This artifact forces the client to regenerate its client id.
This is normally not needed! You will only need to use this artifact in very specific situations, such as when the Velociraptor client was accidentally incorporated into a VM image with an existing writeback file. This will cause multiple cloned systems to connect with the same client id, and the server will then reject those clients with a HTTP “409 Rejected” message.
If this happens, you can use the Server.Monitor.ClientConflict artifact to
schedule collection of this artifact against rejected clients automatically.
The Wait parameter controls how long we wait before restarting the client.
Reduce this number if you need to rekey a lot of clients quickly.
name: Generic.Client.Rekey
description: |
This artifact forces the client to regenerate its client id.
This is normally not needed! You will only need to use this artifact in very
specific situations, such as when the Velociraptor client was accidentally
incorporated into a VM image with an existing writeback file. This will cause
multiple cloned systems to connect with the same client id, and the server
will then reject those clients with a HTTP "409 Rejected" message.
If this happens, you can use the `Server.Monitor.ClientConflict` artifact to
schedule collection of this artifact against rejected clients automatically.
The `Wait` parameter controls how long we wait before restarting the client.
Reduce this number if you need to rekey a lot of clients quickly.
required_permissions:
- EXECVE
parameters:
- name: Wait
description: Wait this long before restarting the client.
type: int
default: '10'
sources:
- query:
SELECT rekey(wait=Wait) FROM scope()