Introduction to Velociraptor

If concepts such as DFIR, Threat Hunting and Security Monitoring are not empty phrases for you, then this article will be of interest to you. I’ll tell you about the Velociraptor utility, which often helps me in my work. To my surprise, there is not even a mention of it on Habr; I’ll try to fix that.

Velociraptor (github, docs) is, according to the official documentation, a utility for performing Digital Forensics and Incident Response (DFIR) tasks. In practice, it is a real Swiss Army knife for collecting and analyzing information from endpoints (servers and workstations).

Technical features

Before demonstrating the possibilities of this program, I think it would be right to mention the main technical features so that you have a general idea.

  • Velociraptor is typically used in a client-server architecture, but can also be used as an offline collector with a predefined task to collect data from the device.

  • The program is written in Go and runs on all platforms supported by Go. The GitHub releases cover Windows, Linux, Darwin (macOS) and FreeBSD.

  • The client and server parts are the same binary file with no external dependencies. Running the binary with different configuration files makes it either a server or a client. The current size of the binary is ~50 MB.

  • The key element around which the whole utility is built is the built-in query language, VQL (Velociraptor Query Language). Yes, yes, another query language, but do not rush to close this article: the functionality already built into Velociraptor will probably be enough for you, and there will be no need to create something manually, at least at first.

  • In a client-server architecture, the server sends jobs to clients; the clients perform the computations and return the results. Thus, the work is done in a distributed manner.

  • The CPU and RAM a client uses while performing tasks can be limited from the server. This helps to avoid excessive load on clients.

Practical acquaintance

With minimal effort you can repeat the practical part that follows, and it will give you a taste of Velociraptor 😉.

You can find the latest releases on GitHub (0.6.7 at the time of writing). Download the one appropriate for your operating system (Windows is used in this article). Now you have everything you need to run Velociraptor; it has both a command-line (CLI) and a web interface. Run Velociraptor from the command line (with Administrator rights) with the following parameters:

.\velociraptor.exe gui --datastore temp

The gui command performs the necessary configuration of the program and lets you work without configuring the client and server parts separately. It is a kind of demo mode, where both the server and the client are your workstation.

--datastore temp I recommend using this option after creating the temp folder; it is where all the configuration and system files necessary for operation will be stored.

If everything started successfully, you will see real-time logs on the command line, and the web interface will be available at https://127.0.0.1:8889/app/index.html#/.

welcome window

I mentioned earlier that the built-in query language VQL is a key element: it is used to describe the commands that are executed on clients. This means that if you want to create something custom, you will need to use VQL. Fortunately, the community has already done a good job in this direction and has created a large library of such instructions/commands, called artifacts.

Go to the “View Artifacts” menu; in the right sidebar you can see all the artifacts that come with the executable. Use the filter to see, for example, those related to Windows.

Artifacts

I don’t know about you, but I was impressed by the variety of artifacts already created and the possibilities at the first meeting.

Now let’s try to run one of the artifacts. I chose Windows.Network.Netstat for demonstration purposes. To run this artifact on a specific client, that client must be selected as active. To do this, click the search icon in the upper left corner, then click the Client ID of your client.

Now your client is the main client you will work with.

Go to the Collected Artifacts section and click the + icon in the upper left corner of the window.

In the view that appears, find the artifact you need; in my case it is Windows.Network.Netstat.

Windows.Network.Netstat Artifact

The next tab, Configure Parameters, is where you can usually set the dynamic parameters of the artifact, but in my case there are none.

Next, in Specify Resources, you can fine-tune the resources that your artifact is allowed to consume. These settings really help to minimize client load and prevent any workloads from being impacted.

Specify Resources Tab

In my case the default parameters are enough, so I click Launch.

After a few seconds of waiting the information is collected. The Results tab at the bottom of the window shows all network connections on my client. I suggest that you view and run a few more artifacts that interest you on your own. Here you can see which artifacts are built into the default executable.
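As an added example (not from the original article or shipped with Velociraptor), here is a small custom artifact that narrows the Windows.Network.Netstat idea down to listening sockets, the kind of customisation the article says requires VQL. It relies on the built-in netstat() and info() plugins; the artifact name, the ProcessRegex parameter and the exact column names (Laddr.IP, Laddr.Port, Status, Timestamp) are my assumptions and should be checked against the artifact reference for your version.

```yaml
# Added example artifact, not part of Velociraptor's built-in set.
# Paste it into View Artifacts -> Add an Artifact, then collect it
# exactly like a built-in artifact.
name: Custom.Windows.Network.ListeningPorts
description: |
  Lists TCP sockets in the LISTEN state together with the owning process,
  so an analyst can spot unexpected listeners on a host. Built on the same
  netstat() plugin that Windows.Network.Netstat uses (assumed column names).
type: CLIENT
parameters:
  - name: ProcessRegex
    description: Only report listeners whose process name matches this regex.
    default: .
    type: regex
sources:
  # Only run on Windows clients; other platforms return no rows.
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      SELECT Pid,
             Name AS Process,
             Laddr.IP AS LocalIP,
             Laddr.Port AS LocalPort,
             Status,
             Timestamp
      FROM netstat()
      WHERE Status =~ "LISTEN"
        AND Name =~ ProcessRegex
      ORDER BY LocalPort
```

Because the result is a normal artifact table, it can be collected from the Collected Artifacts view with the same Specify Resources controls described above.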

Offline collector

The next interesting example I would like to cover in this article is the creation of an offline collector. Velociraptor’s executable can be configured so that, when launched, it collects and sends the necessary information and then exits. When might this be needed? In practice there are often cases where a laptop is suspected of being compromised, but access to it is limited or non-existent. In such cases, it is good to have a file that is easy for the user to run and that collects all the necessary information.

Such a file is quite simple to create in Velociraptor. Go to Server Artifacts and click the airplane icon in the top left menu.

As the artifact for the collector, I propose to consider Windows.KapeFiles.Targets. If you are not familiar with KapeFiles, you can read more in the project repository. In a nutshell, KapeFiles is structured information about the locations of many files on a Windows system that can be useful during an investigation. KapeFiles were originally created for use with the Kape program, but as you can see, they can be adapted for other utilities.

After choosing the artifact, let’s move on to the parameters. This time the number of parameters that can be specified is huge. You can explore them in more detail, but for demonstration purposes I will select one: collecting Windows Event logs.

The next tab, Configure Collection, configures what happens once the artifact has finished its work. Here you can encrypt the files and send them to network storage, or simply create a zip archive.

The Specify Resources tab, like last time, will help you avoid excessive resource consumption on the client machine, if necessary.

Click Launch, and after a few seconds the creation of the Offline Collector will be complete. You can find the executable at the bottom of the window in the Uploaded Files tab. Now all you have to do is download the file and give it to the user to run on the laptop. It is important to note that the Offline Collector should be run with administrator rights; otherwise not all system files will be accessible.

Instead of a conclusion

I will add a few more facts that will probably answer some of the questions that have arisen.

Velociraptor is distributed under the AGPLv3 license, in the spirit of FOSS. In other words, you can do everything with the program except sell it. I think you are not interested in that anyway.

Not so long ago, Rapid7 took this project under its wing. This is good news: the project remains open source and AGPLv3 licensed, and Rapid7 has the budget to support development and build a community while promoting itself along the way.

For questions and technical support, visit the Discord server. This channel is more than alive. Mike Cohen, the author and driving force of the project, answers questions very quickly, often within a few minutes.

I am planning a series of articles like this one with examples of how to use Velociraptor. I hope that after reading this you will find the utility useful, and maybe it will take its place among the other tools in your SOC.
