Velociraptor Deployment

# Querying the registry

## Detecting event log modifications

---

## The Windows Registry

* Windows uses the registry to store configuration data.
* Many attackers modify system configuration to achieve persistence
* It is very useful to be able to query the registry!
* Velociraptor has two types of registry accessors:
    * "registry" uses the APIs
    * "raw_reg" parses the registry hives themselves

---

## Example: Disable event logs

* Windows event logs are crucial for detection
* Many detection solutions rely on forwarding event logs to a backend
* It is trivial to enable/disable event log collection
* Let's look at disabling the BITS client events

---

## What is BITS? Why should we care?

![](bits-mitre.png)

---

## What is BITS?

BITS activity is visible in the logs

```text
bitsadmin.exe /transfer
  /download /priority
  foreground https://www.google.com
  c:\Users\test\test.ps1
```

</div>
<div class="col">
<img src="bits-log.png" style="width: 50%" class="title-inset">
</div>
</div>

---

## Disable event logs

![](disable-bits-log.png)

Note:
It is easy to disable log collections - from the GUI or programmatically
Try this yourself - disable the Bits-Client logs, clear the logs and repeat the previous step

---

## Query the registry for event log config

* Disabling the event logs actually results in a configuration change in the registry.
    * The relevant keys are discussed in [Disabled Event Log Files](https://docs.velociraptor.app/blog/2021/2021-01-29-disabled-event-log-files-a3529a08adbe/)
    * We can use `Windows.EventLogs.Modifications` to query log state

---

## We can get a snapshot of all event logs

![](log-enable-snapshot.png)

---

## Being more targeted in collection

* Most artifacts have parameters that allow us to be more targeted in
  collection
* Being targeted is good because it reduces the amount of data we
  collect!

</div>
<div class="col">
<img src="bits-targeted-collection.png" class="title-inset">
</div>
</div>

---

## More targeted in collection
* Treat the endpoint as the ultimate source of truth - need more
  data? go back and re-fetch it from the endpoint.

![](Windows.EventLogs.Modifications.png)

---

## Post processing with notebooks

* Another alternative is to collect all the data and then post-process using the GUI
    * Helps us drill into the data and understand what is going on.

![](bits-post-process.png)

---

# Hunting at scale

---

## Hunting - mass collections

Hunting is Velociraptor's strength - collect the same artifact from thousands of endpoints in minutes!

* Two types of hunts:
   * Detection hunts are very targeted aimed at yes/no answer
   * Collection hunts collect a lot more data and can be used to
     build a baseline.

---

## Exercise - baseline event logs

For this exercise we start a few more clients.

```text
c:\Users\test>cd c:\Users\test\AppData\Local\Temp\

c:\Users\test\AppData\Local\Temp>Velociraptor.exe
   --config client.config.yaml pool_client --number 100
```

This starts 100 virtual clients so we can hunt them
* We use pool clients to simulate load on the server

---

## Pool clients
Simply multiple instances of the same client

![](pool_clients.png)

---

## Create a hunt

![](create-hunt_2.png)

---

## Select hunt artifacts

![](create-hunt_3.png)
---

## Collect results

![](create-hunt.png)

---

## Exercise - Stacking

* The previous collection may be considered the baseline
* For this exercise we want to create a few different clients.
    * Stop the pool client
    * Disable a log channel
    * Start the pool client with an additional number of clients

```
Velociraptor.exe --config client.config.yaml pool_client --number 110
```

---

## Stacking can reveal results that stand out

![](stacking-a-hunt.png)