
Denote clients where Velociraptor has been manually uninstalled

Open H2Cyber opened this issue 3 years ago • 1 comment

A manually uninstalled Velociraptor client is usually an interesting red flag to watch for. Could there be a mechanism to notify Velociraptor admins (via the UI) about systems where the client has been manually uninstalled? For example an extra colour (different than the green / yellow / red) to denote such systems?

H2Cyber avatar Sep 11 '22 17:09 H2Cyber

How can we detect this condition? If the service is stopped then the process is killed and we cannot communicate to the server any more.

You can tell outside of Velociraptor, for example by SCCM or Group Policy, or maybe it's possible to run a scheduled task to check. I even saw a Canary token technique recently https://twitter.com/malmoeb/status/1567612799605424129?t=tBFRn-noiMHmTL12WkrnZg&s=19 that looked really clever.

It's a great idea but ultimately ends up being a game of cat and mouse. Currently we don't have kernel anti-tampering and that is really the best solution here. We just rely on system level access controls to protect the service.

scudette avatar Sep 11 '22 23:09 scudette
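One way to implement the out-of-band scheduled-task check suggested in the thread, as an added PowerShell example that is not code from the Velociraptor project or from either commenter. It assumes the client is registered as a Windows service named `Velociraptor` and uses a hypothetical event source name (`VelociraptorHealthCheck`) so the result lands in the Application log, where Windows Event Forwarding or a SIEM can pick it up; it also goes one step beyond a plain service check by verifying that the service binary still exists on disk.

```powershell
# Out-of-band health check for the Velociraptor client, meant to run as SYSTEM
# from a scheduled task or a Group Policy startup script.
# Assumptions (adjust for your deployment): the client is installed as the
# Windows service 'Velociraptor'; the event source name below is hypothetical.
param(
    [string]$ServiceName = 'Velociraptor',
    [string]$LogSource   = 'VelociraptorHealthCheck'
)

# Register the event source once (requires elevation) so the events are collectable.
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-Health([string]$Type, [int]$Id, [string]$Message) {
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId $Id `
        -Message "$Message (host: $env:COMPUTERNAME)"
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    # The service registration itself is gone: consistent with a manual uninstall.
    Write-Health 'Error' 1001 "Velociraptor client service '$ServiceName' is not installed."
    exit 2
}

# Resolve the executable path from the service's command line, e.g.
#   "C:\Program Files\Velociraptor\Velociraptor.exe" service run
$cim     = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$cmdLine = [string]$cim.PathName
$exePath = if ($cmdLine.StartsWith('"')) { $cmdLine.Split('"')[1] } else { $cmdLine.Split(' ')[0] }

if (-not (Test-Path -LiteralPath $exePath)) {
    # Service entry survives but the binary was deleted: the service will fail on next start.
    Write-Health 'Error' 1002 "Service '$ServiceName' exists but its binary '$exePath' is missing."
    exit 2
}

if ($svc.Status -ne 'Running') {
    # Present and intact but not running: stopped or disabled, worth a warning.
    Write-Health 'Warning' 1003 "Service '$ServiceName' is present but in state '$($svc.Status)'."
    exit 1
}

Write-Health 'Information' 1000 "Service '$ServiceName' is running from '$exePath'."
exit 0
```

Alerting on event IDs 1001 to 1003 from this source (or on the scheduled task itself silently stopping) gives the admin-side notification the issue asks for, independent of the client's own check-in.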