-
|
Hello team, I have a question about the hunt. Whenever we run a client artifacts using the hun, does it upload the collected results to the velociraptor server? While I was looking I saw a file with the name of the hunt ID on the server. Is that the file that contains the results? For how long does that file stay on the server? A second part of this question is that, If I stop the hunt and run it again, the hunt ID remains the same, so what happens on the server side, will it delete the existing collected run and create the newly collected, or it will collect the difference only? Sorry if my question is not much clear. |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 3 replies
-
|
A hunt is just a logical grouping of collections. The data is upload to individual collections in the server for each client. That file you saw contains metadata about the hunt like what artifacts to collect etc. If you stop and start a hunt it just stops new clients from being scheduled. A client can not automatically run the collection for the hunt again so it will just resume what it was doing. You can manually redo a hunt or add collections to a hunt with the GUI or hunt_add() vql |
Beta Was this translation helpful? Give feedback.
-
|
Hi team, Following the same question, If I need to perform acquisition/artifacts collection using "Kapre Target Collection" or any other artifacts, for the post-processing, is it necessary to Download the results? |
Beta Was this translation helpful? Give feedback.
-
|
No you can do the post processing on the server itself. If all you are going to do is to run the usual artifacts on the collected data. You normally only need to download the data to use some other tool with it Here is an article that explains the process https://docs.velociraptor.app/blog/2022/2022-08-04-post-processing/ but ideally it is but really necessary as you would already collect the data you need in the first place. Ie instead of collecting .pf files and then parsing them on the server, just parse the prefetch directly on the endpoint and receive the parsed and targeted output (eg time boxed etc) |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, Mike. It seems I figured out what I was looking for. Whenever we run a hun it will collect the requested files and upload them to each client opt/velociraptor/clients/ClientID/collections/FlowID/uploads directory. and when then we click on download from the GUI, it will create a package in the download directory (/opt/velociraptor/downloads/hunts) containing all the files related to that hunt from all the clients. For post-processing, we can then use either option. Downloaded artifacts or the upload for each client in the clientID directory. I hope my understanding is correct. |
Beta Was this translation helpful? Give feedback.
-
|
Yep this is correct. In velociraptor everything is just a file so you can access it directly if you want or copy it automatically somewhere |
Beta Was this translation helpful? Give feedback.
-
|
Thank you, Mike. Much appreciated your quick response. |
Beta Was this translation helpful? Give feedback.
A hunt is just a logical grouping of collections. The data is upload to individual collections in the server for each client.
That file you saw contains metadata about the hunt like what artifacts to collect etc.
If you stop and start a hunt it just stops new clients from being scheduled. A client can not automatically run the collection for the hunt again so it will just resume what it was doing.
You can manually redo a hunt or add collections to a hunt with the GUI or hunt_add() vql