Release v0.6.3

[scudette]

This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features please read the release notes here https://docs.velociraptor.app/blog/2022/2022-01-05-release-notes-0.6.3/

This release adds more support for the multi-frontend configuration - if you would like to try this new deployment method, read more about it here https://docs.velociraptor.app/docs/deployment/cloud/multifrontend/

Notable features

• Search index is now stored in memory at runtime - this makes searching much faster and allows us to search for things like IP address.
• New artifact parameter types for regex and yara have specialised UI elements for users to enter yara and regex expressions.
• It is now possible to override Generic.Client.Info artifact for a custom interrogation process.
• Hunt wizard can estimate the total number of clients that may be affected by a label/OS condition
• New Upload File Form element - Users can upload a file to an artifact parameter on an adhoc basis (similar but more light weight than an artifact tool)
• Root certs can now be specified in the config file. This allows use of self signed servers (e.g MITM proxies). Root certs are now bundled in Velociraptor and we do not use the OS root store.
• Search index is now recalculated periodically and snapshotted into the filestore. There is no need to rebuild the index any more.

VQL Functions and plugins

• Added Windows.Forensics.SAM artifact for parsing the SAM
• Improvement to SRUM artifact
• The parse_csv() plugin is now more robust and can accept columns not from the header
• The parse_pe() function now contains full PE resource information
• VQL accessors that used URLs to denote delegated accessors now support a dedicated pathspec() object. This is more reliable than a URL if a bit more verbose.
• Improve Windows.Forensics.Lnk parser to include addtional fields like the name, WorkingDir, RelativePath, Arguments
• The Windows.Detection.Yara.PhysicalMemory artifact allows a yara scan of physical memory accessed via the winpmem driver.
• Added recursion_callback option to the glob plugin - this allows more fine grained control of the glob() plugin recursing into directories, for both better efficiency and safer access.
• Introduced the Server.Utils.DeleteManyFlows and Server.Utils.DeleteMonitoringData artifacts to help manage server disk space by remove old data.

Upgrade notes

• The Windows.Collectors.File artifact was renamed to Generic.Collectors.File - custom artifacts may need to be updated, or simply add a redirection artifact (e.g. re-introduce Windows.Collectors.File with deprecation note #1516)

---

This discussion was created from the release Release v0.6.3.