Mike Cohen edited this page May 29, 2021 · 5 revisions

Getting the latest release version

Releases are tagged using a consistent naming scheme, but there may be deviations (for example when a bugfix is released). The most reliable way to fetch the latest binary automatically is through the GitHub API. For example, the download URL of the latest Windows amd64 binary can be obtained with:

curl -s https://api.github.com/repos/velocidex/velociraptor/releases/latest | jq -r 'limit(1; (.assets[].browser_download_url | select(contains("windows-amd64.exe"))))'
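The same selection in Python, added here as an example and not part of this wiki or the Velociraptor project: it runs against a constructed sample shaped like the GitHub "latest release" response (tag, asset names and URLs are placeholders) and shows why matching on the full asset name is safer than jq's substring contains() when asset names share a prefix. Only fetch_latest_release touches the network.

```python
import json
import urllib.request

API = "https://api.github.com/repos/velocidex/velociraptor/releases/latest"

# Constructed sample shaped like the GitHub "latest release" response. The
# tag and asset names are placeholders, not a real Velociraptor release.
SAMPLE_RELEASE = json.dumps({
    "tag_name": "v0.0.0-example",
    "prerelease": False,
    "assets": [
        {"name": "velociraptor-v0.0.0-example-linux-amd64",
         "browser_download_url": "https://example.invalid/dl/linux-amd64"},
        {"name": "velociraptor-v0.0.0-example-windows-amd64.exe",
         "browser_download_url": "https://example.invalid/dl/windows-amd64.exe"},
        # Hypothetical sibling asset whose name starts with the .exe name.
        {"name": "velociraptor-v0.0.0-example-windows-amd64.exe.sig",
         "browser_download_url": "https://example.invalid/dl/windows-amd64.exe.sig"},
    ],
})


def fetch_latest_release(url: str = API) -> str:
    """Fetch the latest-release JSON from GitHub (network; not used by the test)."""
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def substring_matches(release_json: str, needle: str) -> list[str]:
    """Asset names that jq's contains(needle) would select: any name containing it."""
    release = json.loads(release_json)
    return [a["name"] for a in release.get("assets", []) if needle in a["name"]]


def select_asset(release_json: str, suffix: str) -> str:
    """Return the download URL of the one asset whose name ends with suffix.

    Raises LookupError unless exactly one asset matches, so a renamed or
    newly added sibling asset fails loudly instead of silently picking the
    first hit the way limit(1; ...) does.
    """
    release = json.loads(release_json)
    hits = [a for a in release.get("assets", []) if a["name"].endswith(suffix)]
    if len(hits) != 1:
        raise LookupError(f"expected one asset ending in {suffix!r}, got {[a['name'] for a in hits]}")
    return hits[0]["browser_download_url"]


if __name__ == "__main__":
    print(select_asset(SAMPLE_RELEASE, "windows-amd64.exe"))
```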

Debugging the configuration

Inspecting certificates

Sometimes it is useful to inspect the certificates embedded in the config file, e.g. with openssl. Since the certificates are in the YAML file you can copy them out and un-indent them in an editor, but this is somewhat quicker:

velociraptor --config ~/client.config.yaml config show --json | jq -r ".Client.ca_certificate" | openssl x509 -text

This works by exporting the config as JSON and then using jq to extract the right field to stdout, which openssl reads.

Using Stand-alone Collectors with CrowdStrike RTR

I haven't tested completely why this isn't working, but if you attempt to execute a Stand-alone Collector via CrowdStrike RTR nothing happens. As an example, let's assume you created a collector for a Mini Timeline (ex. vr_mini_timeline.exe) and uploaded it to CrowdStrike's cloud; calling it via PUT files, it executes successfully, but no output is generated.

A quick workaround is simply calling it via PowerShell. As another quick example, if you use PUT files and drop the collector in the C:\CrowdStrike\Files directory, you can use RUNSCRIPT to execute the collector.

The following will execute the collector defined in the previous example just fine and produce output:

Start-Process -FilePath "C:\CrowdStrike\Files\vr_mini_timeline.exe"

You can simply grab the file and go, or upload to a cloud resource as the Velocidex team have included it into their Stand-alone Collector build tool.