifacts.golden │ ├── logger.go │ ├── server_monitoring.go │ ├── server_monitoring_test.go │ └── tracer.go ├── services.go ├── spec.go ├── test_utils.go ├── users.go 
├── users │ ├── acls.go │ ├── add_org.go │ ├── add_org_test.go │ ├── delete.go │ ├── delete_test.go │ ├── docs.go │ ├── favorites.go │ ├── fixtures │ │ ├── TestAddUserToOrg.golden │ │ ├── TestDeleteUser.golden │ │ ├── TestGetUsers.golden │ │ ├── TestListOrgs.golden │ │ ├── TestListUsers.golden │ │ └── TestMakeUsers.golden │ ├── get.go │ ├── get_test.go │ ├── grpc.go │ ├── links.go │ ├── list.go │ ├── list_test.go │ ├── orgs.go │ ├── orgs_test.go │ ├── set_user.go │ ├── set_user_test.go │ ├── storage.go │ ├── test_utils.go │ ├── users.go │ ├── users_test.go │ └── validation.go ├── vfs_service.go ├── vfs_service │ ├── api.go │ ├── directory.go │ ├── downloads.go │ ├── fixtures │ │ └── TestRecursiveVFSListDirectoryApiAccess.golden │ ├── list_files.go │ ├── utils.go │ ├── vfs_service.go │ └── vfs_service_test.go └── writeback │ ├── api.go │ ├── manager.go │ ├── reg_store.go │ ├── storage.go │ ├── storage_unix.go │ ├── writeback.go │ └── writeback_test.go ├── startup ├── allowlists.go ├── client.go ├── frontend.go ├── pool.go └── tool.go ├── staticcheck.conf ├── third_party ├── cache │ ├── lru_cache.go │ └── lru_cache_test.go ├── googleapis │ └── google │ │ └── api │ │ ├── annotations.proto │ │ └── http.proto └── zip │ ├── LICENSE │ ├── README.md │ ├── README.txt │ ├── crypto.go │ ├── crypto_test.go │ ├── example_test.go │ ├── reader.go │ ├── reader_test.go │ ├── register.go │ ├── struct.go │ ├── testdata │ ├── crc32-not-streamed.zip │ ├── dd.zip │ ├── go-no-datadesc-sig.zip │ ├── go-with-datadesc-sig.zip │ ├── gophercolor16x16.png │ ├── hello-aes.zip │ ├── macbeth-act1.zip │ ├── readme.notzip │ ├── readme.zip │ ├── symlink.zip │ ├── test-trailing-junk.zip │ ├── test.zip │ ├── time-22738.zip │ ├── time-7zip.zip │ ├── time-go.zip │ ├── time-infozip.zip │ ├── time-osx.zip │ ├── time-win7.zip │ ├── time-winrar.zip │ ├── time-winzip.zip │ ├── unix.zip │ ├── utf8-7zip.zip │ ├── utf8-infozip.zip │ ├── utf8-osx.zip │ ├── utf8-winrar.zip │ ├── utf8-winzip.zip │ ├── winxp.zip │ 
├── world-aes.zip │ ├── zip64-2.zip │ └── zip64.zip │ ├── writer.go │ ├── writer_test.go │ ├── zip_test.go │ ├── zipcrypto.go │ └── zipcrypto_test.go ├── timelines ├── api.go ├── proto │ ├── timelines.pb.go │ └── timelines.proto ├── reader.go ├── supertimeline.go ├── timelines.go ├── timelines_test.go ├── transformer.go └── writer.go ├── tools ├── fuse │ ├── accessors.go │ ├── nodes.go │ ├── options.go │ ├── paths.go │ └── times.go ├── grpc-gateway.go ├── mkwinsyscall.go └── survey │ ├── README.md │ ├── allowlist.go │ ├── api_config.go │ ├── autocert.go │ ├── compile.go │ ├── frontend.go │ ├── keys.go │ ├── network.go │ ├── self_signed.go │ ├── server.go │ ├── sso.go │ ├── storage.go │ ├── survey.go │ └── theme.go ├── uploads ├── api.go ├── client_uploader.go ├── client_uploader_test.go ├── deduplication.go ├── file_based.go ├── file_based_nonwindows.go ├── file_based_windows.go ├── fixtures │ ├── ClientUploaderSparse.golden │ ├── ClientUploaderSparseMultiBuffer.golden │ ├── TestClientUploaderDeduplicateStoreAsName.golden │ ├── TestClientUploaderMultipleBuffers.golden │ ├── TestClientUploaderMultipleUploads.golden │ ├── TestClientUploaderUploadId.golden │ └── TestGetNextRange.golden ├── ranges.go ├── ranges_test.go └── utils.go ├── utils ├── alloc.go ├── buffer.go ├── clock.go ├── compat.go ├── completer.go ├── compression.go ├── concurrency.go ├── copy.go ├── counter.go ├── debug.go ├── dict.go ├── dict_test.go ├── dir_unix.go ├── endian.go ├── env.go ├── errors.go ├── file.go ├── file_unix.go ├── file_windows.go ├── files │ └── tracker.go ├── fixtures │ ├── TestDictUtils.golden │ ├── TestSanitize.golden │ └── TestSanitizeForZip.golden ├── flows.go ├── http │ └── logging.go ├── hunts.go ├── hunts_test.go ├── json.go ├── lru.go ├── memory_buffer.go ├── mime.go ├── nil.go ├── notebook_id.go ├── orgs.go ├── paged_reader.go ├── paged_reader_test.go ├── panic.go ├── path.go ├── path_test.go ├── progress.go ├── prometheus.go ├── proxy.go ├── proxy │ ├── proxy.go │ └── 
proxy_test.go ├── queries.go ├── quotes.go ├── read_seek_reader_adapter.go ├── readers.go ├── readers_test.go ├── reflect.go ├── regexp.go ├── retry.go ├── sanitize.go ├── sanitize_test.go ├── semver.go ├── semver_test.go ├── sleep.go ├── slice.go ├── string.go ├── stub.go ├── tempfile │ ├── mktemp.go │ └── tempfile.go ├── throttler.go ├── time.go ├── urls.go ├── users.go ├── utils.go ├── writers.go └── yaml.go ├── vql ├── acl_managers │ ├── null.go │ ├── remapping.go │ ├── role.go │ ├── server.go │ └── server_test.go ├── acls.go ├── aggregates │ ├── all.go │ ├── any.go │ └── stats.go ├── common │ ├── batch.go │ ├── cache.go │ ├── chain.go │ ├── clock.go │ ├── columns.go │ ├── dedup.go │ ├── diff.go │ ├── env.go │ ├── fifo.go │ ├── fixtures │ │ ├── TestDefaultPipeReader.golden │ │ ├── TestYara.golden │ │ └── TestYaraLinter.golden │ ├── items.go │ ├── lru.go │ ├── sampler.go │ ├── sequence.go │ ├── shell.go │ ├── shell_test.go │ ├── switch.go │ ├── version.go │ ├── yara.go │ ├── yara_rules.go │ └── yara_test.go ├── constants │ └── ntfs.go ├── darwin │ ├── fixtures │ │ └── TestXAttr.golden │ ├── vad.go │ ├── xattr.go │ ├── xattr_darwin.go │ ├── xattr_linux.go │ └── xattr_test.go ├── efi │ ├── efivariables.go │ ├── efivariables_linux.go │ ├── efivariables_not_impl.go │ └── efivariables_windows.go ├── filesystem │ ├── copy.go │ ├── filesystem.go │ ├── filesystems.go │ ├── pathspec.go │ ├── raw_registry.go │ ├── rm.go │ ├── tempfile.go │ └── vfs.go ├── functions │ ├── alerts.go │ ├── commandline.go │ ├── dict.go │ ├── encode.go │ ├── entropy.go │ ├── eval.go │ ├── expand.go │ ├── expand_test.go │ ├── format.go │ ├── functions.go │ ├── gunzip.go │ ├── hash.go │ ├── humanize.go │ ├── ints.go │ ├── lists.go │ ├── log.go │ ├── networks.go │ ├── patch.go │ ├── paths.go │ ├── pid.go │ ├── pskill.go │ ├── rc4.go │ ├── rot13.go │ ├── similarity.go │ ├── sleep.go │ ├── strings.go │ ├── time.go │ ├── tlsh.go │ ├── unhex.go │ ├── url.go │ ├── uuid.go │ └── xor.go ├── golang │ ├── 
generators.go │ ├── goroutines.go │ ├── memory.go │ ├── profile.go │ ├── profile.pb.go │ ├── profile.proto │ ├── trace.go │ ├── typeof.go │ └── verify.go ├── grouper │ ├── fixtures │ │ └── TestGroupBy.golden │ ├── grouper_test.go │ └── mergegrouper.go ├── info.go ├── is_admin.go ├── is_admin_windows.go ├── json.go ├── linux │ ├── audit.go │ ├── compatibility.go │ ├── connections.go │ ├── ebpf │ │ ├── dns.go │ │ ├── doc.go │ │ ├── ebpf.go │ │ ├── logger.go │ │ └── profile.go │ └── sysinfo.go ├── materializer │ └── materialize.go ├── metadata.go ├── metrics.go ├── networking │ ├── cidrmatch.go │ ├── cookiejar.go │ ├── dns.go │ ├── fixtures │ │ └── TestMultipartUploadTest.golden │ ├── host.go │ ├── http_client.go │ ├── mail.go │ ├── multipart.go │ ├── multipart_test.go │ ├── netcat.go │ ├── netstat_common.go │ ├── netstat_darwin.go │ ├── netstat_freebsd.go │ ├── netstat_linux.go │ ├── netstat_windows.go │ ├── network.go │ ├── secrets.go │ ├── spy.go │ ├── tls.go │ ├── tls_test.go │ ├── transport.go │ ├── upload.go │ └── wrapper.go ├── parsers │ ├── appcache.go │ ├── authenticode │ │ ├── authenticode.go │ │ ├── cat.go │ │ ├── compat.go │ │ ├── doc.go │ │ └── pefile.go │ ├── binary.go │ ├── crypto │ │ ├── bigint.go │ │ ├── pkcs7.go │ │ └── pubkey.go │ ├── csv │ │ ├── csv.go │ │ ├── csv_test.go │ │ ├── fixtures │ │ │ └── TestCSVParser.golden │ │ └── watcher.go │ ├── ese │ │ ├── conversion.spec.yaml │ │ ├── ese.go │ │ ├── profile_gen.go │ │ ├── sid.go │ │ ├── sid_test.go │ │ └── vtype_profile.json │ ├── event_logs │ │ ├── evtx.go │ │ ├── pool.go │ │ ├── tracker.go │ │ └── watcher.go │ ├── fixtures │ │ ├── TestGrokParser.golden │ │ ├── TestParseFileWithRegex.golden │ │ ├── TestSplitRecordParser.golden │ │ └── TestYamlParser.golden │ ├── grok.go │ ├── grok_test.go │ ├── journald │ │ ├── journald.go │ │ └── watcher.go │ ├── json.go │ ├── leveldb.go │ ├── lzxpress.go │ ├── ntfs.go │ ├── ntfs_context.go │ ├── ntfs_protocols.go │ ├── ole.go │ ├── parsers_test.go │ ├── pe.go │ 
├── pe_dump.go │ ├── plist.go │ ├── prefetch.go │ ├── pst_parser.go │ ├── recyclebin.go │ ├── recyclebin │ │ ├── conversion.spec.yaml │ │ ├── parse_recyclebin.go │ │ ├── profile_gen.go │ │ └── vtype_profile.json │ ├── regexparser.go │ ├── regexparser_test.go │ ├── splitparser.go │ ├── sql │ │ ├── fixtures │ │ │ └── TestSQLite.golden │ │ ├── sql.go │ │ ├── sql_cache.go │ │ ├── sqlite.go │ │ ├── sqlite_test.go │ │ └── sqlite_windows.go │ ├── syslog │ │ ├── auditd.go │ │ ├── fixtures │ │ │ └── TestSyslogReader.golden │ │ ├── scanner.go │ │ ├── watcher.go │ │ └── watcher_test.go │ ├── usn │ │ ├── carver.go │ │ ├── usn.go │ │ └── watcher.go │ ├── xml.go │ └── yaml.go ├── process.go ├── protocols │ ├── dict.go │ ├── fspathspec.go │ ├── lambda.go │ ├── lazy.go │ ├── protocols.go │ ├── regex.go │ ├── slice.go │ └── time.go ├── psutils │ ├── common.go │ ├── connections.go │ ├── disk.go │ ├── doc.go │ ├── gopsutil_LICENSE.txt │ ├── host.go │ ├── host_darwin.go │ ├── host_darwin_cgo.go │ ├── host_freebsd.go │ ├── host_linux.go │ ├── host_windows.go │ ├── net.go │ ├── process.go │ ├── process_darwin.go │ ├── process_darwin_cgo.go │ ├── process_darwin_nocgo.go │ ├── process_posix.go │ ├── process_windows.go │ ├── process_windows_amd64.go │ ├── process_windows_arm64.go │ └── process_windows_i386.go ├── readers │ ├── paged.go │ └── paged_reader_test.go ├── remapping │ ├── fixtures │ │ └── TestConfigFileRemap.golden │ ├── impersonation.go │ ├── install.go │ ├── mocker.go │ ├── remapping.go │ └── remapping_test.go ├── scope.go ├── server │ ├── backup.go │ ├── clients │ │ ├── clients.go │ │ ├── delete.go │ │ ├── delete_test.go │ │ ├── fixtures │ │ │ └── TestDeleteClient.golden │ │ ├── metadata.go │ │ └── new.go │ ├── compress.go │ ├── crypto.go │ ├── crypto │ │ ├── reader.go │ │ └── writer.go │ ├── downloads │ │ ├── downloads.go │ │ ├── downloads_test.go │ │ ├── fixtures │ │ │ ├── TestExportCollectionServerArtifact.golden │ │ │ ├── TestExportCollectionUploads.golden │ │ │ ├── 
TestExportHunt.golden │ │ │ ├── export.zip │ │ │ └── export_server_artifact.zip │ │ └── pool.go │ ├── elastic.go │ ├── events.go │ ├── favorites │ │ ├── create.go │ │ ├── delete.go │ │ └── list.go │ ├── file_store.go │ ├── flows │ │ ├── create.go │ │ ├── delete.go │ │ ├── fixtures │ │ │ ├── TestEnumerateFlow.golden │ │ │ └── TestHuntsSource.golden │ │ ├── flow_test.go │ │ ├── flows.go │ │ ├── logs.go │ │ ├── monitoring.go │ │ ├── parallel.go │ │ ├── parallel_test.go │ │ ├── results.go │ │ └── uploads.go │ ├── hunts │ │ ├── create.go │ │ ├── create_test.go │ │ ├── delete.go │ │ ├── fixtures │ │ │ └── TestCreateHunt.golden │ │ ├── hunts.go │ │ ├── info.go │ │ └── stop.go │ ├── inventory.go │ ├── kill.go │ ├── labels.go │ ├── links.go │ ├── logging.go │ ├── monitoring │ │ ├── add_monitoring.go │ │ ├── add_monitoring_test.go │ │ ├── delete.go │ │ ├── event_monitoring.go │ │ ├── fixtures │ │ │ ├── TestAddClientMonitoring.golden │ │ │ └── TestAddServerMonitoring.golden │ │ ├── monitoring_logs.go │ │ └── rm_monitoring.go │ ├── notebooks │ │ ├── create.go │ │ ├── delete.go │ │ ├── download.go │ │ ├── export.go │ │ ├── get.go │ │ ├── notebooks_test.go │ │ └── update.go │ ├── orgs │ │ ├── create.go │ │ ├── current.go │ │ ├── delete.go │ │ └── orgs.go │ ├── repository.go │ ├── secrets │ │ ├── add.go │ │ ├── define.go │ │ ├── grant.go │ │ └── list.go │ ├── splunk.go │ ├── timelines │ │ ├── create.go │ │ ├── delete.go │ │ └── reader.go │ └── users │ │ ├── create.go │ │ ├── delete.go │ │ ├── get.go │ │ ├── grant.go │ │ ├── options.go │ │ ├── password.go │ │ ├── users.go │ │ └── whoami.go ├── sigma │ ├── details.go │ ├── evaluator │ │ ├── checks.go │ │ ├── correlation.go │ │ ├── evaluate.go │ │ ├── evaluate_search.go │ │ ├── event.go │ │ ├── fieldmapping.go │ │ ├── indexes.go │ │ └── modifiers │ │ │ ├── base64.go │ │ │ ├── comparators.go │ │ │ ├── modifiers.go │ │ │ ├── re.go │ │ │ ├── vql.go │ │ │ └── wide.go │ ├── fixtures │ │ ├── TestSigma.golden │ │ └── 
TestSigmaCorrelation.golden │ ├── logsource.go │ ├── logsource_test.go │ ├── pool.go │ ├── protocols.go │ ├── runner.go │ ├── sigma.go │ ├── sigma_test.go │ └── tracker.go ├── sorter │ ├── fixtures │ │ ├── TestMergeSorter.golden │ │ ├── TestMergeSorterDesc.golden │ │ └── newDataFile.golden │ ├── mergesort.go │ └── mergesort_test.go ├── tools │ ├── artifacts.go │ ├── atexit.go │ ├── azure_upload.go │ ├── collector │ │ ├── collector.go │ │ ├── collector_manager.go │ │ ├── collector_test.go │ │ ├── fixtures │ │ │ ├── TestCollectionWithArtifacts.golden │ │ │ ├── TestCollectionWithTypes.golden │ │ │ ├── TestCollectionWithUpload.golden │ │ │ ├── TestCreateAndImportCollection.golden │ │ │ ├── TestCreateAndImportHunt.golden │ │ │ ├── TestImportCollectionFromFixture.golden │ │ │ ├── TestImportHuntFromFixture.golden │ │ │ ├── import.zip │ │ │ ├── import_hunt.zip │ │ │ ├── invalid_dir.zip │ │ │ └── offline_encrypted.zip │ │ ├── import.go │ │ ├── import_hunt_test.go │ │ └── import_test.go │ ├── delay.go │ ├── dns │ │ └── tracker.go │ ├── fixtures │ │ └── TestStarlark.golden │ ├── gcs_pubsub_publish.go │ ├── gcs_upload.go │ ├── geoip.go │ ├── js.go │ ├── logscale │ │ ├── logscale.go │ │ ├── logscale_test.go │ │ ├── plugin.go │ │ └── plugin_test.go │ ├── magic.go │ ├── panic.go │ ├── process │ │ ├── api.go │ │ ├── callchain.go │ │ ├── children.go │ │ ├── dummy.go │ │ ├── fixtures │ │ │ └── TestProcessTracker.golden │ │ ├── mock_test.go │ │ ├── pid.go │ │ ├── protocols.go │ │ ├── pslist.go │ │ ├── tracker.go │ │ ├── tracker_test.go │ │ ├── tree.go │ │ └── utils.go │ ├── query.go │ ├── rekey.go │ ├── repack.go │ ├── repack_test.go │ ├── rsyslog │ │ ├── cache.go │ │ ├── connect.go │ │ └── rsyslog.go │ ├── s3_upload.go │ ├── s3_upload_test.go │ ├── sftp_upload.go │ ├── smb_upload.go │ ├── starlark.go │ ├── starlark_test.go │ ├── unzip.go │ └── webdav_upload.go ├── unimplemented.go ├── unimplemented_cgo.go ├── unimplemented_nocgo.go ├── unimplemented_test.go ├── utils.go ├── utils │ 
├── help.go │ └── repository.go ├── vql.go └── windows │ ├── aliases.go │ ├── amsi.go │ ├── crypto.c │ ├── crypto.go │ ├── doc.go │ ├── etw │ ├── context.go │ ├── doc.go │ ├── etw_sessions.go │ ├── options.go │ ├── protocols.go │ ├── stats.go │ ├── watch_etw.go │ └── watcher.go │ ├── filesystems │ ├── doc.go │ └── utils.go │ ├── gen.go │ ├── process │ ├── common.go │ ├── dump.c │ ├── dump.go │ ├── handles.go │ ├── sedebug.go │ ├── thread.go │ ├── token.go │ ├── utils.go │ ├── vad.go │ ├── vad_32.go │ └── winobj.go │ ├── processes.go │ ├── registry │ └── write.go │ ├── status.go │ ├── users.go │ ├── win32_windows.go │ ├── win32_windows_32.go │ ├── winpmem.go │ ├── wmi │ ├── events.c │ ├── events.go │ ├── parse │ │ ├── fixtures │ │ │ ├── sample.golden │ │ │ └── sample.txt │ │ ├── parse.go │ │ └── parse_test.go │ └── wmi.go │ ├── zwin32_windows_386.go │ ├── zwin32_windows_amd64.go │ └── zwin32_windows_arm64.go ├── vql_plugins ├── accessors.go ├── plugins.go ├── plugins_darwin.go ├── plugins_linux.go ├── plugins_windows.go ├── result_sets.go └── server.go └── vtesting ├── assert ├── retry.go ├── retry_test.go └── wrapper.go ├── config.go ├── file_info.go ├── goldie ├── goldie.go └── utils.go ├── helpers.go ├── logging.go ├── metrics.go ├── ports.go └── tls.go /.gitattributes: -------------------------------------------------------------------------------- 1 | * text=auto 2 | 3 | *.go text eol=lf 4 | *.yaml text eol=lf 5 | *.yml text eol=lf 6 | *.c text eol=lf 7 | *.h text eol=lf 8 | *.md text eol=lf 9 | *.golden text eol=lf 10 | *.txt text eol=lf 11 | logs text eol=lf 12 | *.html text eol=lf 13 | *.js text eol=lf 14 | *.css text eol=lf 15 | 16 | *.db binary 17 | *.json -text 18 | *.json.db -text 19 | *.csv binary 20 | *.zip binary 21 | *.index binary 22 | *.log binary 23 | *.idx binary -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | vendor/ 
2 | *~ 3 | *.config.yaml 4 | ./velociraptor 5 | emacs.desktop 6 | /debian/debhelper-build-stamp 7 | /debian/files 8 | /debian/velociraptor.debhelper.log 9 | *.debhelper 10 | ab0x.go 11 | output/ 12 | .velociraptor_history.json 13 | .idea/ 14 | node_modules/ 15 | package-lock.json 16 | __debug_bin 17 | bin/rsrc.syso 18 | 19 | artifacts/assets/ab0x.go 20 | gui/assets/ab0x.go 21 | config/ab0x.go 22 | .eslintcache 23 | **/.DS_Store 24 | .DS_Store 25 | /googleapis 26 | 27 | __debug* 28 | debug.test* -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | run: 2 | tests: false 3 | build-tags: 4 | - server_vql 5 | - extras 6 | - release 7 | - yara 8 | - codeanalysis 9 | 10 | allow-parallel-runners: true 11 | 12 | linters-settings: 13 | govet: 14 | settings: 15 | printf: 16 | funcs: 17 | - (www.velocidex.com/golang/velociraptor/logging.LogContext).Error 18 | -------------------------------------------------------------------------------- /.wwhrd.yml: -------------------------------------------------------------------------------- 1 | --- 2 | blacklist: 3 | - GPL-2.0 4 | 5 | whitelist: 6 | - Apache-2.0 7 | - BSD-2-Clause 8 | - BSD-2-Clause-Views 9 | - BSD-3-Clause 10 | - MIT 11 | - NewBSD 12 | - FreeBSD 13 | - ISC 14 | - MPL-2.0 15 | - LGPL-3.0 16 | 17 | exceptions: 18 | # Really MIT 19 | - github.com/mattn/go-pointer 20 | -------------------------------------------------------------------------------- /accessors/acl.go: -------------------------------------------------------------------------------- 1 | package accessors 2 | -------------------------------------------------------------------------------- /accessors/collector/fixtures/TestAutomaticDecryption.golden: -------------------------------------------------------------------------------- 1 | [ 2 | "/collection_context.json", 3 | "/log.json", 4 | "/log.json.index", 5 | "/requests.json", 6 | 
"/results", 7 | "/results/Demo.Plugins.GUI.json", 8 | "/results/Demo.Plugins.GUI.json.index" 9 | ] -------------------------------------------------------------------------------- /accessors/file/fixtures/TestLinuxSymlinks.golden: -------------------------------------------------------------------------------- 1 | [ 2 | "/second_bin/ls", 3 | "/subdir/ls", 4 | "/subdir/sym2/subdir/ls", 5 | "/sym1/ls" 6 | ] -------------------------------------------------------------------------------- /accessors/file/json.go: -------------------------------------------------------------------------------- 1 | package file 2 | -------------------------------------------------------------------------------- /accessors/file_store/fixtures/TestSparseFiles.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Offset": 0, 4 | "Length": 5, 5 | "IsSparse": false 6 | }, 7 | { 8 | "Offset": 5, 9 | "Length": 5, 10 | "IsSparse": true 11 | }, 12 | { 13 | "Offset": 10, 14 | "Length": 5, 15 | "IsSparse": false 16 | } 17 | ] -------------------------------------------------------------------------------- /accessors/fixtures/TestOSPathHumanString.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Deep Pathspec": "/shared/mnt/flat -\u003e /122683392 -\u003e Windows\\System32\\Config\\SYSTEM -\u003e /ControlSet001", 3 | "Normal path": "C:/Windows/System32" 4 | } -------------------------------------------------------------------------------- /accessors/fixtures/TestOSPathOperationsAppendComponents.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Simple Path": "C:\\Windows\\System32\\notepad.exe", 3 | "Complex Pathspec": "{\"DelegateAccessor\":\"raw_ntfs\",\"Delegate\":{\"DelegateAccessor\":\"file\",\"DelegatePath\":\"/mnt/flat\",\"Path\":\"/Windows/System32/Config/SYSTEM\"},\"Path\":\"ControlSet001\\\\Foo\\\\Bar\"}" 4 | } 
-------------------------------------------------------------------------------- /accessors/fixtures/TestOSPathOperationsTrimComponents.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Simple Path": "Windows\\System32", 3 | "Simple Path Deep": "System32", 4 | "Complex Pathspec": "{\"DelegateAccessor\":\"raw_ntfs\",\"Delegate\":{\"DelegateAccessor\":\"file\",\"DelegatePath\":\"/mnt/flat\",\"Path\":\"/Windows/System32/Config/SYSTEM\"}}", 5 | "Complex Pathspec Deep": "{\"DelegateAccessor\":\"raw_ntfs\",\"Delegate\":{\"DelegateAccessor\":\"file\",\"DelegatePath\":\"/mnt/flat\",\"Path\":\"/Windows/System32/Config/SYSTEM\"},\"Path\":\"Foo\\\\Bar\"}" 6 | } -------------------------------------------------------------------------------- /accessors/fixtures/TestVirtualFileInfo.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "FullPath": "/foo", 4 | "Size": 0, 5 | "Mode": 2147484141, 6 | "ModeStr": "drwxr-xr-x", 7 | "ModTime": "0001-01-01T00:00:00Z", 8 | "Data": {}, 9 | "Mtime": "0001-01-01T00:00:00Z", 10 | "Ctime": "0001-01-01T00:00:00Z", 11 | "Atime": "0001-01-01T00:00:00Z" 12 | } 13 | ] -------------------------------------------------------------------------------- /accessors/ntfs/fixtures/TestNTFSFilesystemAccessor.golden: -------------------------------------------------------------------------------- 1 | [ 2 | "$AttrDef", 3 | "$BadClus", 4 | "$BadClus:$Bad", 5 | "$Bitmap", 6 | "$Boot", 7 | "$Extend", 8 | "$LogFile", 9 | "$MFT", 10 | "$MFTMirr", 11 | "$RECYCLE.BIN", 12 | "$Secure", 13 | "$Secure:$SDS", 14 | "$UpCase", 15 | "$UpCase:$Info", 16 | "$Volume", 17 | "Folder A", 18 | "System Volume Information", 19 | "another_file.txt", 20 | "just_a_file.txt", 21 | "ones.bin" 22 | ] -------------------------------------------------------------------------------- /accessors/ntfs/fixtures/TestNTFSFilesystemAccessorRemapping.golden: 
-------------------------------------------------------------------------------- 1 | [ 2 | "\\\\.\\C:\\$MFT", 3 | "\\\\.\\D:\\$MFT" 4 | ] -------------------------------------------------------------------------------- /accessors/process/process_address_space_darwin_nocgo.go: -------------------------------------------------------------------------------- 1 | //go:build darwin && !cgo 2 | // +build darwin,!cgo 3 | 4 | package process 5 | 6 | import ( 7 | "errors" 8 | 9 | "www.velocidex.com/golang/velociraptor/accessors" 10 | ) 11 | 12 | var ( 13 | notSupportedError = errors.New("ProcessAccessor: This binary is not build with cgo support. Process access not enabled.") 14 | ) 15 | 16 | func (self *ProcessAccessor) OpenWithOSPath( 17 | path *accessors.OSPath) (accessors.ReadSeekCloser, error) { 18 | return nil, notSupportedError 19 | } 20 | -------------------------------------------------------------------------------- /accessors/pst/doc.go: -------------------------------------------------------------------------------- 1 | package pst 2 | 3 | // Parser for PST files 4 | -------------------------------------------------------------------------------- /accessors/raw_registry/fixtures/TestAccessorRawReg.golden: -------------------------------------------------------------------------------- 1 | [ 2 | "SAM\\Domains\\Account\\Aliases", 3 | "SAM\\Domains\\Account\\F", 4 | "SAM\\Domains\\Account\\Groups", 5 | "SAM\\Domains\\Account\\Users", 6 | "SAM\\Domains\\Account\\V", 7 | "SAM\\Domains\\Builtin\\Aliases", 8 | "SAM\\Domains\\Builtin\\F", 9 | "SAM\\Domains\\Builtin\\Groups", 10 | "SAM\\Domains\\Builtin\\PerComponentWellKnownAccountAppliedUpdates", 11 | "SAM\\Domains\\Builtin\\Users", 12 | "SAM\\Domains\\Builtin\\V" 13 | ] -------------------------------------------------------------------------------- /accessors/raw_registry/lru.go: -------------------------------------------------------------------------------- 1 | package raw_registry 2 | 3 | import ( 4 | 
"www.velocidex.com/golang/regparser" 5 | "www.velocidex.com/golang/velociraptor/accessors" 6 | ) 7 | 8 | type readDirLRUItem struct { 9 | children []accessors.FileInfo 10 | err error 11 | 12 | key *regparser.CM_KEY_NODE 13 | } 14 | -------------------------------------------------------------------------------- /accessors/registry/doc.go: -------------------------------------------------------------------------------- 1 | // Accessor to make the registry available via OS API 2 | 3 | package registry 4 | -------------------------------------------------------------------------------- /accessors/registry/lru.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | package registry 5 | 6 | import ( 7 | "time" 8 | 9 | "www.velocidex.com/golang/velociraptor/accessors" 10 | ) 11 | 12 | type readDirLRUItem struct { 13 | children []accessors.FileInfo 14 | err error 15 | age time.Time 16 | } 17 | -------------------------------------------------------------------------------- /accessors/s3/docs.go: -------------------------------------------------------------------------------- 1 | package s3 2 | 3 | // This is an S3 accessor 4 | 5 | // Sample query: 6 | 7 | // LET S3_CREDENTIALS <= dict(endpoint='http://127.0.0.1:4566/', credentials_key='admin', credentials_secret='password', no_verify_cert=1) 8 | // SELECT *, read_file(filename=OSPath, length=10, accessor='s3') AS Data FROM glob(globs='/velociraptor/orgs/root/clients/C.39a107c4c58c5efa/collections/*/uploads/auto/*', accessor='s3') 9 | -------------------------------------------------------------------------------- /accessors/scope.go: -------------------------------------------------------------------------------- 1 | package accessors 2 | -------------------------------------------------------------------------------- /accessors/vfs/fixtures/TestVFSAccessor.golden: 
-------------------------------------------------------------------------------- 1 | { 2 | "DirectoryListings": [ 3 | "/vfs_test/C:", 4 | "/vfs_test/C:/Windows", 5 | "/vfs_test/C:/Windows/File1.txt", 6 | "/vfs_test/C:/Windows/System32", 7 | "/vfs_test/C:/Windows/System32/File.txt", 8 | "/vfs_test/D:" 9 | ], 10 | "FileContents": { 11 | "/vfs_test/C:/Windows/File1.txt": "File in Windows", 12 | "/vfs_test/C:/Windows/System32/File.txt": "File in System32" 13 | } 14 | } -------------------------------------------------------------------------------- /accessors/zip/fixtures/TestReferenceCount.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Base": "/hello.txt", 4 | "Data": "hello\n" 5 | }, 6 | { 7 | "Base": "/hello1.txt", 8 | "Data": "hello1\n" 9 | }, 10 | { 11 | "Base": "/hello2.txt", 12 | "Data": "hello2\n" 13 | }, 14 | { 15 | "Base": "/hello3.txt", 16 | "Data": "hello3\n" 17 | }, 18 | { 19 | "Base": "/hello4.txt", 20 | "Data": "hello4\n" 21 | } 22 | ] -------------------------------------------------------------------------------- /acls/api.go: -------------------------------------------------------------------------------- 1 | package acls 2 | 3 | import "errors" 4 | 5 | var ( 6 | PermissionDenied = errors.New("PermissionDenied") 7 | ) 8 | -------------------------------------------------------------------------------- /acls/lockdown.go: -------------------------------------------------------------------------------- 1 | package acls 2 | 3 | import ( 4 | "sync" 5 | 6 | acl_proto "www.velocidex.com/golang/velociraptor/acls/proto" 7 | ) 8 | 9 | var ( 10 | mu sync.Mutex 11 | lockdown_token *acl_proto.ApiClientACL 12 | ) 13 | 14 | func LockdownToken() *acl_proto.ApiClientACL { 15 | mu.Lock() 16 | defer mu.Unlock() 17 | return lockdown_token 18 | } 19 | 20 | func SetLockdownToken(token *acl_proto.ApiClientACL) { 21 | mu.Lock() 22 | defer mu.Unlock() 23 | lockdown_token = token 24 | } 25 | 
-------------------------------------------------------------------------------- /acls/utils.go: -------------------------------------------------------------------------------- 1 | package acls 2 | -------------------------------------------------------------------------------- /actions/test_data/client.config.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/actions/test_data/client.config.yaml -------------------------------------------------------------------------------- /actions/test_data/hello.txt: -------------------------------------------------------------------------------- 1 | hello world 2 | -------------------------------------------------------------------------------- /api/fixtures/TestDatastore.golden: -------------------------------------------------------------------------------- 1 | { 2 | "children": [ 3 | { 4 | "components": [ 5 | "A", 6 | "B", 7 | "C" 8 | ] 9 | }, 10 | { 11 | "components": [ 12 | "A", 13 | "B", 14 | "D" 15 | ] 16 | } 17 | ] 18 | } -------------------------------------------------------------------------------- /api/health.go: -------------------------------------------------------------------------------- 1 | package api 2 | 3 | import ( 4 | "context" 5 | 6 | "www.velocidex.com/golang/velociraptor/api/proto" 7 | api_proto "www.velocidex.com/golang/velociraptor/api/proto" 8 | ) 9 | 10 | func (self *ApiServer) Check( 11 | ctx context.Context, 12 | in *api_proto.HealthCheckRequest) (*api_proto.HealthCheckResponse, error) { 13 | 14 | return &proto.HealthCheckResponse{ 15 | Status: api_proto.HealthCheckResponse_SERVING, 16 | }, nil 17 | } 18 | -------------------------------------------------------------------------------- /api/mock/gen.go: -------------------------------------------------------------------------------- 1 | //go:generate mockgen -destination api_mock.go 
www.velocidex.com/golang/velociraptor/api/proto APIClient,API_WatchEventClient 2 | 3 | package mock_proto 4 | -------------------------------------------------------------------------------- /api/proto/health.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package proto; 4 | 5 | option go_package = "www.velocidex.com/golang/velociraptor/api/proto"; 6 | 7 | message HealthCheckRequest { 8 | string service = 1; 9 | } 10 | 11 | message HealthCheckResponse { 12 | enum ServingStatus { 13 | UNKNOWN = 0; 14 | SERVING = 1; 15 | NOT_SERVING = 2; 16 | } 17 | ServingStatus status = 1; 18 | } 19 | -------------------------------------------------------------------------------- /api/proto/objects.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package proto; 4 | 5 | option go_package = "www.velocidex.com/golang/velociraptor/api/proto"; 6 | 7 | message ServerState { 8 | // Currently running server state 9 | string version = 1; 10 | } -------------------------------------------------------------------------------- /api/proto/orgs.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package proto; 4 | 5 | option go_package = "www.velocidex.com/golang/velociraptor/api/proto"; 6 | 7 | message OrgRecord { 8 | string name = 1; 9 | string nonce = 2; 10 | string id = 3; 11 | 12 | // Deprecated do not use 13 | string org_id = 4; 14 | } -------------------------------------------------------------------------------- /api/proto/server_state.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package proto; 4 | 5 | option go_package = "www.velocidex.com/golang/velociraptor/api/proto"; 6 | 7 | message ServerInstallRecord { 8 | uint64 install_time = 1; 9 | } 
-------------------------------------------------------------------------------- /api/proto/timeline_api.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | package proto; 4 | 5 | option go_package = "www.velocidex.com/golang/velociraptor/api/proto"; 6 | 7 | message AnnotationRequest { 8 | int64 timestamp = 1; 9 | string super_timeline = 2; 10 | string notebook_id = 3; 11 | string note = 4; 12 | string event_json = 5; 13 | } -------------------------------------------------------------------------------- /api/tables/doc.go: -------------------------------------------------------------------------------- 1 | package tables 2 | 3 | // The GUI frequently needs to display tables. This package manages 4 | // the GUI's table access: 5 | 6 | // 1. Central place for managing where result sets are stored and 7 | // accessed for the different tables needed 8 | 9 | // 2. Apply any result set transformations needed on the underlying 10 | // result set implementation. 
11 | -------------------------------------------------------------------------------- /artifacts/assets/.gitignore: -------------------------------------------------------------------------------- 1 | * -------------------------------------------------------------------------------- /artifacts/assets/docs.go: -------------------------------------------------------------------------------- 1 | package assets 2 | -------------------------------------------------------------------------------- /artifacts/b0x.yaml: -------------------------------------------------------------------------------- 1 | pkg: assets 2 | 3 | # We assume we are run from the toplevel directory: 4 | # fileb0x gui/b0x.yaml 5 | dest: "artifacts/assets/" 6 | 7 | fmt: false 8 | compression: 9 | compress: true 10 | 11 | output: "ab0x.go" 12 | custom: 13 | - files: 14 | - "artifacts/definitions/**/*.yaml" 15 | - "docs/references/vql.yaml" 16 | -------------------------------------------------------------------------------- /artifacts/definitions/Generic/Client/VQL.yaml: -------------------------------------------------------------------------------- 1 | name: Generic.Client.VQL 2 | description: | 3 | Run arbitrary VQL on the endpoint. 4 | 5 | required_permissions: 6 | - IMPERSONATION 7 | 8 | parameters: 9 | - name: Command 10 | default: SELECT * FROM info() 11 | 12 | sources: 13 | - query: | 14 | SELECT * FROM query(query=Command, env=dict(config=config)) 15 | -------------------------------------------------------------------------------- /artifacts/definitions/Linux/Proc/Arp.yaml: -------------------------------------------------------------------------------- 1 | name: Linux.Proc.Arp 2 | description: ARP table via /proc/net/arp. 
3 | parameters: 4 | - name: ProcNetArp 5 | default: /proc/net/arp 6 | sources: 7 | - precondition: | 8 | SELECT OS From info() where OS = 'linux' 9 | 10 | query: | 11 | SELECT * from split_records( 12 | filenames=ProcNetArp, 13 | regex='\\s{3,20}', 14 | first_row_is_headers=true) 15 | -------------------------------------------------------------------------------- /artifacts/definitions/Network/ExternalIpAddress.yaml: -------------------------------------------------------------------------------- 1 | name: Network.ExternalIpAddress 2 | description: Detect the external ip address of the end point. 3 | parameters: 4 | - name: externalUrl 5 | default: http://www.myexternalip.com/raw 6 | description: The URL of the external IP detection site. 7 | sources: 8 | - precondition: SELECT * from info() 9 | query: | 10 | SELECT Content as IP from http_client(url=externalUrl) 11 | -------------------------------------------------------------------------------- /artifacts/definitions/Notebooks/VQLx2.yaml: -------------------------------------------------------------------------------- 1 | name: Notebooks.VQLx2 2 | description: | 3 | A notebook initialized with 2 VQL cells 4 | 5 | type: NOTEBOOK 6 | 7 | sources: 8 | - notebook: 9 | - type: vql 10 | name: First Cell 11 | output: | 12 | << 1st cell: Click here to edit >> 13 | template: | 14 | SELECT * FROM orgs() 15 | - type: vql 16 | name: Second Cell 17 | output: | 18 | << 2nd cell: Click here to edit >> 19 | template: | 20 | SELECT * FROM gui_users() WHERE name = whoami() 21 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Audit/Logs.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Audit.Logs 2 | description: | 3 | This internal event artifact collects relevant audit events from the 4 | server. 
Audit events are significant auditable actions that a user 5 | takes, for example, starting a new collection, creating a new hunt, 6 | updating an artifact definition etc. 7 | 8 | type: SERVER_EVENT 9 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Hunts/List.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Hunts.List 2 | description: | 3 | List Hunts currently scheduled on the server. 4 | 5 | type: SERVER 6 | 7 | sources: 8 | - query: | 9 | SELECT hunt_id, 10 | timestamp(epoch=create_time) as Created, 11 | join(array=start_request.artifacts, sep=",") as Artifact, 12 | state 13 | FROM hunts() 14 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Hunts/Results.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Hunts.Results 2 | description: | 3 | Show the results from each artifact collection hunt. 4 | parameters: 5 | - name: huntId 6 | default: H.d05b2482 7 | - name: ArtifactName 8 | default: Linux.Mounts 9 | 10 | type: SERVER 11 | 12 | sources: 13 | - query: | 14 | SELECT * FROM hunt_results(hunt_id=huntId, artifact=ArtifactName) 15 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Import/RegistryHunter.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Import.RegistryHunter 2 | description: | 3 | This artifact will import the latest Registry Hunter artifact. 
4 | 5 | To read more about the Registry Hunter, see 6 | https://registry-hunter.velocidex.com/ 7 | 8 | type: SERVER 9 | 10 | required_permissions: 11 | - SERVER_ADMIN 12 | 13 | sources: 14 | - query: | 15 | SELECT * FROM Artifact.Server.Import.ArtifactExchange( 16 | ExchangeURL="https://registry-hunter.velocidex.com/Windows.Registry.Hunter.zip", 17 | Prefix="") 18 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Alerts.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Alerts 2 | description: | 3 | An internal event queue for alerts. All alerts sent from clients are 4 | collected in this event queue. 5 | 6 | Alerts are expected to be low frequency and high value and may be 7 | generated client or server side. 8 | 9 | type: SERVER_EVENT 10 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ArtifactModification.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ArtifactModification 2 | description: | 3 | This event artifact is an internal event stream over which 4 | notifications of artifact modifications are sent. Interested parties 5 | can watch for new artifact modification events and rebuild caches 6 | etc. 7 | 8 | Note: This is an automated system artifact. You do not need to start it. 9 | 10 | type: SERVER_EVENT 11 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientConflict.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientConflict 2 | description: | 3 | This event artifact is an internal event stream receiving events 4 | about client conflict. 
5 | 6 | When two clients attempt to connect to the server with the same 7 | client id, the server rejects one of these with a 409 Conflict HTTP 8 | message. The client id will be forwarded on this artifact as well so 9 | the server may take action. 10 | 11 | type: INTERNAL 12 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientDelete.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientDelete 2 | description: | 3 | An internal queue that receives events when a client is deleted. 4 | 5 | type: SERVER_EVENT 6 | 7 | column_types: 8 | - name: ClientId 9 | description: The client that was deleted. 10 | - name: Principal 11 | description: The principal who initiated the deletion. 12 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientInfo.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientInfo 2 | type: INTERNAL 3 | description: | 4 | An internal artifact collecting client information. This is used to 5 | update the client info indexes. Client send this automatically at 6 | startup and then every day. 7 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientInfoSnapshot.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientInfoSnapshot 2 | type: INTERNAL 3 | description: | 4 | An internal artifact that fires when the master node writes a new 5 | snapshot. Minion use this to trigger a refresh of their client info 6 | snapshots. 
7 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientPing.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientPing 2 | type: INTERNAL 3 | description: | 4 | An internal event channel for notifying about client pings. 5 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientScheduled.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientScheduled 2 | description: | 3 | This event will be fired when a client was sent flows to process. 4 | 5 | type: INTERNAL 6 | column_types: 7 | - name: ClientId 8 | - name: InFlightFlows 9 | description: New flows scheduled for the client 10 | - name: ClearFlows 11 | description: If this is set we clear all in flight flows. 12 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/ClientTasks.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.ClientTasks 2 | description: | 3 | This event will be fired when a client has new tasks scheduled. 4 | 5 | type: INTERNAL 6 | column_types: 7 | - name: ClientId 8 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Enrollment.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Enrollment 2 | description: | 3 | This event artifact is an internal event stream over which client 4 | enrollments are sent. You can watch this event queue to be notified 5 | on any new clients enrolling for the first time. 6 | 7 | Note: This is an automated system artifact. You do not need to start it. 
8 | 9 | type: INTERNAL 10 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/FrontendMetrics.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.FrontendMetrics 2 | description: | 3 | An internal queue that receives metrics from all frontends. The 4 | master Frontend manager service will aggregate these into a combined 5 | metric stream. 6 | 7 | type: INTERNAL 8 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/HuntModification.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.HuntModification 2 | description: | 3 | An internal queue to watch modifications of hunts. The hunt 4 | dispatcher from all nodes sends this mutation to the hunt manager 5 | which applies it. 6 | 7 | type: INTERNAL 8 | 9 | column_types: 10 | - name: HuntId 11 | - name: Mutation 12 | type: json 13 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/HuntUpdate.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.HuntUpdate 2 | description: | 3 | An internal queue to notify hunt dispatchers on all minions that a 4 | certain hunt has changed and should be updated from the internal 5 | cache. 6 | 7 | type: INTERNAL 8 | 9 | column_types: 10 | - name: HuntId 11 | - name: Hunt 12 | type: json 13 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Interrogation.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Interrogation 2 | description: | 3 | This event artifact is an internal event stream over which client 4 | interrogations are sent. 
When the interrogation service finishes 5 | updating a client record, it will send an event on this artifact. 6 | 7 | Note: This is an automated system artifact. You do not need to start it. 8 | 9 | type: INTERNAL 10 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Inventory.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Inventory 2 | description: | 3 | An internal artifact to listen to inventory (tools) changes. 4 | 5 | type: INTERNAL 6 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Label.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Label 2 | description: | 3 | An internal artifact used to track new labeling events. 4 | 5 | type: INTERNAL 6 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/MasterRegistrations.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.MasterRegistrations 2 | description: | 3 | The master will advertise to the minions the events it is interested 4 | in. 5 | 6 | type: INTERNAL 7 | column_types: 8 | - name: Events 9 | type: json_array 10 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/MetadataModifications.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.MetadataModifications 2 | description: | 3 | This event artifact is an internal event stream over which 4 | notifications of server metadata modifications are sent. 5 | 6 | Note: This is an automated system artifact. You do not need to start it. 
7 | 8 | type: SERVER_EVENT 9 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Notifications.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Notifications 2 | description: | 3 | This event artifact is an internal event stream over which client 4 | notifications are sent. A frontend will watch for events over this 5 | stream and if a client is actively connected to this frontend, the 6 | client will be notified that new work is available to it. 7 | 8 | Note: This is an automated system artifact. You do not need to start it. 9 | 10 | type: INTERNAL 11 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Ping.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Ping 2 | description: | 3 | An internal queue for Ping requests. The queue is watched by the 4 | replication service on the slave nodes, which will notify the 5 | specified target. 6 | 7 | type: INTERNAL 8 | 9 | column_types: 10 | - name: ClientId 11 | - name: NotifyTarget 12 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/Pong.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.Pong 2 | description: | 3 | An internal queue for Ping replies. 4 | 5 | type: INTERNAL 6 | 7 | column_types: 8 | - name: ClientId 9 | - name: Connected 10 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/TimelineAdd.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.TimelineAdd 2 | type: SERVER_EVENT 3 | description: | 4 | This artifact will fire whenever a timeline is added to a super 5 | timeline. 
You can use this to monitor for users adding timelines and 6 | forward them to an external timeline system (e.g. TimeSketch). 7 | 8 | column_types: 9 | - name: NotebookId 10 | - name: SuperTimelineName 11 | - name: Timeline 12 | 13 | # What type of event this is: can be Delete, AddTimeline 14 | - name: Action 15 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Internal/UserManager.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Internal.UserManager 2 | type: INTERNAL 3 | description: | 4 | An internal artifact notifying when user accounts are modified. 5 | -------------------------------------------------------------------------------- /artifacts/definitions/Server/Utils/ListUsers.yaml: -------------------------------------------------------------------------------- 1 | name: Server.Utils.ListUsers 2 | description: | 3 | This server artifact is used to list all current users and their 4 | permissions and org access. 5 | 6 | NOTE: When collected in an org context, only users belonging to the 7 | current org are visible. When collected in the context of the root 8 | org, all users in all orgs are visible. 9 | 10 | type: SERVER 11 | 12 | sources: 13 | - query: | 14 | SELECT * FROM gui_users(all_orgs=TRUE) 15 | -------------------------------------------------------------------------------- /artifacts/definitions/System/Flow/Archive.yaml: -------------------------------------------------------------------------------- 1 | name: System.Flow.Archive 2 | description: | 3 | An internal artifact that produces events for every flow completion 4 | in the system. 
5 | 6 | type: CLIENT_EVENT 7 | -------------------------------------------------------------------------------- /artifacts/definitions/System/Flow/Completion.yaml: -------------------------------------------------------------------------------- 1 | name: System.Flow.Completion 2 | description: | 3 | An internal artifact that produces events for every flow completion 4 | in the system. 5 | 6 | type: CLIENT_EVENT 7 | -------------------------------------------------------------------------------- /artifacts/definitions/System/Hunt/Archive.yaml: -------------------------------------------------------------------------------- 1 | name: System.Hunt.Archive 2 | description: | 3 | An internal artifact that receives events when a hunt is archived. 4 | 5 | You can write a server event artifact to do something about the 6 | hunts (like remove flows, generate zip file etc). 7 | 8 | type: CLIENT_EVENT 9 | -------------------------------------------------------------------------------- /artifacts/definitions/System/Hunt/Creation.yaml: -------------------------------------------------------------------------------- 1 | name: System.Hunt.Creation 2 | description: | 3 | An event artifact that fires when a user schedules a new hunt. 4 | 5 | type: SERVER_EVENT 6 | -------------------------------------------------------------------------------- /artifacts/definitions/System/Hunt/Participation.yaml: -------------------------------------------------------------------------------- 1 | name: System.Hunt.Participation 2 | description: | 3 | Endpoints may participate in hunts. This artifact collects which 4 | hunt each system participated in. 5 | 6 | # Will not be written but will be relayed between minions and server. 
7 | type: INTERNAL 8 | -------------------------------------------------------------------------------- /artifacts/definitions/System/Upload/Completion.yaml: -------------------------------------------------------------------------------- 1 | name: System.Upload.Completion 2 | description: | 3 | An internal artifact that produces events for every file that is 4 | uploaded to the system. 5 | 6 | type: CLIENT_EVENT 7 | -------------------------------------------------------------------------------- /artifacts/testdata/files/1.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/1.lnk -------------------------------------------------------------------------------- /artifacts/testdata/files/3DBuilder.ResourceResolver.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/3DBuilder.ResourceResolver.exe -------------------------------------------------------------------------------- /artifacts/testdata/files/5f7b5f1e01b83767.automaticDestinations-ms: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/5f7b5f1e01b83767.automaticDestinations-ms -------------------------------------------------------------------------------- /artifacts/testdata/files/Amcache.hve: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/Amcache.hve -------------------------------------------------------------------------------- /artifacts/testdata/files/AppCompatCache/README.txt: 
-------------------------------------------------------------------------------- 1 | These files came from https://github.com/EricZimmerman/AppCompatCacheParser 2 | -------------------------------------------------------------------------------- /artifacts/testdata/files/AppCompatCache/Win10Creators_trunc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/AppCompatCache/Win10Creators_trunc.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/AppCompatCache/Win10_trunc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/AppCompatCache/Win10_trunc.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/AppCompatCache/Win80_trunc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/AppCompatCache/Win80_trunc.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/AppCompatCache/Win81_trunc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/AppCompatCache/Win81_trunc.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/CSDump.bin: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/CSDump.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/CSSectionPE.zip.xor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/CSSectionPE.zip.xor -------------------------------------------------------------------------------- /artifacts/testdata/files/CSShellcode.zip.xor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/CSShellcode.zip.xor -------------------------------------------------------------------------------- /artifacts/testdata/files/CSsectionStager.zip.xor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/CSsectionStager.zip.xor -------------------------------------------------------------------------------- /artifacts/testdata/files/CSx86sleep.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/CSx86sleep.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/ChromeHistory.sqlite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/ChromeHistory.sqlite -------------------------------------------------------------------------------- 
/artifacts/testdata/files/Collection-WIN-E5K9RC5GU23-2021-11-21T18_05_56-08_00.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/Collection-WIN-E5K9RC5GU23-2021-11-21T18_05_56-08_00.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/Connection_incoming.txt: -------------------------------------------------------------------------------- 1 | 2 | 248257009 Machine1 05-08-2020 13:36:21 05-08-2020 13:38:33 yolo RemoteControl {e03e5706-1972-4ced-b209-3fa9b230d62b} 3 | 248257009 Machine1 05-08-2020 13:39:53 05-08-2020 13:42:44 yolo RemoteControl {af03e0b1-85c3-49b2-8074-c66ce0fd5f4a} -------------------------------------------------------------------------------- /artifacts/testdata/files/Current.mdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/Current.mdb -------------------------------------------------------------------------------- /artifacts/testdata/files/DE_104_system_log_cleared.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/DE_104_system_log_cleared.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/EID4103_PowershellModule.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/EID4103_PowershellModule.evtx -------------------------------------------------------------------------------- 
/artifacts/testdata/files/EID4104_PowershellScriptblock.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/EID4104_PowershellScriptblock.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/EID4769_Kerberoasting.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/EID4769_Kerberoasting.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/MBR: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/MBR -------------------------------------------------------------------------------- /artifacts/testdata/files/ModuleAnalysisCache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/ModuleAnalysisCache -------------------------------------------------------------------------------- /artifacts/testdata/files/RDPAuth_LocalSessionManager.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/RDPAuth_LocalSessionManager.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/RDPAuth_RemoteConnectionManager.evtx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/RDPAuth_RemoteConnectionManager.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/RDPAuth_Security.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/RDPAuth_Security.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/RDPAuth_System.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/RDPAuth_System.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/SAM: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/SAM -------------------------------------------------------------------------------- /artifacts/testdata/files/SPApplicationsDataType.json: -------------------------------------------------------------------------------- 1 | { 2 | "SPApplicationsDataType" : [ 3 | { 4 | "_name" : "Slack", 5 | "arch_kind" : "arch_arm_i64", 6 | "lastModified" : "2022-04-06T21:28:40Z", 7 | "obtained_from" : "identified_developer", 8 | "path" : "/Applications/Slack.app", 9 | "signed_by" : [ 10 | "Developer ID Application: Slack Technologies, Inc. 
(BQR82RBBHL)", 11 | "Developer ID Certification Authority", 12 | "Apple Root CA" 13 | ], 14 | "version" : "4.25.0" 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /artifacts/testdata/files/SecurityTasks.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/SecurityTasks.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/Security_1_record.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/Security_1_record.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/Session Storage.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/Session Storage.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/SystemIdentity.mdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/SystemIdentity.mdb -------------------------------------------------------------------------------- /artifacts/testdata/files/TaskScheduler.evtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/TaskScheduler.evtx -------------------------------------------------------------------------------- 
/artifacts/testdata/files/UsrClass.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/UsrClass.dat -------------------------------------------------------------------------------- /artifacts/testdata/files/VELOCIRAPTOR.EXE-DB95245D.pf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/VELOCIRAPTOR.EXE-DB95245D.pf -------------------------------------------------------------------------------- /artifacts/testdata/files/com.apple.dock.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/com.apple.dock.plist -------------------------------------------------------------------------------- /artifacts/testdata/files/compressedpe.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/compressedpe.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/csv/bad.csv: -------------------------------------------------------------------------------- 1 | Foo,Bar 2 | FirstColumn, SecondColumnWithLeadingSpace 3 | Second with trailing space ,Some other field 4 | Line with illegal " quote will be parsed, "Field with proper quote" 5 | "field with "" quote", "other field "" with "" more "" quotes " 6 | 3,4 -------------------------------------------------------------------------------- /artifacts/testdata/files/debian/.gitattributes: -------------------------------------------------------------------------------- 1 | * 
text eol=lf -------------------------------------------------------------------------------- /artifacts/testdata/files/debian/sources.list/osquery.list: -------------------------------------------------------------------------------- 1 | deb [arch=amd64 signed-by=/usr/share/keyrings/osquery.gpg] https://pkg.osquery.io/deb deb main 2 | -------------------------------------------------------------------------------- /artifacts/testdata/files/efi/db.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/efi/db.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/efi/dbx.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/efi/dbx.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/encrypted_collector_password.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/encrypted_collector_password.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/encrypted_collector_pki.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/encrypted_collector_pki.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/evtx/Microsoft-Windows-Sysmon%4Operational.evtx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/evtx/Microsoft-Windows-Sysmon%4Operational.evtx -------------------------------------------------------------------------------- /artifacts/testdata/files/ext4_tests.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/ext4_tests.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/fat_very_small.dd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/fat_very_small.dd -------------------------------------------------------------------------------- /artifacts/testdata/files/fs_events_00000000007cff3d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/fs_events_00000000007cff3d -------------------------------------------------------------------------------- /artifacts/testdata/files/fs_events_000000002fc5e551: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/fs_events_000000002fc5e551 -------------------------------------------------------------------------------- /artifacts/testdata/files/goodbye.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/goodbye.bz2 
-------------------------------------------------------------------------------- /artifacts/testdata/files/hello.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/hello.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/hi.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/hi.gz -------------------------------------------------------------------------------- /artifacts/testdata/files/history.sqlite: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/history.sqlite -------------------------------------------------------------------------------- /artifacts/testdata/files/infected.zip.xor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/infected.zip.xor -------------------------------------------------------------------------------- /artifacts/testdata/files/keys/UnencryptedED25519KeyPair.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN OPENSSH PRIVATE KEY----- 2 | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtz 3 | c2gtZWQyNTUxOQAAACB0M7NQwWgHF3xirTctmn/yw9tpd3vRdRBK8Z9oIGTJ4gAA 4 | AIhf0wxxX9MMcQAAAAtzc2gtZWQyNTUxOQAAACB0M7NQwWgHF3xirTctmn/yw9tp 5 | d3vRdRBK8Z9oIGTJ4gAAAEAwUQIBATAFBgMrZXAEIgQgp08TdS3yr6NMV4lPZzPn 6 | CXQzs1DBaAcXfGKtNy2af/LD22l3e9F1EErxn2ggZMniAAAAAAECAwQF 7 | -----END OPENSSH PRIVATE KEY----- 8 | 
-------------------------------------------------------------------------------- /artifacts/testdata/files/lines.txt: -------------------------------------------------------------------------------- 1 | 11111111111111111111111 2 | 22222222222222222222222222222222222 3 | 33333333333333 4 | -------------------------------------------------------------------------------- /artifacts/testdata/files/logo.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/logo.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/malware.zip.xor: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/malware.zip.xor -------------------------------------------------------------------------------- /artifacts/testdata/files/memory/9604: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/memory/9604 -------------------------------------------------------------------------------- /artifacts/testdata/files/nested.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/nested.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/notnbt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/notnbt.exe 
-------------------------------------------------------------------------------- /artifacts/testdata/files/ntexe.cat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/ntexe.cat -------------------------------------------------------------------------------- /artifacts/testdata/files/ntuser.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/ntuser.dat -------------------------------------------------------------------------------- /artifacts/testdata/files/password.txt.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/password.txt.lnk -------------------------------------------------------------------------------- /artifacts/testdata/files/pst/Outlook.pst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/pst/Outlook.pst -------------------------------------------------------------------------------- /artifacts/testdata/files/root_store_reg.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/root_store_reg.bin -------------------------------------------------------------------------------- /artifacts/testdata/files/system.journal.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/system.journal.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/tar_test.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/tar_test.tgz -------------------------------------------------------------------------------- /artifacts/testdata/files/test.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.docx -------------------------------------------------------------------------------- /artifacts/testdata/files/test.elf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.elf -------------------------------------------------------------------------------- /artifacts/testdata/files/test.ntfs.dd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.ntfs.dd -------------------------------------------------------------------------------- /artifacts/testdata/files/test.ntfs.dd.E01: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.ntfs.dd.E01 -------------------------------------------------------------------------------- /artifacts/testdata/files/test.odt: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.odt -------------------------------------------------------------------------------- /artifacts/testdata/files/test.vhdx.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.vhdx.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/test.yarac: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.yarac -------------------------------------------------------------------------------- /artifacts/testdata/files/test.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/test.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/unencrypted_collector.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/unencrypted_collector.zip -------------------------------------------------------------------------------- /artifacts/testdata/files/vagrant.plist: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/vagrant.plist 
-------------------------------------------------------------------------------- /artifacts/testdata/files/winpmem_x64.sys: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/winpmem_x64.sys -------------------------------------------------------------------------------- /artifacts/testdata/files/wkscli.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/wkscli.dll -------------------------------------------------------------------------------- /artifacts/testdata/files/wtmp.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/wtmp.1 -------------------------------------------------------------------------------- /artifacts/testdata/files/yara_test.txt: -------------------------------------------------------------------------------- 1 | regfXXXXXXXXprogram 2 | -------------------------------------------------------------------------------- /artifacts/testdata/files/{03A01CC5-91BB-4936-B685-63697785D39E}.mdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/files/{03A01CC5-91BB-4936-B685-63697785D39E}.mdb -------------------------------------------------------------------------------- /artifacts/testdata/manual/Error.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Error 2 | description: | 3 | Tests that errors are flagged by the server artifact runner. Should raise 4 | an error and fail the collection. 
5 | 6 | type: SERVER 7 | sources: 8 | - name: First 9 | query: | 10 | SELECT "Hello" FROM scope() 11 | 12 | - name: Second 13 | query: | 14 | SELECT log(message="Oops", level="ERROR") FROM scope() 15 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/Server.Sleep.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Server.Sleep 2 | description: | 3 | Used to test cancellation and artifact timeout on server artifact 4 | collector. 5 | 6 | type: SERVER 7 | 8 | sources: 9 | - query: | 10 | SELECT sleep(time=60) FROM scope() 11 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/Sleep.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Sleep 2 | description: | 3 | Used to test cancellation and artifact timeout on client 4 | collections. Change to SERVER to test server cancellation. 5 | 6 | type: CLIENT 7 | 8 | sources: 9 | - query: | 10 | SELECT sleep(time=10) 11 | FROM range(end=100) 12 | WHERE log(message=format(format="Sent data %v", args=now())) 13 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/Test.Crash.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Crash 2 | description: | 3 | Kill the client and test that a crash message is sent when the 4 | client resumes. 5 | 6 | sources: 7 | - query: | 8 | SELECT pskill(pid=getpid()) FROM scope() 9 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/Test.Sparse.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Sparse 2 | description: Test that sparse uploads are properly stored and processed. 3 | sources: 4 | - query: | 5 | -- Create a sparse file in memory. 
6 | LET FileName = pathspec( 7 | DelegateAccessor="data", 8 | DelegatePath="The quick red fox jumped oved the lazy", 9 | Path=[dict(Offset=0,Length=5), dict(Offset=10,Length=5)]) 10 | 11 | -- Upload to the server 12 | SELECT upload(accessor="sparse", file=FileName, name="X.txt") 13 | FROM scope() 14 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/TestLog.yaml: -------------------------------------------------------------------------------- 1 | name: Test.TestLog 2 | description: | 3 | Stream logs slowly - test that GUI updates logs 4 | 5 | sources: 6 | - query: | 7 | SELECT sleep(time=1), 8 | log(message="Message %v", args=_value, dedup=-1) AS Log 9 | FROM range(end=100) 10 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/Upload.Limits.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Upload.Limits 2 | description: | 3 | Used to test upload limits cancel the collection once they are 4 | exceeded. 5 | sources: 6 | - query: | 7 | SELECT upload(accessor="data", 8 | file="This is a long test with many letters", 9 | name=format(format="File%v.txt", args=_value)) AS Upload 10 | FROM range(end=10) 11 | 12 | resources: 13 | max_upload_bytes: 50 14 | -------------------------------------------------------------------------------- /artifacts/testdata/manual/Work.yaml: -------------------------------------------------------------------------------- 1 | name: Test.Work 2 | description: | 3 | Used to test CPU rate limiting works. 
4 | 5 | sources: 6 | - query: | 7 | SELECT * FROM foreach(query={ 8 | SELECT * FROM range(end=10000) 9 | WHERE FALSE 10 | }, row={ 11 | SELECT * FROM range(end=1000) 12 | }, workers=20) 13 | LIMIT 10 14 | 15 | resources: 16 | cpu_limit: 20 17 | -------------------------------------------------------------------------------- /artifacts/testdata/server/.gitignore: -------------------------------------------------------------------------------- 1 | config 2 | public 3 | server_artifacts 4 | server_artifact_logs 5 | *.json.db 6 | client_idx 7 | artifact_definitions 8 | orgs 9 | snapshot.json 10 | snapshot.json.index 11 | clients/C.123 12 | clients/C.4f5e52adf0a337a9/flow_index.json* 13 | 14 | hunts/index.* -------------------------------------------------------------------------------- /artifacts/testdata/server/README.txt: -------------------------------------------------------------------------------- 1 | This directory contains a sample of the server's filestore and datastore. It is used for testing server-based VQL queries. 
2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/client_idx/all/c.4/f5e/52a/df0/a33/7a9/C.4f5e52adf0a337a9.db: -------------------------------------------------------------------------------- 1 | 2 | C.4f5e52adf0a337a9all -------------------------------------------------------------------------------- /artifacts/testdata/server/client_idx/des/kto/p-6/cbj/8mj/c.4/f5e/52a/df0/a33/7a9/C.4f5e52adf0a337a9.db: -------------------------------------------------------------------------------- 1 | 2 | C.4f5e52adf0a337a9desktop-6cbj8mj -------------------------------------------------------------------------------- /artifacts/testdata/server/client_idx/hos/t%3Ad/esk/top/-6c/bj8/mjc/%2E4f/5e5/2ad/f0a/337/a9/C.4f5e52adf0a337a9.db: -------------------------------------------------------------------------------- 1 | 2 | C.4f5e52adf0a337a9host:desktop-6cbj8mj -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/.gitignore: -------------------------------------------------------------------------------- 1 | C.11a3013ccaXXXXX -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/artifacts/System.VFS.ListDirectory/F.BN2HJBD1R85EA.json: -------------------------------------------------------------------------------- 1 | {"upload(accessor=\"sparse\", file=FileName, name=\"X.txt\")":{"Path":"{\"DelegateAccessor\":\"data\",\"DelegatePath\":\"The quick red fox jumped oved the 
lazy\",\"Path\":\"[{\\\"Offset\\\":0,\\\"Length\\\":5},{\\\"Offset\\\":10,\\\"Length\\\":5}]\"}","Size":15,"StoredSize":10,"sha256":"5131e4491efdc758c6df326f49e1d05cf2e40a420a217c3390f35161c0d8e25d","md5":"c983ef648022eb030be9707dfe4ddce2"}} 2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/artifacts/System.VFS.ListDirectory/F.BN2HJBD1R85EA.json.index: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/artifacts/Windows.Applications.ChocolateyPackages/F.BN2HP3OSS3LK6.csv: -------------------------------------------------------------------------------- 1 | OSPath,Name,Version,Summary,Authors,License 2 | \C:\ProgramData\chocolatey\lib\wmiexplorer\wmiexplorer.nuspec,wmiexplorer,2.0.0.0,WMI Explorer is a utility intended to provide the ability to browse and view WMI namespaces/classes/instances/properties in a single pane of view.,Vinay Pamnani,https://wmie.codeplex.com/license 3 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/artifacts/Windows.Applications.ChocolateyPackages/F.BN2HP3OSS3LK6.json: -------------------------------------------------------------------------------- 1 | {"OSPath":"\\C:\\ProgramData\\chocolatey\\lib\\wmiexplorer\\wmiexplorer.nuspec","Name":"wmiexplorer","Version":"2.0.0.0","Summary":"WMI Explorer is a utility intended to provide the ability to browse and view WMI namespaces/classes/instances/properties in a single pane of view.","Authors":"Vinay Pamnani","License":"https://wmie.codeplex.com/license"} 2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN21C7HOQ10VQ.db: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN21C7HOQ10VQ.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN21C7HOQ10VQ/logs: -------------------------------------------------------------------------------- 1 | Timestamp,time,message 2 | 1573131808332661,2019-11-07 13:03:28 +0000 UTC,Time 0: Generic.Client.Info/BasicInformation: Sending response part 0 344 B (1 rows). 3 | 1573131808340374,2019-11-07 13:03:28 +0000 UTC,Time 0: Generic.Client.Info/Users: Sending response part 0 1.2 kB (8 rows). 4 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN21C7HOQ10VQ/task.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN21C7HOQ10VQ/task.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/logs.json.index: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/logs.json.index -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/task.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/task.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/uploads.json: -------------------------------------------------------------------------------- 1 | {"Timestamp":1664618674,"started":"2022-10-01 10:04:34.132068067 +0000 UTC","vfs_path":"X.txt","Type":"","_Components":["clients","C.4f5e52adf0a337a9","collections","F.BN2HJBD1R85EA","uploads","sparse","X.txt"],"file_size":15,"uploaded_size":10} 2 | {"Timestamp":1664618674,"started":"2022-10-01 10:04:34.13217806 +0000 UTC","vfs_path":"X.txt.idx","Type":"idx","_Components":["clients","C.4f5e52adf0a337a9","collections","F.BN2HJBD1R85EA","uploads","sparse","X.txt"],"file_size":225,"uploaded_size":225} 3 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/uploads.json.index: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/uploads.json.index -------------------------------------------------------------------------------- 
/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/uploads/sparse/X.txt: -------------------------------------------------------------------------------- 1 | The qred f -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJBD1R85EA/uploads/sparse/X.txt.idx: -------------------------------------------------------------------------------- 1 | { 2 | "ranges": [ 3 | { 4 | "file_length": 5, 5 | "length": 5 6 | }, 7 | { 8 | "file_offset": 5, 9 | "original_offset": 5, 10 | "length": 5 11 | }, 12 | { 13 | "file_offset": 5, 14 | "original_offset": 10, 15 | "file_length": 5, 16 | "length": 5 17 | } 18 | ] 19 | } -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/logs: -------------------------------------------------------------------------------- 1 | Timestamp,time,message 2 | 1573198259910238,2019-11-08 07:30:59 +0000 UTC,Time 0: System.VFS.DownloadFile: Sending response part 0 209 B (1 rows). 3 | 1573198259919312,2019-11-08 07:30:59 +0000 UTC,Uploaded 1 files. 
4 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/task.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/task.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/uploads.json: -------------------------------------------------------------------------------- 1 | {"Timestamp":1573198259,"started":"2019-11-08 07:30:59.920512962 +0000 UTC","vfs_path":"C:\\1.zip","_Components":["clients","C.4f5e52adf0a337a9","collections","F.BN2HJCPOF5U7U","uploads","auto","C:","1.zip"],"file_size":1319,"uploaded_size":1319} 2 | {"Timestamp":1573198259,"started":"2019-11-08 07:30:59.920512962 +0000 UTC","vfs_path":"/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/uploads/file/C:/old_style.zip","expected_size":1319} 3 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/uploads/file/C%3A/1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HJCPOF5U7U/uploads/file/C%3A/1.zip -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HP3OSS3LK6.db: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HP3OSS3LK6.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HP3OSS3LK6/logs.json: -------------------------------------------------------------------------------- 1 | Timestamp,time,message 2 | 1573198991543000,2019-11-08 07:43:11 +0000 UTC,Time 0: Windows.Applications.ChocolateyPackages: Sending response part 0 385 B (1 rows). 3 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HP3OSS3LK6/task.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BN2HP3OSS3LK6/task.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BSJMEJIPT6P9I.json.db: -------------------------------------------------------------------------------- 1 | {"clientId":"C.4f5e52adf0a337a9","sessionId":"F.BSJMEJIPT6P9I","request":{"creator":"admin","clientId":"C.622d19ea21109231","artifacts":["Windows.Network.NetstatEnriched"],"specs":[{"artifact":"Windows.Network.NetstatEnriched","parameters":{}}]},"createTime":"1701175416907783","totalRequests":"1","outstandingRequests":"1","state":"RUNNING"} -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BSJMEJIPT6P9I/logs.json: -------------------------------------------------------------------------------- 1 | {"Timestamp":"1596417883121325","time":"2020-08-03 11:24:43 +1000 AEST","message":"vql: 
Starting query execution.\n"} 2 | {"Timestamp":"1596417903367896","time":"2020-08-03 11:25:03 +1000 AEST","message":"Time 3: Windows.Network.NetstatEnriched/Netstat: Sending response part 0 54 kB (57 rows)."} 3 | -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BSJMEJIPT6P9I/stats.json.db: -------------------------------------------------------------------------------- 1 | {"clientId":"C.4f5e52adf0a337a9","sessionId":"F.BSJMEJIPT6P9I","startTime":"1701175416937261","activeTime":"1701175432476534","totalCollectedRows":"71","totalLogs":"15","totalRequests":"1","executionDuration":"15539273000","state":"FINISHED","artifactsWithResults":["Windows.Network.NetstatEnriched/Netstat"],"queryStats":[{"duration":"15539273000","lastActive":"1701175432476534","firstActive":"1701175416937261","namesWithResponse":["Windows.Network.NetstatEnriched/Netstat"],"logRows":"15","resultRows":"71"}]} -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BSJMEJIPT6P9I/task.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.BSJMEJIPT6P9I/task.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.Monitoring.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/collections/F.Monitoring.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/key.db: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/key.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/monitoring/Generic.Client.Stats/2021-12-07.json.tidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/monitoring/Generic.Client.Stats/2021-12-07.json.tidx -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/monitoring/Windows.Events.ProcessCreation/2019-10-25.json.tidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/monitoring/Windows.Events.ProcessCreation/2019-10-25.json.tidx -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/monitoring_logs/Generic.Client.Stats/2021-12-07.json.tidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/monitoring_logs/Generic.Client.Stats/2021-12-07.json.tidx -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/ping.json.db: -------------------------------------------------------------------------------- 1 | 
{"ipAddress":"192.168.1.112:60239","ping":"1638362977493088","pingTime":"2021-12-01 22:49:37.493088 +1000 AEST","lastHuntTimestamp":"1638328729918951","lastEventTableVersion":"1638341638041465436"} -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/file.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/file.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/file/C%3A.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/file/C%3A.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/ntfs.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/ntfs.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/ntfs/C%3A.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs/ntfs/C%3A.db -------------------------------------------------------------------------------- /artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs_files/file/C%3A/1.zip.db: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/clients/C.4f5e52adf0a337a9/vfs_files/file/C%3A/1.zip.db -------------------------------------------------------------------------------- /artifacts/testdata/server/downloads/.gitignore: -------------------------------------------------------------------------------- 1 | *.zip -------------------------------------------------------------------------------- /artifacts/testdata/server/hunt_index/h.49ba8939/C.4f5e52adf0a337a9.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/hunt_index/h.49ba8939/C.4f5e52adf0a337a9.db -------------------------------------------------------------------------------- /artifacts/testdata/server/hunts/H.19c0c0a2.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/hunts/H.19c0c0a2.db -------------------------------------------------------------------------------- /artifacts/testdata/server/hunts/H.19c0c0a2/notebook/N.H.19c0c0a2/NC.BUURUOMSSMJ5I/query_1.json.index: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/hunts/H.19c0c0a2/notebook/N.H.19c0c0a2/NC.BUURUOMSSMJ5I/query_1.json.index -------------------------------------------------------------------------------- /artifacts/testdata/server/hunts/H.19c0c0a2/stats.db: -------------------------------------------------------------------------------- 1 | Hp 
-------------------------------------------------------------------------------- /artifacts/testdata/server/hunts/H.49ba8939.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/hunts/H.49ba8939.db -------------------------------------------------------------------------------- /artifacts/testdata/server/hunts/H.49ba8939.json: -------------------------------------------------------------------------------- 1 | {"HuntId":"H.49ba8939","ClientId":"C.4f5e52adf0a337a9","Participate":true,"FlowId":"F.BSJMEJIPT6P9I","Timestamp":1593490966,"_ts":1593490966} 2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/hunts/H.49ba8939/stats.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/hunts/H.49ba8939/stats.db -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N2HMAK01C/logs.json: -------------------------------------------------------------------------------- 1 | {"Timestamp":1678662970528869,"Level":"DEBUG","message":"Query Stats: {\"RowsScanned\":0,\"PluginsCalled\":0,\"FunctionsCalled\":0,\"ProtocolSearch\":0,\"ScopeCopy\":0}\n"} 2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N2HMAK01C/logs.json.index: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N5GVJAA2E/logs.json: 
-------------------------------------------------------------------------------- 1 | {"Timestamp":1678661693887403,"Level":"DEBUG","message":"Query Stats: {\"RowsScanned\":1,\"PluginsCalled\":1,\"FunctionsCalled\":2,\"ProtocolSearch\":0,\"ScopeCopy\":3}\n"} 2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N5GVJAA2E/logs.json.index: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N5GVJAA2E/query_1.json: -------------------------------------------------------------------------------- 1 | {"Upload":{"Path":"test.txt","Size":11,"sha256":"64ec88ca00b268e5ba1a35678a1b5316d212f4f366b2477232534a8aeca37f3c","md5":"3e25960a79dbc69b674cd4ec67a72c62","StoredName":"test.txt","Components":["notebooks","N.CG74N2JSSV75S","NC.CG74N5GVJAA2E","uploads","test.txt"],"Accessor":"data"}} 2 | -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N5GVJAA2E/query_1.json.index: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/NC.CG74N5GVJAA2E/uploads/test.txt: -------------------------------------------------------------------------------- 1 | Hello world -------------------------------------------------------------------------------- /artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/files/NA.CG75NPHSURTDQimage.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/notebooks/N.CG74N2JSSV75S/files/NA.CG75NPHSURTDQimage.png -------------------------------------------------------------------------------- /artifacts/testdata/server/server_artifacts/Server.Monitor.Health/Prometheus/2020-11-08.json.index: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/server_artifacts/Server.Monitor.Health/Prometheus/2020-11-08.json.index -------------------------------------------------------------------------------- /artifacts/testdata/server/server_artifacts/Server.Monitor.Health/Prometheus/2023-09-07.json.tidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/server_artifacts/Server.Monitor.Health/Prometheus/2023-09-07.json.tidx -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/accessors.in.yaml: -------------------------------------------------------------------------------- 1 | Parameters: 2 | FooBar: SomeData 3 | 4 | Queries: 5 | - SELECT read_file(accessor="data", filename=FooBar), 6 | read_file(accessor="scope", filename="FooBar") 7 | FROM scope() 8 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/accessors.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT read_file(accessor="data", filename=FooBar), read_file(accessor="scope", filename="FooBar") FROM scope() 2 | Output: [ 3 | { 4 | "read_file(accessor=\"data\", filename=FooBar)": "SomeData", 5 | "read_file(accessor=\"scope\", filename=\"FooBar\")": "SomeData" 6 | } 
7 | ] 8 | 9 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/application.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT StartTime,EndTime,TeamViewerID,SourceHost,User,ConnectionType,ConnectionID 3 | FROM Artifact.Windows.Applications.TeamViewer.Incoming( 4 | FileGlob=srcDir + '/artifacts/testdata/files/Connection_incoming.txt') 5 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/atexit.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT * FROM query(query=''' 3 | LET Foo = SELECT log(message="I Ran at the end") FROM scope() 4 | LET _ <= log(message="First!") 5 | LET _ <= atexit(query=Foo, env=dict(X="Me too", Y=2)) 6 | LET _ <= log(message="Second!") 7 | ''') 8 | - SELECT * FROM test_read_logs() 9 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/cobalt2.out.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/artifacts/testdata/server/testcases/cobalt2.out.yaml -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/delay.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT * FROM delay(query={ SELECT "Hello" FROM scope() }, delay=1) 3 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/delay.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT * FROM delay(query={ SELECT "Hello" FROM scope() }, delay=1) 2 | Output: [ 3 | { 4 | "\"Hello\"": "Hello" 5 | 
} 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/doc.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT basename(path=OfficePath) as OfficePath, 3 | OfficeSize, InternalMtime, HexContext 4 | FROM Artifact.Generic.Applications.Office.Keywords( 5 | searchGlob=srcDir + '/artifacts/testdata/files') 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/eval.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET Variable = "Hello" 3 | - | 4 | SELECT eval(func="x=>x.Variable"), eval(func="x=>x + ' world'", args=Variable) 5 | FROM scope() 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/eval.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET Variable = "Hello" 2 | Output: [] 3 | 4 | Query: SELECT eval(func="x=>x.Variable"), eval(func="x=>x + ' world'", args=Variable) 5 | FROM scope() 6 | 7 | Output: [ 8 | { 9 | "eval(func=\"x=\u003ex.Variable\")": "Hello", 10 | "eval(func=\"x=\u003ex + ' world'\", args=Variable)": "Hello world" 11 | } 12 | ] 13 | 14 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/ewf.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - | 3 | SELECT OSPath.Path AS OSPath, Size, Mode.String 4 | FROM glob( 5 | globs="*", accessor="raw_ntfs", root=pathspec( 6 | Path="/", 7 | DelegateAccessor="ewf", 8 | DelegatePath=srcDir + "/artifacts/testdata/files/test.ntfs.dd.E01")) 9 | WHERE OSPath =~ ".txt$" 10 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/ewf.out.yaml: 
-------------------------------------------------------------------------------- 1 | Query: SELECT OSPath.Path AS OSPath, Size, Mode.String 2 | FROM glob( 3 | globs="*", accessor="raw_ntfs", root=pathspec( 4 | Path="/", 5 | DelegateAccessor="ewf", 6 | DelegatePath=srcDir + "/artifacts/testdata/files/test.ntfs.dd.E01")) 7 | WHERE OSPath =~ ".txt$" 8 | 9 | Output: [ 10 | { 11 | "OSPath": "another_file.txt", 12 | "Size": 14, 13 | "Mode.String": "-rwxr-xr-x" 14 | }, 15 | { 16 | "OSPath": "just_a_file.txt", 17 | "Size": 12, 18 | "Mode.String": "-rwxr-xr-x" 19 | } 20 | ] 21 | 22 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/fifo.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET X = SELECT * FROM fifo(query={SELECT * FROM range(end=10)}, max_rows=2) 3 | # Start the fifo query 4 | - SELECT * FROM X 5 | 6 | # Wait a bit for events to start flowing into the fifo. 7 | - LET _ <= sleep(ms=100) 8 | 9 | # Should return the last 2 events. 10 | - SELECT * FROM X 11 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/fifo.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET X = SELECT * FROM fifo(query={SELECT * FROM range(end=10)}, max_rows=2) 2 | Output: [] 3 | 4 | # Start the fifo query 5 | Query: SELECT * FROM X 6 | Output: [] 7 | 8 | # Wait a bit for events to start flowing into the fifo. 9 | Query: LET _ <= sleep(ms=100) 10 | Output: [] 11 | 12 | # Should return the last 2 events. 
13 | Query: SELECT * FROM X 14 | Output: [ 15 | { 16 | "_value": 8 17 | }, 18 | { 19 | "_value": 9 20 | } 21 | ] 22 | 23 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/generator.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET Generator = generate(query={ 3 | SELECT * FROM range(start=0, end=10, step=1) 4 | }, delay=1) 5 | 6 | - SELECT * FROM combine( 7 | a={ 8 | SELECT format(format="%v/%s", args=[_value, "A"]) AS Query 9 | FROM Generator 10 | }, b={ 11 | SELECT format(format="%v/%s", args=[_value, "B"]) AS Query 12 | FROM Generator 13 | }) 14 | ORDER BY Query 15 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/hash.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT hash(path=srcDir+"/artifacts/testdata/files/hello.zip") AS AllHashes, 3 | hash(path=srcDir+"/artifacts/testdata/files/hello.zip", 4 | hashselect="md5") AS MD5HashOnly, 5 | hash(path=srcDir+"/artifacts/testdata/files/hello.zip", 6 | hashselect=["md5", "sha256"]) AS MDHashAndSha256 7 | FROM scope() 8 | 9 | - SELECT tlsh_hash(path=srcDir+"/artifacts/testdata/files/hello.zip") FROM scope() 10 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/ip.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT ip(parse='0:0:0:0:0:FFFF:129.144.52.38'), 3 | ip(parse='192.168.1.2').IsPrivate 4 | FROM scope() 5 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/ip.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT ip(parse='0:0:0:0:0:FFFF:129.144.52.38'), ip(parse='192.168.1.2').IsPrivate FROM scope() 
2 | Output: [ 3 | { 4 | "ip(parse='0:0:0:0:0:FFFF:129.144.52.38')": "129.144.52.38", 5 | "ip(parse='192.168.1.2').IsPrivate": true 6 | } 7 | ] 8 | 9 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/kerberoasting.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | 3 | # Kerbroasting VQL test 4 | - SELECT OSPath.Basename AS OSPath, * FROM Artifact.Windows.EventLogs.Kerberoasting( 5 | EvtxGlob=srcDir + '/artifacts/testdata/files/EID4769_Kerberoasting.evtx') 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/linux_last_login.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # Make sure we can find the logout time for at least one login 3 | # event. 4 | - SELECT OSPath.Basename AS OSPath, * 5 | FROM Artifact.Linux.Sys.LastUserLogin( 6 | recent_x_days=10000, 7 | wtmpGlobs=srcDir+"/artifacts/testdata/files/wtmp.1") 8 | WHERE logout_time 9 | LIMIT 1 10 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/linux_passwd.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT * 3 | FROM Artifact.Linux.Sys.Users( 4 | PasswordFile=srcDir + '/artifacts/testdata/files/linux/passwd' 5 | ) 6 | 7 | - SELECT * 8 | FROM Artifact.Linux.Sys.Groups( 9 | GroupFile=srcDir + '/artifacts/testdata/files/linux/group' 10 | ) 11 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/loghunter.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT relpath(path=OSPath, base=srcDir, sep="/") as RelativePath, Line 3 | FROM Artifact.Linux.Sys.LogHunter(TargetFiles=srcDir + 
'/artifacts/testdata/files/access.log',SearchRegex='66.102.6.218',FilterRegex='') 4 | - SELECT relpath(path=OSPath, base=srcDir, sep="/") as RelativePath, Line 5 | FROM Artifact.Linux.Sys.LogHunter(TargetFiles=srcDir + '/artifacts/testdata/files/access.log',SearchRegex='masscan',FilterRegex='170.238.36.21') -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/lru.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET Cache <= lru(size=3) 3 | - SELECT set(item=Cache, field=_value, 4 | value=format(format="Message %d", args=_value)) AS Set 5 | FROM range(start=0, end=10, step=1) 6 | WHERE Set AND FALSE 7 | 8 | # Message 6 is expired but 8 should be in cache. 9 | - SELECT get(item=Cache, field="6"), 10 | get(item=Cache, field="8") 11 | FROM scope() 12 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/lru.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET Cache <= lru(size=3) 2 | Output: [] 3 | 4 | Query: SELECT set(item=Cache, field=_value, value=format(format="Message %d", args=_value)) AS Set FROM range(start=0, end=10, step=1) WHERE Set AND FALSE 5 | Output: [] 6 | 7 | # Message 6 is expired but 8 should be in cache. 
8 | Query: SELECT get(item=Cache, field="6"), get(item=Cache, field="8") FROM scope() 9 | Output: [ 10 | { 11 | "get(item=Cache, field=\"6\")": null, 12 | "get(item=Cache, field=\"8\")": "Message 8" 13 | } 14 | ] 15 | 16 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/memoize.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET AllData <= SELECT "A" AS Key, "B" AS Value 3 | FROM scope() 4 | 5 | - LET Mem <= memoize(query={ 6 | SELECT * FROM AllData 7 | }, key="Key") 8 | 9 | - SELECT get(item=Mem, field="A") FROM scope() 10 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/memoize.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET AllData <= SELECT "A" AS Key, "B" AS Value FROM scope() 2 | Output: [] 3 | 4 | Query: LET Mem <= memoize(query={ SELECT * FROM AllData }, key="Key") 5 | Output: [] 6 | 7 | Query: SELECT get(item=Mem, field="A") FROM scope() 8 | Output: [ 9 | { 10 | "get(item=Mem, field=\"A\")": { 11 | "Key": "A", 12 | "Value": "B" 13 | } 14 | } 15 | ] 16 | 17 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/pe_hunter.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # Test Windows.Detection.BinaryHunter 3 | - SELECT File.Name, File.Size, Hash.SHA1, PE FROM Artifact.Windows.Detection.BinaryHunter(TargetGlob=srcDir + "/artifacts/**/*.dll",PEInformationRegex='NetUseEnum',SHA1List='8645c878966239afe44df0593288c7c59a7878eb') 4 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/pipe.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET MyPipe = pipe(query={ 3 
| SELECT _value FROM range(start=0, end=10, step=1) 4 | }, sep="\n") 5 | 6 | - SELECT read_file(filename="MyPipe", accessor="pipe") 7 | FROM scope() 8 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/pipe.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET MyPipe = pipe(query={ SELECT _value FROM range(start=0, end=10, step=1) }, sep="\n") 2 | Output: [] 3 | 4 | Query: SELECT read_file(filename="MyPipe", accessor="pipe") FROM scope() 5 | Output: [ 6 | { 7 | "read_file(filename=\"MyPipe\", accessor=\"pipe\")": "0\n1\n2\n3\n4\n5\n6\n7\n8\n9\n" 8 | } 9 | ] 10 | 11 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/plist.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT * FROM Artifact.MacOS.System.Users(UserPlistGlob=srcDir + '/artifacts/testdata/files/vagrant.plist') 3 | - SELECT basename(path=ZipFile), 4 | Member, Key, Value 5 | FROM Artifact.MacOS.Forensics.AppleDoubleZip(ZipGlob=srcDir + '/artifacts/testdata/files/logo*.zip') 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/process_tracker.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # A default process tracker always exists and it is equivalent to pslist(). 3 | - | 4 | SELECT process_tracker_get(id=str(str=getpid())).Id = str(str=getpid()) 5 | FROM scope() 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/process_tracker.out.yaml: -------------------------------------------------------------------------------- 1 | # A default process tracker always exists and it is equivalent to pslist(). 
2 | Query: SELECT process_tracker_get(id=str(str=getpid())).Id = str(str=getpid()) 3 | FROM scope() 4 | 5 | Output: [ 6 | { 7 | "process_tracker_get(id=str(str=getpid())).Id = str(str=getpid())": true 8 | } 9 | ] 10 | 11 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/profile.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT * FROM profile(metrics=TRUE) 3 | WHERE name =~ "client_comms_current_connections" 4 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/profile.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT * FROM profile(metrics=TRUE) WHERE name =~ "client_comms_current_connections" 2 | Output: [ 3 | { 4 | "name": "client_comms_current_connections", 5 | "help": "Number of currently connected clients.", 6 | "value": 0, 7 | "Profile": "Metrics" 8 | } 9 | ] 10 | 11 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/protocols.in.yaml: -------------------------------------------------------------------------------- 1 | Parameters: 2 | TestString: This is a test 3 | 4 | Queries: 5 | - SELECT TestString, TestString[0], TestString[-1], 6 | TestString[0:5], TestString[:5], TestString[5:] 7 | FROM scope() 8 | 9 | # Regex on integers and times should convert to string first. 
10 | - SELECT 10 =~ "1", timestamp(epoch=1666796776) =~ "2022" FROM scope() 11 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/pst.in.yaml: -------------------------------------------------------------------------------- 1 | Parameters: 2 | YaraRule: | 3 | rule X { 4 | strings: $a = "JPEG" nocase 5 | condition: any of them 6 | } 7 | 8 | Queries: 9 | - SELECT * FROM Artifact.Windows.Forensics.Pst( 10 | PSTGlob=srcDir + "/artifacts/testdata/files/pst/Outlook.pst", 11 | AttachmentYaraRule=YaraRule, 12 | SubjectRegex="Multiple", 13 | PathRegex="Sent") 14 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/regex.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - LET URLEscaped = "my%2Fcool%2Bescaped%2y6string%2Cwith%2cmalform" 3 | 4 | # Test lambda replace target: Unescape the URL string with a simple 5 | # dumb replace (not correct but resilient to malformed strings) 6 | - SELECT regex_replace(source=URLEscaped, 7 | replace_lambda="x=>unhex(string=x[1:]) || x", re="%..") 8 | FROM scope() 9 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/regex.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET URLEscaped = "my%2Fcool%2Bescaped%2y6string%2Cwith%2cmalform" 2 | Output: [] 3 | 4 | # Test lambda replace target: Unescape the URL string with a simple 5 | # dumb replace (not correct but resilient to malformed strings) 6 | Query: SELECT regex_replace(source=URLEscaped, replace_lambda="x=>unhex(string=x[1:]) || x", re="%..") FROM scope() 7 | Output: [ 8 | { 9 | "regex_replace(source=URLEscaped, replace_lambda=\"x=\u003eunhex(string=x[1:]) || x\", re=\"%..\")": "my/cool+escaped%2y6string,with,malform" 10 | } 11 | ] 12 | 13 | 
-------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/sequence.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT * FROM sequence( a={ SELECT 1 AS A FROM scope() }, b={ SELECT 2 AS A FROM scope() }, c={ SELECT 3 AS A FROM scope() }, query={ SELECT A AS FoundA, { SELECT A FROM SEQUENCE WHERE A = 2 } AS FoundB FROM SEQUENCE WHERE A = 1 AND FoundB }) 2 | Output: [ 3 | { 4 | "FoundA": 1, 5 | "FoundB": 2 6 | } 7 | ] 8 | 9 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/sigma.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT * FROM Artifact.Windows.Sigma.EventLogs( 3 | EventLogDirectory=srcDir + "/artifacts/testdata/files/evtx", 4 | Debug=FALSE, 5 | InlineSigmaRules=read_file(filename=srcDir + "/artifacts/testdata/files/evtx/proc_creation_win_whoami_as_system.yml")) 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/ssh.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT OSPath.Basename AS Name, KeyType, Cipher, Header 3 | FROM Artifact.Linux.Ssh.PrivateKeys( 4 | KeyGlobs=srcDir+"/artifacts/testdata/files/**/*.pem") 5 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/ual.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT *, basename(path=_OSPath) AS _OSPath 3 | FROM Artifact.Windows.Forensics.UserAccessLogs( 4 | source="Clients", 5 | SUMGlob=srcDir+"/artifacts/testdata/files/*.mdb") 6 | GROUP BY AuthenticatedUserName 7 | 8 | - SELECT *, basename(path=_OSPath) AS _OSPath 9 | FROM Artifact.Windows.Forensics.UserAccessLogs( 10 | source="SystemIdentity", 
11 | SUMGlob=srcDir+"/artifacts/testdata/files/*.mdb") 12 | ORDER BY CreationTime 13 | LIMIT 1 14 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/verify.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT count() AS Count , 3 | verify(artifact=name) AS V 4 | FROM artifact_definitions() 5 | WHERE type=~'client' AND built_in AND V.Warnings 6 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/verify.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT count() AS Count , verify(artifact=name) AS V FROM artifact_definitions() WHERE type=~'client' AND built_in AND V.Warnings 2 | Output: [] 3 | 4 | -------------------------------------------------------------------------------- /artifacts/testdata/server/testcases/yara_lint.out.yaml: -------------------------------------------------------------------------------- 1 | Query: LET Cleaned <= yara_lint(clean=TRUE, rules=YaraRules) 2 | Output: [] 3 | 4 | Query: SELECT Cleaned FROM scope() 5 | Output: [ 6 | { 7 | "Cleaned": "import \"pe\"\n\nrule Hive {\n condition:\n pe.imphash() == \"f34d5f2d4577ed6d9ceec516c1f5a744\"\n}\n" 8 | } 9 | ] 10 | 11 | Query: SELECT * FROM yara(rules=Cleaned, accessor="data", files="Hello") 12 | Output: [] 13 | 14 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/authenticode.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # Notepad is signed via catalog, kernel is normally pe signed. 
3 | - LET X = SELECT authenticode(filename="C:/Windows/notepad.exe") AS A, 4 | authenticode(filename='c:/Windows/system32/ntoskrnl.exe' ) AS B FROM scope() 5 | 6 | - SELECT A.Filename, A.IssuerName, A.SubjectName, 7 | B.Filename, B.IssuerName, B.SubjectName 8 | FROM X 9 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/file.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT OSPath FROM glob(globs="/*", accessor="file") 3 | WHERE Name =~ "C" 4 | - SELECT OSPath FROM glob(globs="\\*", accessor="file") 5 | WHERE Name =~ "C" 6 | - SELECT OSPath FROM glob(globs="c:\\*", accessor="file") 7 | WHERE Name =~ "Windows" 8 | 9 | # Make sure we **do not** follow symlinks with the default accessors. 10 | - SELECT OSPath FROM glob(globs="c:\\Users\\*link\\notepad.exe", accessor="file_links") 11 | - SELECT OSPath FROM glob(globs="c:\\Users\\*link\\notepad.exe") 12 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/filesystem.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - select Data from read_file(filenames=tempfile(data='hello')) 3 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/filesystem.out.yaml: -------------------------------------------------------------------------------- 1 | Query: select Data from read_file(filenames=tempfile(data='hello')) 2 | Output: [ 3 | { 4 | "Data": "hello" 5 | } 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/processes.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # Make sure we can parse the environment strings for the running process 3 | - SELECT Name, Env.ComSpec 4 | FROM 
Artifact.Windows.Memory.ProcessInfo(ProcessNameRegex='velociraptor') 5 | LIMIT 1 -------------------------------------------------------------------------------- /artifacts/testdata/windows/processes.out.yaml: -------------------------------------------------------------------------------- 1 | # Make sure we can parse the environment strings for the running process 2 | Query: SELECT Name, Env.ComSpec FROM Artifact.Windows.Memory.ProcessInfo(ProcessNameRegex='velociraptor') LIMIT 1 3 | Output: [ 4 | { 5 | "Name": "velociraptor.exe", 6 | "Env.ComSpec": "C:\\Windows\\system32\\cmd.exe" 7 | } 8 | ] 9 | 10 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/startup.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT Name, Details, Enabled 3 | FROM Artifact.Windows.Sys.StartupItems() 4 | WHERE Name =~ 'msht' ORDER BY Name 5 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/startup.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT Name, Details, Enabled FROM Artifact.Windows.Sys.StartupItems() WHERE Name =~ 'msht' ORDER BY Name 2 | Output: [ 3 | { 4 | "Name": "c:\\windows\\system32\\msht.exe", 5 | "Details": "Hello", 6 | "Enabled": "disabled" 7 | } 8 | ] 9 | 10 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/thread.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT thread_info.BasePriority FROM threads(pid=getpid()) WHERE thread_info.BasePriority = 0 LIMIT 1 -------------------------------------------------------------------------------- /artifacts/testdata/windows/thread.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT thread_info.BasePriority FROM 
threads(pid=getpid()) WHERE thread_info.BasePriority = 0 LIMIT 1 2 | Output: [ 3 | { 4 | "thread_info.BasePriority": 0 5 | } 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/token.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT token(pid=getpid()).Username =~ "runneradmin" As Username from scope() 3 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/token.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT token(pid=getpid()).Username =~ "runneradmin" As Username from scope() 2 | Output: [ 3 | { 4 | "Username": true 5 | } 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/users.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # Only show a few accounts. Omit the UUID in case the system 3 | # changes. Note that Guest never logged into the system so should 4 | # not show in output of Windows.Sys.Users. 5 | - Select Name, Uid, Gid, Directory FROM Artifact.Windows.Sys.Users() 6 | WHERE Name in ("Guest", "runneradmin") 7 | ORDER BY Name 8 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/users.out.yaml: -------------------------------------------------------------------------------- 1 | # Only show a few accounts. Omit the UUID in case the system 2 | # changes. Note that Guest never logged into the system so should 3 | # not show in output of Windows.Sys.Users. 
4 | Query: Select Name, Uid, Gid, Directory FROM Artifact.Windows.Sys.Users() WHERE Name in ("Guest", "runneradmin") ORDER BY Name 5 | Output: [ 6 | { 7 | "Name": "runneradmin", 8 | "Uid": "500", 9 | "Gid": "", 10 | "Directory": "C:\\Users\\runneradmin" 11 | } 12 | ] 13 | 14 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/wmi.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | - SELECT DNSServerSearchOrder from wmi( 3 | query='select DNSServerSearchOrder FROM win32_networkadapterconfiguration') 4 | WHERE DNSServerSearchOrder 5 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/wmi.out.yaml: -------------------------------------------------------------------------------- 1 | Query: SELECT DNSServerSearchOrder from wmi( query='select DNSServerSearchOrder FROM win32_networkadapterconfiguration') WHERE DNSServerSearchOrder 2 | Output: [ 3 | { 4 | "DNSServerSearchOrder": [ 5 | "168.63.129.16" 6 | ] 7 | } 8 | ] 9 | 10 | -------------------------------------------------------------------------------- /artifacts/testdata/windows/yara.in.yaml: -------------------------------------------------------------------------------- 1 | Queries: 2 | # Make sure we can read the raw device with a yara scan. This has to 3 | # have at least one hit fairly quickly. 
- |
  SELECT Rule, File.FullPath, String.Name FROM yara(files='C:', accessor='file', rules='rule X { strings: $a=\"FILE\" condition: any of them}') LIMIT 1

# Support reading raw devices with file and ntfs accessors
- |
  SELECT Rule, File.FullPath, String.Name FROM yara(files='C:', accessor='ntfs', rules='rule X { strings: $a=\"FILE\" condition: any of them}') LIMIT 1

--------------------------------------------------------------------------------
/bin/admin_generic.go:
--------------------------------------------------------------------------------
//go:build !windows
// +build !windows

package main

import (
	"fmt"

	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
)

// checkAdmin verifies that the process runs with the elevated
// privileges Velociraptor needs. It returns nil when
// vql_subsystem.IsAdmin() reports true and a descriptive error
// otherwise; the message is shown to the operator verbatim.
func checkAdmin() error {
	if vql_subsystem.IsAdmin() {
		return nil
	}
	return fmt.Errorf("Velociraptor requires administrator level access. Use 'sudo' command shell to launch the binary.")
}

// checkMutex is a no-op on non-Windows builds (this file is compiled
// only for !windows); it always returns nil.
func checkMutex() error { return nil }

// logArgv is a no-op on non-Windows builds. argv is accepted so the
// call site is identical across platforms but is not inspected here.
func logArgv(argv []string) error {
	return nil
}

--------------------------------------------------------------------------------
/bin/deprecated.go:
--------------------------------------------------------------------------------
package main

import (
	errors "github.com/go-errors/errors"
	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
)

// deprecatedOverride rejects use of the removed --config_override flag.
// It returns nil when override_flag is empty and an error naming the
// replacement flags otherwise. config_obj is accepted but not consulted.
func deprecatedOverride(config_obj *config_proto.Config) error {
	if *override_flag == "" {
		return nil
	}
	return errors.New("The --config_override flag is deprecated. Please use one of --merge, --merge_path, --patch, --patch_path instead")
}

--------------------------------------------------------------------------------
/bin/fixtures/Serialization.golden:
--------------------------------------------------------------------------------
{
  "0: Marshal Starlark function": [
    "{",
    " \"type\": \"Scope\",",
    " \"data\": {",
    " \"vars\": {",
    " \"X\": {",
    " \"type\": \"StarlModule\",",
    " \"data\": {",
    " \"Code\": \"def foo(x): return x+1\"",
    " }",
    " }",
    " }",
    " }",
    "}"
  ],
  "0: Rows Starlark function": [
    {
      "X.foo(x=1)": 2
    }
  ]
}
--------------------------------------------------------------------------------
/bin/metrics.go:
--------------------------------------------------------------------------------
package main

import (
	"time"

	"github.com/prometheus/client_golang/prometheus"
	"github.com/prometheus/client_golang/prometheus/promauto"
)

var (
	// start is captured at package initialisation and is the reference
	// point for the uptime metric below.
	start = time.Now()

	// CurrentTime registers the "uptime" metric: whole seconds elapsed
	// since start, recomputed on every scrape. It is a difference of
	// Unix timestamps, i.e. wall-clock time rather than a monotonic
	// reading, so a clock step will show up in the value.
	CurrentTime = promauto.NewUntypedFunc(
		prometheus.UntypedOpts{
			Name: "uptime",
			Help: "Time since process start.",
		}, func() float64 {
			elapsed := time.Now().Unix() - start.Unix()
			return float64(elapsed)
		})
)

--------------------------------------------------------------------------------
/bin/prompt.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"

	"github.com/inconshreveable/mousetrap"
)

var (
	// prompt_flag (--prompt) forces a "press Enter" pause before exit.
	prompt_flag = app.Flag(
		"prompt", "Present a prompt before exit").Bool()
)

// doPrompt waits for an Enter key press before the process exits when
// --prompt was given or the binary was launched from Explorer
// (presumably so the console window does not vanish before it can be
// read). In every other case it returns immediately.
func doPrompt() {
	if !*prompt_flag && !mousetrap.StartedByExplorer() {
		return
	}
	fmt.Println("Press the Enter Key to end")
	// Best-effort: the read exists only to block until input arrives,
	// so its result is deliberately ignored.
	_, _ = fmt.Scanln()
}

--------------------------------------------------------------------------------
/bin/proxy.go:
--------------------------------------------------------------------------------
package main

--------------------------------------------------------------------------------
/bin/rsrc_windows_386.syso:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/bin/rsrc_windows_386.syso
--------------------------------------------------------------------------------
/bin/rsrc_windows_amd64.syso:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/bin/rsrc_windows_amd64.syso
--------------------------------------------------------------------------------
/bin/timezone.go:
--------------------------------------------------------------------------------
package main

import (
	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
	"www.velocidex.com/golang/velociraptor/utils"
)

var (
	// timezone_flag (--timezone) names the zone used when encoding
	// timestamps, e.g. Australia/Brisbane; empty means UTC per the help
	// text.
	timezone_flag = app.Flag(
		"timezone", "Default encoding timezone (e.g. Australia/Brisbane). If not set we use UTC").String()
)

// initTimezone applies --timezone process-wide through
// utils.SetGlobalTimezone and returns whatever error that call yields.
// With the flag unset it does nothing and returns nil. config_obj is
// accepted but not consulted here.
func initTimezone(config_obj *config_proto.Config) error {
	tz := *timezone_flag
	if tz == "" {
		return nil
	}
	return utils.SetGlobalTimezone(tz)
}

--------------------------------------------------------------------------------
/config/b0x.yaml:
--------------------------------------------------------------------------------
pkg: config

# We assume we are run from the toplevel directory:
# fileb0x gui/b0x.yaml
dest: "config/"

fmt: false
compression:
  compress: false

output: "ab0x.go"
custom:
  - files:
      - "config/default.yaml"
    init: Init

--------------------------------------------------------------------------------
/crypto/api.go:
--------------------------------------------------------------------------------
package crypto

// WSErrorMessage is the JSON shape used to report an HTTP-level error
// over a websocket connection.
//
// Our client side handler emulates a direct HTTP connection over
// websockets. Therefore the server needs to embody the same
// parameters that allow the client to recreate the relevant
// http.Response object. Every field is omitted from the encoding when
// empty.
type WSErrorMessage struct {
	HTTPCode int    `json:"code,omitempty"` // HTTP status code to reconstruct
	Error    string `json:"err,omitempty"`  // error text for the client
	Data     []byte `json:"data,omitempty"` // optional raw body bytes
}

--------------------------------------------------------------------------------
/crypto/b0x.yaml:
--------------------------------------------------------------------------------
pkg: crypto

dest: "crypto/"

fmt: false
output: "ab0x.go"
compression:
  compress: true

custom:
  - files:
      - crypto/ca-certificates.crt

--------------------------------------------------------------------------------
/crypto/client/docs.go:
--------------------------------------------------------------------------------
package client

/*

This package contains the CryptoManager for the client.
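*/

--------------------------------------------------------------------------------
/crypto/server/docs.go:
--------------------------------------------------------------------------------
package server

/*

This package contains the CryptoManager for the frontend server.

*/

--------------------------------------------------------------------------------
/crypto/storage/fixtures/.gitignore:
--------------------------------------------------------------------------------
writeback.yaml
--------------------------------------------------------------------------------
/crypto/storage/server.go:
--------------------------------------------------------------------------------
package storage

import "sync"

var (
	// mu guards currentServerPEM.
	mu sync.Mutex
	// currentServerPEM holds the server certificate/key material last
	// passed to SetCurrentServerPem; nil until it is first set.
	currentServerPEM []byte
)

// SetCurrentServerPem records pem as the current server PEM under mu.
//
// The bytes are copied rather than retained by reference: the previous
// implementation stored the caller's slice directly, so any later write
// to that buffer would have changed the stored key material outside the
// lock. A nil pem is stored as nil so callers that test for "not yet
// set" keep working.
func SetCurrentServerPem(pem []byte) {
	var copied []byte
	if pem != nil {
		copied = make([]byte, len(pem))
		copy(copied, pem)
	}

	mu.Lock()
	defer mu.Unlock()

	currentServerPEM = copied
}

--------------------------------------------------------------------------------
/datastore/filebased_generic.go:
--------------------------------------------------------------------------------
//go:build !linux && !windows
// +build !linux,!windows

package datastore

import (
	"context"
	"errors"
	"sync"

	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
)

// AvailableDiskSpace is the fallback for platforms without a native
// implementation (this file is built only when !linux && !windows). It
// always returns 0 together with an error, so callers must treat the
// value as unknown rather than as an empty disk. db and config_obj are
// not consulted.
func AvailableDiskSpace(
	db DataStore, config_obj *config_proto.Config) (uint64, error) {
	return 0, errors.New("Not implemented")
}

// startFullDiskChecker is the no-op fallback for platforms without a
// disk-space monitor. No goroutine is started and wg is never touched,
// so callers must not wait for a matching Done. It always returns nil.
func startFullDiskChecker(ctx context.Context, wg *sync.WaitGroup,
	config_obj *config_proto.Config) error {
	return nil
}

--------------------------------------------------------------------------------
/datastore/memcache_stats.go:
--------------------------------------------------------------------------------
package datastore

// MemcacheStats is a snapshot of the in-memory cache's occupancy,
// split into data items and directory items.
type MemcacheStats struct {
	DataItemCount int // number of cached data entries
	DataItemSize  int // bytes held by cached data entries
	DirItemCount  int // number of cached directory entries
	DirItemSize   int // bytes held by cached directory entries
}

// MemcacheStater is implemented by caches that can report a
// MemcacheStats snapshot of themselves.
type MemcacheStater interface {
	Stats() *MemcacheStats
}

--------------------------------------------------------------------------------
/datastore/test_data/mysql.config.yaml:
--------------------------------------------------------------------------------
Datastore:
  implementation: MySQL
  mysql_username: root
  mysql_password: password
  mysql_server: 127.0.0.1
  mysql_database: velociraptor_test

--------------------------------------------------------------------------------
/debian/changelog:
--------------------------------------------------------------------------------
velociraptor (0.2.6-1) unstable; urgency=low

  * Initial release

 -- velociraptor Sat, 17 Dec 2018 09:51:10 +0000

--------------------------------------------------------------------------------
/debian/compat:
--------------------------------------------------------------------------------
7

--------------------------------------------------------------------------------
/debian/control:
--------------------------------------------------------------------------------
Source: velociraptor
Section: misc
Priority: extra
Maintainer: Velocidex Innovations
Build-Depends: debhelper (>= 7.0.0)
Standards-Version: 3.9.2
Homepage: https://gitlab.com/velocidex/velociraptor

Package: velociraptor
Architecture: any
Depends: lsb-base (>= 3.2-14)
Description: Velociraptor Response Client
 The Velociraptor Response Client

--------------------------------------------------------------------------------
/debian/velociraptor.config.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/debian/velociraptor.config.yaml
--------------------------------------------------------------------------------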
/debian/velociraptor.install: -------------------------------------------------------------------------------- 1 | output/velociraptor /usr/sbin/ 2 | debian/velociraptor.nanny /usr/sbin/ 3 | debian/velociraptor.config.yaml /etc/ -------------------------------------------------------------------------------- /debian/velociraptor.nanny: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | MOREARGS=("${@:1}") 4 | 5 | # This nanny will be used by Linux upstart to throttle the respawn rate of the 6 | # client in case the client exists immediately. It will eventually be replaced 7 | # with the full C++ nanny code similar to Windows but for now this is just a 8 | # simple shell script. 9 | while true 10 | do 11 | "${MOREARGS[@]}" 12 | /usr/bin/logger --tag Velociraptor Daemon exited... Waiting 120 seconds before respawn. || true 13 | sleep 120 14 | done 15 | -------------------------------------------------------------------------------- /debian/velociraptor.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Velociraptor linux amd64 3 | After=syslog.target network.target 4 | 5 | [Service] 6 | Type=simple 7 | Restart=always 8 | RestartSec=120 9 | LimitNOFILE=20000 10 | Environment=LANG=en_US.UTF-8 11 | ExecStart=/usr/sbin/velociraptor --config /etc/velociraptor.config.yaml client 12 | 13 | [Install] 14 | WantedBy=multi-user.target 15 | -------------------------------------------------------------------------------- /debian/velociraptor.substvars: -------------------------------------------------------------------------------- 1 | shlibs:Depends=libc6 (>= 2.14) 2 | misc:Depends= 3 | misc:Pre-Depends= 4 | -------------------------------------------------------------------------------- /debian/velociraptor.upstart: -------------------------------------------------------------------------------- 1 | # velociraptor linux amd64 client upstart file 2 | 3 | limit 
nofile 20000 20000 4 | 5 | kill timeout 300 6 | 7 | start on startup 8 | start on runlevel [2345] 9 | stop on runlevel [016] 10 | 11 | respawn 12 | 13 | env LANG=en_US.UTF-8 14 | 15 | script 16 | DAEMON="/usr/sbin/velociraptor.nanny" 17 | DAEMON_ARGS="/usr/sbin/velociraptor --config /etc/velociraptor.config.yaml client" 18 | 19 | [ -x "${DAEMON}" ] || exit 0 20 | 21 | exec ${DAEMON} ${DAEMON_ARGS} 22 | 23 | end script 24 | -------------------------------------------------------------------------------- /docs/monitoring/prometheus.yaml: -------------------------------------------------------------------------------- 1 | ## This is a sample prometheus config to access the server's 2 | ## monitoring port. 3 | # Run prometheus like this: 4 | 5 | # ./prometheus --config.file velociraptor.yml 6 | 7 | global: 8 | scrape_interval: 5s 9 | 10 | scrape_configs: 11 | - job_name: 'velociraptor' 12 | static_configs: 13 | - targets: ['localhost:8003'] 14 | -------------------------------------------------------------------------------- /docs/references/sample_config/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | go run ./main.go ~/projects/velociraptor/docs/references/server.config.yaml 3 | -------------------------------------------------------------------------------- /docs/references/sample_config/README.md: -------------------------------------------------------------------------------- 1 | A quick script to detect new config fields which are not documented in 2 | the sample server config file. 3 | 4 | Run this periodically to update the reference documentation.
5 | -------------------------------------------------------------------------------- /docs/winres/README.md: -------------------------------------------------------------------------------- 1 | # Building the resources 2 | 3 | The resources are built once using go-winres 4 | https://github.com/tc-hib/go-winres 5 | 6 | The syso files are checked into the repo and reused on each build. 7 | 8 | ``` 9 | cd ./docs/ 10 | go-winres make 11 | mv rsrc_windows_386.syso rsrc_windows_amd64.syso ../bin/ 12 | ``` 13 | -------------------------------------------------------------------------------- /docs/winres/icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/docs/winres/icon.png -------------------------------------------------------------------------------- /docs/wix/build_amd64.bat: -------------------------------------------------------------------------------- 1 | "c:\Program Files (x86)\WiX Toolset v3.14\bin\candle.exe" velociraptor_amd64.xml -arch x64 -ext "c:\Program Files (x86)\WiX Toolset v3.14\bin\WixUtilExtension.dll" 2 | 3 | "c:\Program Files (x86)\WiX Toolset v3.14\bin\light.exe" velociraptor_amd64.wixobj -ext "c:\Program Files (x86)\WiX Toolset v3.14\bin\WixUtilExtension.dll" 4 | -------------------------------------------------------------------------------- /docs/wix/build_x86.bat: -------------------------------------------------------------------------------- 1 | "c:\Program Files (x86)\WiX Toolset v3.14\bin\candle.exe" velociraptor_x86.xml -arch x86 -ext "c:\Program Files (x86)\WiX Toolset v3.14\bin\WixUtilExtension.dll" 2 | 3 | "c:\Program Files (x86)\WiX Toolset v3.14\bin\light.exe" velociraptor_x86.wixobj -ext "c:\Program Files (x86)\WiX Toolset v3.14\bin\WixUtilExtension.dll" 4 | -------------------------------------------------------------------------------- /docs/wix/icon.ico: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/docs/wix/icon.ico -------------------------------------------------------------------------------- /executor/tempfile.go: -------------------------------------------------------------------------------- 1 | package executor 2 | -------------------------------------------------------------------------------- /file_store/api/utils.go: -------------------------------------------------------------------------------- 1 | package api 2 | -------------------------------------------------------------------------------- /file_store/csv/options.go: -------------------------------------------------------------------------------- 1 | package csv 2 | 3 | import ( 4 | config_proto "www.velocidex.com/golang/velociraptor/config/proto" 5 | "www.velocidex.com/golang/vfilter" 6 | ) 7 | 8 | func SetCSVOptions( 9 | config_obj *config_proto.Config, 10 | scope vfilter.Scope, writer *Writer) { 11 | if config_obj != nil && 12 | config_obj.Defaults != nil && 13 | config_obj.Defaults.CsvDelimiter != "" { 14 | writer.Comma = []rune(config_obj.Defaults.CsvDelimiter)[0] 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /file_store/directory/fixtures/TestListChildrenComplicatedNames.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Components": [ 4 | "subdir", 5 | "Foo/Bar" 6 | ], 7 | "Extension": ".json", 8 | "IsDir": false, 9 | "Type": "PATH_TYPE_FILESTORE_JSON", 10 | "AsJSON": "fs:/subdir/\"Foo/Bar\".json" 11 | } 12 | ] -------------------------------------------------------------------------------- /file_store/memory/fixtures/TestListChildrenComplicatedNames.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "Components": [ 4 | "subdir", 5 | "Foo/Bar" 6 | ], 
7 | "Extension": ".json", 8 | "IsDir": false, 9 | "Type": "PATH_TYPE_FILESTORE_JSON", 10 | "AsJSON": "fs:/subdir/\"Foo/Bar\".json" 11 | } 12 | ] -------------------------------------------------------------------------------- /flows/fixtures/TestMonitoringAlerts.golden: -------------------------------------------------------------------------------- 1 | { 2 | "/server_artifacts/Server.Internal.Alerts/2020-10-07.json": [ 3 | "{\"client_id\":\"C.5170dd5921551ec7\",\"name\":\"\",\"timestamp\":\"0001-01-01T00:00:00Z\",\"event_data\":{},\"artifact\":\"Generic.Client.Stats\",\"artifact_type\":\"CLIENT_EVENT\",\"_ts\":1602103388}", 4 | "" 5 | ] 6 | } -------------------------------------------------------------------------------- /flows/fixtures/TestVQLResponseRetransmission.golden: -------------------------------------------------------------------------------- 1 | {"Row": 1} 2 | {"Row": 2} 3 | -------------------------------------------------------------------------------- /gui/assets/.gitignore: -------------------------------------------------------------------------------- 1 | ab0x.go -------------------------------------------------------------------------------- /gui/velociraptor/.env: -------------------------------------------------------------------------------- 1 | GENERATE_SOURCEMAP=false -------------------------------------------------------------------------------- /gui/velociraptor/.env.production: -------------------------------------------------------------------------------- 1 | GENERATE_SOURCEMAP=false -------------------------------------------------------------------------------- /gui/velociraptor/.eslintignore: -------------------------------------------------------------------------------- 1 | node_modules/ 2 | build/ 3 | .eslintrc.cjs 4 | 5 | -------------------------------------------------------------------------------- /gui/velociraptor/.gitattributes: -------------------------------------------------------------------------------- 1 | *.json 
text -------------------------------------------------------------------------------- /gui/velociraptor/.gitignore: -------------------------------------------------------------------------------- 1 | build/ 2 | node-modules/ 3 | -------------------------------------------------------------------------------- /gui/velociraptor/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | echo "module fake_nodejs_module // Exclude this directory from Go tools\n\ngo 1.16" > node_modules/go.mod 3 | npm run start 4 | 5 | build: FORCE 6 | echo "module fake_nodejs_module // Exclude this directory from Go tools\n\ngo 1.16" > node_modules/go.mod 7 | npm run build 8 | cd build && mkdir static 9 | echo > build/static/.keep 10 | echo > build/.keep 11 | 12 | lint: 13 | npm run lint 14 | 15 | FORCE: ; 16 | -------------------------------------------------------------------------------- /gui/velociraptor/b0x.yaml: -------------------------------------------------------------------------------- 1 | pkg: velociraptor 2 | 3 | # We assume we are run from the toplevel directory: 4 | # fileb0x gui/velociraptor/b0x.yaml 5 | dest: "gui/velociraptor/" 6 | 7 | fmt: false 8 | compression: 9 | compress: true 10 | 11 | output: "ab0x.go" 12 | custom: 13 | # All the JS code is compiled into a bundle in the build directory already. 
14 | - files: 15 | - "gui/velociraptor/build/**" 16 | base: "gui/velociraptor/build/" 17 | exclude: 18 | - "**/*~" 19 | - "**/*.map" 20 | 21 | init: Init 22 | -------------------------------------------------------------------------------- /gui/velociraptor/build/.keep: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /gui/velociraptor/docs.go: -------------------------------------------------------------------------------- 1 | package velociraptor 2 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/artifacts/artifacts-upload.css: -------------------------------------------------------------------------------- 1 | .artifact-import-errors { 2 | height: 200px; 3 | overflow-y: auto; 4 | } 5 | 6 | 7 | #upload { 8 | display: none; 9 | } 10 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/artifacts/line-charts.css: -------------------------------------------------------------------------------- 1 | .velo-line-chart svg { 2 | user-select: none; 3 | border-radius: 0; 4 | border-width: 1px; 5 | border-style: solid; 6 | padding: 10px; 7 | } 8 | 9 | .custom-tooltip { 10 | margin: 0; 11 | padding: 10px; 12 | background-color: white; 13 | border: 1px solid #ccc; 14 | white-space: nowrap; 15 | display: block; 16 | } 17 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/artifacts/sigma-editor.css: -------------------------------------------------------------------------------- 1 | .sigma-editor { 2 | max-height: calc(100vh - 345px); 3 | overflow-y: auto; 4 | } 5 | 6 | .sigma-editor-modal .alert, 7 | .sigma-editor-modal .card { 8 | margin: 20px; 9 | } 10 | 11 | .sigma-editor-modal.modal-body { 12 | overflow-y: auto; 13 | height: 80vh; 14 | } 15 | 
--------------------------------------------------------------------------------
/gui/velociraptor/src/components/clients/client-link.css:
--------------------------------------------------------------------------------
.client-link {
  border-style: none;
  font-family: source-code-pro, Menlo, Monaco, Consolas, 'Courier New', monospace;
  white-space: nowrap;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/clients/client-status.css:
--------------------------------------------------------------------------------
.icon-small {
  width: 14px;
  margin-top: 5px;
  margin-bottom: 5px;
  margin-right: 5px;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/clients/clients-list.css:
--------------------------------------------------------------------------------
.icon-small {
  width: 14px;
  margin-top: 5px;
  margin-bottom: 5px;
}

button.btn.online-status {
  background: none;
}

.deleted-client-list {
  overflow-y: auto;
  max-height: 400px;
}

.selection-cell input {
  vertical-align: text-bottom;
  padding: 0.3rem;
}

.online-status {

}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/clients/label-form.jsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/components/clients/label-form.jsx
--------------------------------------------------------------------------------
/gui/velociraptor/src/components/core/ace-config.jsx:
--------------------------------------------------------------------------------
import React from 'react';

// The React context through which ACE editor settings are shared with
// descendant components. Its default value is the plain string
// 'ace-config', so a consumer rendered outside a matching Provider
// receives that string rather than a settings object.
export default React.createContext('ace-config');

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/core/ace.css:
--------------------------------------------------------------------------------
.ace-toolbar {
  display: block;
  box-sizing: content-box;
  overflow: visible;
  margin-bottom: 5px;
}

/* Used in new artifact ace editor popout */
.velo-ace-editor {
  border-width: 0;
  height: 100%;
  overflow-y: auto;
}

div.ace_editor.ace_autocomplete {
  width: 70%
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/core/snackbar.css:
--------------------------------------------------------------------------------
div[class^="Snackbar_snackbar-wrapper"] {
  z-index: 3000;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/core/tree-cell.css:
--------------------------------------------------------------------------------
.tree-button {
  padding-left: 10px;
}

.tree-modal-body {
  padding: 0;
}

.tree-data-pane {
  height: 100%;
  overflow: auto;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/events/events.css:
--------------------------------------------------------------------------------
.time-selector {
  height: 38px;
}

.event-report-viewer {
  margin-top: 10px;
  margin-left: 0;
  margin-right: 0;
  max-height: calc(100vh - 143px);
  max-width: calc(100vw - 45px);
  overflow-y: auto;
}

body {
  overflow-y: hidden;
}


.dropdown-menu.show.fixed-height {
  max-height: 80vh;
  overflow: auto;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/forms/dict.css:
-------------------------------------------------------------------------------- 1 | td.metadata-key { 2 | width: 20em; 3 | } 4 | 5 | .metadata-row { 6 | 7 | } 8 | 9 | td.metadata-value { 10 | padding-top: 0px; 11 | padding-bottom: 0px; 12 | } 13 | 14 | .metadata-control { 15 | width: 30px; 16 | } 17 | 18 | .dict-table { 19 | margin-top: 20px; 20 | } 21 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/forms/forms.css: -------------------------------------------------------------------------------- 1 | .regex_array_item { 2 | display: flex; 3 | } 4 | 5 | .regex_array_item .regex-form { 6 | width: 100%; 7 | } 8 | 9 | 10 | .full-width { 11 | width: 100%; 12 | } 13 | 14 | .velo-form .form-switch { 15 | margin-top: 7px; 16 | margin-left: 20px; 17 | } 18 | 19 | .csv-table tr td, 20 | .csv-table tr th.metadata-control { 21 | padding: 0px; 22 | } 23 | 24 | div.velo__menu { 25 | z-index: 100; 26 | } 27 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/forms/regex.css: -------------------------------------------------------------------------------- 1 | .regex-syntax-error .tooltip-inner { 2 | background: var(--color-proto-error); 3 | } 4 | 5 | .regex-syntax-error .arrow::before { 6 | border-top-color: var(--color-proto-error); 7 | } 8 | 9 | .velo-ace-editor.regex-form { 10 | border-style: solid; 11 | border-width: 1px; 12 | padding: 4px; 13 | border-color: var(--color-btn-default-border); 14 | border-radius: 0.25rem; 15 | resize: vertical; 16 | } 17 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/forms/validated.css: -------------------------------------------------------------------------------- 1 | input.invalid.form-control { 2 | background-color: var(--invalid-form-control-error); 3 | background-image: var(--invalid-form-control-error); 4 | } 5 | 6 | 
input.invalid.form-control:focus { 7 | background-color: var(--invalid-form-control-error); 8 | background-image: var(--invalid-form-control-error); 9 | } 10 | 11 | textarea.invalid { 12 | background-image: var(--invalid-form-control-error); 13 | } 14 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/hunts/estimate.css: -------------------------------------------------------------------------------- 1 | .estimate.alert-info { 2 | background-image: none; 3 | background-color: var(--color-btn-outline-link); 4 | color: var(--color-foreground); 5 | border-color: var(--color-btn-outline-link); 6 | } 7 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/hunts/hunt.css: -------------------------------------------------------------------------------- 1 | .hunt-toolbar { 2 | display: block; 3 | box-sizing: content-box; 4 | overflow: visible; 5 | margin: 5px; 6 | width: 100%; 7 | margin-bottom: 5px; 8 | margin-right: 20px; 9 | margin-left: 20px; 10 | } 11 | 12 | div .hunt-status-icon { 13 | text-align: center; 14 | } 15 | 16 | .org-selector { 17 | flex: 1 1 auto; 18 | } 19 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/i8n/de_new.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /gui/velociraptor/src/components/i8n/es_new.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /gui/velociraptor/src/components/i8n/fr_new.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /gui/velociraptor/src/components/i8n/jp_new.json: 
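--------------------------------------------------------------------------------
{}
--------------------------------------------------------------------------------
/gui/velociraptor/src/components/i8n/por_new.json:
--------------------------------------------------------------------------------
{}
--------------------------------------------------------------------------------
/gui/velociraptor/src/components/i8n/utils.jsx:
--------------------------------------------------------------------------------


/**
 * Decode a hex string into the string whose character codes are the
 * successive byte values, e.g. "4869" -> "Hi".
 *
 * hexx is converted with toString() first. Edge cases are kept as they
 * were: a pair that is not valid hex parses to NaN and yields "\u0000",
 * and an odd-length input decodes its trailing single digit on its own.
 * The deprecated String.prototype.substr was replaced with slice, which
 * returns the same two characters for every non-negative offset.
 */
export default function hex2a(hexx) {
    const hex = hexx.toString(); // force conversion
    const chars = [];
    for (let i = 0; i < hex.length; i += 2) {
        chars.push(String.fromCharCode(parseInt(hex.slice(i, i + 2), 16)));
    }
    return chars.join('');
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/i8n/vi_new.json:
--------------------------------------------------------------------------------
{}
--------------------------------------------------------------------------------
/gui/velociraptor/src/components/notebooks/notebooks-list.css:
--------------------------------------------------------------------------------
.notebook-filter label {
  margin-bottom: 0px;
}

.notebook-filter input {
  height: 1.5em;
}

.notebook-filter td.sort-element {
  vertical-align: middle;
}

.notebook-output {
  overflow-x: visible;
}

.notebook-parameters-form {
  margin-top: 1em;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/notebooks/timelines.css:
--------------------------------------------------------------------------------
.velo__control .velo__single-value {
  color: var(--color-foreground);
}

div.velo__multi-value__remove {
  color: var(--color-form-control-background);
}

div.velo__multi-value__label {
  color: var(--color-foreground);
  border: solid;
  border-width: 1px;
  border-radius: 5px;
  border-color: var(--color-advanced-controls-border);
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/secrets/secrets.css:
--------------------------------------------------------------------------------
.secret-manager {
  padding: 10px;
}

.new-secret-dialog .table td {
  white-space: pre;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/sidebar/user-dashboard.css:
--------------------------------------------------------------------------------
.dashboard {
  margin-bottom: 50px;
  max-height: calc(100vh - 145px);
  max-width: calc(100vw - 45px);
  overflow-y: auto;
  padding: 20px;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/clock.css:
--------------------------------------------------------------------------------
.clock {

}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/context.css:
--------------------------------------------------------------------------------
.context-icon {
  width: 15px;
  height: 15px;
  margin-right: 10px;
}

div.react-contexify {
  background-color: var(--color-canvas-background);
  z-index: 1000;
}

div.react-contexify .react-contexify__item__content {
  color: var(--color-foreground);
}

.context-menu-available {
  cursor: context-menu;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/json_parse.jsx:
--------------------------------------------------------------------------------
import _ from 'lodash';


// JSON.parse throws on malformed input; this wrapper never throws.
// It returns the parsed value, or default_value when one was supplied,
// or else the original input x unchanged - so a caller that omits the
// default may get back a string where it expected an object and should
// check the type before using the result.
export function JSONparse(x, default_value) {
    try {
        return JSON.parse(x);
    } catch (e) {
        if (!_.isUndefined(default_value)) {
            return default_value;
        }
        return x;
    }
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/log-level.css:
--------------------------------------------------------------------------------
.log-level {
  word-break: initial;
}

.log-level.level-DEFAULT {
  display: none;
}

.log-level.level-ERROR {
  color: var(--color-level-error);
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/number.css:
--------------------------------------------------------------------------------
.numeric {
  text-align: right;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/spinner.css:
--------------------------------------------------------------------------------
.overlay {
  position: absolute;
  width: 100%;
  z-index: 1000;
  opacity: 20%;
}

.overlay .fa-spinner {
  height: 500px;
  margin: auto;
  width: 500px;
  color: var(--color-foreground);
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/time.css:
--------------------------------------------------------------------------------
.timestamp {
  cursor: pointer;
  display: inline;
}

--------------------------------------------------------------------------------
/gui/velociraptor/src/components/utils/url.css:
--------------------------------------------------------------------------------
.url-link {
  border-style: none;
  font-family: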
source-code-pro, Menlo, Monaco, Consolas, 'Courier New', monospace; 4 | overflow: auto; 5 | display: block; 6 | } 7 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/utils/users.css: -------------------------------------------------------------------------------- 1 | .velo__multi-value, .velo__multi-value__label { 2 | color: var(--color-foreground); 3 | background: var(--color-canvas-background); 4 | } 5 | 6 | .velo__option.velo__option--is-focused { 7 | background: var(--color-accent-25); 8 | } 9 | 10 | .velo__option.velo__option--is-selected { 11 | background: var(--accent-color); 12 | color: var(--color-canvas-background); 13 | } 14 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/vfs/utils.jsx: -------------------------------------------------------------------------------- 1 | /* eslint import/no-anonymous-default-export: [2, {"allowObject": true}] */ 2 | export default { 3 | getSelectedRow: (node) => { 4 | if (node && node.selected) { 5 | for(let i=0; i 11 | ); 12 | } 13 | }; 14 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/widgets/logs.css: -------------------------------------------------------------------------------- 1 | .log-green { 2 | background-color: var(--color-accent-25); 3 | } 4 | 5 | .log-red { 6 | background-color: var(--color-level-error); 7 | } 8 | -------------------------------------------------------------------------------- /gui/velociraptor/src/components/widgets/search.css: -------------------------------------------------------------------------------- 1 | .search-term-error { 2 | position: absolute; 3 | display: block; 4 | top: -2em; 5 | left: 2em; 6 | z-index: 100; 7 | color: var(--color-level-error); 8 | } 9 | 10 | .hexview-search-input { 11 | max-width: 20em; 12 | } 13 | 
-------------------------------------------------------------------------------- /gui/velociraptor/src/components/widgets/tooltip.css: -------------------------------------------------------------------------------- 1 | .tooltip-inner { 2 | background-color: var(--color-canvas-background); 3 | color: var(--color-foreground); 4 | } 5 | -------------------------------------------------------------------------------- /gui/velociraptor/src/fonts/fixedsysexcelsioriiib-l2-mono-webfont.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/fonts/fixedsysexcelsioriiib-l2-mono-webfont.woff2 -------------------------------------------------------------------------------- /gui/velociraptor/src/fonts/iosevka-term-bold-subset.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/fonts/iosevka-term-bold-subset.woff2 -------------------------------------------------------------------------------- /gui/velociraptor/src/fonts/iosevka-term-medium-subset.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/fonts/iosevka-term-medium-subset.woff2 -------------------------------------------------------------------------------- /gui/velociraptor/src/fonts/iosevka-term-regular-subset.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/fonts/iosevka-term-regular-subset.woff2 -------------------------------------------------------------------------------- 
/gui/velociraptor/src/fonts/noto-sans-v27-latin-ext_latin-600.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/fonts/noto-sans-v27-latin-ext_latin-600.woff2 -------------------------------------------------------------------------------- /gui/velociraptor/src/fonts/noto-sans-v27-latin-ext_latin-regular.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/fonts/noto-sans-v27-latin-ext_latin-regular.woff2 -------------------------------------------------------------------------------- /gui/velociraptor/src/public/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/public/favicon.ico -------------------------------------------------------------------------------- /gui/velociraptor/src/public/robots.txt: -------------------------------------------------------------------------------- 1 | # https://www.robotstxt.org/robotstxt.html 2 | User-agent: * 3 | Disallow: 4 | -------------------------------------------------------------------------------- /gui/velociraptor/src/themes/github-light.css: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/gui/velociraptor/src/themes/github-light.css -------------------------------------------------------------------------------- /json/fixtures/TestJsonFormat.golden: -------------------------------------------------------------------------------- 1 | {"a": {"Foo":"Bar"}, "b": {"Foo":"Bar"}, "integer": 1, "string": "hello", "subquery": {"Foo": 
"Bar"}} -------------------------------------------------------------------------------- /json/fixtures/TestJsonlShortcuts.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Simple": "{\"foo\":1,\"bar\":2}\n", 3 | "Nested": "{\"foo\":1,\"bar\":{\"F\":1,\"B\":2}}\n", 4 | "Empty String": "", 5 | "Malformed": "}", 6 | "Malformed2": ",\"bar\":2}\n" 7 | } -------------------------------------------------------------------------------- /logging/fixtures/TestAuditLog.golden: -------------------------------------------------------------------------------- 1 | {"level": "info", "msg": "Starting...", "time": "2020-10-07T20:43:08Z"} 2 | {"details":{"SomeField":1,"NestedField":{"Field1":1,"Field2":3},"StructField":{"Int1":54,"Message":"Hello"},"err":401},"level":"info","msg":"SomeOperation","operation":"SomeOperation","principal":"Principal","time":"2020-10-07T20:43:08Z"} 3 | -------------------------------------------------------------------------------- /logging/formatter.go: -------------------------------------------------------------------------------- 1 | package logging 2 | 3 | import ( 4 | "github.com/sirupsen/logrus" 5 | "www.velocidex.com/golang/velociraptor/utils" 6 | ) 7 | 8 | type JSONFormatter struct { 9 | *logrus.JSONFormatter 10 | } 11 | 12 | func (self *JSONFormatter) Format(e *logrus.Entry) ([]byte, error) { 13 | e.Time = utils.GetTime().Now().UTC() 14 | 15 | result, err := self.JSONFormatter.Format(e) 16 | return result, err 17 | } 18 | -------------------------------------------------------------------------------- /logging/levels.go: -------------------------------------------------------------------------------- 1 | package logging 2 | 3 | // Logging levels for responder.Log() 4 | const ( 5 | DEFAULT = "DEFAULT" 6 | ERROR = "ERROR" 7 | INFO = "INFO" 8 | WARNING = "WARN" 9 | DEBUG = "DEBUG" 10 | 11 | // An alert is a special type of log message which is routed by 12 | // the server into the alert queue. 
13 | ALERT = "ALERT" 14 | ) 15 | -------------------------------------------------------------------------------- /logging/syslog_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | package logging 5 | 6 | import config_proto "www.velocidex.com/golang/velociraptor/config/proto" 7 | 8 | // Syslog is not supported on Windows. 9 | func maybeAddRemoteSyslog( 10 | config_obj *config_proto.Config, manager *LogManager) error { 11 | return nil 12 | } 13 | -------------------------------------------------------------------------------- /paths/artifacts.go: -------------------------------------------------------------------------------- 1 | package paths 2 | 3 | import ( 4 | "strings" 5 | 6 | "www.velocidex.com/golang/velociraptor/file_store/api" 7 | ) 8 | 9 | // Convert an artifact name to a path component to store its definition. 10 | func GetArtifactDefintionPath(name string) api.FSPathSpec { 11 | return ARTIFACT_DEFINITION_PREFIX. 12 | AddUnsafeChild(strings.Split(name, ".")...) 
13 | } 14 | -------------------------------------------------------------------------------- /paths/artifacts_test.go: -------------------------------------------------------------------------------- 1 | package paths_test 2 | 3 | import ( 4 | "www.velocidex.com/golang/velociraptor/paths" 5 | "www.velocidex.com/golang/velociraptor/vtesting/assert" 6 | ) 7 | 8 | func (self *PathManagerTestSuite) TestArtifactPathManager() { 9 | assert.Equal(self.T(), 10 | "/fs/artifact_definitions/Windows/Some/Artifact.yaml", 11 | self.getFilestorePath( 12 | paths.GetArtifactDefintionPath("Windows.Some.Artifact"))) 13 | 14 | } 15 | -------------------------------------------------------------------------------- /paths/orgs.go: -------------------------------------------------------------------------------- 1 | package paths 2 | 3 | import "www.velocidex.com/golang/velociraptor/file_store/api" 4 | 5 | type OrgPathManager struct { 6 | org_id string 7 | } 8 | 9 | func (self OrgPathManager) Path() api.DSPathSpec { 10 | return ORGS_ROOT.AddChild(self.org_id) 11 | } 12 | 13 | func NewOrgPathManager(org_id string) *OrgPathManager { 14 | return &OrgPathManager{org_id} 15 | } 16 | -------------------------------------------------------------------------------- /paths/repository.go: -------------------------------------------------------------------------------- 1 | package paths 2 | 3 | import "www.velocidex.com/golang/velociraptor/file_store/api" 4 | 5 | type RepositoryPathManager struct{} 6 | 7 | func (self RepositoryPathManager) Metadata() api.DSPathSpec { 8 | return CONFIG_ROOT.AddChild("repository_metadata") 9 | } 10 | -------------------------------------------------------------------------------- /paths/secrets.go: -------------------------------------------------------------------------------- 1 | package paths 2 | 3 | import "www.velocidex.com/golang/velociraptor/file_store/api" 4 | 5 | type SecretsPathManager struct{} 6 | 7 | func (self SecretsPathManager) 
SecretsDefinition(type_name string) api.DSPathSpec { 8 | return CONFIG_ROOT.AddUnsafeChild("secrets", type_name) 9 | } 10 | 11 | func (self SecretsPathManager) Secret(type_name, name string) api.DSPathSpec { 12 | return CONFIG_ROOT.AddUnsafeChild("secrets", type_name, name) 13 | } 14 | -------------------------------------------------------------------------------- /paths/server.go: -------------------------------------------------------------------------------- 1 | package paths 2 | 3 | import "www.velocidex.com/golang/velociraptor/file_store/api" 4 | 5 | type ServerStatePathManager struct{} 6 | 7 | func (self *ServerStatePathManager) Path() api.DSPathSpec { 8 | return CONFIG_ROOT.AddChild("server_state") 9 | } 10 | 11 | func (self *ServerStatePathManager) Install() api.DSPathSpec { 12 | return CONFIG_ROOT.AddChild("install_time"). 13 | SetTag("ServerState") 14 | } 15 | -------------------------------------------------------------------------------- /paths/temp.go: -------------------------------------------------------------------------------- 1 | package paths 2 | 3 | import ( 4 | "github.com/google/uuid" 5 | "www.velocidex.com/golang/velociraptor/file_store/api" 6 | ) 7 | 8 | type TempPathManager struct { 9 | filename string 10 | } 11 | 12 | func (self TempPathManager) Path() api.FSPathSpec { 13 | return TEMP_ROOT.AddChild(self.filename) 14 | } 15 | 16 | func NewTempPathManager(filename string) *TempPathManager { 17 | if filename == "" { 18 | filename = uuid.New().String() 19 | } 20 | 21 | return &TempPathManager{filename: filename} 22 | } 23 | -------------------------------------------------------------------------------- /proto/flow_metadata.proto: -------------------------------------------------------------------------------- 1 | syntax = "proto3"; 2 | 3 | import "google/protobuf/descriptor.proto"; 4 | 5 | package proto; 6 | 7 | option go_package = "www.velocidex.com/golang/velociraptor/proto"; 8 | 9 | message FlowMetaData { 10 | string category = 1; 11 | 
} 12 | 13 | // Flows are launched with these Args: 14 | extend google.protobuf.MessageOptions { 15 | FlowMetaData flow_metadata = 65661; 16 | } 17 | -------------------------------------------------------------------------------- /reporting/functions.go: -------------------------------------------------------------------------------- 1 | package reporting 2 | 3 | import ( 4 | "fmt" 5 | ) 6 | 7 | func strval(v interface{}) string { 8 | switch v := v.(type) { 9 | case string: 10 | return v 11 | case []byte: 12 | return string(v) 13 | case error: 14 | return v.Error() 15 | case fmt.Stringer: 16 | return v.String() 17 | default: 18 | return fmt.Sprintf("%v", v) 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /reporting/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Velociraptor Report 5 | 6 | 7 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /reporting/timelines.go: -------------------------------------------------------------------------------- 1 | package reporting 2 | -------------------------------------------------------------------------------- /result_sets/simple/docs.go: -------------------------------------------------------------------------------- 1 | /* 2 | An implementation of the simple result sets. Simple result sets 3 | are written as JSON files with a row index file. They have the 4 | following properties: 5 | 6 | 1. O(1) in access to a specific row - this allows fast paging of the 7 | table. 8 | 2. Files are written in JSONL 9 | 10 | */ 11 | 12 | package simple 13 | -------------------------------------------------------------------------------- /result_sets/timed/docs.go: -------------------------------------------------------------------------------- 1 | /* 2 | An implementation of the simple result sets. 
Simple result sets 3 | are written as JSON files with a row index file. They have the 4 | following properties: 5 | 6 | 1. O(1) in access to a specific row - this allows fast paging of the 7 | table. 8 | 2. Files are written in JSONL 9 | 10 | */ 11 | 12 | package timed 13 | -------------------------------------------------------------------------------- /security.md: -------------------------------------------------------------------------------- 1 | ``` 2 | Contact: security@rapid7.com 3 | Encryption: https://keys.openpgp.org/search?q=396F6DCA9B60EB1AF2D1621FA885DF1431A0A489 4 | Preferred-Languages: en 5 | Canonical: https://www.rapid7.com/.well-known/security.txt 6 | Policy: https://www.rapid7.com/security/disclosure/ 7 | ``` -------------------------------------------------------------------------------- /server/startup.go: -------------------------------------------------------------------------------- 1 | package server 2 | -------------------------------------------------------------------------------- /services/ddclient/api.go: -------------------------------------------------------------------------------- 1 | package ddclient 2 | 3 | import ( 4 | "context" 5 | 6 | config_proto "www.velocidex.com/golang/velociraptor/config/proto" 7 | ) 8 | 9 | type Updater interface { 10 | UpdateDDNSRecord( 11 | ctx context.Context, config_obj *config_proto.Config, 12 | external_ip string) error 13 | } 14 | -------------------------------------------------------------------------------- /services/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Velociraptor has a micro-services architecture, even though it is a 4 | single binary. Within the binary there are multiple services running 5 | that help perform various tasks. 6 | 7 | Some of these services contain internal state (e.g. caches) and are 8 | used to mediate access to those resources. 9 | 10 | Other services are simply libraries, exporting functions. 
Being in a 11 | service makes it easy to use these from anywhere without worrying 12 | about circular imports. 13 | */ 14 | 15 | package services 16 | -------------------------------------------------------------------------------- /services/indexing/fixtures/TestWildCardSearch.golden: -------------------------------------------------------------------------------- 1 | { 2 | "client:C.023030003030*2": [ 3 | "C.0230300030303002" 4 | ], 5 | "client:*.023030003030*2": [ 6 | "C.0230300030303002" 7 | ], 8 | "client:*30003030*2": [ 9 | "C.0030300030303002", 10 | "C.0130300030303002", 11 | "C.0230300030303002", 12 | "C.0330300030303002" 13 | ], 14 | "client:C.02303*2": [ 15 | "C.0230300030303002", 16 | "C.0230300130303002", 17 | "C.0230300230303002", 18 | "C.0230300330303002" 19 | ] 20 | } -------------------------------------------------------------------------------- /services/launcher/fixtures/TestParameterTypesDeps.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "IntValue": 9, 4 | "CSVValue": [ 5 | { 6 | "Col1": "Value1", 7 | "Col2": "Value2" 8 | }, 9 | { 10 | "Col1": "Value3", 11 | "Col2": "Value4" 12 | } 13 | ], 14 | "BoolValue": true, 15 | "BoolValue2": true 16 | } 17 | ] -------------------------------------------------------------------------------- /services/launcher/fixtures/TestParameterTypesDepsQuery.golden: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "BoolValue": false 4 | }, 5 | { 6 | "BoolValue": true 7 | }, 8 | { 9 | "BoolValue": false 10 | }, 11 | { 12 | "BoolValue": true 13 | }, 14 | { 15 | "BoolValue": false 16 | }, 17 | { 18 | "BoolValue": true 19 | }, 20 | { 21 | "CSVValue": [ 22 | { 23 | "Foo": 1 24 | }, 25 | { 26 | "Foo": 2 27 | } 28 | ], 29 | "BoolValue": true 30 | }, 31 | { 32 | "IntValue": 5 33 | }, 34 | { 35 | "TimestampValue": "2020-12-23T09:13:27Z" 36 | } 37 | ] 
-------------------------------------------------------------------------------- /services/repository/fixtures/TestArtifactMetadata.golden: -------------------------------------------------------------------------------- 1 | { 2 | "metadata": { 3 | "Custom.BuiltIn": { 4 | "hidden": true 5 | } 6 | } 7 | } -------------------------------------------------------------------------------- /services/repository/fixtures/TestArtifactPluginWithPrecondition.golden: -------------------------------------------------------------------------------- 1 | { 2 | "SELECT * FROM Artifact.CallArtifactWithFalsePrecondition()": [ 3 | { 4 | "A": 1, 5 | "_Source": "CallArtifactWithFalsePrecondition" 6 | } 7 | ], 8 | "SELECT * FROM Artifact.CallArtifactWithFalsePrecondition(preconditions=TRUE)": [ 9 | { 10 | "A": 1, 11 | "_Source": "CallArtifactWithFalsePrecondition" 12 | } 13 | ] 14 | } -------------------------------------------------------------------------------- /services/repository/fixtures/TestClientPluginMultipleSources.golden: -------------------------------------------------------------------------------- 1 | {"Column":"A","_Source":"ClientWithSources/Source1"} 2 | {"Column":"B","_Source":"ClientWithSources/Source2"} 3 | -------------------------------------------------------------------------------- /services/server_monitoring/fixtures/TestAlertEvent.golden: -------------------------------------------------------------------------------- 1 | { 2 | "/server_artifacts/Server.Internal.Alerts/2020-10-07.json": [ 3 | "{\"client_id\":\"server\",\"name\":\"TestAlert\",\"timestamp\":\"2020-10-07T20:43:08Z\",\"event_data\":{\"field\":\"Field1\"},\"artifact\":\"EventTest.Alert\",\"artifact_type\":\"SERVER_MONITORING\",\"_ts\":1602103388}", 4 | "" 5 | ], 6 | "/server_artifacts/EventTest.Alert/2020-10-07.json": [ 7 | "{\"_ts\":1602103388}", 8 | "" 9 | ] 10 | } -------------------------------------------------------------------------------- /services/users/acls.go: 
-------------------------------------------------------------------------------- 1 | package users 2 | -------------------------------------------------------------------------------- /services/users/docs.go: -------------------------------------------------------------------------------- 1 | package users 2 | 3 | // This module provides high level user management functions that 4 | // consider the principal's ACLs in performing the various actions. 5 | 6 | // The high level goal is to allow a SERVER_ADMIN as much power over 7 | // users in their own org as possible, but not being able to interfere 8 | // with other orgs. 9 | 10 | // This module essentially sets the rules of interaction between orgs. 11 | -------------------------------------------------------------------------------- /services/users/favorites.go: -------------------------------------------------------------------------------- 1 | package users 2 | 3 | import ( 4 | "context" 5 | 6 | api_proto "www.velocidex.com/golang/velociraptor/api/proto" 7 | config_proto "www.velocidex.com/golang/velociraptor/config/proto" 8 | ) 9 | 10 | func (self UserManager) GetFavorites( 11 | ctx context.Context, 12 | config_obj *config_proto.Config, 13 | principal, fav_type string) (*api_proto.Favorites, error) { 14 | return self.storage.GetFavorites(ctx, config_obj, principal, fav_type) 15 | } 16 | -------------------------------------------------------------------------------- /services/vfs_service/api.go: -------------------------------------------------------------------------------- 1 | package vfs_service 2 | -------------------------------------------------------------------------------- /services/vfs_service/list_files.go: -------------------------------------------------------------------------------- 1 | package vfs_service 2 | -------------------------------------------------------------------------------- /services/writeback/storage_unix.go: 
-------------------------------------------------------------------------------- 1 | // +build !windows 2 | 3 | package writeback 4 | 5 | import config_proto "www.velocidex.com/golang/velociraptor/config/proto" 6 | 7 | func GetFileWritebackStore(config_obj *config_proto.Config) WritebackStorer { 8 | location, _ := WritebackLocation(config_obj) 9 | 10 | return &FileWritebackStore{ 11 | config_obj: config_obj, 12 | location: location, 13 | l2_location: location + config_obj.Client.Level2WritebackSuffix, 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /staticcheck.conf: -------------------------------------------------------------------------------- 1 | checks = ["all", 2 | # error strings should not be capitalized (ST1005) 3 | "-ST1005", 4 | # receiver name should be a reflection of its identity 5 | "-ST1006", 6 | # should not use underscores in Go names 7 | "-ST1003", 8 | # at least one file in a package should have a package comment 9 | "-ST1000", 10 | # the surrounding loop is unconditionally terminated 11 | "-SA4004", 12 | ] -------------------------------------------------------------------------------- /third_party/zip/README.txt: -------------------------------------------------------------------------------- 1 | This is a fork of archive/zip from the standard library with a number 2 | of bugfixes: 3 | 4 | * Support extra bytes before zip file (see issue https://github.com/golang/go/issues/10464) 5 | 6 | Includes patch by Phil Webb philwebb https://github.com/philwebb/go/commit/b1b65c2b4cd85f1a67c3c5c8cf40254030c7cab4 7 | -------------------------------------------------------------------------------- /third_party/zip/testdata/crc32-not-streamed.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/crc32-not-streamed.zip 
-------------------------------------------------------------------------------- /third_party/zip/testdata/dd.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/dd.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/go-no-datadesc-sig.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/go-no-datadesc-sig.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/go-with-datadesc-sig.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/go-with-datadesc-sig.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/gophercolor16x16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/gophercolor16x16.png -------------------------------------------------------------------------------- /third_party/zip/testdata/hello-aes.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/hello-aes.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/macbeth-act1.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/macbeth-act1.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/readme.notzip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/readme.notzip -------------------------------------------------------------------------------- /third_party/zip/testdata/readme.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/readme.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/symlink.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/symlink.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/test-trailing-junk.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/test-trailing-junk.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/test.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/test.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-22738.zip: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-22738.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-7zip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-7zip.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-go.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-go.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-infozip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-infozip.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-osx.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-osx.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-win7.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-win7.zip -------------------------------------------------------------------------------- 
/third_party/zip/testdata/time-winrar.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-winrar.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/time-winzip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/time-winzip.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/unix.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/unix.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/utf8-7zip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/utf8-7zip.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/utf8-infozip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/utf8-infozip.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/utf8-osx.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/utf8-osx.zip 
-------------------------------------------------------------------------------- /third_party/zip/testdata/utf8-winrar.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/utf8-winrar.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/utf8-winzip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/utf8-winzip.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/winxp.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/winxp.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/world-aes.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/world-aes.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/zip64-2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/zip64-2.zip -------------------------------------------------------------------------------- /third_party/zip/testdata/zip64.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Velocidex/velociraptor/c76339537fed518a481f6458ec83fcbf2d673c76/third_party/zip/testdata/zip64.zip -------------------------------------------------------------------------------- /timelines/timelines.go: -------------------------------------------------------------------------------- 1 | package timelines 2 | -------------------------------------------------------------------------------- /tools/grpc-gateway.go: -------------------------------------------------------------------------------- 1 | // +build tools 2 | 3 | package tools 4 | 5 | // Imports necessary packages for generating the .pb.go files. Only used 6 | // to have `go mod tidy' resolve these packages consistently. 7 | import ( 8 | _ "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway" 9 | _ "google.golang.org/grpc/cmd/protoc-gen-go-grpc" 10 | _ "google.golang.org/protobuf/cmd/protoc-gen-go" 11 | ) 12 | -------------------------------------------------------------------------------- /tools/survey/autocert.go: -------------------------------------------------------------------------------- 1 | package survey 2 | 3 | import ( 4 | "github.com/charmbracelet/huh" 5 | ) 6 | 7 | func getAutoCertConfig(config *ConfigSurvey) error { 8 | config.FrontendBindPort = "443" 9 | config.GUIBindPort = "443" 10 | 11 | form := huh.NewForm( 12 | huh.NewGroup( 13 | huh.NewNote(). 
14 | Description("Configuring Server certificates using Let's Encrypt."), 15 | ), 16 | ).WithTheme(getTheme()) 17 | 18 | return form.Run() 19 | } 20 | -------------------------------------------------------------------------------- /tools/survey/self_signed.go: -------------------------------------------------------------------------------- 1 | package survey 2 | 3 | import ( 4 | "github.com/charmbracelet/huh" 5 | ) 6 | 7 | func getSelfSignedConfig(config *ConfigSurvey) error { 8 | config.FrontendBindPort = "8000" 9 | config.GUIBindPort = "8889" 10 | 11 | form := huh.NewForm( 12 | huh.NewGroup( 13 | huh.NewNote(). 14 | Description("Configuring a Self Signed Server"), 15 | ), 16 | ).WithTheme(getTheme()) 17 | 18 | return form.Run() 19 | 20 | } 21 | -------------------------------------------------------------------------------- /uploads/file_based_nonwindows.go: -------------------------------------------------------------------------------- 1 | // +build !windows 2 | 3 | package uploads 4 | 5 | import ( 6 | "os" 7 | "time" 8 | ) 9 | 10 | func setFileTimestamps(file_path string, 11 | mtime, atime, ctime time.Time) error { 12 | return os.Chtimes(file_path, atime, mtime) 13 | } 14 | -------------------------------------------------------------------------------- /utils/alloc.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import "unsafe" 4 | 5 | // Allocates memory with 8 byte alignment 6 | func AllocateBuff(length int) []byte { 7 | buffer := make([]byte, length+8) 8 | offset := int(uintptr(unsafe.Pointer(&buffer[0])) & uintptr(0xF)) 9 | 10 | return buffer[offset:] 11 | } 12 | -------------------------------------------------------------------------------- /utils/compat.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "context" 5 | "time" 6 | ) 7 | 8 | // Redirector for new context functions. 
May be replaced for building 9 | // with old Golang. 10 | func WithTimeoutCause(ctx context.Context, duration time.Duration, err error) ( 11 | context.Context, func()) { 12 | return context.WithTimeoutCause(ctx, duration, err) 13 | } 14 | -------------------------------------------------------------------------------- /utils/endian.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "runtime" 5 | ) 6 | 7 | var isBigEndian bool 8 | 9 | func init() { 10 | switch runtime.GOARCH { 11 | case "386", "amd64", "arm", "arm64", "ppc64le", "mips64le", "mipsle", "riscv64", "wasm": 12 | isBigEndian = false 13 | case "ppc64", "s390x", "mips", "mips64": 14 | isBigEndian = true 15 | default: 16 | // nop 17 | } 18 | } -------------------------------------------------------------------------------- /utils/file_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | package utils 5 | 6 | import ( 7 | "io/ioutil" 8 | "os" 9 | ) 10 | 11 | func ReadDir(dirname string) ([]os.FileInfo, error) { 12 | return ioutil.ReadDir(dirname) 13 | } 14 | 15 | func ReadDirUnsorted(dirname string) ([]os.FileInfo, error) { 16 | return ioutil.ReadDir(dirname) 17 | } 18 | -------------------------------------------------------------------------------- /utils/fixtures/TestDictUtils.golden: -------------------------------------------------------------------------------- 1 | NotExist -> '' 2 | Inner.X -> '' 3 | Inner2 -> 'String' 4 | Inner.Y -> 'String' 5 | Inner3 -> '' 6 | Inner3.0 -> 'Foo' 7 | Inner3.Foo -> '' 8 | NilInner.X -> '' 9 | Inner4.NotExist -> '' 10 | Inner4.0 -> '' 11 | Inner4.1 -> 'X' 12 | Inner4.2 -> '' 13 | Inner4.10 -> '' 14 | Inner4.-10 -> '' 15 | -------------------------------------------------------------------------------- /utils/fixtures/TestSanitize.golden: 
-------------------------------------------------------------------------------- 1 | { 2 | "Simple string": "Simple string", 3 | "你好": "%E4%BD%A0%E5%A5%BD", 4 | "Word \"With\" quotes": "Word %22With%22 quotes", 5 | "../../../": "%2E%2E%2F..%2F..%2F", 6 | "foo.db": "foo.db_", 7 | "bar.json.db": "bar.json.db_", 8 | "filename:with:col.db": "filename%3Awith%3Acol.db_", 9 | "\u0000\u0001\ufffd\ufffd\ufffd\ufffd(": "%00%01%F0%F2%FF%C3%28", 10 | "\\\\.\\C:\\你好世界\\\"你好/世界.db\"": "%5C%5C.%5CC%3A%5C%E4%BD%A0%E5%A5%BD%E4%B8%96%E7%95%8C%5C%22%E4%BD%A0%E5%A5%BD%2F%E4%B8%96%E7%95%8C.db%22", 11 | "foo.": "foo%2E" 12 | } -------------------------------------------------------------------------------- /utils/fixtures/TestSanitizeForZip.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Simple string": "Simple string", 3 | "你好": "你好", 4 | "Word \"With\" quotes": "Word %22With%22 quotes", 5 | "../../../": "%2E.%2F..%2F..%2F", 6 | "foo.db": "foo.db", 7 | "bar.json.db": "bar.json.db", 8 | "filename:with:col.db": "filename%3Awith%3Acol.db", 9 | "\u0000\u0001\ufffd\ufffd\ufffd\ufffd(": "\u0000\u0001%F0%F2%FF%C3(", 10 | "\\\\.\\C:\\你好世界\\\"你好/世界.db\"": "%5C%5C.%5CC%3A%5C你好世界%5C%22你好%2F世界.db%22", 11 | "foo.": "foo%2E" 12 | } -------------------------------------------------------------------------------- /utils/http/logging.go: -------------------------------------------------------------------------------- 1 | package http 2 | 3 | import "net/http" 4 | 5 | // Record the status of the request so we can log it. 
6 | type StatusRecorder struct { 7 | http.ResponseWriter 8 | http.Flusher 9 | Status int 10 | Error []byte 11 | } 12 | 13 | func (self *StatusRecorder) WriteHeader(code int) { 14 | self.Status = code 15 | self.ResponseWriter.WriteHeader(code) 16 | } 17 | 18 | func (self *StatusRecorder) Write(buf []byte) (int, error) { 19 | if self.Status == 500 { 20 | self.Error = buf 21 | } 22 | 23 | return self.ResponseWriter.Write(buf) 24 | } 25 | -------------------------------------------------------------------------------- /utils/hunts.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import "strings" 4 | 5 | func ExtractHuntId(flow_id string) (string, bool) { 6 | parts := strings.Split(flow_id, ".") 7 | if len(parts) < 3 || parts[2] != "H" { 8 | return "", false 9 | } 10 | 11 | return "H." + parts[1], true 12 | } 13 | 14 | func CreateFlowIdFromHuntId(hunt_id string) string { 15 | parts := strings.SplitN(hunt_id, ".", 2) 16 | if len(parts) != 2 { 17 | return "F." + hunt_id 18 | } 19 | return "F." 
+ parts[1] + ".H" 20 | 21 | } 22 | -------------------------------------------------------------------------------- /utils/hunts_test.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "testing" 5 | 6 | "www.velocidex.com/golang/velociraptor/vtesting/assert" 7 | ) 8 | 9 | func TestExtractHuntId(t *testing.T) { 10 | hunt_id := "H.123" 11 | flow_id := CreateFlowIdFromHuntId(hunt_id) 12 | assert.Equal(t, "F.123.H", flow_id) 13 | 14 | extracted_hunt_id, ok := ExtractHuntId(flow_id) 15 | assert.True(t, ok) 16 | assert.Equal(t, extracted_hunt_id, hunt_id) 17 | 18 | // Regular flow 19 | extracted_hunt_id, ok = ExtractHuntId("F.1234") 20 | assert.True(t, !ok) 21 | } 22 | -------------------------------------------------------------------------------- /utils/proxy.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "net/http" 5 | ) 6 | 7 | // Retrieve the Remote Address from a request in a reverse-proxy compatible way. 
8 | func RemoteAddr(req *http.Request, header string) string { 9 | if len(header) > 0 { 10 | if addr := req.Header.Get(header); len(addr) > 0 { 11 | return addr 12 | } 13 | } 14 | return req.RemoteAddr 15 | } 16 | -------------------------------------------------------------------------------- /utils/queries.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import actions_proto "www.velocidex.com/golang/velociraptor/actions/proto" 4 | 5 | func GetQueryName(args []*actions_proto.VQLRequest) string { 6 | for _, query := range args { 7 | if query.Name != "" { 8 | return query.Name 9 | } 10 | } 11 | return "" 12 | } 13 | -------------------------------------------------------------------------------- /utils/quotes.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import "strconv" 4 | 5 | func Quote(in string) string { 6 | return strconv.QuoteToASCII(in) 7 | } 8 | 9 | func UnQuote(in string) string { 10 | res, err := strconv.Unquote(in) 11 | if err != nil { 12 | return in 13 | } 14 | return res 15 | } 16 | -------------------------------------------------------------------------------- /utils/reflect.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "github.com/Velocidex/yaml/v2" 5 | api_proto "www.velocidex.com/golang/velociraptor/api/proto" 6 | "www.velocidex.com/golang/velociraptor/artifacts/assets" 7 | ) 8 | 9 | // Loads the api description from the embedded asset 10 | func LoadApiDescription() ([]*api_proto.Completion, error) { 11 | data, err := assets.ReadFile("/docs/references/vql.yaml") 12 | if err != nil { 13 | return nil, err 14 | } 15 | 16 | result := []*api_proto.Completion{} 17 | err = yaml.Unmarshal(data, &result) 18 | return result, err 19 | } 20 | -------------------------------------------------------------------------------- /utils/regexp.go: 
-------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import "regexp" 4 | 5 | func ReplaceAllStringSubmatchFunc(re *regexp.Regexp, str string, repl func([]string) string) string { 6 | result := "" 7 | lastIndex := 0 8 | 9 | for _, v := range re.FindAllSubmatchIndex([]byte(str), -1) { 10 | groups := []string{} 11 | for i := 0; i < len(v); i += 2 { 12 | groups = append(groups, str[v[i]:v[i+1]]) 13 | } 14 | 15 | result += str[lastIndex:v[0]] + repl(groups) 16 | lastIndex = v[1] 17 | } 18 | 19 | return result + str[lastIndex:] 20 | } 21 | -------------------------------------------------------------------------------- /utils/retry.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "context" 5 | "time" 6 | 7 | errors "github.com/go-errors/errors" 8 | ) 9 | 10 | var ( 11 | timeoutError = errors.New("Timeout") 12 | ) 13 | 14 | func Retry(ctx context.Context, cb func() error, 15 | number int, sleep time.Duration) error { 16 | var err error 17 | for i := 0; i < number; i++ { 18 | err = cb() 19 | if err == nil { 20 | return err 21 | } 22 | select { 23 | case <-ctx.Done(): 24 | return timeoutError 25 | case <-time.After(sleep): 26 | } 27 | } 28 | return err 29 | } 30 | -------------------------------------------------------------------------------- /utils/sleep.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "context" 5 | "time" 6 | ) 7 | 8 | func SleepWithCtx(ctx context.Context, 9 | duration time.Duration) { 10 | select { 11 | case <-ctx.Done(): 12 | case <-time.After(duration): 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /utils/stub.go: -------------------------------------------------------------------------------- 1 | // +build !linux,!darwin,!freebsd 2 | 3 | package utils 4 | 5 | func CheckDirWritable(dirname string) 
error { 6 | return nil 7 | } 8 | -------------------------------------------------------------------------------- /utils/urls.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "net/url" 5 | "strings" 6 | ) 7 | 8 | // Work around issues with https://github.com/golang/go/issues/4013 9 | // and space encoding. This QueryEscape has to be the exact mirror of 10 | // Javascript's decodeURIComponent 11 | func QueryEscape(in string) string { 12 | res := url.QueryEscape(in) 13 | return strings.Replace(res, "+", "%20", -1) 14 | } 15 | -------------------------------------------------------------------------------- /utils/yaml.go: -------------------------------------------------------------------------------- 1 | package utils 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/Velocidex/yaml/v2" 7 | ) 8 | 9 | // The yaml library is flakey and can sometimes crash on invalid 10 | // input. This wrapper makes sure we dont lose it if the input is not 11 | // valid. 
12 | func YamlUnmarshalStrict(data []byte, target interface{}) (err error) { 13 | defer func() { 14 | r := recover() 15 | if r != nil { 16 | err = fmt.Errorf("Invalid YAML file.") 17 | } 18 | }() 19 | 20 | return yaml.UnmarshalStrict(data, target) 21 | } 22 | -------------------------------------------------------------------------------- /vql/common/fixtures/TestDefaultPipeReader.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Buffer with no sep lines": [ 3 | "Buffer with no sep Lines" 4 | ], 5 | "Buffer with no sep lines no seps": [ 6 | "Buffer with no sep Lines" 7 | ], 8 | "Buffer with line split": [ 9 | "a", 10 | "buffer", 11 | "With", 12 | "Some", 13 | "More", 14 | "Lines" 15 | ], 16 | "Buffer with fixed size": [ 17 | "This ", 18 | "is a ", 19 | "long ", 20 | "buffe", 21 | "r wit", 22 | "h ext", 23 | "ra da", 24 | "ta" 25 | ] 26 | } -------------------------------------------------------------------------------- /vql/constants/ntfs.go: -------------------------------------------------------------------------------- 1 | package constants 2 | 3 | import ( 4 | "context" 5 | "time" 6 | 7 | "www.velocidex.com/golang/velociraptor/constants" 8 | vql_subsystem "www.velocidex.com/golang/velociraptor/vql" 9 | "www.velocidex.com/golang/vfilter" 10 | ) 11 | 12 | func GetNTFSCacheTime(ctx context.Context, scope vfilter.Scope) time.Duration { 13 | cache_life := vql_subsystem.GetIntFromRow( 14 | scope, scope, constants.NTFS_CACHE_TIME) 15 | if cache_life == 0 { 16 | cache_life = 600 17 | } 18 | 19 | res := time.Duration(cache_life) * time.Second 20 | return res 21 | } 22 | -------------------------------------------------------------------------------- /vql/darwin/fixtures/TestXAttr.golden: -------------------------------------------------------------------------------- 1 | { 2 | "List All attributes": { 3 | "vr.test": "test.value", 4 | "vr.test2": "test.value" 5 | }, 6 | "Get one specific attribute": { 7 | "vr.test": 
"test.value" 8 | }, 9 | "Get both attributes by name": { 10 | "vr.test": "test.value", 11 | "vr.test2": "test.value" 12 | }, 13 | "Get one attribute present and one not available.": { 14 | "vr.test": "test.value" 15 | }, 16 | "Get only unavailable attribute": {} 17 | } -------------------------------------------------------------------------------- /vql/darwin/xattr_darwin.go: -------------------------------------------------------------------------------- 1 | package darwin 2 | 3 | const ( 4 | prefix = "" 5 | ) 6 | 7 | // No-op on Darwin (Mac). 8 | func stripPrefix(s []string) []string { 9 | return s 10 | } 11 | -------------------------------------------------------------------------------- /vql/darwin/xattr_linux.go: -------------------------------------------------------------------------------- 1 | package darwin 2 | 3 | import "strings" 4 | 5 | const prefix = "user." 6 | 7 | // Strip "user." prefix on Linux. 8 | func stripPrefix(s []string) []string { 9 | for i, a := range s { 10 | if strings.HasPrefix(a, prefix) { 11 | s[i] = a[5:] 12 | } 13 | } 14 | return s 15 | } 16 | -------------------------------------------------------------------------------- /vql/efi/efivariables_not_impl.go: -------------------------------------------------------------------------------- 1 | // +build darwin freebsd 2 | 3 | package efi 4 | 5 | import "errors" 6 | 7 | func GetEfiVariables() ([]EfiVariable, error) { 8 | return nil, errors.New("Not implemented") 9 | } 10 | 11 | func GetEfiVariableValue(namespace string, name string) ([]byte, error) { 12 | return nil, errors.New("Not implemented") 13 | } 14 | -------------------------------------------------------------------------------- /vql/is_admin.go: -------------------------------------------------------------------------------- 1 | // +build !windows 2 | 3 | package vql 4 | 5 | import "syscall" 6 | 7 | func IsAdmin() bool { 8 | return syscall.Geteuid() == 0 9 | } 10 | 
-------------------------------------------------------------------------------- /vql/linux/ebpf/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | This is the ebpf plugin. It uses a modified version of tracee. 3 | */ 4 | 5 | package ebpf 6 | -------------------------------------------------------------------------------- /vql/networking/netstat_common.go: -------------------------------------------------------------------------------- 1 | package networking 2 | 3 | import ( 4 | "time" 5 | ) 6 | 7 | // Addr is implemented compatibility to psutil 8 | type Addr struct { 9 | IP string 10 | Port uint32 11 | } 12 | 13 | type ConnectionStat struct { 14 | Fd uint32 15 | Family uint32 16 | Type uint32 17 | Laddr Addr 18 | Raddr Addr 19 | Status string 20 | Pid int32 21 | timestamp time.Time 22 | } 23 | 24 | type NetstatArgs struct{} 25 | -------------------------------------------------------------------------------- /vql/parsers/authenticode/doc.go: -------------------------------------------------------------------------------- 1 | package authenticode 2 | -------------------------------------------------------------------------------- /vql/parsers/ese/conversion.spec.yaml: -------------------------------------------------------------------------------- 1 | Module: ese 2 | Profile: MiscProfile 3 | Filename: vtype_profile.json 4 | GenerateDebugString: false 5 | Structs: 6 | - SID 7 | - Misc 8 | -------------------------------------------------------------------------------- /vql/parsers/ese/sid_test.go: -------------------------------------------------------------------------------- 1 | package ese 2 | 3 | import ( 4 | "testing" 5 | 6 | "www.velocidex.com/golang/velociraptor/vtesting/assert" 7 | ) 8 | 9 | // https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253 10 | func TestSID(t *testing.T) { 11 | hexsid := "010500000000000515000000A065CF7E784B9B5FE77C8770091C0100" 12 | sid := formatGUID(hexsid) 13 | 
assert.Equal(t, "S-1-5-21-2127521184-1604012920-1887927527-72713", sid) 14 | } 15 | -------------------------------------------------------------------------------- /vql/parsers/ese/vtype_profile.json: -------------------------------------------------------------------------------- 1 | { 2 | "SID": [16, { 3 | "Revision": [0, ["unsigned char"]], 4 | "SubAuthCount": [1, ["unsigned char"]], 5 | "Authority": [2, ["unsigned short"]], 6 | "Authority2": [4, ["unsigned long"]], 7 | "Subauthority": [8, ["Array", { 8 | "target": "unsigned long", 9 | "count": 100 10 | }]] 11 | }], 12 | 13 | "Misc": [0, { 14 | "Misc": [0, ["UnicodeString"]] 15 | }] 16 | } 17 | -------------------------------------------------------------------------------- /vql/parsers/fixtures/TestGrokParser.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Multiple Keywords": { 3 | "message": "Ubuntu-22 gdm-autologin]: gkr-pam: no password is available for user", 4 | "timestamp": "Mar 27 10:49:14" 5 | } 6 | } -------------------------------------------------------------------------------- /vql/parsers/fixtures/TestParseFileWithRegex.golden: -------------------------------------------------------------------------------- 1 | { 2 | "2: Different types of records mixed in": [ 3 | { 4 | "FullPath": "Record 1 ... Delimiter Special Delimiter Record 2 ... Delimiter Some padding that should be ignored", 5 | "SpecialRecord": "", 6 | "Record": "Record 1 ... " 7 | }, 8 | { 9 | "FullPath": "Record 1 ... Delimiter Special Delimiter Record 2 ... Delimiter Some padding that should be ignored", 10 | "Record": "", 11 | "SpecialRecord": " Record 2 ... 
" 12 | } 13 | ] 14 | } -------------------------------------------------------------------------------- /vql/parsers/fixtures/TestYamlParser.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Case 0": { 3 | "Name": "myname", 4 | "Value": [ 5 | "list1", 6 | "list2" 7 | ] 8 | }, 9 | "Case 1": { 10 | "Name": "myname1", 11 | "B": 1, 12 | "A": 2, 13 | "c": { 14 | "Field1": "X", 15 | "Field2": true, 16 | "Field0": "Z" 17 | } 18 | }, 19 | "Case 2": null 20 | } -------------------------------------------------------------------------------- /vql/parsers/recyclebin/conversion.spec.yaml: -------------------------------------------------------------------------------- 1 | Module: recyclebin 2 | Profile: RecycleBinIndex 3 | Filename: vtype_profile.json 4 | GenerateDebugString: false 5 | Structs: 6 | - Metadata -------------------------------------------------------------------------------- /vql/parsers/recyclebin/vtype_profile.json: -------------------------------------------------------------------------------- 1 | { 2 | "Metadata": [0, { 3 | "Header": [0, ["unsigned long long"]], 4 | "FileSize": [8, ["unsigned long long"]], 5 | "DeletedTime": [16, ["unsigned long long"]], 6 | "FileNameLength": [24, ["unsigned long"]], 7 | "FilePath": [28, ["UnicodeString"]] 8 | }] 9 | } 10 | -------------------------------------------------------------------------------- /vql/parsers/sql/fixtures/TestSQLite.golden: -------------------------------------------------------------------------------- 1 | { 2 | "Simple SELECT": [ 3 | { 4 | "column1": 1, 5 | "column2": "first" 6 | } 7 | ], 8 | "Simple SELECT with args": [ 9 | { 10 | "column1": 1, 11 | "column1 + ?": 2 12 | } 13 | ] 14 | } -------------------------------------------------------------------------------- /vql/parsers/sql/sqlite_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows && amd64 && cgo 2 | // +build 
windows,amd64,cgo 3 | 4 | package sql 5 | 6 | import ( 7 | _ "www.velocidex.com/golang/velociraptor/vql/windows/filesystems" 8 | ) 9 | -------------------------------------------------------------------------------- /vql/psutils/common.go: -------------------------------------------------------------------------------- 1 | package psutils 2 | -------------------------------------------------------------------------------- /vql/psutils/connections.go: -------------------------------------------------------------------------------- 1 | package psutils 2 | -------------------------------------------------------------------------------- /vql/psutils/host_freebsd.go: -------------------------------------------------------------------------------- 1 | //go:build freebsd 2 | // +build freebsd 3 | 4 | package psutils 5 | 6 | import ( 7 | "context" 8 | 9 | "github.com/shirou/gopsutil/v4/host" 10 | ) 11 | 12 | func PlatformInformationWithContext(ctx context.Context) (string, string, string, error) { 13 | return host.PlatformInformationWithContext(ctx) 14 | } 15 | -------------------------------------------------------------------------------- /vql/psutils/host_linux.go: -------------------------------------------------------------------------------- 1 | //go:build linux 2 | // +build linux 3 | 4 | package psutils 5 | 6 | import ( 7 | "context" 8 | 9 | "github.com/shirou/gopsutil/v4/host" 10 | ) 11 | 12 | func PlatformInformationWithContext(ctx context.Context) (string, string, string, error) { 13 | return host.PlatformInformationWithContext(ctx) 14 | } 15 | -------------------------------------------------------------------------------- /vql/psutils/host_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | package psutils 5 | 6 | import ( 7 | "context" 8 | 9 | "github.com/shirou/gopsutil/v4/host" 10 | ) 11 | 12 | func PlatformInformationWithContext(ctx context.Context) (platform 
// re is the "re" Sigma value modifier. It owns no state of its own and
// hands the comparison to the VQL scope (presumably regular-expression
// semantics are supplied by scope.Match — confirm against the scope
// implementation).
type re struct{}

// Matches reports whether actual satisfies expected according to
// scope.Match. The error result is always nil; it exists only to satisfy
// the modifier interface shared with the other modifiers in this package.
func (re) Matches(
	ctx context.Context, scope types.Scope,
	actual any, expected any) (bool, error) {

	// The scope decides how expected is interpreted and how it is
	// compared with actual; this modifier adds nothing on top.
	matched := scope.Match(expected, actual)
	return matched, nil
}
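// reverse returns a new slice holding the elements of l in reverse order.
//
// The input slice is never modified. The result is always non-nil: for an
// empty or nil input it is an empty slice with zero capacity, exactly as
// the earlier []*ProcessEntry-specific version behaved.
//
// The element type is a type parameter so the same implementation serves
// any slice; existing callers passing []*ProcessEntry are unaffected
// because T is inferred from the argument.
func reverse[T any](l []T) []T {
	// Pre-size to the final length so the loop never reallocates.
	res := make([]T, 0, len(l))
	for i := len(l) - 1; i >= 0; i-- {
		res = append(res, l[i])
	}

	return res
}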
// GUID is a package-local alias of windows.GUID so that callers in this
// package can name the type without importing golang.org/x/sys/windows
// themselves.
type GUID windows.GUID

// String renders the GUID in the textual form produced by
// golang.org/x/sys/windows.
func (g GUID) String() string {
	native := windows.GUID(g)
	return native.String()
}

// UTF16ToString converts a UTF-16 encoded slice into a Go string by
// delegating to windows.UTF16ToString.
func UTF16ToString(in []uint16) string {
	s := windows.UTF16ToString(in)
	return s
}

// UTF16FromString converts a Go string into a UTF-16 encoded slice by
// delegating to windows.UTF16FromString; the error is passed through
// unchanged.
func UTF16FromString(in string) ([]uint16, error) {
	buf, err := windows.UTF16FromString(in)
	return buf, err
}

// UTF16PtrFromString converts a Go string into a pointer to a UTF-16
// encoded buffer by delegating to windows.UTF16PtrFromString; the error
// is passed through unchanged.
func UTF16PtrFromString(in string) (*uint16, error) {
	p, err := windows.UTF16PtrFromString(in)
	return p, err
}
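// escape encodes a device path so the whole device shows up as a single
// name: every backslash becomes "%5c" and every forward slash becomes
// "%2f", so neither is interpreted as a path separator downstream.
//
// The encoding is not injective. A path that already contains a literal
// "%5c" or "%2f" is left untouched here and will be turned into a
// separator by unescape, so escape/unescape is only a faithful round trip
// for paths free of those sequences.
func escape(path string) string {
	result := strings.ReplaceAll(path, "\\", "%5c")
	return strings.ReplaceAll(result, "/", "%2f")
}

// unescape reverses escape, mapping "%5c" back to a backslash and "%2f"
// back to a forward slash. Only these two lowercase sequences are
// recognised; any other percent sequence (including the uppercase
// "%5C"/"%2F") passes through unchanged.
func unescape(path string) string {
	result := strings.ReplaceAll(path, "%5c", "\\")
	return strings.ReplaceAll(result, "%2f", "/")
}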
// GetFreePort asks the kernel for an ephemeral TCP port on localhost and
// returns its number.
//
// The listener used to discover the port is closed before returning, so
// the port is only known to be free at the moment of the call: another
// process may bind it before the caller does. That race is inherent to
// this technique and is acceptable for test setup, which is this
// package's purpose.
func GetFreePort() (int, error) {
	addr, err := net.ResolveTCPAddr("tcp", "localhost:0")
	if err != nil {
		return 0, err
	}

	listener, err := net.ListenTCP("tcp", addr)
	if err != nil {
		return 0, err
	}

	// ListenTCP always reports a *net.TCPAddr, so the assertion cannot
	// fail. Read the port, then release the socket so the caller can
	// bind it.
	port := listener.Addr().(*net.TCPAddr).Port
	// Close error deliberately ignored: the socket served its purpose
	// and there is nothing useful to do about a failure here.
	_ = listener.Close()
	return port, nil
}