Velociraptor - https://docs.velociraptor.velocidex.com/blog/html/
Hunting for evil - what Velociraptors do best!
en-us, Tue, 13 Nov 2018 00:00:00 +1000

Velociraptor training at NZITF
https://docs.velociraptor.velocidex.com/blog/html/2018/11/13/velociraptor_training_at_nzitf.html

We are very excited to run this full day training workshop at the New Zealand Internet Engineering Task Force (NZITF) conference.

Published: Tue, 13 Nov 2018 00:00:00 +1000
Event Queries and Endpoint Monitoring
https://docs.velociraptor.velocidex.com/blog/html/2018/11/09/event_queries_and_endpoint_monitoring.html

In previous posts we have seen how Velociraptor can run artifacts to collect information from hosts. For example, we can collect WMI queries, user accounts and files.

However, it would be super awesome to do this collection in real time: as soon as an event of interest appears on the host, we would like to have it collected on the server. This post describes the new event monitoring framework and shows how Velociraptor can collect things such as event logs, process execution and more in real time.

Published: Fri, 09 Nov 2018 00:00:00 +1000
Detecting powershell persistence with Velociraptor and Yara
https://docs.velociraptor.velocidex.com/blog/html/2018/09/29/detecting_powershell_persistence_with_velociraptor_and_yara.html

I was watching the SANS DFIR Summit 2018 videos on YouTube and came across Mari DeGrazia’s talk titled “Finding and Decoding Malicious Powershell Scripts”. This is an excellent talk and it really contains a wealth of information. It seems that Powershell is really popular these days, allowing attackers to “live off the land” by installing fully functional reverse shells and backdoors in a few lines of obfuscated scripts.

Published: Sat, 29 Sep 2018 00:00:00 +1000
Velociraptor’s filesystem accessors
https://docs.velociraptor.velocidex.com/blog/html/2018/09/30/velorciraptor_s_filesystem_s_accessors.html

The latest release of Velociraptor introduces the ability to access raw NTFS volumes, allowing users to read files which are normally locked by the operating system, such as registry hives, the pagefile and other locked files. In addition, Velociraptor can now also read Volume Shadow Copy snapshots. This gives a kind of time-machine ability, allowing the investigator to look through the drive content at a previous point in the past.

This blog post introduces the new features and describes how Velociraptor’s filesystem accessors work to provide data from multiple sources to VQL queries.

Published: Sun, 30 Sep 2018 00:00:00 +1000
Velociraptor walk through and demo
https://docs.velociraptor.velocidex.com/blog/html/2018/09/03/velociraptor_walk_through_and_demo.html

I just uploaded a screencast of the latest Velociraptor - check it out and play with it, and please provide feedback at velociraptor-discuss@googlegroups.com

Published: Mon, 03 Sep 2018 00:00:00 +1000
Velociraptor’s client communications
https://docs.velociraptor.velocidex.com/blog/html/2018/09/03/velociraptor_s_client_communications.html

In the latest point release of the Velociraptor IR tool (0.2.3) we have improved upon GRR’s client communications protocol to deliver fast and efficient, yet extremely responsive, client communication. This post explains the design of the client communication and how it solves the problems with GRR’s old client communication.

Published: Mon, 03 Sep 2018 00:00:00 +1000
Velociraptor Artifacts
https://docs.velociraptor.velocidex.com/blog/html/2018/08/20/velociraptor_artifacts.html

We are super excited to introduce this point release of Velociraptor (0.2.2), which introduces the concept of Velociraptor Artifacts for the first time. This post is about what artifacts are, what they do and how you can use them.

Published: Mon, 20 Aug 2018 00:00:00 +1000
Files, files everything is just a file!
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/files_files_everything_is_just_a_file.html

GRR’s original design abstracted the data storage to a simple key/value store, originally based around Bigtable. For open source deployments various key/value stores were used, starting from MongoDB, then SQLite and finally MySQL. Although the original idea was to use a simple key/value implementation, the locking requirements made the data store implementation very complex.

Because Velociraptor introduced a major redesign of the underlying data store architecture, we are now able to relax our demands on the datastore and use a true key/value model (since we have no requirements for locking and synchronization). The default data store is now the FileBasedDataStore, which stores all data in flat files.

Published: Fri, 10 Aug 2018 00:00:00 +1000
Browsing around the filesystem.
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/browsing_around_the_filesystem.html

Browsing the client’s filesystem is probably the first thing responders do. Both GRR and Velociraptor have a nice VFS abstraction that allows users to browse files interactively. However, in order to make Velociraptor much faster we made some tradeoffs and improved the way that the VFS is stored in the datastore.

Published: Fri, 10 Aug 2018 00:00:00 +1000
Hunting - What Velociraptors do best!
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/hunting_what_velociraptors_do_best.html

A hunt is a feature where a single flow may be run on multiple clients at the same time. Typically a hunt looks for a particular indicator of compromise across the entire deployment, or collects the same files from every deployed agent. By their nature, hunts cause multiple flows to run simultaneously, which creates heavy contention on shared state.

Velociraptor has completely redesigned the way that hunts are implemented in order to avoid database locking and increase hunt processing efficiency.

Published: Fri, 10 Aug 2018 00:00:00 +1000
Interrogation - Make the endpoint tell us what it knows!
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/interrogation_make_the_endpoint_tell_us_what_it_knows.html

Interrogation is the process of learning general information about the endpoint we are monitoring. Each endpoint is automatically interrogated when it first joins the Velociraptor server, and the GUI shows this general information about each client.

When writing Velociraptor we decided to keep things very simple - we did away with a lot of the information gathered during interrogate in favor of a much simpler data model.

Published: Fri, 10 Aug 2018 00:00:00 +1000
Design differences between Velociraptor and GRR
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/design_differences_between_velociraptor_and_grr.html

One of the main motivators for developing Velociraptor is the opportunity to try different approaches than GRR. Velociraptor has a number of fundamental design differences in contrast with the GRR design which improve overall performance and scalability. We tried to keep it lightweight, cutting out the features we thought we did not need and leaving behind a fast, lean and mean raptor!

Published: Fri, 10 Aug 2018 00:00:00 +1000
Velocidex Query Language (VQL)
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/the_velocidex_query_language.html

Velociraptor is powered by VQL, and VQL is the killer feature which makes it so powerful. But what exactly is VQL? This post is a quick overview of VQL.

Published: Fri, 10 Aug 2018 00:00:00 +1000
Introducing Velociraptor
https://docs.velociraptor.velocidex.com/blog/html/2018/08/10/introducing_velociraptor.html

Hunting and responding like a raptor!

At Velocidex we have been running open source endpoint monitoring tools for our clients in order to detect and respond to incidents. One of our favorite tools is GRR, developed by Google internally and then released as open source. GRR is a very powerful tool, with a polished UI and good documentation.

Unfortunately the open source version released by Google suffers from some shortcomings, so we have decided to develop a new project, built on the shoulders of giants, called Velociraptor.

Published: Fri, 10 Aug 2018 00:00:00 +1000