-------------------------------------------------------------------
Thu Nov 10 15:22:27 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4.2~git70.b7df8172:
  * file_store: handle watching artifacts with named sources

-------------------------------------------------------------------
Thu Sep 29 14:16:05 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4.2~git68.5226b23b:
  * api/authenticators/basic: fix logoff endpoint
  * clients/host-info.js: add MAC addresses to client dashboard
  * linux: Add ability to interrogate system and network configuration
  * SUSE: Add docker-compose environment
  * SUSE: add Docker files
  * Add Linux.Sys.Bash to Server.Monitor.Shell artifact

-------------------------------------------------------------------
Fri Aug 19 21:07:15 UTC 2022 - Jeff Mahoney

- Updated vendoring.
- Fixed update-vendoring script to use an independent go module cache.

-------------------------------------------------------------------
Fri Aug 19 01:59:35 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4.2~git59.5ebb49db:
  * api/authenticators: fix handling of missing oauthstate cookie for OAUTH2

-------------------------------------------------------------------
Thu Aug 11 19:40:21 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4.2~git57.fcb11adf:
  * kafka-humio-gateway: add sample config file

-------------------------------------------------------------------
Fri Jul 15 14:30:49 UTC 2022 - Jeff Mahoney

- Updated BuildRequires to use go 1.17 after updating vendoring

-------------------------------------------------------------------
Fri Jul 15 02:24:03 UTC 2022 - Jeff Mahoney

- Add vmlinux.h from 5.18.9-2-default to provide type information (x86_64 only)

-------------------------------------------------------------------
Fri Jul 15 00:00:39 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4.2~git56.47b4adb4:
  * Updating the NewFiles and ProcessStatuses Artifacts
  * cronsnoop: Add plugin which is able to snoop removal/addition of cron… (#37)
  * third_party/go-libaudit: don't directly use unix.*
  * Add Linux.Remediation.Quarantine artifact
  * Extend audit artifacts to use new interface
  * audit: rearchitect plugin to scale better with multiple invocations
  * third_party/go-libaudit: move handling of receive buffer to caller
  * third_party/go-libaudit: move buffer handling from netlink to audit
  * third_party/go-libaudit: allow audit fd to be pollable
  * third_party/go-libaudit: Add support for removing individual rules
  * third_party/go-libaudit: rule.Rule.Build: Don't assume that no syscalls means all syscalls
  * third_party/go-libaudit: Report missing rules during deletion
  * import go-libaudit as a third-party module
  * quarantine: actually call the OS-specific artifact
  * artifactset: add ability to select named sources
  * GUI: Artifact selector (#1790)
  * host-info: make quarantine UI more robust with non-Windows client hosts
  * shell-viewer: default to Bash on non-Windows clients

-------------------------------------------------------------------
Thu May 12 20:15:26 UTC 2022 - jeffm@suse.com

- Update to upstream 0.6.4-2:
  * Reset nanny when client connection failed. (#1780)
  * Fix artifacts that use yara parameters to specify yara type (#1779)
  * Update release for bugfixes 0.6.4-2
  * Add update to ADSHunter for better output on complete system hunts (#28) (#1765)
  * SysmonInstall artifact now skips install if not needed (#1777)
  * Initial implementation of client side process tracker. (#1768)
  * Invalidate transformed cache when the base table changes. (#1742)
  * GUI Table widgets now can apply transformations on the table. (#1740)
  * Suppress warning message for offline collector (#1776)
  * Bug fix (#1774)
  * Avoid bash process lingering around while server is running (#1775)
  * oidc: Fix typo: Genric -> Generic (#1773)
  * Make MaxWait for event table settable. (#1772)
  * Fixed bug in Windows.Detection.Yara.Process (#1771)
  * fix: upgrade react-scripts from 5.0.0 to 5.0.1 (#1770)
  * Bugfix: Client did not update list of query columns (#1767)
  * Merge bugfixes from master branch. (#1769)
- Revendored dependencies.

-------------------------------------------------------------------
Thu May 12 17:54:31 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4~git31.4298eab0:
  * Elastic.Events.Client: Update to use new artifactset type
  * Kafka.Events.Client: Update to use new artifactset type
  * artifacts: add artifactset parameter type
  * api: add type and description fields to v1/GetArtifacts endpoint

-------------------------------------------------------------------
Thu May 12 13:30:42 UTC 2022 - jeffm@suse.com

- Update to version 0.6.4~git26.4407b9b7:
  * Add artifact for chattrsnoop plugin
  * bpflib: ensure it's built only on linux and when requesting bpf
  * Add chattrsnoop plugin
  * tcpsnoop: Properly close module in case of attach error
  * Add artifacts for dns/tcp snoop plugins
  * tcpsnoop: Add timestamp to generated events
  * dnssnoop: Add timestamp to generated events

-------------------------------------------------------------------
Tue May 3 20:35:57 UTC 2022 - Jeff Mahoney

- Fix error handling in tcpsnoop and dnssnoop.
  * If BTF information is unavailable, there is no indication that the query has failed.

-------------------------------------------------------------------
Tue May 3 13:45:09 UTC 2022 - Jeff Mahoney

- Rebase on 0.6.4:
  * Updated dependencies
  * Bugfix: startup bugs (#1680)
  * bugfix: Server event notebook not correctly created (#1737)
  * Bugfix: Start a dummy indexing service (#1736)
  * Add bugfix which would return no rows if the user removed whitelist (#1735)
  * Fixed bug in read_reg_key (#1734)
  * BUGFIX: Do not include config flag when darwin installer is repacked (#1733)
  * Refactored index into its own service. (#1730)
  * Bugfix: Write one index item per JSONL record. (#1727)
  * Bugfix: Estimating client impact should consider last active status (#1726)
  * Add complete ntfs metadata option to MFT output (#1725)
  * Various bugfixes. (#1724)
  * Update Usn.yaml (#1723)
  * Fixed a bug in hunt download preparation. (#1722)
  * Add Windows.Forensics.Usn filter and presentation updates (#1720)
  * Optimize writing event monitoring records (#1721)
  * Add Generic.Detection.Yara.Zip (#1718)
  * Fixed crash on master-pong response. (#1719)
  * Remove _type option from elastic. (#1715)
  * Opportunistically update directly connected client's ping times (#1713)
  * Fixed bug in VQL cell splitting. (#1712)
  * artifact for parsing macos packages (#1706)
  * Bugfix: Create a cell for each collected source (#1710)
  * Added Server.Utils.CollectClient to simplify direct collections (#1708)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1705)
  * Fix build on Go 1.18 (#1704)
  * build(deps): bump minimist from 1.2.5 to 1.2.6 in /gui/velociraptor (#1703)
  * Mft update - add uSecZeros (#1701)
  * Server monitoring service will reload if an artifact is modified (#1702)
  * Refactor client info manager (#1700)
  * A number of bugfixes (#1699)
  * Update Windows.NTFS.MFT (#1698)
  * Actually export HumanString attribute on OSPath (#1689)
  * RHEL/CentOS/Fedora dnf packages (#1684)
  * Implemented Human Readable OSPath method. (#1688)
  * Added lazy MFT attributes (#1685)
  * Maintain OSPath in mft artifacts (#1683)
  * Fix bug in deaddisk remapping of directories. (#1682)
  * Bugfix: startup bugs (#1680)
  * Updated SQLECmd artifacts (#1677)
  * Artifact repository needs to watch for changes across nodes. (#1676)
  * Update auto accessor to re-open file with ntfs if read failed (#1674)
  * Fix MacOS.System.Plist artifact (#1673)
  * Error collection based on VQL logs (#1672)
  * Add memory limiting to offline collector (#1666)
  * Allow mount overlays (#1664)
  * build(deps): bump node-forge from 1.2.1 to 1.3.0 in /gui/velociraptor (#1661)
  * Fixed bugs in remapping logic. (#1660)
  * Fixed bug in the windows auto accessor. (#1658)
  * Elastic.Events.Clients: synchronize parameters with Elastic.Flows.Upload (#1657)
  * Add initial commit for Windows.NTFS.ExtendedAttributes (#1656)
  * Added a shadow remapping type (#1655)
  * Implemented an event notebook (#1654)
  * Add Windows.System.WMIQuery (#1651)
  * Fixed data race in progress throttler. (#1653)
  * Implemented timeout and cpu limits on offline collector. (#1650)
  * Added an rpm server command. (#1647)
  * Artifacts can now define suggestions for notebook cells. (#1646)
  * Allow multiple OIDC authenticators to be specified. (#1645)
  * Added a multi authenticator. (#1644)
  * Add HashHunter hash() update for performance (#1643)
  * Change the DNSCache Artifact to WMI (#1640)
  * Added an uploader for notebooks. (#1639)
  * Added hashselect arg option to hash() (#1637)
  * Add Generic.Detection.HashHunter and tests (#1638)
  * Added Generic.Collectors.SQLECmd (#1635)
  * Add BinaryHunter (#1634)
  * String artifact parameters can now have validator regex (#1628)
  * Implemented CPU rate limited for better control (#1622)
  * Added a client nanny to detect deadlocks (#1621)
  * Linux.Sys.Services artifact, parse services from systemctl (#1619)
  * Collect MAC addresses during interrogation and index them (#1611)
  * Allow parse_ntfs() to operate on an image file. (#1610)
  * Fix regression in VFSGetBuffer (#1605)
  * Added rekey() VQL function (#1604)
  * switch to uninstall string (#1603)
  * freebsd /etc/rc.d/velociraptor service script (#1602)
  * Add Windows.Registry.BackupRestore (#1601)
  * Optimized NTFS code for better speed and added more fields to parse_mft (#1599)
  * Update BinaryRename.yaml (#1598)
  * Added LinuxM1 (#1597)
  * Add explicit check of sticky keys (#1592)
  * Remote data store should identify retryable errors (#1590)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1588)
  * Add test improvement clear system log (#18) (#1586)
  * Modified Windows.Forensics.Prefetch to use VQL binary parser (#1585)
  * add Windows.NTFS.ADSHunter first commit (#17) (#1583)
  * Resolves Velocidex/velociraptor#1543 Create new VQL entropy() function (#1574)
  * Remove C time and updating naming (#1546)
  * fix: gui/velociraptor/package.json & gui/velociraptor/package-lock.json to reduce vulnerabilities (#1568)
  * Update OSPath protocols to support slices. (#1575)
  * Implement array slice notation in VQL and Server.Import.PreviousReleases (#1573)
  * add rtf TemplateInjection to Windows.Detection.TemplateInjection (#1572)
  * Change accessors API to deal with OSPath objects directly. (#1570)
  * Bump follow-redirects from 1.14.4 to 1.14.8 in /gui/velociraptor (#1567)
  * Added a deaddisk command to generate config (#1564)
  * Fix bug in Windows.System.Services (#1565)
  * Fixed glob expand braces order of operations. (#1560)
  * Added an offset and raw_file accessors (#1559)
  * Update CertUtil.yaml (#1558)
  * remove users to include the system path (#1536)
  * Implement remap() VQL function and remapping config (#1555)
  * Make GitHub actions more flexible on Windows (#1549)
  * Bump normalize-url from 4.5.0 to 4.5.1 in /gui/velociraptor (#1548)
  * Fix typo (#1547)
  * Refactor of accessors and path manipulations (#1545)
  * Dns etw update (#1544)
  * add PowershellProfile (#1542)
  * Added dynamic pubsub attributes (#1540)
  * Fix Windows.Applications.Chrome.History (#1539)
  * windows.application to windows.applications merge. New firefox history artefact (#1534)
  * Fixed race condition in zip accessor reference counting. (#1531)
  * Added Windows.Persistence.SilentProcessExit (#1530)
  * Add limitations section and lastwrite timestamp (#1529)
  * Offline collector FetchBinary should respect the IsExecutable flag (#1528)
  * update description, order by, and hidden keypath (#1527)
  * add limitations section (#1520)
  * Avoid holding index lock for too long. (#1519)
  * re-introduce Windows.Collectors.File with deprecation note (#1516)
  * add limitations to description and key path to query (#1514)
  * Retry remote datastore connections (#1513)
  * Write minion log files and autocert in its own dir. (#1512)
  * Synced KapeFiles artifacts (#1511)
  * Added data retention server artifacts (#1510)
  * Set an upper limit for ttl in memcache (#1508)
  * Add updates to Windows.System.Services (#15) (#1509)
  * Ensure collector container is properly closed when interrupted. (#1507)
  * Continually rebuild the index at runtime. (#1506)
  * Harder vacuum - directly move client task directories to the attic. (#1505)
  * add limitation disclaimer (#1504)
  * Reduce critical section to avoid deadlock in repository manager (#1503)
  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
  * Better format profile metrics output. (#1495)
  * Cap size of directories and report large directories. (#1493)
  * Set ACE completers per editor to avoid global state. (#1492)
  * Add HttpOnly flag to all cookies. (#1491)
  * Refactor completion routine calls (#1490)
  * Limit size of cached directories. (#1483)
  * Add more instrumentation to memory caches. (#1482)
  * Fixed chart resizing bug (#1481)
  * Removed the old queries: list from artifacts. (#1480)
  * [Snyk] Fix for 9 vulnerabilities (#1479)
  * Remove lock around critical section. (#1478)
  * Added MacOS.Forensics.AppleDoubleZip (#1476)
  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
  * Make index snapshot frequency configurable (#1474)
  * Bugfix: Setting notebook index did not escape username (#1471)
  * Flush index from memory to disk (#1470)
  * Fixed 2 bugs with the memcache file store (#1469)
  * Update flow active time when the result set is completed (#1468)
  * Tag artifacts as built ins (#1467)
  * Fixed bug in the pathspec() VQL function. (#1465)
  * fix APIConfigLoader not applying command line args (#1463)

-------------------------------------------------------------------
Mon May 02 14:55:07 UTC 2022 - jeffm@suse.com

- Resync with git repository:
  * Add artifact to monitor user group updates (#24)
  * Add dnssnoop plugin (#15)
  * Log Sudo/root command by auditd
  * Add custom artifacts for login and logout attempts recorded by auditd

-------------------------------------------------------------------
Fri Mar 18 14:12:59 UTC 2022 - jeffm@suse.com

- Update to version 0.6.3~git19.640f7a1c:
  * Add tcpsnoop plugin

-------------------------------------------------------------------
Tue Mar 15 13:31:21 UTC 2022 - jeffm@suse.com

- Update to version 0.6.3~git17.741ebb59:
  * kafka-humio-gateway: update README.md
  * kafka-humio-gateway: Fix missing variable rename
  * Add Kafka-Humio Gateway [Depends on PR#10] (#8)

-------------------------------------------------------------------
Tue Mar 15 01:04:29 UTC 2022 - jeffm@suse.com

- Update to version 0.6.3~git13.af7fdb00:
  * SUSE: Add SSHLogin artifacts
  * Add a Kafka export plugin
  * SUSE: Do build tests on every pull request
  * Add systemd-dev as build dependency for github workflow

-------------------------------------------------------------------
Fri Feb 18 00:52:01 UTC 2022 - jeffm@suse.com

- Update to version 0.6.3~git6.d95ed32e:
  * Update the Linux.Events.SSHLogin artifact to scan the systemd journal
  * Update the Linux.Syslog.SSHLogin artifact to scan the systemd journal
  * Add parser to read systemd journal on Linux
  * Add an artifact to enumerate immutable files under a path
  * Add chattr function support for linux
  * Make GitHub actions more flexible on Windows

-------------------------------------------------------------------
Thu Feb 10 02:12:54 UTC 2022 - Jeff Mahoney

- Add simple default configs and provide dirs in /var/lib for client and server.

-------------------------------------------------------------------
Mon Feb 7 14:40:47 UTC 2022 - Jeff Mahoney

- Temporarily re-enable Windows artifacts (LSS#4).

-------------------------------------------------------------------
Wed Feb 2 18:10:19 UTC 2022 - Jeff Mahoney

- Added systemd unit file and placeholder config file.

-------------------------------------------------------------------
Thu Jan 27 17:33:45 UTC 2022 - jeffm@suse.com

- Update to version 0.6.3~git0.69e0fffa:
  * Prepare for 0.6.3 release (#1515)
  * add limitations to description and key path to query (#1514)
  * Retry remote datastore connections (#1513)
  * Write minion log files and autocert in its own dir. (#1512)
  * Synced KapeFiles artifacts (#1511)
  * Added data retention server artifacts (#1510)
  * Set an upper limit for ttl in memcache (#1508)
  * Add updates to Windows.System.Services (#15) (#1509)
  * Ensure collector container is properly closed when interrupted. (#1507)
  * Continually rebuild the index at runtime. (#1506)
  * Harder vacuum - directly move client task directories to the attic. (#1505)
  * add limitation disclaimer (#1504)
  * Reduce critical section to avoid deadlock in repository manager (#1503)
  * Implemented a vacuum command to remove old tasks from client queues. (#1501)
  * Better format profile metrics output. (#1495)
  * Cap size of directories and report large directories. (#1493)
  * Set ACE completers per editor to avoid global state. (#1492)
  * Add HttpOnly flag to all cookies. (#1491)
  * Refactor completion routine calls (#1490)
  * fix: upgrade react-bootstrap from 1.3.0 to 1.6.4 (#1486)
  * fix: upgrade http-proxy-middleware from 1.0.5 to 1.3.1 (#1485)
  * fix: upgrade react-ace from 9.1.3 to 9.5.0 (#1487)
  * fix: upgrade recharts from 2.0.9 to 2.1.8 (#1488)
  * fix: upgrade react-datetime-picker from 3.0.4 to 3.4.3 (#1489)
  * Limit size of cached directories. (#1483)
  * Add more instrumentation to memory caches. (#1482)
  * Fixed chart resizing bug (#1481)
  * Removed the old queries: list from artifacts. (#1480)
  * [Snyk] Fix for 9 vulnerabilities (#1479)
  * Remove lock around critical section. (#1478)
  * Added MacOS.Forensics.AppleDoubleZip (#1476)
  * Update Windows.Persistence.PermanentWMIEvents to add blind custom namespace detection (#13) (#1475)
  * Make index snapshot frequency configurable
  * fix APIConfigLoader not applying command line args (#1463)
  * Flush index from memory to disk (#1470)
  * Prepare RC2 (#1473)
  * Bugfix: Setting notebook index did not escape username (#1471)
  * Fixed 2 bugs with the memcache file store (#1469)
  * Update flow active time when the result set is completed (#1468)
  * Tag artifacts as built ins (#1467)
  * Fixed bug in the pathspec() VQL function. (#1465)
  * Update PrivateKeys.yaml (#1459)
  * Added recursion_callback option to the glob plugin (#1461)
  * Added config wizard for multi-frontend configuration (#1460)
  * Calculate the sha256 hash of the offline container. (#1458)
  * Artifact inspection GUI now allows pivot. (#1457)
  * Client certs can now be specified in the config file. (#1456)
  * New Upload File Form element (#1455)
  * Added a sparse accessor (#1453)
  * Hunt wizard estimates clients affected (#1452)
  * Make the interrogation process customizable. (#1451)
  * Update Info.yaml (#1427)
  * Improved Lnk parser to include additional fields. (#1449)
  * Added a Yara GUI element editor. (#1447)
  * Added patch and merge to `config show` and `config generate` (#1445)
  * Remove usage of FatalIfError from main module (#1443)
  * Introduced a dedicated pathspec object (#1440)
  * Bump is-svg from 4.2.2 to 4.3.0 in /gui/velociraptor (#1437)
  * Only pass client config in the client VQL scope. (#1436)
  * rework protobuf message generator (#1435)
  * Update Autoruns.yaml
  * Added test for filefinder (#1431)
  * fix filters in filefinder artifact (#1430)
  * Add Artifact to collect KapeFile targets on Linux (#1426)
  * Enabled lazy quotes on csv parser (#1424)
  * Fixed bug in client comms. (#1423)
  * Add document filter for better usability (#1421)
  * Added resource information to the output of parse_pe() (#1420)
  * Low latency client connectivity discovery (#1419)
  * Add RecentDocs collection (#1416)
  * Update Amcache artifact for clarity (#1415)
  * Added extra parameters to parse_csv() (#1413)
  * Added netcat plugin to read from socket (#1412)
  * Updated SRUM with Network Usage and Upload option (#1408)
  * Synced darwin and freebsd file accessor with the linux one. (#1409)
  * Added Windows.Forensics.SAM artifact (#1404)
  * Initial artifacts can be specified in config (#1403)
  * Add conhost.exe to binary rename (#1402)
  * Add update Prefetch Btime execution fix (#1398)
  * Update Prefetch timeline (#1397)
  * Cleanup search API (#1396)
  * Update protobuf dependencies. (#1394)
  * More multi-frontend optimizations (#1393)
  * Client info manager now keeps track of scheduled tasks. (#1392)
  * add sid and lookupsid plugin (#1388)
  * Add Mutant whitelist (#1387)
  * Notify currently connected clients on new hunts (#1386)
  * Index rebuild command loads new index service. (#1385)
  * Changes to support distributed architecture. (#1384)
  * Added procdump and procdump64 (#1382)
  * Fixed heavy mutex contention in the labeler. (#1375)
  * Add shellcode to CobaltStrike carver (#10) (#1373)
  * Added an index rebuild command. (#1369)
  * GUI artifact form was ignoring the friendly name attribute (#1368)
  * Added a specialized form element for regex parameters. (#1367)
  * Added a gRPC based remote datastore (#1366)
  * Display all subauthorities for GUID in SRUM (#1365)
  * Verify all gRPC peer certificates were signed by the Velociraptor CA (#1362)
  * Implemented MemcacheFileDatastore - memory caching with file backend (#1361)
  * Added new plugins to manipulate event tables easier. (#1355)
  * Refactored in memory datastore to be more efficient. (#1353)
  * Sync vfilter (#1351)
  * Add both fqdn and hostname to the client search table (#1350)
  * BUGFIX: Datastore on windows is unable to represent files with . (#1348)
  * Added buffer_size parameter to parse_records_with_regex() (#1347)
  * Propagate column types from artifact to flow notebook. (#1346)
  * Cobalt parser update (#1345)
  * Allow listener to not use file buffer. (#1344)
  * Fix Deployment documentation link in README (#1343)
  * Preserve uint64 types across Listener (#1341)
  * Fix spelling (#1339)
  * Refactored queue listener to preserve order. (#1340)
  * Added a magic() VQL function (#1338)
  * Fixed bug in CSS (#1337)

-------------------------------------------------------------------
Thu Jan 27 17:27:42 UTC 2022 - jeffm@suse.com

- Update to version 0.6.2~git0.8dd598b2:
  * Update ese parser to fix timestamp bug
  * Prepare final 0.6.2 release (#1363)
  * Verify all gRPC peer certificates were signed by the Velociraptor CA
  * Removed search index parallelism (#1358)
  * Added new plugins to manipulate event tables easier. (#1355)
  * Sync vfilter (#1351)
  * Add both fqdn and hostname to the client search table (#1350)
  * BUGFIX: Datastore on windows is unable to represent files with . (#1348)
  * Added buffer_size parameter to parse_records_with_regex() (#1347)
  * Propagate column types from artifact to flow notebook. (#1346)

-------------------------------------------------------------------
Thu Jan 06 20:14:39 UTC 2022 - jeffm@suse.com

- Update to version 0.6.2~git73.dc02b45e:
  * Update PrivateKeys.yaml (#1459)
  * Added recursion_callback option to the glob plugin (#1461)
  * Added config wizard for multi-frontend configuration (#1460)
  * Calculate the sha256 hash of the offline container. (#1458)
  * Artifact inspection GUI now allows pivot. (#1457)
  * Client certs can now be specified in the config file. (#1456)
  * New Upload File Form element (#1455)
  * Added a sparse accessor (#1453)
  * Hunt wizard estimates clients affected (#1452)
  * Make the interrogation process customizable. (#1451)

-------------------------------------------------------------------
Tue Dec 21 20:25:43 UTC 2021 - Jeff Mahoney

- Disable Windows artifacts. We don't target Windows endpoints and the queries clutter the GUI.

-------------------------------------------------------------------
Thu Dec 16 14:12:05 UTC 2021 - Jeff Mahoney

- Switch to using master branch via service files.
- Added update-vendoring.sh to update the nodejs and go dependencies after version update.
- Patch the version string to reflect the package version instead of an indistinguishable -dev.

-------------------------------------------------------------------
Thu Dec 2 01:46:34 UTC 2021 - Jeff Mahoney

- Initial packaging.
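Added example, not code from the SUSE package or from Velociraptor itself. The "Fix error handling in tcpsnoop and dnssnoop" entry above records that when BTF type information was missing there was no indication that the query had failed, and the vmlinux.h entry ships type information for x86_64 only. A CO-RE probe loader can make that failure explicit by validating the kernel's BTF blob before any attach is attempted and returning one sentinel error the caller can test for. Assumptions: the /sys/kernel/btf/vmlinux path, a little-endian host, and the SampleBTF helper, which builds a constructed minimal blob for the example only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// Header constants from the kernel's uapi/linux/btf.h. The header is in
// native byte order; this example assumes a little-endian host (x86_64).
const (
	btfMagic     = 0xeB9F
	btfVersion   = 1
	btfHeaderLen = 24
)

// DefaultBTFPath is where kernels built with CONFIG_DEBUG_INFO_BTF expose
// their type information (assumed default for this example).
const DefaultBTFPath = "/sys/kernel/btf/vmlinux"

// ErrNoBTF wraps every "no usable BTF" condition so callers can test for it
// with errors.Is and refuse to attach CO-RE probes instead of failing silently.
var ErrNoBTF = errors.New("kernel BTF unavailable or malformed")

// BTFHeader mirrors struct btf_header. Section offsets are relative to the
// end of the header, not to the start of the blob.
type BTFHeader struct {
	Magic   uint16
	Version uint8
	Flags   uint8
	HdrLen  uint32
	TypeOff uint32
	TypeLen uint32
	StrOff  uint32
	StrLen  uint32
}

// ParseBTFHeader validates a raw BTF blob far enough to decide whether a
// loader could use it: magic, version, header size, section bounds and the
// mandatory empty string at the start and NUL at the end of the string section.
func ParseBTFHeader(b []byte) (BTFHeader, error) {
	var h BTFHeader
	if len(b) < btfHeaderLen {
		return h, fmt.Errorf("%w: blob is %d bytes, header needs %d", ErrNoBTF, len(b), btfHeaderLen)
	}
	le := binary.LittleEndian
	h.Magic = le.Uint16(b[0:2])
	h.Version = b[2]
	h.Flags = b[3]
	h.HdrLen = le.Uint32(b[4:8])
	h.TypeOff = le.Uint32(b[8:12])
	h.TypeLen = le.Uint32(b[12:16])
	h.StrOff = le.Uint32(b[16:20])
	h.StrLen = le.Uint32(b[20:24])

	if h.Magic != btfMagic {
		return h, fmt.Errorf("%w: bad magic 0x%04x", ErrNoBTF, h.Magic)
	}
	if h.Version != btfVersion {
		return h, fmt.Errorf("%w: unsupported version %d", ErrNoBTF, h.Version)
	}
	if h.HdrLen < btfHeaderLen {
		return h, fmt.Errorf("%w: hdr_len %d too small", ErrNoBTF, h.HdrLen)
	}
	// 64-bit arithmetic so hostile offsets cannot wrap past the blob length.
	size := uint64(len(b))
	if uint64(h.HdrLen)+uint64(h.TypeOff)+uint64(h.TypeLen) > size {
		return h, fmt.Errorf("%w: type section exceeds blob", ErrNoBTF)
	}
	strStart := uint64(h.HdrLen) + uint64(h.StrOff)
	if h.StrLen == 0 || strStart+uint64(h.StrLen) > size {
		return h, fmt.Errorf("%w: string section missing or exceeds blob", ErrNoBTF)
	}
	if b[strStart] != 0 || b[strStart+uint64(h.StrLen)-1] != 0 {
		return h, fmt.Errorf("%w: string section not NUL-delimited", ErrNoBTF)
	}
	return h, nil
}

// CheckBTF reads a BTF file and reports an explicit error instead of letting
// a later CO-RE relocation or attach fail without explanation.
func CheckBTF(path string) (BTFHeader, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return BTFHeader{}, fmt.Errorf("%w: %v", ErrNoBTF, err)
	}
	return ParseBTFHeader(b)
}

// SampleBTF returns a constructed, minimal but well-formed blob: a 24-byte
// header, an empty type section and a one-byte string section holding the
// mandatory empty string. It exists only for this example.
func SampleBTF() []byte {
	b := make([]byte, btfHeaderLen+1)
	le := binary.LittleEndian
	le.PutUint16(b[0:2], btfMagic)
	b[2] = btfVersion
	le.PutUint32(b[4:8], btfHeaderLen)
	le.PutUint32(b[20:24], 1) // str_len = 1; b[24] is already the NUL byte
	return b
}

func main() {
	if _, err := CheckBTF(DefaultBTFPath); err != nil {
		fmt.Println("refusing to load CO-RE probes:", err)
		os.Exit(1)
	}
	fmt.Println("kernel BTF present; CO-RE probes can be attached")
}
```

Running the binary on a kernel without CONFIG_DEBUG_INFO_BTF exits non-zero with the wrapped os error, which is the behaviour the changelog entry asks for; a plugin that embeds a vmlinux.h for one architecture can make the same check before deciding whether its compiled-in types are trustworthy on the running kernel.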