Velociraptor: Digging Deeper
Welcome to the Velociraptor: Digging Deeper Course.
Toggle All
Light
Dark
Module 1: Deployment
Overview
What is Velociraptor?
Deployment overview
Typical deployments
Network Communications
Network Communications
Network Communications overview
Velociraptor’s internal PKI
TLS verification - Self Signed Mode
TLS verification - PKI/Lets Encrypt Mode
Adding Proxy and MITM settings
Configuration reference
Deploying Servers
Deploying The Server
Run Velociraptor on your machine
Self Signed SSL mode
Steps to deploy Velociraptor
Setting Dynamic DNS with Google Domains
Configuring Google OAuth2
Generate OAuth client credentials.
Installing a new server
Automating config generation
Building a server deb package
Deploying the server
Your Velociraptor is ready to use!
Troubleshooting
Troubleshooting
Server fails to start
Starting the server manually
Debugging client communications
Network Connectivity problems
More Deployment Scenarios
Additional deployment scenarios
Using multiple OAuth providers
The multi Authenticator
MultiAuthenticator log in screen.
Client certificate based authentication.
Import certificate into personal store (Manage User Certificates)
Multi-Frontend deployments
Multi frontend deployment overview
Exercise: Create a Master/Minion deployment
Exercise: Customizing the dashboard
Server Lockdown Mode
Orgs and ACLs
Multi-Tenancy and RBAC
Supporting Multiple Orgs
Switching to different orgs
Creating a new org
Users and orgs
Adding a new user
Assign user to org
Adjust User permissions
Preparing a deployment for the new org
Fetching the prepared MSI for deployment
Auditing user action
Inspecting the audit timeline
Deploying Clients
Configuring Clients
Deploying clients - Windows
Domain deployment
Domain deployment: Scheduled Task
Domain deployment: Assigned Software
GUI Tour
A Velociraptor GUI tour
The Dashboard
User Preferences
Interactively investigate individual clients
Searching for a client
Search for clients
Client Overview
Shell commands
Running Shell Commands
Interactively fetching files from the endpoint
The VFS View
Navigating the interface
The VFS interface
Previewing files
Velociraptor artifacts
What does the VFS view do under the cover?
Velociraptor uses expert knowledge to find the evidence
Review and Summary
Review And Summary
Module 2: VQL Fundamentals
The VQL Language
Why a query language?
VQL - Velociraptor's magic sauce
The notebook - an interactive document
Add VQL Cell to a new Notebook
The notebook - an interactive document
Completes plugin names
Suggests plugin args
Create a local server
What is VQL?
Plugins
Life of a query
Explaining a query
Exercise: List running processes
Inspect the data with the table widget
Exercise: Hash notepad.exe
Lazy Evaluators
Exercise: Evalution and Side effects with log()
Checking the log function output
What is a Scope?
Nested Scopes
Scope exercise
Typo Example
Unknown column types
VQL Syntax
The foreach plugin
Foreach on steroids!
Exercise: Hash all files
Faster hashing!
Solution
The foreach() column parameter
Exercise: Filter columns by name
Filtering columns and dicts
LET expressions
LET expressions are lazy
Materialized LET expressions
Materialized LET expressions - fastest
Local VQL functions
Protocols - VQL operators
Plugin reference
Plugin reference site
Writing VQL for fun and profit!
Start small - list processes
View raw JSON data
Refine - Filter by name
Subquery - find parent process
Detection: Processes spawned by WMI
Exercise: Enrich netstat
Step 1: Identify listening processes
Step 2: Lookup the process from Pid
Step 3: Lookup binary information
Complete solution
Column formatting
Example: Display hex data in the GUI
Artifacts
VQL Artifacts
Artifacts: VQL modules
Velociraptor Artifacts
Velociraptor Query Language
The Artifact Exchange
Automatically import Exchange
Exercise: Manually import Exchange artifacts
Manually importing artifact packs
Main parts of an artifact
The Artifact Repository
Main parts of an artifact
Parameters
Parameter types
Exercise: Create an artifact
Make a WMI Subprocess artifact
Final artifact
Collect artifact from endpoint
Your artifact is ready to hunt!
Artifact writing tips
Calling artifacts from VQL
VQL and times
Exercise: Identify recent accounts
Format time
Scope lifetime and tempfile()
VQL control structures
Looping over arrays
Conditional: if plugin and function
Conditional: switch plugin
Conditional: chain plugin
Aggregate functions
Example: Count
GROUP BY clause
Example: Count all rows
Stacking
Review and Summary
Review
Module 3: Filesystem Forensics
Searching for files
Searching for files - glob()
Exercise: Search for exe
Filesystem accessors
The registry accessor
Exercise - RunOnce artifact
Exercise: Hash all files provided in the globs
Searching data
YARA - The swiss army knife
YARA rules
Exercise: drive by download
Step 1: Figure out where to look
Step 2: Recover URLs
Step 3: Let’s do this!
YARA best practice
Uploading files
Exercise: Upload Recent executables
NTFS Forensics
NTFS Overview
New Technology File System
MFT entries contain attributes
NTFS Analysis
Finding suspicious files
Windows.Forensics. FilenameSearch
Windows.NTFS.MFT
Exercise - Generate test data
More setup
Exercise
The USN journal
USN Journal
Exercise - Windows.Forensics.Usn
Exercise - UsnJ solution
Advanced NTFS: Alternate Data Stream
Advanced NTFS Forensics
Volume Shadow Copies
NTFS accessor and VSS
Velociraptor shows VSS at the top level of the filesystem
Exercise: Find all VSS copies of the event logs
Carving The USN Journal
Carving USN Journal can recover events in the distant past
Accessors
More about Accessors
What is an accessor?
The OSPath object
Parsing a string into an OSPath
Exercise: Parsing paths
Parsing paths
Life of a Path
Exercise: OSPath operations
OSPath operations
Basic accessors: file, auto
The data and scope accessors
The ZIP accessor
Exercise: Search a word document for a keyword
Solution: Search a word document for a keyword
Exercise: Identify vulnerable Java programs
Solution: Identify vulnerable Java programs
Raw registry parsing
Exercise: Repeat the Run/RunOnce example with raw registry.
The process accessor: accessing process memory
Exercise: Write an artifact that uploads process memory
The sparse accessor
Exercise: Upload only first 10k of each file.
The smb accessor
Exercise: Configuring an SMB share
Parsing
Parsing
Parsing evidence on the endpoint
Built in parsers - SQLite
Exercise: Parse the chrome Top Sites file
Sqlite analysis
Complex RegEx parsing
Parsing with Regular Expressions
Exercise: MPLogs
Steps for solution
Possible solution
The Binary Parser
Parsing binary data
What is binary data?
Parsing a struct
Parsing Structs
Calculating fields
Unsecured SSH keys
Traditional approach
How can I tell if a file is protected?
Exercise: Parse SSH Private keys
Step 1: read the file.
Step 2: Extract the base64 encoded part
Step 3: Binary parser built in VQL
Step 4: Parse the header and find if the key is encrypted.
Exercise: Parsing root certificates in the registry
Solution
Parsing the trusted certificates from the registry
Timelines
Timelines
What is a timeline?
Timeline workflow
Example: Correlating execution with files
Review and Summary
Review And Summary
Module 4: Event Logs
Windows Event Logs
Windows Event Logs
Parsing EVTX
Event Messages - Where are they?
Internationalization of the log message
The Event description is missing from the evtx file.
Event message search
Deriving event messages
Resolving a message from an event
Resolving Messages
What could go wrong?
Event Message databases
References
Disabling event logs
What is BITS? Why should we care?
What is BITS?
Exercise - How can we detect this?
Solution: What is the setting?
Exercise: Detect disabled logs
Solution
Exercise: Convert to an artifact
Detection Engineering
Detection engineering
Velociraptor vs. SIEM
Event Log based detection
Sigma - a rule language for logs
Some Sigma examples
Sigma limitations
Sigma rule tips
Using Sigma With Velociraptor
Exercise: Hayabusa
The EVTX Hunter
Portable Executables
PE Files
PE File structure
Authenticode - signing PE files
Authenticode - signing via Catalogue
Parsing PE Files
Exercise: Manipulating Driver hashes
Hashes and PE files
Weak Hash based detection rule
Stronger detection rule
Linux Syslog
Syslog logs
Line based logging
Parsing SSH login events
Grok for parsing syslogs
Let's use VQL to parse ssh events
Filter lines and apply Grok
Parsing log lines with Grok
Carving SSH auth logs
Exercise: Carving SSH auth logs
Linux Journal Logs
The Linux Journal Logs
Exercise: Parsing Journal Logs: Execve
Exercise: Parsing Journal Logs: Natively
Exercise: Parsing Journal Logs
Review and Summary
Review And Summary
Module 5: Triage and Acquisition
Collection for Triage
Collecting files
Windows.KapeFiles.Targets
Exercise: Use Windows.KapeFiles.Targets
Exporting collections from GUI
Resource control
Velociraptor has your back!
Offline Collections
Offline collections
Why Offline collection?
Velociraptor Artifacts
Why Offline collection?
Create an offline collector
Selecting the Windows.KapeFiles.Targets artifact
Configuring the collector to encrypt output
Downloading the prepared binary
Offline collector binaries
Acquire data!
Acquired file is encrypted
Importing into Velociraptor
Import the collection into the Velociraptor server
Inspect the import process
Inspect the collected data
Protecting the collection file: Encryption
Including third party binaries
Take a memory image with winpmem
Importing collections into the GUI
Local collection considerations
Automated Offline uploads
Uploading offline collections automatically
Configure SMB upload
Exercise: Preparing an SMB dropbox
Step 1: Creating service account
Step 2: Share directory to new user
Step 3: Adjust ACLs
Step 4: Test ACLs using VQL
Step 5: Creating the SMB collector
Collecting to AWS Buckets
Bucket credentials
Creating a bucket
Creating a User
Creating security credentials
Creating a policy
Testing the upload credentials
Viewing the contents of the bucket
Full access policy
Testing Full access policy
Review and Summary
Review And Summary
Local collection considerations
Module 6: Volatile Artifacts and Memory Analysis
Processes and Memory analysis
Processes and Memory analysis
What is a process?
Process Information
Exercise - Find elevated command shell
Mapped Memory
Process memory view
The VAD plugin
Exercise - look into powershell
Exercise: Dump mapped objects
Dumping process memory
Parsing PE files from memory
Exercise: Find Powershell Module that provides WinHTTP
Exercise: Find Powershell Module that provides WinHTTP API
Searching memory
Exercise: Scan memory for keyword
Mutants
Exercise - Mutants
Enumerate the mutants
Event Tracing for Windows
Event Tracing for Windows
What is ETW
ETW Providers
ETW for event driven logs
Exercise - Monitor DNS queries
Windows Management Instrumentation
WMI Explorer
MSBuild based attacks
MSBuild based attacks
Microsoft Build Engine
MSBuild: Cobalt Strike teamserver
MSBuild: Detection ideas
MSBuild: Disk - template file
MSBuild: Disk - template
Detection ideas
MSBuild: Exercise description
MSBuild exercise
MSBuild Exercise
MSBuild: Evidence of execution - prefetch
Windows.Detection. PrefetchHunter
Memory artifacts
Detect Cobalt Strike Beacon
Inject beacon into process
Search for beacon in memory
Detecting Cobalt Strike in memory
Decoding Cobalt Strike Config
Extract configuration data from memory
Review and Summary
Review And Summary
Module 7: Hunting
Hunting at scale
Typical hunting workflow
Mitre Att&ck framework
Atomic Red Team
Exercise: Detect Att&ck Techniques
First plant a signal on your machine
Windows.Persistence.Debug
Hunting - mass collections
Exercise - baseline event logs
Pool clients
Create a hunt
Select hunt artifacts
Collect results
Exercise - Stacking
Stacking can reveal results that stand out
Exercise: Labeling suspicious hits
Exercise: Post processing a large hunt
Create a malicious service
Optimizing filtering
Recollecting failed hunts
Review and Summary
Review And Summary
Module 8: Event Monitoring
Event Queries
Event queries and asynchronous VQL
VQL: Event Queries
Playing with event queries
Client monitoring architecture
Example event query
The Process Tracker
The process tracker
What is the point of Forensics?
Tracking processes
The process tracker
Exercise: Enable the process tracker
Emulate a typical attack
Inspect the notepad process
Using Generic.System.Pstree
View process tree
Inspect the process call chain
Integration With External Systems
Interfacing with Elastic/Kibana
What is Elastic/Opensearch
Connection to Elastic or Opensearch
Installing ELK
Interacting with Opensearch
Installing the uploader
Verifying the Uploader works
Check for new indexes
Verify that indexes are populated
You can clear indices when you want
Exercise: Create and maintain Elastic index
Alerting and Escalation
Alerting and Escalation
Integration with Slack/Discord
Sending a message to a discord channel
Exercise: Alert discord when a new hunt is created
The Alerting framework
Exercise: Forwarding alerts to Discord
Other integrations
Server automation with event queries
Server Automation With Event Queries
Exercise: Automatically archive Windows.KapeFiles.Targets
Exercise: Import offline collections
Review and Summary
Review And Summary
Module 9: Server Automation
Extending VQL With Powershell
Extending VQL - Artifacts
Extending artifacts - PowerShell
Exercise: PowerShell based pslist
Alternative - encode scripts
Alternative - tempfile scripts
Dealing with output
Parsing JSON output
Encoding powershell into JSON
Reusing powershell artifacts
Using External Tools
Using external tools
Why use external tools?
Velociraptor Tools
Autoruns
Let's add a persistence
Launching the Autoruns artifact
Configuring the Autoruns tool
Detect the malicious scheduled task
Artifact encapsulation
Exercise - Use Sysinternal DU
Third party binaries summary
Server Automation
Automating the Velociraptor Server
Server artifacts
Example: Client version distribution
Server concepts
Exercise - label clients
Exercise - label clients with event query
Exercise: Server management with VQL
Exercise: Automating hunting
Event Queries and Server Monitoring
Exercise - Watch for flow completions
Server Event Artifacts
Exercise: Powershell encoded cmdline
Alerting and escalation.
Exercise: Escalate alerts to slack/discord.
The Velociraptor API
The Velociraptor API
Why an API?
Velociraptor API Server overview
The Velociraptor API
Create a client API certificate
Grant access to API key
Export access to your API
Using the API to connect to the server.
Schedule an artifact collection
Waiting for the results
Reading the results
Exercise: Put it all together
Review and Summary
Review And Summary
Module 10: Capture The Flag
Capture The Flag
Capture the Flag
Rules of engagements
Possible attacks
References and Links
YouTube Videos
Youtube Videos
Blog Posts
Blog posts
Links
Links
