Velociraptor
Dig deeper.
www.velocidex.com
Nick Klein
Director, Velocidex Enterprises
nick@velocidex.com
Director, Klein & Co.
nick@kleinco.com.au
SANS DFIR Certified Instructor
Mike Cohen
Director, Velocidex Enterprises
mike@velocidex.com
© Velocidex Enterprises 2019 / www.velocidex.com
Who are we?
Dr Michael Cohen (scudette)
• Digital forensic software developer
• Developer of Volatility and Rekall
• Former lead developer of Grr at Google
Nick Klein
• Director of Klein & Co. DFIR team
• SANS DFIR Certified Instructor
What’s the need?
• Deep visibility of endpoints is a game changer for:
• digital forensic investigations
• threat hunting
• cyber breach response
• operational security monitoring.
• Few current tools offer network-wide deep forensic
analysis
• We’re building (and using) Velociraptor to address this
Technical overview
Velociraptor architecture
(Diagram, built up over several slides:)
• Velociraptor server and GUI frontend
• Data store and file store, behind the server
• Velociraptor Windows client, Linux client and Mac client, each talking to the server over encrypted comms
• Velociraptor users connect to the GUI frontend, also over encrypted comms
Velociraptor architecture
• A single executable per OS, which runs as either a server or a client
• No libraries, no external dependencies
• Server and client config files are plain text
• No database: the data store and file store are just files on disk
• Velociraptor can process data on the clients and on the server
• You can customise many elements:
• Communication ports
• Executable names and locations
• Data locations
• Service name and description
Key principles
• The core feature of Velociraptor is the Velociraptor Query Language (VQL), an expressive language providing power and flexibility
• We use VQL to construct Velociraptor artefacts
• Velociraptor artefacts encapsulate DFIR knowledge, so users don’t need to be DFIR experts
(Diagram: VQL functions and plugins, VQL queries and parameters combine to build Velociraptor artefacts, which perform the actions on endpoints: collect, analyse, monitor, respond.)
Key principles
We have questions to answer, e.g. what programs were executed?
We know where to look, e.g. shimcache, prefetch, exe’s on disk
We use VQL to build Velociraptor artefacts that encapsulate this knowledge
We use these same artefacts everywhere to collect, analyse and monitor endpoints
An artefact has three parts:
• Metadata, for understanding purpose, functions, resources and contributors
• Parameters, which provide easy customisation of things to look for
• Queries, which can be split into sub-queries for easy understanding and modification; VQL functions and plugins provide the capabilities
Comparison between osquery and VQL for checking child-parent process relationships (of the osquery version: “… this goes for a while”).
Velociraptor - SANS Summit 2019
Setup

Server setup
• Start the config generator (velociraptor config generate -i)
• Answer the questions (server OS, datastore location, the server’s public DNS name and ports, and an initial GUI user)
• Server and client config files are created (server.config.yaml and client.config.yaml, both plain text; the server file contains the CA and server private keys, so protect it like any other secret)
• Start the server (velociraptor --config server.config.yaml frontend -v)

Client deployment
Use your deployment method of choice. We recommend a signed MSI for Windows.

You’re ready to go
Clients have a persistent connection to the server. They’re awaiting your commands.
Scenario: Data collection

Browse remote computers
• File system via OS
• File system via raw (NTFS) access, which reads files the OS holds locked
• Windows Registry
• Collected artefacts
Collecting evidence from a single endpoint
We can collect all user hives from a single computer with a VQL artefact. This simple artefact enumerates all users, then collects each user’s hive.

Customise a collection artefact
Focussing on a known compromised account, by customising the artefact’s parameters.

Collecting all OS and user Registry hives
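An added example of what such an artefact looks like, written for this page rather than taken from the deck or from Velociraptor’s built-in artefacts. It shows the three parts described earlier (metadata, parameters, and a query split into sub-queries) and covers both collections above: with the default UserRegex it collects the OS hives and every user’s NTUSER.DAT; set UserRegex to one account name to focus on a known compromised user. The artefact name, parameter names and default hive locations are my choices; the artefact schema and the info(), glob(), split() and upload() calls are Velociraptor’s, in current syntax.

```yaml
# Added example for this page: not the deck's artefact and not a Velociraptor
# built-in. Artefact name, parameter names and default paths are assumptions.
name: Custom.Windows.Registry.CollectHives
description: |
  Collects the OS Registry hives and every user's NTUSER.DAT through the raw
  NTFS accessor, so hives that Windows holds locked can still be read while
  the machine is running. Set UserRegex to one account (e.g. "jsmith") to
  focus a collection on a known compromised user.

parameters:
  - name: HiveGlobs
    description: Comma-separated globs for the hives to collect (assumed locations).
    default: 'C:\Windows\System32\Config\{SAM,SECURITY,SOFTWARE,SYSTEM},C:\Users\*\NTUSER.DAT'
  - name: UserRegex
    description: Regex applied to the full path. "." matches every hive, "jsmith" only that user.
    default: '.'

sources:
  - precondition: SELECT OS FROM info() WHERE OS = "windows"
    query: |
      // Sub-query 1: enumerate candidate hive files (metadata only, nothing read yet).
      LET hives = SELECT FullPath, Size, Mtime
        FROM glob(globs=split(string=HiveGlobs, sep=","), accessor="ntfs")
        WHERE NOT IsDir

      // Sub-query 2: keep the accounts of interest and upload each hive to the
      // server's file store; the Upload column records what was sent.
      SELECT FullPath, Size, Mtime,
             upload(file=FullPath, accessor="ntfs") AS Upload
      FROM hives
      WHERE FullPath =~ UserRegex
```

Because the filter is a parameter, the same artefact serves the single-endpoint collection, the focused collection on one account, and (unchanged) a hunt across the network; the raw NTFS accessor is what makes it work on a live system where NTUSER.DAT and the OS hives are locked.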
Extending collection across the network
Any artefact that can be collected on a single computer can be hunted across the network.
• A hunt can cover a group of clients, or the whole network
• A hunt will continue running until it expires, or is stopped
• As new machines appear, they automatically join the hunt
Scenario: Finding files
The file finder artefact
• Use raw NTFS access to
bypass file system locks
• Use wildcards to ‘glob’
over directories
• Use Yara to search the
contents of files
• Filter by modified or
created dates
• Upload matching files to
the server for further
analysis.
• A great starting point for
making your own
collection artefacts.
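An added example combining the file finder capabilities listed above, written for this page (it is not the deck’s file finder artefact or Velociraptor’s built-in one): a cheap metadata pass over a glob with a modified-after filter, then a Yara content scan of the survivors through the raw NTFS accessor, with hits uploaded to the server. The artefact name, default glob, date and Yara rule are assumptions made for illustration; the rule is not a real detection signature. The glob(), yara(), foreach(), timestamp() and upload() calls are Velociraptor’s, and the Mtime comparison assumes the time semantics of current releases.

```yaml
# Added example for this page, not a Velociraptor built-in. Name, defaults and
# the Yara rule are illustrative assumptions.
name: Custom.Windows.Search.RecentYaraHits
description: |
  Finds files under SearchGlob modified after ModifiedAfter, scans their
  content with a Yara rule through the raw NTFS accessor (locked and in-use
  files are still readable), and uploads each hit for analysis.

parameters:
  - name: SearchGlob
    description: Where to look; "**" recurses into subdirectories.
    default: 'C:\Users\*\Downloads\**'
  - name: ModifiedAfter
    description: Only files modified after this time (RFC3339), to keep the scan small.
    default: '2019-01-01T00:00:00Z'
  - name: YaraRule
    description: Illustrative rule written for this example, not a real signature.
    default: |
      rule suspicious_powershell_launcher {
        strings:
          $ps  = "powershell" nocase ascii wide
          $enc = "-EncodedCommand" nocase ascii wide
          $b64 = "FromBase64String" nocase ascii wide
        condition:
          $ps and ($enc or $b64)
      }

sources:
  - precondition: SELECT OS FROM info() WHERE OS = "windows"
    query: |
      // Pass 1: metadata only. The date filter runs before any file content is read.
      LET candidates = SELECT FullPath, Size, Mtime
        FROM glob(globs=SearchGlob, accessor="ntfs")
        WHERE NOT IsDir
          AND Mtime > timestamp(string=ModifiedAfter)

      // Pass 2: content. yara() emits one row per matching rule per file; only
      // files with a hit reach the upload() call.
      SELECT FullPath, Size, Mtime, Rule,
             upload(file=FullPath, accessor="ntfs") AS Upload
      FROM foreach(
        row=candidates,
        query={
          SELECT Rule FROM yara(rules=YaraRule, files=FullPath, accessor="ntfs")
        })
```

Order matters for cost: globbing and the Mtime filter are metadata operations, while yara() reads every byte of each candidate, so narrowing first keeps a fleet-wide hunt affordable.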
Scenario: Hunt for forensic evidence

Hunt for use of SysInternals tools
• Some attackers use SysInternals tools
• These require accepting a EULA on first use
• This modifies a key in the user’s Registry: HKCU\Software\Sysinternals\<tool>\EulaAccepted is set to 1
• This Registry key can be a great malicious indicator: it records which tools a user ran, and the key’s last-write time records roughly when
(Screenshot of the results: this dodgy user has run PsExec and SDelete.)
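An added example of that hunt, written for this page (Velociraptor ships its own artefact for this check; this is not it, and not the one in the deck’s screenshot). It globs the Sysinternals keys of every loaded user hive under HKEY_USERS through the registry accessor, keeps those where EulaAccepted is set, and pulls the user’s SID out of the key path so the results can be joined to account names. The artefact name and default glob are assumptions; read_reg_key(), the Key column it returns and parse_string_with_regex() are Velociraptor’s.

```yaml
# Added example for this page, not a Velociraptor built-in. Name and glob are
# assumptions; the EulaAccepted key itself is what Sysinternals tools write.
name: Custom.Windows.Registry.SysinternalsEula
description: |
  Sysinternals tools write HKCU\Software\Sysinternals\<Tool>\EulaAccepted = 1
  the first time a user accepts the EULA. Hunting that key across the fleet
  gives a per-user list of which tools (PsExec, SDelete, ...) were run, and
  the key's last-write time says roughly when.

parameters:
  - name: SysinternalsGlob
    description: One key per tool under each loaded user hive.
    default: 'HKEY_USERS\*\Software\Sysinternals\*'

sources:
  - precondition: SELECT OS FROM info() WHERE OS = "windows"
    query: |
      // read_reg_key() returns one row per key, with each value as a column
      // (EulaAccepted here) and the key's own metadata in Key.
      SELECT Key.Name AS Tool,
             Key.FullPath AS KeyPath,
             Key.Mtime AS LastWrite,
             EulaAccepted,
             parse_string_with_regex(string=Key.FullPath,
                                     regex='(?P<SID>S-1-5-[-0-9]+)').SID AS UserSID
      FROM read_reg_key(globs=SysinternalsGlob, accessor="reg")
      WHERE EulaAccepted = 1
```

Two caveats a practitioner should keep in mind. HKEY_USERS only contains the hives of profiles that are currently loaded, so a user who logged off before the hunt ran will not appear; for those, parse the NTUSER.DAT files collected earlier with the raw_reg accessor instead. And the key is written only when the EULA is accepted interactively or via -accepteula, so an attacker who copies in a tool with the EULA already accepted in their own hive, or who uses a tool that never prompts, leaves no trace here.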
We have an artefact for that too
• UserAssist
• Timeline
• RecentApps
• AppCompatCache
* artefacts build upon each other
Lateral movement - WMI
(Screenshots: the evidence on the source computer, and on the destination computer.)
Scenario: Hunt for specific IOCs

Scenario: Hunt for shadow IT
Hunting for Dropbox usage

Turn hunting into monitoring
Event artefacts are never-ending VQL queries that watch for events on clients and stream those events to the server when they occur.
Scenario: Monitor DNS on the endpoints
© Velocidex Enterprises 2019 / www.velocidex.com
Monitor DNS on the endpoints
• DNS is an excellent network indicator ☺
• But many organisations still don’t log DNS ☹
• Logging on internal DNS or network gateway is
limited ☹
• Velociraptor can monitor DNS at the endpoint ☺
Monitoring DNS
© Velocidex Enterprises 2019 / www.velocidex.com
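An added example of such a client event artefact, written for this page; it is not the deck’s DNS artefact (the 2019 one captured packets) and not the current built-in. It subscribes to the Microsoft-Windows-DNS-Client ETW provider, which sees every lookup the Windows resolver performs, including those from hosts off the VPN or using a resolver of their own, and streams each completed query to the server. The artefact name and the exclusion regex are assumptions; the provider GUID and event ID 3008 are Microsoft’s, and watch_etw() and the System/EventData row layout are Velociraptor’s.

```yaml
# Added example for this page, not a Velociraptor built-in. Name and the
# ExcludeRegex default are assumptions made for illustration.
name: Custom.Windows.Events.DNSQueries
description: |
  Client event artefact: a never-ending query that subscribes to the
  Microsoft-Windows-DNS-Client ETW provider and streams each completed
  lookup to the server as it happens, so DNS is logged even where the
  gateway and internal resolvers cannot see it.
type: CLIENT_EVENT

parameters:
  - name: ExcludeRegex
    description: Noise dropped on the client before it is sent (assumed example domains).
    default: '(?i)\.(in-addr\.arpa|corp\.example\.com)$'

sources:
  - precondition: SELECT OS FROM info() WHERE OS = "windows"
    query: |
      // Event 3008 = "DNS query completed": carries the name, record type,
      // status and the answers. (3006 is the query start, without answers.)
      SELECT System.TimeStamp AS Timestamp,
             System.ProcessID AS PID,
             EventData.QueryName AS Query,
             EventData.QueryType AS QueryType,
             EventData.QueryStatus AS Status,
             EventData.QueryResults AS Results
      FROM watch_etw(guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}")
      WHERE System.ID = 3008
        AND NOT EventData.QueryName =~ ExcludeRegex
```

The query never returns on its own; the client keeps it running and forwards rows as they are produced, which is exactly what “never-ending VQL query” means above. Filtering with ExcludeRegex happens on the endpoint, so the noise never crosses the network, but keep the exclusions narrow: a too-broad regex is a blind spot you created yourself.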
Scenario: Monitoring USB devices
• USB drives are a constant threat:
• Can introduce malware
• Commonly used to exfiltrate confidential documents
• Forensic analysis of USB usage has blind spots
• Velociraptor provides artefacts that can watch for USB drive insertion and take various actions
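An added example of an event artefact that both watches for insertion and takes an action, written for this page rather than taken from the deck or from Velociraptor’s built-ins. It subscribes to WMI volume-arrival events and, for each new drive, immediately lists the volume’s top level, so there is a record of what was on the stick even if it is pulled seconds later. The artefact name is an assumption, as are the Parse column layout of wmi_events() rows and the wait value, which follow the pattern of Velociraptor’s built-in process-creation artefact; Win32_VolumeChangeEvent and its EventType 2 (“device arrival”) are Microsoft’s.

```yaml
# Added example for this page, not a Velociraptor built-in. The Parse column
# layout and the wait value are assumptions modelled on the built-in
# process-creation event artefact; verify them against your release.
name: Custom.Windows.Events.USBArrival
description: |
  Client event artefact: waits for a volume-arrival event from WMI, then
  lists the top level of the new volume and streams the listing to the
  server together with the event.
type: CLIENT_EVENT

parameters:
  - name: WQLQuery
    description: EventType 2 is "device arrival" for Win32_VolumeChangeEvent.
    default: SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2

sources:
  - precondition: SELECT OS FROM info() WHERE OS = "windows"
    query: |
      // Never-ending subscription: one row per arrival event.
      LET arrivals = SELECT Parse.DriveName AS Drive,
                            Parse.TIME_CREATED AS Created
        FROM wmi_events(query=WQLQuery, namespace="ROOT/CIMV2", wait=5000000)

      // The action: for each new drive letter, glob its root and emit one
      // row per top-level entry, tagged with the arrival it belongs to.
      SELECT Drive, Created, FullPath, Size, Mtime, IsDir
      FROM foreach(row=arrivals, query={
          SELECT FullPath, Size, Mtime, IsDir
          FROM glob(globs=Drive + "\\*")
      })
```

The “various actions” in the bullet above are whatever you put in the inner query: hashing the files, uploading anything matching a Yara rule, or recording the device’s serial from the Registry are all the same pattern, a foreach() over the event stream.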
Server event artefacts
Server event artefacts are similar to the client event artefacts, except they run on the server, typically consuming the events that client event artefacts stream in.
Scenario: Monitoring for encoded PowerShell
• PowerShell encoded commands are easy to decode individually, but harder at scale
• By default, Velociraptor watches all endpoint process execution and sends logs to the server
• When the server sees PowerShell, it checks for encoded commands and decodes them automatically
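The server-side half of this, as an added example written for this page (it is not the artefact in the deck’s screenshots and not a Velociraptor built-in): a SERVER_EVENT artefact that subscribes to the process-creation events clients are already streaming, picks out PowerShell command lines carrying an encoded command, and decodes the base64 UTF-16LE payload centrally. It assumes clients run the built-in Windows.Events.ProcessCreation client event artefact and that its rows carry Timestamp, PID, PPID and CommandLine; the artefact name and the regex are my own. The regex deliberately accepts the abbreviated switches (-e, -ec, -enc, and any prefix of -EncodedCommand) that powershell.exe accepts, because attackers rarely spell the switch out. watch_monitoring(), parse_string_with_regex(), base64decode() and utf16() are Velociraptor’s.

```yaml
# Added example for this page, not a Velociraptor built-in. Name and regex are
# assumptions; the event columns assume the built-in
# Windows.Events.ProcessCreation client artefact is enabled on clients.
name: Custom.Server.Monitor.EncodedPowerShell
description: |
  Server event artefact: watches process-creation events streamed from all
  clients and decodes PowerShell -EncodedCommand payloads (base64 of
  UTF-16LE text) in one place, instead of one analyst decoding one at a time.
type: SERVER_EVENT

parameters:
  - name: EncodedRegex
    description: Matches -e / -ec / -enc / -encodedcommand followed by a base64 blob.
    default: '(?i)[\s"]-e(c|n[a-z]*)?\s+(?P<B64>[A-Za-z0-9+/=]{16,})'

sources:
  - query: |
      // Only PowerShell launches that carry an encoded switch get this far;
      // Parsed holds the named capture groups of EncodedRegex.
      LET events = SELECT ClientId, Timestamp, PID, PPID, CommandLine,
               parse_string_with_regex(string=CommandLine,
                                       regex=EncodedRegex) AS Parsed
        FROM watch_monitoring(artifact="Windows.Events.ProcessCreation")
        WHERE CommandLine =~ "(?i)powershell|pwsh"
          AND CommandLine =~ EncodedRegex

      // -EncodedCommand is base64 of UTF-16LE, so decode then convert.
      SELECT ClientId, Timestamp, PID, PPID, CommandLine,
             utf16(string=base64decode(string=Parsed.B64)) AS DecodedCommand
      FROM events
```

Two points worth checking before trusting the output: a decoded command that itself contains FromBase64String or another -EncodedCommand is a second layer and needs the same treatment again, and the regex requires at least 16 base64 characters, so a very short encoded payload would be missed; lower the bound if your telemetry shows that happening.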
Introduce automation through the API

Scenario: Monitor for service creation and automatically sandbox the executable
The script, built up over several slides:
• A function to submit a file to an online sandbox
• Connect to the Velociraptor API
• Monitor files uploaded to the server
• Submit each uploaded file to the online sandbox
The event triggers the action, which submits the executable.
Turn monitoring into responding

Scenario: Block PsExec remoting
Note: this is a race condition. The response runs after the event that triggers it, so there is a window in which the remote command can still execute before the block takes effect.
So, what do you want to find?

Where to from here?
Velociraptor is a work in progress – please be patient
• Our development roadmap includes:
• Sysmon integration
• Better presentation of results
• Improving the user interface
• Expanding the artefact library
• Further documentation
• More artefact parsers
• A true kernel driver for Windows
Where can you start?
• Visit www.velocidex.com for
links to docs and downloads
• Download the latest release
• RTFM ☺
• Set up a test deployment
• Send us your ideas and input
• Contribute back to the project
www.velocidex.com
Thanks
Nick Klein
Director, Velocidex Enterprises
nick@velocidex.com
Director, Klein & Co.
nick@kleinco.com.au
SANS DFIR Certified Instructor
Mike Cohen
Director, Velocidex Enterprises
mike@velocidex.com