Velociraptor: Digging Deeper
## What is Velociraptor?
### Mike Cohen, Digital Paleontologist
### Rapid 7 Inc

---

## What is Velociraptor?

Velociraptor is the premier endpoint visibility tool.

* Driven by Velociraptor Query Language (VQL) artifacts.
* Primarily a DFIR tool.
* Compliance/vulnerability management.
* Endpoint monitoring.
* Open source with a strong community.

---

## Architecture

---

## Scalable, fast, accurate

* Supports Linux, Windows, MacOS, FreeBSD …
* The server simply collects the results of queries; clients do all the heavy lifting.
* Client memory and CPU usage is controlled via throttling and active cancellations.
* The server is optimized for speed and scalability:
  * Concurrency control ensures stability.
  * Bandwidth limits ensure network stability.
  * Single or multi-server modes (20k endpoints per server).

---

## Interactively investigate clients

Digital forensic plugins turn VQL into a high quality DFIR tool.

---

## Velociraptor Artifacts

Artifacts encode VQL into user-sharable code snippets.

---

## Hunts - Collecting at scale

Collecting artifacts at scale from multiple endpoints.

---

## Postprocessing using Notebooks

Notebooks are collaborative shared VQL execution environments.

---

## Offline collector

A pre-programmed binary that collects, packages and uploads the collection.

---

## Acquired file is encrypted

---

## Tracking processes on endpoint

* One of the critical questions we ask is `Where did this process come from?`
* The context of where a process came from is important in establishing the initial access vector!
* Velociraptor can track processes locally on the endpoint at runtime.
* If the need arises, we can enrich with process execution information.
* This can be done **EVEN IF THE PROCESS EXITED**.

---

## View process tree

---

## Inspect the process call chain

The process tracker maintains a historical view, so we can see exited processes.

---

## Triaging Using Sigma

* Endpoint tools can directly evaluate Sigma rules on the event logs.

---

## Collecting the Sigma artifact

---

## Triaging an endpoint

---

## Stacking rules by title

---

## Viewing the stacking stats

---

## Viewing common rows

---

## Detection vs. Forensics

* VQL Sigma rules bridge detection with forensics.
* Forensics: `What happened here?`
  * Recover all the information, relevant or not.
  * Get a full picture.
* Detection: `What bad things happened here?`
  * Take the forensic information and rapidly zero in on obvious bad signals.
  * Not designed to be exhaustive! Triage oriented.
* Complementary capabilities.

---

## Real Time Sigma alerting

* VQL is fully asynchronous: real time queries.

---

## Real Time Sigma alerting
### Configuring Velociraptor's client monitoring

---

## Live detection with Sigma

---

## Administration through VQL

* All server administration tasks can be automated with VQL artifacts.
* API access is available for external automation.
* Automatic upload of data to Elastic/Slack/Discord.
* Open-ended architecture enables novel use cases.

---

## Conclusions

We only scratched the surface of what Velociraptor can do! Check out the following links and join our community…
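As an added example (not a slide from this talk and not a built-in Velociraptor artifact), here is a custom artifact that answers the "where did this process come from?" question from the process tracking slides: it reads the client-side process tracker, which also retains exited processes, and renders the parent chain for every process whose name matches a regex. The artifact name and the `ProcessRegex` parameter are my own; the `process_tracker_pslist()` plugin, the `process_tracker_callchain()` function and the row fields (`Id`, `ParentId`, `StartTime`, `EndTime`, `Data`) are used as I recall them from the VQL reference, so check them against the docs linked at the end before relying on this.

```yaml
name: Custom.Example.ProcessCallChain
description: |
  Added example, not shipped with Velociraptor. Lists processes known to
  the process tracker, including ones that already exited, and shows the
  parent call chain for each match so an analyst can see how a process
  such as a scripting host was launched.
parameters:
  - name: ProcessRegex
    description: Regex matched against the process name (assumed parameter name).
    default: "(?i)powershell|cmd\\.exe|wscript|mshta"
sources:
  - query: |
      -- process_tracker_pslist() emits one row per tracked process: Id,
      -- ParentId, StartTime, EndTime and a Data dict carrying the
      -- enrichment fields (Name, Exe, CommandLine, ...).
      -- EndTime stays unset for processes the tracker has not seen exit.
      LET matches = SELECT Id, ParentId, StartTime, EndTime,
                           Data.Name AS Name,
                           Data.Exe AS Exe,
                           Data.CommandLine AS CommandLine
        FROM process_tracker_pslist()
        WHERE Name =~ ProcessRegex

      -- process_tracker_callchain() walks the parents up to the root and
      -- returns the chain as rows; joining their names yields something
      -- like "explorer.exe -> cmd.exe -> powershell.exe". Because the
      -- tracker keeps history, the chain survives even if the parents
      -- have already exited.
      SELECT *,
             join(array=process_tracker_callchain(id=Id).Data.Name,
                  sep=" -> ") AS CallChain
      FROM matches
```

Collect it from a single client to triage one host, or run it as a hunt to stack `CallChain` values across the fleet and surface unusual parents at a glance.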
Docs
https://docs.velociraptor.app/
Github
https://github.com/Velocidex/velociraptor
Discord
https://docs.velociraptor.app/discord/
Mailing list
velociraptor-discuss@googlegroups.com