Custom Artifacts
This is a collection of custom artifacts donated by the community. They are not as well tested as the officially maintained artifacts but might be useful.
Be sure to test these thoroughly prior to using them in real life.
Process Creation Tracking EventID 4688
JumpLists - via Eric Zimmerman's JLECmd
Windows.Services.Hashes - Hash binaries of installed services
Query the available Volume Shadows
Query and then Upload a file from a Volume Shadow
Yara scan for relevant event logs
In this configuration, Velociraptor can be made to automatically run and collect all needed files when double clicked.
Uploader with memory acquisition
Label clients containing a username
Send a Slack message when a username appears
Create an alert in TheHive when an artifact returns a result
Auto-load updated artifacts from disk
These artifacts can be run from the "Server Artifacts" screen. Collecting them performs some kind of management task on the server itself.
Server.Hunts.CancelAndDelete - Cancel an inflight hunt and maybe delete all collected files