Velociraptor: Digging Deeper
Welcome to the Velociraptor: Digging Deeper Presentation Site.
Velocon 2022: Cloud Velociraptor by Mike Cohen
A new Velociraptor using Cloud technologies!
Cloud Native Velociraptor
Overview
Velociraptor's design goals
New use cases!
Take a trip down memory lane...
History of Velociraptor
GRR Overview
Velociraptor was born!
Going small to go big!!
But we want to go bigger!
Multi Frontend Velociraptor
Multi-frontend Architecture
Velociraptor in the cloud
Organization of codebase
Velociraptor Services
Cloud Velociraptor
Cloud Architecture
Current limitations
Future improvements
Conclusions
Velocon 2022: Year In Review by Mike Cohen
An exciting year of Velociraptor!
Velociraptor - Year In Review
The year was a productive year!
Glob plugin has recursion_callback
Purpose built notebooks
Defining a notebook cell inside the artifact
Cell is available as a suggestion
Instant post processing
Built in binary parser
Profile based binary parser
The Lnk parser artifact
Parsing Cobalt Strike config
In-memory search index
Estimating hunt impact
Parse PE and Authenticode
Many artifact parameter types
Artifact parameters have different types
Multiple OAuth2 Providers
Supporting multiple Identity providers
The Velociraptor Knowledge base and Artifact Exchange
The artifact Exchange
The Knowledge Base
More accurate path handling in VQL
OSPath supports inherent path manipulations
Dead disk analysis
The process tracker
Accurate process call chains
GUI improvements
Multi-Org support
Multi Org feature
Resource controls on endpoint
Fine grained control over endpoint impact
Performance and scalability
Multi Frontend design
Example of a large deployment
The Future awaits!
We need your help!
Conclusions
DFRWS APAC 2022: Velociraptor Workshop by Mike Cohen
Introduction to Velociraptor...
Velociraptor: Digging Deeper…
Overview
Prerequisites
Additional tools
Overview
What is Velociraptor?
Deployment overview
Typical deployments
GUI Tour
Velociraptor Installation and GUI tour
Create a local server
Your Velociraptor is ready to use!
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Introduction to Artifacts
Velociraptor Artifacts
Why a query language?
What is VQL?
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge
Anatomy of an artifact
Collecting new artifacts
Configuring the artifact collection
Configuring collection resource limits
What do artifacts return?
Uploaded files
Artifact query logs
Artifacts return multiple tables (sources)
Exporting artifact collections
Introduction to VQL
VQL - Velociraptor's magic sauce
Velociraptor Artifacts
Velociraptor Query Language
The Artifact Exchange
Automatically import Exchange
Manually importing artifact packs
Finding files
Windows.Search.FileFinder
Exercise
Hunt: Disabling Event Logs
Querying the registry
The Windows Registry
Example: Disable event logs
What is BITS? Why should we care?
What is BITS?
Disable event logs
Query the registry for event log config
We can get a snapshot of all event logs
Being more targeted in collection
More targeted in collection
Post processing with notebooks
Hunting at scale
Hunting - mass collections
Exercise - baseline event logs
Pool clients
Create a hunt
Select hunt artifacts
Collect results
Exercise - Stacking
Stacking can reveal results that stand out
NTFS Forensics
NTFS Overview
New Technology File System
MFT entries contain attributes
NTFS Analysis
Finding suspicious files
Windows.Forensics.FilenameSearch
Windows.NTFS.MFT
Exercise - Generate test data
More setup
Exercise
The USN journal
USN Journal
Exercise - Windows.Forensics.Usn
Exercise - UsnJ solution
Advanced NTFS: Alternate Data Stream
MSBuild based attacks
MSBuild based attacks
Microsoft Build Engine
MSBuild: Cobalt Strike teamserver
MSBuild: Detection ideas
MSBuild: Disk - template file
MSBuild: Disk - template
Detection ideas
MSBuild: Exercise description
MSBuild exercise
MSBuild Exercise
MSBuild: Evidence of execution - prefetch
Windows.Detection.PrefetchHunter
Memory artifacts
Detect Cobalt Strike Beacon
Inject beacon into process
Search for beacon in memory
Detecting Cobalt Strike in memory
Decoding Cobalt Strike Config
Extract configuration data from memory
Event Monitoring
Monitoring events from endpoints
What are event artifacts?
Client event tables
Enable sysmon collection
Viewing Sysmon events relayed to the server
Turning artifacts into a detection
Windows.Events.EventLogModifications
System changes relayed to server
USN Journal monitoring
USN Journal
Windows.Detection.USN
Inspect streaming results
Tracking Processes
The process tracker
What is the point of Forensics?
Tracking processes
The process tracker
Exercise: Enable the process tracker
Emulate a typical attack
Inspect the notepad process
Using Generic.System.Pstree
View process tree
Inspect the process call chain
Event Tracing For Windows: Process Spoofing
Event Tracing For Windows
Event Tracing for Windows (ETW)
How does ETW work?
ETW Providers
View ETW providers registered
Monitoring the ETW stream
WEP Explorer shows the different events available
Monitoring for DNS sources
Collecting DNS lookup from the entire fleet
Unique ETW sources: Process parent spoofing
Process Spoofing
SelectMyParent.exe
Can sysmon detect it?
Cobalt Strike process parent spoof
Microsoft-Windows-Kernel-Process provider
Windows.ETW.DetectProcessSpoofing
Installing parent spoofing detection in Velociraptor
False positives - UAC elevation
Conclusions
What did we not cover?
Conclusions
SANS DFIR Summit 2022: Digging Deeper... by Mike Cohen
Incident Response On Linux
Digging Deeper...
What is Velociraptor?
Deployment overview
Traditional DFIR
The Velociraptor way
VQL - Query Language
Incident Response on Linux
Traditional approach
Parsing SSH login events
Grok for parsing syslogs
Let's use VQL to parse ssh events
Filter lines and apply Grok
Artifacts: Encapsulating VQL
Linux.Syslog.SSHLogin artifact
Collecting the artifact
The Velociraptor Community
Automatically Import Exchange Artifacts
Hunt and Post Process
Post process using VQL in Notebook
Example 2
Traditional approach
How can I tell if a file is protected?
Parsing files with VQL
Parsing binary data
Binary parser built in VQL
Hunting for unprotected keys
Hunt all systems…
Enriching information
PSExec attack
Suspicious Notepad?
Velociraptor's PSTree
What led to this process?
The process tracker...
Traditional approach
Conclusions
Conclusions
Introduction to Velociraptor by Mike Cohen
Overview
What is Velociraptor?
Deployment overview
Typical deployments
GUI Tour
Velociraptor Installation and GUI tour
Create a local server
Your Velociraptor is ready to use!
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Introduction To Artifacts
Velociraptor Artifacts
Why a query language?
What is VQL?
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge
Anatomy of an artifact
Collecting new artifacts
Configuring the artifact collection
Configuring collection resource limits
What do artifacts return?
Uploaded files
Artifact query logs
Artifacts return multiple tables (sources)
Exporting artifact collections
NTFS Forensics
NTFS Overview
New Technology File System
MFT entries contain attributes
NTFS Analysis
Finding suspicious files
Windows.Forensics.FilenameSearch
Windows.NTFS.MFT
Exercise - Generate test data
More setup
Exercise
The USN journal
USN Journal
Exercise - Windows.Forensics.Usn
Exercise - UsnJ solution
Advanced NTFS: Alternate Data Stream
Exercise: Mounting ISOs in Windows
Artifacts Of Autumn #37
Mounting ISO files in Windows
Exercise - Atomic Red Team
Detecting the attack
The offline collector
Offline collection
Why Offline collection?
Create an offline collector
Selecting the Windows.KapeFiles.Targets artifact
Configuring the collector to encrypt output
Downloading the prepared binary
Offline collector binaries
Acquire data!
Acquired file is encrypted
Importing into Velociraptor
Import the collection into the Velociraptor server
Inspect the import process
Inspect the collected data
Exercise: Bitsadmin Service
Artifacts Of Autumn #38
Bitsadmin service
Exercise - Atomic Red Team
Detecting the attack
Detecting EventLogs Disabling
Querying the registry
The Windows Registry
Example: Disable event logs
What is BITS? Why should we care?
What is BITS?
Disable event logs
Query the registry for event log config
We can get a snapshot of all event logs
Being more targeted in collection
More targeted in collection
Post processing with notebooks
Hunting at scale
Hunting - mass collections
Exercise - baseline event logs
Pool clients
Create a hunt
Select hunt artifacts
Collect results
Exercise - Stacking
Stacking can reveal results that stand out
Conclusions
What did we not cover?
Conclusions
Everything Open 2023: Incident Response with Velociraptor by Mike Cohen
Overview
What is Velociraptor?
Deployment overview
Typical deployments
GUI Tour
Velociraptor Installation and GUI tour
Create a local server
Your Velociraptor is ready to use!
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Introduction To Artifacts
Velociraptor Artifacts
Why a query language?
What is VQL?
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge
Anatomy of an artifact
Collecting new artifacts
Configuring the artifact collection
Configuring collection resource limits
What do artifacts return?
Uploaded files
Artifact query logs
Artifacts return multiple tables (sources)
Exporting artifact collections
Secure Shell
Secure Shell
Typical SSH based attacks
Typical SSH escalation path
Investigative steps
Investigative steps - Hunt
Investigative steps
Investigative steps - Hunt
Web Shells
Web shell
Detection
Custom Detection
What are we looking for?
Writing custom artifacts
Exercise: Hunting for PAM backdoors
Artifact of Autumn 77
The artifact exchange
Collecting the artifact
Hunting
Exercise
Identifying anomalies
Stacking
Conclusions
What did we not cover?
Conclusions
What is Velociraptor: Digging Deeper!
Velociraptor in 20 Minutes!
What is Velociraptor?
Architecture
Scalable, fast, accurate
Interactively investigate clients
Velociraptor Artifacts
Hunts - Collecting at scale
Postprocessing using Notebooks
Offline collector
Acquired file is encrypted
Tracking processes on endpoint
View process tree
Inspect the process call chain
Triaging Using Sigma
Collecting the sigma artifact
Triaging an endpoint
Stacking rules by title
Viewing the stacking stats
Viewing common rows
Detection vs. Forensics
Real Time Sigma alerting
Live detection with Sigma
Administration through VQL
Conclusions
Auscert 2023: Velociraptor: Digging Deeper!
Overview
What is Velociraptor?
Deployment overview
Typical deployments
GUI Tour
Velociraptor Installation and GUI tour
Create a local server
Your Velociraptor is ready to use!
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Multi-Tenancy and ACLs
Multi-Tenancy and RBAC
Supporting Multiple Orgs
Switching to different orgs
Creating a new org
Users and orgs
Adding a new user
Assign user to org
Adjust User permissions
Preparing a deployment for the new org
Fetching the prepared MSI for deployment
Auditing user action
Inspecting the audit timeline
Introduction To Artifacts
Velociraptor Artifacts
Why a query language?
What is VQL?
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge
Anatomy of an artifact
Collecting new artifacts
Configuring the artifact collection
Configuring collection resource limits
What do artifacts return?
Uploaded files
Artifact query logs
Artifacts return multiple tables (sources)
Exporting artifact collections
VQL: Our super power
VQL - Velociraptor's magic sauce
Velociraptor Artifacts
Velociraptor Query Language
The Artifact Exchange
Automatically import Exchange
Manually importing artifact packs
Finding files
Windows.Search.FileFinder
Exercise
Detecting EventLogs Disabling
Querying the registry
The Windows Registry
Example: Disable event logs
What is BITS? Why should we care?
What is BITS?
Disable event logs
Query the registry for event log config
We can get a snapshot of all event logs
Being more targeted in collection
More targeted in collection
Post processing with notebooks
Hunting at scale
Hunting - mass collections
Exercise - baseline event logs
Pool clients
Create a hunt
Select hunt artifacts
Collect results
Exercise - Stacking
Stacking can reveal results that stand out
The offline collector
Offline collection
Why Offline collection?
Create an offline collector
Selecting the Windows.KapeFiles.Targets artifact
Configuring the collector to encrypt output
Downloading the prepared binary
Offline collector binaries
Acquire data!
Acquired file is encrypted
Importing into Velociraptor
Import the collection into the Velociraptor server
Inspect the import process
Inspect the collected data
NTFS Forensics
NTFS Overview
New Technology File System
MFT entries contain attributes
NTFS Analysis
Finding suspicious files
Windows.Forensics.FilenameSearch
Windows.NTFS.MFT
Exercise - Generate test data
More setup
Exercise
The USN journal
USN Journal
Exercise - Windows.Forensics.Usn
Exercise - UsnJ solution
Advanced NTFS: Alternate Data Stream
Tracking Processes
The process tracker
What is the point of Forensics?
Tracking processes
The process tracker
Exercise: Enable the process tracker
Emulate a typical attack
Inspect the notepad process
Using Generic.System.Pstree
View process tree
Inspect the process call chain
Conclusions
What did we not cover?
Conclusions
SANS APAC Summit 2023: The evolving frontier of DFIR readiness
Forensic Readiness: Preparing for the unknown
Forensic Readiness
What is Digital Forensics anyway?
Enhancing the efficacy of Forensics
Why do we need Digital Forensics?
What if we could prepare for forensics?
Levels of preparedness
What types of interventions can we employ?
Reimagine the forensic process
Windows Event Logs
DFIR Mind map
Event logs
Setting event log size
Clearing the event logs
Forwarding event logs off the system
Example: Forwarding Sysmon logs
Disabling of event logs
What can we do with an agent?
Filesystem Forensics
File based forensic artifacts
Prefetch files
Filesystem artifacts: USN
Using the USN journal in IR
Querying the USN journal
Attackers may clear the USN journal
What can we do with an agent?
Forwarding USN logs off the system
Process based forensics
Leveraging ETW for visibility
Process execution
Preparing for Process Execution
Tracking processes
Where did notepad process come from?
Using Generic.System.Pstree
View process tree
Inspect the process call chain
Enhancing Visibility
Windows Crash Dumps
PowerShell script logging
Sysmon: Enhancing Forensics
What is Sysmon?
Evidence of Download
Evidence of Download: Sysmon
Where did this Executable come from?
Conclusions
Conclusions
Velocon 2023: Year In Review by Mike Cohen
An exciting year of Velociraptor!
Velociraptor - Year In Review
The year was a productive year!
NTFS Parser
The offline collector: Encryption
Importing/Exporting collections
Performance improvements
The Virtual File System
VQL improvements
GUI Improvements
Locking down the server
New Accessors
The Velociraptor Community
The Velociraptor Community survey
Looking into the future
Velociraptor as a platform!
Auditing and Compliance
SQLite Hunting
We need your help!
Conclusions
WSC Workshop: Introduction to Velociraptor
Overview
What is Velociraptor?
Deployment overview
Typical deployments
GUI Tour
Velociraptor Installation and GUI tour
Create a local server
Your Velociraptor is ready to use!
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Introduction To Artifacts
Velociraptor Artifacts
Why a query language?
What is VQL?
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge
Anatomy of an artifact
Collecting new artifacts
Configuring the artifact collection
Configuring collection resource limits
What do artifacts return?
Uploaded files
Artifact query logs
Artifacts return multiple tables (sources)
Exporting artifact collections
VQL: Our super power
VQL - Velociraptor's magic sauce
Velociraptor Artifacts
Velociraptor Query Language
The Artifact Exchange
Automatically import Exchange
Manually importing artifact packs
Finding files
Windows.Search.FileFinder
Exercise
Detecting EventLogs Disabling
Querying the registry
The Windows Registry
Example: Disable event logs
What is BITS? Why should we care?
What is BITS?
Disable event logs
Query the registry for event log config
We can get a snapshot of all event logs
Being more targeted in collection
More targeted in collection
Post processing with notebooks
Hunting at scale
Hunting - mass collections
Exercise - baseline event logs
Pool clients
Create a hunt
Select hunt artifacts
Collect results
Exercise - Stacking
Stacking can reveal results that stand out
Tracking Processes
The process tracker
What is the point of Forensics?
Tracking processes
The process tracker
Exercise: Enable the process tracker
Emulate a typical attack
Inspect the notepad process
Using Generic.System.Pstree
View process tree
Inspect the process call chain
NTFS Forensics
NTFS Overview
New Technology File System
MFT entries contain attributes
NTFS Analysis
Finding suspicious files
Windows.Forensics.FilenameSearch
Windows.NTFS.MFT
Exercise - Generate test data
More setup
Exercise
The USN journal
USN Journal
Exercise - Windows.Forensics.Usn
Exercise - UsnJ solution
Advanced NTFS: Alternate Data Stream
Conclusions
What did we not cover?
Conclusions
Thursday Defensive: Sigma Discussions
Auscert 2024 Workshop: Introduction to Velociraptor
Overview
What is Velociraptor?
Deployment overview
Typical deployments
GUI Tour
Velociraptor Installation and GUI tour
Create a local server
Your Velociraptor is ready to use!
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Introduction To Artifacts
Velociraptor Artifacts
Why a query language?
What is VQL?
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge
Anatomy of an artifact
Collecting new artifacts
Configuring the artifact collection
Configuring collection resource limits
What do artifacts return?
Uploaded files
Artifact query logs
Artifacts return multiple tables (sources)
Exporting artifact collections
VQL: Our super power
VQL - Velociraptor's magic sauce
Velociraptor Artifacts
Velociraptor Query Language
The Artifact Exchange
Automatically import Exchange
Manually importing artifact packs
Finding files
Windows.Search.FileFinder
Exercise
Notebook Processing
Velociraptor Notebooks
What are Velociraptor Notebooks?
Creating a notebook
Creating a custom template
Exercise - Add notebook template
Exercise - Workshop template
Types of notebook
Exercise: Copy cell from collection
Global notebooks
Triaging at scale
Triaging at scale
SQLite Hunter
Registry Hunter
Evtx Hunter
Sigma Hayabusa
What is a Sigma Rule?
Triaging Using Sigma
Collecting the sigma artifact
Triaging an endpoint
Stacking rules by title
Viewing the stacking stats
Viewing common rows
Tracking Processes
The process tracker
What is the point of Forensics?
Tracking processes
The process tracker
Exercise: Enable the process tracker
Emulate a typical attack
Inspect the notepad process
Using Generic.System.Pstree
View process tree
Inspect the process call chain
NTFS Forensics
NTFS Overview
New Technology File System
MFT entries contain attributes
NTFS Analysis
Finding suspicious files
Windows.Forensics.FilenameSearch
Windows.NTFS.MFT
Exercise - Generate test data
More setup
Exercise
The USN journal
USN Journal
Exercise - Windows.Forensics.Usn
Exercise - UsnJ solution
Advanced NTFS: Alternate Data Stream
Conclusions
What did we not cover?
Conclusions
Auscert 2024: Advances in detection engineering
DFRWS APAC 2024: Digital Forensics is dead! Long live Digital Forensics!
A trip down memory lane...
A trip down memory lane...
A hacking case...
Large scale operation! 🚨
How do you execute 400 search warrants simultaneously?
Key takeaways...
This was 20 years ago!
Is Digital Forensics Dead?
Is Digital Forensics Dead?
Triage is useful!
Wider application of Digital Forensics
Priority of DFIR
Is Digital Forensics Good enough?
Is Digital Forensics Good enough?
Other challenges
Sometimes Digital Forensics is unsatisfying!
If we rely on Digital Forensics, we have already lost!
What if we could prepare for forensics?
Forensic Readiness
Levels of preparedness
What types of interventions can we employ?
Reimagine the forensic process
Windows Event Logs
DFIR Mind map
Event logs
Setting event log size
Clearing the event logs
Forwarding event logs off the system
Example: Forwarding Sysmon logs
Disabling of event logs
What can we do with an agent?
Filesystem Forensics
File based forensic artifacts
Prefetch files
Filesystem artifacts: USN
Using the USN journal in IR
Querying the USN journal
Attackers may clear the USN journal
What can we do with an agent?
Forwarding USN logs off the system
Conclusions
Conclusions