
Thank you. Okay, great. Yeah, thanks so much. All right everyone, thank you for your patience. Here today we have Eric and Whitney; they are the co-founders of Recon InfoSec, and today they'll be [unintelligible]. Awesome.

[Applause] Thanks a lot. Thanks so much, folks. Really appreciate you all showing up to catch this talk, especially right after lunch, or actually during lunch, depending on what time you eat. Really appreciate the BSides Tampa crew for having us out here. They reached out actually not that long ago; it was kind of a last-minute plan for us to come out here. They reached out because they wanted us to run our DFIR CTF. I said I'd love to, and so we said, well, we're already going to be here, let's do our best to submit a talk and see if folks want to hear about this really awesome tool that's near and dear to our hearts. So I'll give a quick round of introductions and then I'm going to explain a little bit about what Velociraptor is, because even if you've heard of it, which many of you probably have at this point, I'm hoping that this talk is going to shed some light on things that maybe you didn't know it was also very capable of. So let's dive into those intros.

A little bit about me: my name is Eric Capuano. I'm the CTO and one of the co-founders of Recon InfoSec, which is a managed detection and response provider out of Austin, Texas. A simple way to put that is we are a SOC as a service. Everything on the defensive side of security operations we handle, from threat hunting, detection, containment, eradication, all of the above, effectively. So we are blue team at heart, we are defenders, and that's kind of where our passion lies. I also teach digital forensics and incident response for SANS, for those of you that are familiar with SANS, and we've both taught for several years now at Black Hat. So if you go out to Vegas in the summertime you can actually catch us out there teaching live incident response inside of a simulated corporate network, and that's a lot of fun. Like many of my colleagues at Recon, I'm a former Air Force and Air National Guard member, supporting cyber warfare operations out of Lackland Air Force Base in San Antonio. A lot of cool experiences there; met a lot of really good people and convinced half of them to come and work with me at Recon, so that was fun. And I had another previous experience standing up the first security operations center for the Texas Department of Public Safety, which, just like in the State of Florida, is everything from state police and highway patrol all the way down to driver's licensing, regulatory services, you name it. So it's a mission-critical network: 450 locations across the state of Texas, and when I arrived there was no security capability at all. By the time I left, my team was publishing threat intel back up to US-CERT, so we had really kind of made a name for ourselves as a small, underfunded state agency; we were doing really good work. And I gotta say, one of the secrets that I picked up in that time was figuring out how to be highly effective at security operations with a shoestring budget, and that's where you'll quickly find out that open source is the magic answer. It really is. So hopefully you're in an organization that has an open mind to open source, because if you don't, you're missing out on some of the most powerful tools out there, and I'm talking even comparing to those really expensive off-the-shelf tools that we trust so much for unknown reasons. So that's one of the things we like to show off about open source: it can get a lot of good things done. Hopefully I didn't hit a nerve there. All right, let me turn it over to Whitney, who's actually kind of the superhero of our team. She's the lifter of many of the awesome things that we do.

You're gonna have to speak up, though. I'm not good at speaking up. I'm Whitney Champion. As Eric mentioned, I'm one of the co-founders and lead architect at Recon InfoSec, formerly Red Hat, [unintelligible]. My background is largely in cloud security and large-scale security infrastructure automation and orchestration. If you are familiar with the DEF CON Hacker Tracker, that was my brainchild many, many years ago, and if you see anything with angry eyebrows floating around the community, chances are it's my art as well. You're welcome.

Awesome. So let me give a high-level agenda of what we're hoping to
cover in this very, very condensed 45-minute session here. So we're going to talk a little bit about what Velociraptor is. For those of you that haven't heard of it, prepare to be enlightened; it's going to be one of your new most favorite tools. It certainly is one of mine. Then we're going to talk about some of the things that it can do. Like, for instance, and remember this is a SecOps talk: Velociraptor is well known as an incident response tool, and it is a phenomenal one, but what a lot of folks don't know is that you could use this daily, every day, in your SOC. Your IT team could even get value out of Velociraptor. So I'm going to talk about things like deploying and managing your other security agents, your EDR, Sysmon, whatever. Velociraptor can kind of be like the supervisor of those things, right? So there's a lot of cool things we can do there. There's things that we can do with these scheduled hunts and server events to basically keep a constant watch on certain things in our environment with nothing but Velociraptor in play. We'll also talk about how we can get real-time visibility into what's happening on our endpoints, which of course you probably know well: "that's what my SIEM does." Okay, but not everybody can afford a SIEM, right? And even though there are open source SIEMs, that's a lot of elbow grease to stand that up. So what if I told you Velociraptor is almost as good, if you have nothing better, to start getting real-time telemetry and advancing of what's going on inside your network, and even the ability to respond to those things? And then we're going to get into, okay, now what happens when it hits the fan: bad guy breaks in, starts trying to encrypt files, whatever. All right, now can we get involved with Velociraptor and do something about it? Absolutely. It's actually probably one of the things that it shines at the best, and that'll spill right into incident response, containment and remediation there at the end.

So let's talk about what it is. Now folks, let me tell you, even though it probably sounds like Velociraptor is going to be this wildly complex, who-knows, really impossible thing to stand up, deploy and even use, that could not be more opposite of the truth. It is the most simple thing you will probably ever try to deploy, even if you've ever done anything like it before. You pull down a single executable from GitHub and you deploy your server with it, and then that same executable is what all your clients are going to use; it just runs with a slightly different configuration. So that's it: a single executable, and you now have a Velociraptor server, and you can have tens of thousands of Velociraptor clients all connecting back to that server, giving you a real-time command and control capability over all your endpoints, whether that's just getting visibility, reaching into file systems and pulling back malware, or responding to a threat actor that's actively wreaking havoc inside of that network. So it doesn't get any easier than this, right? For those of you that have been around long enough to remember a project called GRR, Google Rapid Response, yep, see a lot of heads shaking, because GRR made a dent in the open source IR community because it was a very, very powerful toolkit. Let me tell you this: one of the developers of GRR was Mike Cohen, who eventually branched out, left Google and created Velociraptor, basically as a way of saying GRR could have been a lot simpler than it was, because one of the biggest complaints about GRR was that it's very powerful, but who's got time to stand that thing up and keep it running and alive and all that stuff. So basically he wrote Velociraptor to be the predecessor, or I should say the successor, of GRR, and he did a rock-solid job at it. So let me just kind of show you. So,
imagine that you drop your Velociraptor server on a box and you've got all your clients out there; the agents are connecting back to the server. You log into that server and you have a very, very simple and intuitive web interface, right? So you're not dropping to a shell and running SQL commands here. We can very easily pop into this list of clients here and I can see every one of my agents that are checking in. I've got a green light saying these are connected in real time, so anything I want to do to any of these systems is going to happen instantaneously. And by the way, that agent running on the box runs as a SYSTEM-level service, so there's no limit to what I can do; I have god mode on that box, right? So anything under the sun I can do, which, yes, for anybody thinking a little mischievous here, would be detrimental in the wrong hands, right? So keep that in mind. But that's true about any tools that we use, security tooling especially, right? You would never want an adversary to get access to your EDR portal; well, same thing here. So you want to make sure that this is something you do with defensible architecture in mind. But once I log in and take a peek at all these endpoints checking in, I can drill into any one of these endpoints to get more information, browse the file system (I'm going to show you some of that here in just a bit). I can also very smartly apply specific labels to subsets of my systems. So for instance, maybe I've got a pocket of systems that are critical, right: my domain controllers, Exchange, or if I'm a law enforcement agency I probably have CJIS systems; if I'm critical infrastructure I probably have SCADA/ICS systems. I can get in here and label and tag all those systems so that in the future I can run very targeted hunts: hey, I only want to hunt for this artifact on this subset of systems, or these or the others, right? So that's a pretty cool capability to have as well.

So let's say I decided I wanted to drill into one of these systems and take a deeper dive. I'm picking on this desktop device here; it's running Windows 10 Pro, okay, got it, and we're going to click into it and see what we can do inside of the context of this system, right? So clicking into it, I now have a summary of that endpoint: I've got its unique client ID, some version information, all that kind of good stuff, the operating system, fully qualified domain name, all that. Okay, cool. Now there's a variety of options that I have access to in here, and one thing I'm pointing out, the reason this arrow is up here, is because as I start clicking through some of these other menu items up here, this is reminding me of the context of what I'm looking at. So I'm looking at this system, this desktop machine here. Now I'm going to do a deeper dive into some of these other functions and features, but I'm going to go ahead and hand it off to Whitney to talk about how we can use Velociraptor to orchestrate our security agents of any kind, whether it's SentinelOne or Carbon Black or whatever, using Velociraptor to maintain full posture of those agents.

All right, so as Eric mentioned, we use Velociraptor heavily for agent
deployment and orchestration, something we do a lot in our line of work. So whether it's Sysmon or Winlogbeat or Filebeat, it could even be your EDR agent that may or may not be a headache to deploy; well, Velociraptor allows us to do that really quickly and really easily at large scale, which is why we use it. And so Velociraptor comes with a lot of artifacts (they're called artifacts in Velociraptor; we'll get to that in a minute), but it comes with a lot of artifacts out of the box and one of those is for Sysmon. So it's specifically built for deploying Sysmon across all of your endpoints. So in this case we're going to create a hunt and say, hey, I want to take all my Windows boxes and push Sysmon to everything that's out there. So this is Windows.Sysinternals.SysmonInstall; you may or may not be able to read that, but that's the name of the built-in artifact from Velociraptor to deploy Sysmon, and it uses something called tools inside of Velociraptor, so it's a tool inside of a tool, basically. So if you see, we've got two tools listed: one is the Sysmon binary and one is the Sysmon config. So what Mike Cohen has built into this is essentially a really simple way to deploy binaries or config files or you name it, really smoothly, because what it does is it uploads those files to Velociraptor. So this does two things for us. This allows us to download the binary or config file or whatever it is; it downloads it to the Velociraptor server, so now your endpoint no longer has to go and reach out to some third party. It's just going to reach out to Velociraptor and say, hey, give me this file, because Velociraptor has already fetched it and stored it. So you no longer have to have another communication that may or may not be blocked on the network in that particular environment. The other thing it does is it caches that file, so if your system has to reuse it or grab it later on in the artifact, it's already there: the executable or the XML or whatever file it is you need. So this is basically just going to pull down the Sysmon binary in this case.

So we know how to deploy Sysmon via a hunt, but one of the things that we don't want to do all the time in all of our environments is go deploy this manually. So one of the really powerful things about Velociraptor is this thing called client event monitoring and client event artifacts. So essentially what we're going to do is say, hey, set it and forget it, because we don't want to do this over and over again. We're going to use labels, which are built into Velociraptor. The name of the label is arbitrary, but hey, we want everything that's labeled Recon99 to check in and get this artifact that is called Windows checks (the name doesn't matter), but basically what it's going to do is set up a job that runs constantly and goes and deploys this to everything labeled Recon99. A really good use case of that is if you know you want a 100% deployment rate of a certain agent like Sysmon; then this means that the second Velociraptor gets installed on a box and it checks in, Velociraptor is going to push this on automatically, without delay. So it's just a way to know you've got that full coverage that you expect to have. And what it's going to do is, depending on the time frame that you put on here, it's not just going to run it when it checks in; it's going to run when it checks in and then every X amount of time from there on out. So it could be every five minutes, it could be every five hours, it could be every other day, every month, it doesn't matter, but you can essentially set it and forget it and say, hey, I want this thing to run indefinitely on all of these systems. It could be by OS, it could be by label, whatever you need, and in this case it's just everything that's Windows that's going to pick up this artifact. So this is the artifact that it's actually running behind. It's an artifact; there's an artifact for the artifacts, it's all fun. This is also all VQL, which, if you're not familiar, is Velociraptor Query Language, so yet another query language to have fun with. Basically what this is doing is it's going to go say, hey, is Sysmon on the box, yes or no? Well, if it is, cool; if it's not, go deploy it; if the service is there but it's not running, go start it; if it's running, we're all good, continue on and it doesn't do anything. Because what we don't want is for it to keep redeploying and redeploying; we just want to make sure it's there and make sure it's happy and move along. So this is, just for grins, what it looks like on the back end when it does run. It says, hey, I've checked in every 10 minutes from here on out, we're okay, I'm not going to deploy anything, basically to give you visibility into what it's actually doing. Because imagine, I mean, you might deploy Sysmon to 10,000 endpoints, but do you know every hour of every day that Sysmon is on those endpoints and is still running, right? That's essentially what this is doing every 10 minutes. Oh, and if it stops running, guess what, we're going to start it right back up. So even if you get an adversary in there jacking around, or a customer who wants their stuff turned off, because we've all been there, it'll turn right back on and they won't even know.

So one of the really powerful things that Velociraptor allows us to do is what we're doing here in server event monitoring. So we can schedule hunts; we can schedule all kinds of things in here, and this allows us to do a lot more with our endpoints and a lot more
with our data. Does anybody in here use Velociraptor currently? Oh, good, one. Okay. Well, we use it a whole lot in IRs, in incidents, to do the triage acquisitions of particular endpoints, and so that requires going out, gathering a whole ton of data from a whole ton of endpoints, and then doing something with that data. So Velociraptor lets us do that very quickly, very easily, at scale, whenever we need to. That's at the end, so stick around; we'll talk about triage. You bet.

So one of the things that's already built into Velociraptor is an artifact called KapeFiles. So if anybody is familiar with KAPE (by show of hands, one person at least is familiar with KAPE), it's a tool by Eric Zimmerman. KAPE is not open source, but this particular list of files is, and what that list of files is, it's all the things that we should go collect when we're in the middle of an IR and don't know what we need to get off a box. So this list is built into one of the artifacts of Velociraptor and we can go pick and choose the MFT, registry, whatever we need to get off the box, endpoint logs, all that stuff will get pulled down and bundled up. So this artifact is essentially going to sit here and monitor and wait for us to run that triage on any endpoint and then say, hey, what do you want to do with this data? And in this particular instance we're going to say: watch for us to run this KAPE artifact, and when it's done, take all those files, zip them all up and then shoot them up to S3. But this doesn't necessarily have to be S3; it can be wherever you want your data to go, which is what makes this really powerful, because you can do lots of other things with data that would otherwise have been a royal pain in the butt to go gather. This is a snippet of the artifact. (Oops, what did I just push? You're going forward. I'm hitting the back button, why am I hitting that? You're hitting forward. No, but I hit back. Okay, there we go, there we go.) So this is a snippet of the artifact. Eric and I did a talk a couple years ago, it was "Breaches Be Crazy," it was at the SANS DFIR Summit, and so it was in this repo that we give you the full dump of all of that.

But that was also really useful. So say you've got thousands of endpoints and you want to be able to gather all this data from all of your endpoints continuously. Velociraptor allows us to do that really easily because there's already all these artifacts bundled in it that go grab users, go grab network information, go grab services that are running, packages that are installed, anything that you want to gather off of an endpoint and keep that data in, could be a CMDB, it could just be a different inventory back-end. You get all these things regularly and gather them, and you can basically use those same server monitoring artifacts to pump them into a back-end database. How many times has an Atlassian bug or a ManageEngine zero-day dropped and you'd love to answer the question, where is that software in my network? Right, I'm gonna tell you right now, that's a tough question to answer unless you've got a lot of real expensive tooling. Well, Velociraptor is already on the endpoint; you can already interrogate and get those software packages, bring them up to the server, pump them into a database, and now you've got a running snapshot of all software, all users, everything, on all those endpoints, in a database. So these artifacts are called server event artifacts, and so that's exactly what this is doing. It says every morning at 3 a.m., go grab everything from this artifact and pump it into whatever back-end database of my choosing, and in this case it's just services, but like I said, it could be packages, it could be users, it could be network information, whatever it is you want to gather and ship elsewhere. So this particular artifact will take anything from an artifact name that matches the regex of your choosing; it says go grab all this data from all of my endpoints and then push it to a SQL server. But like I said, it can go anywhere: you can push it to Elastic, you can push it to Splunk, SQLite, S3; it's very flexible. And the other benefit of it being open source: if you want to shape it to a different kind of endpoint or a different kind of back-end, it's totally doable and totally buildable.
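[Editor's note: the two patterns just described, a client event artifact that keeps Sysmon installed and running on every labeled host, and a server event artifact that watches for completed collections and ships their rows to a back-end, as an added example written for this page. These are not the speakers' artifacts, nor artifacts that ship with Velociraptor; the artifact names, the Sysmon service name, the label, and the Elastic address and index are assumptions. Only the built-in pieces they call (Windows.Sysinternals.SysmonInstall, System.Flow.Completion, services(), execve(), switch(), clock(), watch_monitoring(), source(), elastic_upload()) are Velociraptor's own.]

```yaml
# Added example (editor's, not the speakers' and not part of Velociraptor).
# Two custom artifacts in Velociraptor's YAML artifact format. Load them via
# View Artifacts > Add, then enable the first under Client Events (scoped to a
# label such as "Recon99") and the second under Server Events.
name: Custom.Client.SysmonWatchdog
description: |
  Client event artifact. Every Period seconds, check the Sysmon service:
  running -> report and do nothing; present but stopped -> start it;
  absent -> deploy it with the built-in Windows.Sysinternals.SysmonInstall.
  The name "Sysmon64" is an assumption (64-bit Sysmon's default service name).
type: CLIENT_EVENT
parameters:
  - name: ServiceName
    default: Sysmon64
  - name: Period
    type: int
    default: "600"          # 10 minutes, as in the talk
sources:
  - query: |
      SELECT * FROM foreach(
        row={ SELECT * FROM clock(period=Period) },
        query={
          SELECT timestamp(epoch=now()) AS Checked, ServiceName, Action
          FROM switch(
            // switch() emits rows from the first branch that returns any.
            running={
              SELECT "already running" AS Action
              FROM services() WHERE Name = ServiceName AND State = "Running"
            },
            stopped={
              // Service exists but is not running: start it with sc.exe.
              SELECT "started stopped service" AS Action
              FROM foreach(
                row={ SELECT Name FROM services() WHERE Name = ServiceName },
                query={ SELECT * FROM execve(argv=["sc.exe", "start", ServiceName]) })
            },
            missing={
              // No such service: run the built-in installer artifact.
              SELECT "deployed Sysmon" AS Action
              FROM Artifact.Windows.Sysinternals.SysmonInstall()
            })
        })
---
name: Custom.Server.ForwardToElastic
description: |
  Server event artifact. Watches System.Flow.Completion for any finished
  collection (hunt or single flow) whose results include ArtifactName and
  ships every result row, tagged with ClientId and FlowId, to Elasticsearch.
  Replace elastic_upload() with upload_s3(), sqlite or another sink as needed.
  Address and index are assumptions.
type: SERVER_EVENT
parameters:
  - name: ArtifactName
    default: "Windows.Sys.Programs"
  - name: ElasticAddresses
    default: "http://127.0.0.1:9200"   # comma-separated list
  - name: ElasticIndex
    default: "velociraptor-programs"
sources:
  - query: |
      LET completions = SELECT ClientId, FlowId,
                               Flow.artifacts_with_results AS Artifacts
        FROM watch_monitoring(artifact="System.Flow.Completion")
        WHERE Artifacts =~ ArtifactName

      // For each completed flow, read its stored results back from the server.
      LET rows = SELECT * FROM foreach(
        row=completions,
        query={
          SELECT *, ClientId, FlowId, timestamp(epoch=now()) AS Shipped
          FROM source(client_id=ClientId, flow_id=FlowId, artifact=ArtifactName)
        })

      SELECT * FROM elastic_upload(
        query=rows,
        addresses=split(string=ElasticAddresses, sep=","),
        index=ElasticIndex)
```

The watchdog deliberately reports an Action on every tick even when nothing changed; those rows are what give the "checked in every 10 minutes, nothing to do" visibility described above, and a sudden run of "started stopped service" rows from one host is itself worth an alert.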
Oh, awesome. So let's talk about some of those visibility things that we get to tap into here, and you know, folks, you're going to start to see some capabilities here and you're going to say, yeah, but my EDR can do that. Okay, I would agree, but I would also ask you to compare the price tag, right? Because EDR is nice; it's nice when you have it, and I work with a lot of orgs that don't have the budget for some of those types of tools, so keep an open mind when I show you some of the things we're able to do here with this awesomely free tool.

So here we are back at that endpoint screen, right? So I'm taking a look at one of my systems in my environment and I want to take a deeper dive; I want to be able to maybe run some commands, maybe just poke around a little bit here. So what I can do is drop into this little icon right here (my arrow's misaligned, sorry about that), the shell icon here. I click into that and now I can execute any command on this box, whether it's a PowerShell command, cmd, Bash for applicable systems, you name it, and I can run a command and get the results right here. Now that might sound trivial, but it's actually not, because to be able to get a command prompt on a remote system securely, you really gotta kind of know what you're doing there. Well, this is a local SYSTEM service running on this box, so I'm not passing credentials or anything like that in order to run these commands. So yeah, I could just ask quick questions like, hey, show me all your running processes with the Get-Process command, and there you have it, there's all my running processes. And as you know, with something like PowerShell there's no limit to what I can do here, right? I could run a download cradle with an eradication script and blow an attacker off a box before they know what happened. That's kind of cool, but I'll also admit, a bit manual, right? I'm not necessarily going to be using this on every IR I do, and that's also not the way that Velociraptor was designed to be used, but it's kind of neat that I can do that.

Now here's a really cool trick, and a really undervalued capability. If I wanted to drill into the file system of this endpoint, right, how many times have you wished you could reach into someone's computer and get that one macro-enabled Excel document out of their downloads so you could quickly deconflict: is this a threat or not? Right, I don't want to call the user and say, hey, we're looking at your email, can you forward that to me. So what if I could just reach into the file system and grab a copy of it myself? You bet. So what we do is we click into VFS, and as you can see over here on the left-hand side I've got a full directory tree of the C drive; in this case we also have a D drive. I can also go into the registry hives just like they were a file system, and I can drill down to any location on this disk, because I have full privileges on this machine, so there's no protections that are going to stop me. I can go into that user's Downloads directory and say, that's the file I want right there. Let's click "download from client," and what it's going to do is fetch that file off the endpoint, ship it up to the Velociraptor server, and hash it a couple times, which, you know what, that's probably all I needed right there, right? I'm going to take that hash, plug it into VirusTotal, and find out what this is really quickly. But if that's not enough, if I want this sample in my little hands, I'll just click this right here and download it off the Velociraptor server onto my analysis workstation and start taking it apart. So that's pretty cool, but that's just one example, right?

Another example I'd like to show here on this next slide, and this one's probably nearly impossible to see, but I'll walk you through what's up on the screen right now: there are many very juicy forensic artifacts that we know and love when we're doing IR, especially around the usage of PowerShell, and one of the artifacts that we love with PowerShell is what we call transcript logs. These are logs that basically capture an entire PowerShell session in a text file on the disk, in the user profile that was responsible for creating it, right? So what I can do
is browse to that location and peek right into your PowerShell session and see every command you ran and every output of that command, just because I have this ability to browse the file system here remotely. So that's kind of neat.

Same thing goes with the registry. So all I'm showing you here, and forgive me, I know it just gets harder to see with the dark slide, but what I'm showing you here is we've dove into a specific location of the registry for a well-known tool like the Sysinternals toolkit, right? Now this is just Sysmon, but Sysinternals also includes tools like PsExec, SDelete, some of the evil tools we don't like to see a whole lot of. Well, I would say right now this is a really juicy indicator of compromise: when I can find the EulaAccepted flag inside the user's registry hive, I know that they used that tool, right? And I can just easily browse to that location right there in the VFS, just like it was a file system. Okay.

Now, let's say I really want to use Velociraptor for what it was designed for. It was designed for very systematically pulling and parsing artifacts off of an endpoint, right? So let's go through that process here and pretend we're gonna dive into one of these endpoints and collect specific artifacts from it using the built-in artifacts that Velociraptor ships with. So in this example, what I'm going to do is a bit more sophisticated than a minute ago, when I ran Get-Process just to list the processes on one system. You know, it would be a lot more powerful: what if I could get processes on a thousand systems at one time, bring all of that data back, and say just show me the least common or the rarest processes, or the ones that are not digitally signed, or some combination of the two? This is exactly how I'd approach that. So I'm going to run a hunt across all of my endpoints saying get the running processes; the artifact I'm going to use for that is this one right here, it's called Windows.System.Pslist. Now this is a lot juicier than simply running Get-Process, because it's not just getting processes here. What it's also going to do for me is enrich those processes with additional information like the hashes of the executables, as well as the Authenticode code-signing status of those binaries. Because just looking at process names, I don't know, svchost, there's 12 of them, I don't know which one's legit or not, but when I start bringing in code-signing status, full path information, as well as the hashes, I can very quickly find anomalies in this environment, and the more data I have, the easier it is to find those anomalies, because I'm going to use things like least prevalence, right? So that's what we're going to work towards here in this example. So build this little hunt here; we're going to run this across a handful of endpoints, and let's take a look at the results that come back.

So we're back here at the hunt manager screen. Up on the top half you can see where I created that hunt, "get all running processes." Well, down below in this little notebook, these are the results of that hunt, and there are probably thousands and thousands of rows of results that come back. I'm not going to look through all of those; I'm going to use the power of the notebook and just say, hey, I only care about the least prevalent, so the processes that came back on the fewest number of systems. They're rare, that's interesting, but I'm also really interested in things that are not trusted, meaning they're not digitally signed by a trusted publisher; that's another anomaly. And as it happens, right here in this screenshot there is definitely malware to be found, and you don't have to look very far. Matter of fact, you could just pay attention to the counts here; that's a pretty clear giveaway, and then the next giveaway is the untrusted code. I don't know about you, but I don't like the looks of either of these executables, right? Just going out on a limb, maybe something worth looking into. In this case it was absolutely 100% malicious, but just showing you, I didn't need any fancy tooling or big SIEM or anything to find this, right? And that's pretty cool.

So here's another use case. Hey, remember the example I gave a few minutes ago: a new zero-day drops, right, because that never happens. A new zero-day drops in some kind of Java runtime environment or desktop runtime environment or whatever, Adobe PDF, whatever, okay, and you
need to now answer the question, where are we exposed? Where in our network are we running that version of that particular software? Again, not an easy question to answer without certain types of tools. Well, same thing I just did: go and get all the programs on all the boxes, period. When that data comes back, I'm going to use a notebook to basically search and filter for a certain file or a certain program name, a certain version; the sky's the limit. I can also use the prevalence tactic: show me the least commonly installed software in this environment. Why do I only have TeamViewer on one system out of 500? Hmm, right, might be worth looking into. So it's another cool trick, right? This isn't super down-in-the-weeds incident-responsey; no, this is basic everyday security operations. You know, know what your least prevalent executions are, know what your least prevalent installed programs are, and there's some pretty quick wins here. So this is just me scheduling that hunt, "get software on all systems," and kicking that off. There's the artifact we're going to use, Windows.Sys.Programs, and you know what I love about these artifacts is that they're not closed source; it's very, very transparent about what it's doing: hey, I'm going to query these registry keys and get all the installed programs from these locations, and this is how I'm going to parse the results, how I'm going to name each column that comes back. If you don't like it, you can click the edit button on that artifact and change it to be whatever you want. You want to add more to it, you want to get it to do something fancier, it's all open, ready to be changed to do exactly what you want it to do. So we've run that hunt against, in this case, 54 systems to go get all the software that's installed, and then here's just yet another example of how we can use least prevalence. So notice how I've got them sorted by count here. If you're wondering how I did that, this is a preview into the notebook editor, where I can basically choose exactly how this notebook gets parsed, because there could be thousands and thousands of results here. I don't care to look at all of them, so I'm going to write a little query in this notebook that says, okay, here are the columns I want to see, and I want to group and count based on the display name, display version and what have you, right? And then I'm going to filter out this noise, like language packs or anything signed by Microsoft, don't care about that, and then we're going to group and we're going to sort, right? So this is the result: I've got mainly only the least prevalent software in this environment now, and that's what made it possible to find things that you might want to make sure the SOC knows about, right? VNC servers, Hide My Ass Pro VPN, yep, CCleaner, WinRAR, I mean, I'm just saying, I'm not saying all this is evil. I don't know, anybody know what this is? K-Lite, yeah, yeah, okay. But then you get something like uTorrent, right? I don't know, all I'm gonna say is that might violate some sort of acceptable use policy, right? But okay, all right, moving on, moving on.

Real-time advancing now, okay, because another critical capability of any security team, especially IR teams, but security teams just as much, is having visibility on an endpoint in real time, not just a point in time, "get the data and go parse it somewhere." No, I mean what's happening right this second. We can do that here, and we can also configure Velociraptor to forward logs for us if we needed to in a pinch. So let me show you a couple examples of the real-time events that we have access to, and by the way, this view right here that I've got up, this is basically just the artifact browser. When you're going to run a hunt and you're looking for a certain artifact and you're not even sure what it's called, just start typing up there in the search bar and it's
going to automatically filter for artifacts that have that in the name it's a quick way to find out what can Velociraptor even do right search for the word execution search for the word you know ms-1710 search for all kinds of fun words and you're going to see a lot of built-in capabilities here but okay so in this in this case though I'm looking that one particular artifact called Windows etw DNS and so etw we're using the Windows Event tracing to basically watch in real time every DNS query made by this system that's actually a really hard piece of telemetry to get I promise you there are no really built-in reliable ways of watching all the DNS queries that a
system makes unless you've got Network sensors right or you've got the the DNS server logs but you can't force a client to use your DNS server in many cases so I just
like malware.com and I want to know every system that has resolved that that domain name I'll very quickly be able to figure that out with these uh DNS events another similar example and this one's hand down hands down my favorite process creation I tell my students all the time one of the most valuable Telemetry sources I have in an environment is process creation because I don't care if it's nation state zero day evilness or script kitties they're all going to involve process creation they're all launching programs launching processes launching you know LOL bins or whatever so process creation is where the truth lies so that's one of the first Telemetry sources I go to turn on
when I get into an incident is I need process creation if nothing else this all right so in a pinch I can turn on this artifact in Velociraptor and it will start watching every process creation event and ship it stream it real time to lost Raptor so not only do I know that okay uh you know Excel just launched VPS you know some Visual Basic script through the the the the W script engine or something but I know the parent uh An ancestry of that process as well so let me show you an example of what that looks like here in just a quick sec but as most of you are hopefully familiar with you've got things like sysmon
already right sysmon does a really awesome job at this too DNS uh um queries uh process creation file creation file system uh timestamp manipulation the list goes on so so let me just put system on the box yes you should there's a built-in artifact that you've already seen will deploys this month for you there's another one that will ingest its logs and ship them to Velociraptor so if you already know the value of that Telemetry now you've got a free way to centralize it if you don't have something better now when I'm not saying here folks I'm not saying that Velociraptor is all you need for Telemetry okay I'm saying if it's all you have
you can get a lot of value out of it so this is an example if I had flipped on for instance process creation tracking on an endpoint with Velociraptor and then started streaming those events in real time this is what it would look like so what I'm able to see here are all the processes that have launched you can see them all down here but notice under the call chain I get to see basically the ancestry of that process because no process launches itself something launched it and something launched that parent too right so I can kind of follow the tree and this is a quick way to start to identify anomalies because maybe SVC host is legit but if
it was not launched by a legit parent that might be the thing that kind of keys me in on something out of uh the ordinary here so this is just phenomenal and which is very valuable if I know I've got Ontario on the system and I don't want to miss a beat I want to see every command they run I want to see every process they launch I can sit here and stream that um and then there's just a similar example but in this case what I'm actually using is not the built-in Eventing I've got system on the box now and I've just simply told it to forward the small logs it's the same type of
output here so I've got uh in this case network connections so on the left hand side you see all the processes that are creating network connections but now I have for instance destination hostname destination IP destination port and when it happened so I'm seeing real-time network connection information cross it between process creation and network connections there's nothing you can do on this box I'm not going to see right and that's kind of neat for free 99 but but let's get a little I know I know some of you in the room are like okay I was hoping for a little bit meatier topic so uh for the limited time we still have here I'll I'm going to move a
little quickly through some of these but bear with me folks anybody wants to talk about it we'll hang out we'll answer questions but threat hunting detection yes what if I want to hunt for threats I don't want to sit here and watch in real time I only want to hunt for specific threats like for instance somebody once told me that kerberosting is this very terrifying credential theft attack because any user in my environment can do it they don't require any kind of privileges in order to Kerberos attack so I could go from regular user to domain admin with this technique sure sounds like something I should be looking for in my environment right there's a built-in artifact for that so
I could turn on this Windows events curb roasting detection and now Velociraptor is constantly looking for signs of curb roasting in my environment hey that's cool how much does that cost again oh it's free right cool awesome another tool now this is another tool I'm going to bolt on here for a quick second you want to find threats on an endpoint in seconds and you don't have a seam let me tell you about a quick tool called Hayabusa you might already be familiar with a tool that's like it called chainsaw it's been around longer Hayabusa is kind of the next thing what Hayabusa is is a very small lightweight agent you could drop at an endpoint and
it will scan all the event logs for about 1200 different well-known threads well I can just deploy that with Velociraptor and now I can do that across 10 000 systems at one time well Eric you should use the seam for that yes but if there's not a seam this might be my next closest capability to a seam and that is phenomenal capability here so uh thanks to to Whitney and I we decided to turn that into an artifact so that's a built-in capability you can run Windows event logs Hayabusa it'll push it down run it and just show you where the threats are in those event logs and this is just simply what it looks like
to run that artifact no big deal here if you ever want to get Hands-On with it be sure to check it out basically what it's doing is it's pulling down all those well-known threat signatures off of Sigma but it also has its own built-in threat signatures as well and it's just going to go through and parse those event logs looking for bad guys like it has done here so we ran this against an endpoint that definitely had threats on it and this is the result from the Hayabusa execution so it discovered several critical level uh detections Cobalt strike service installations used in lateral movement uh of the uh copper strike Beacon payload so again pretty
cool for two tools the price is double though if you use Velociraptor and Hayabusa it doubles the price but they're both free so you're still cool all right this is just a little G whiz into what a sigma signature is I'm not going to go into that but I did drop a link here in the slides and this talk is recorded but if you want to know more about the detection rules the sigma project is one you must know as a Defender and you probably should know as an offensive person too because that's how we catch it but uh good stuff we love Sigma all right but let's take it even further right so another one of
those really fancy EDR only capabilities is what if I suspect there's a threat actor in my network using some evil tool like Cobalt strike you know what really be an easy way to find them what if I could just sit in a Yara scan for Cobalt strike beacons in memory of all of my systems well that sounds expensive right but Velociraptor can do it as well so all I have to do is say hey I'm going to Yara scan processes on every Windows system in this environment and what am I going to scan for well check this out if you go to this artifact Windows detection Yara process which as you can derive scans processes in memory with
whatever your signature you want if you come to this artifact and change nothing just leave it the defaults the default Yara signature is Cobalt strike Beacon uh I could change nothing and just say yeah sure go ahead launch and you are now finding one of the most prolific attack tools in the world in memory across all your systems in a matter of minutes I think that's kind of neat but hey you got better your signatures than that no problem just provide a URL to that signature or upload it right here and you're scanning for whatever you could possibly imagine using this uh agent and it cannot it's not only able to scan the processes it can also scan the file
system whatever you want it to do it'll find it'll find the stuff so if you want to get Savvy with Yara there's so many open source repositories of your rules it's really just the limit is your imagination of where to go get fancy fun yard rules that you could feed to Velociraptor and immediately start hunting for threats all right let's say we found some threats I got some bad guys in my environment I don't like it but I need to know everywhere that they are I need to fully determine the scope of this intrusion right maybe all I have is the name of a file the name of a process can I use Velociraptor to find everywhere
that the bad guys are yes so what we'll do is we'll say I want to find iocs across all my systems so in this case the ioc that we're choosing here is the name of a couple really suspicious executables that we've already found right we saw this when we were just looking at rare processes in our environment untrusted processes so if these are those executables what I'm able to do is here is I can search the file system of every system in my network for the presence of these files it'll take about 30 seconds or less I don't care how many thousands of systems you you're going to run this on it's very very very fast I could also use ER
rule or whatever and hey by the way I can say if you find any of these go ahead and hash them or even just upload them to my server so I can analyze them further run the hunt what do we get we got hits we got hits on this system here it13 has hits for those file names at these locations and there's the scope based on the iocs that we provided that's kind of neat all right so we're gonna we're gonna move real quick here because I think I'm out of time um feel free to give me the boot folks if I'm if I'm holding up the next speaker but um but if I wanted to get
into full incident response mode I can absolutely do that so I've already identified a few systems maybe I want to know everywhere that the compromised user has been I can use an artifact like this one here event logs already P off provide that a regular expression pattern for a compromised user like in this case James dinar sorry James your your creds have been stolen the attacker is using your account to move around our Network and I need to know everywhere James denard's been this artifact is going to answer that question so I can now see everywhere that James Denard has logged in inside this network just by running a quick scan against every one of the endpoints looking at
their event logs log on events involving James Leonard once again Eric I can do this with my seam okay cool if you have a seam that's the place to go for this if you don't which as an IR consultant there's never a scene right this is the next best way to answer some of the same questions but folks I'm gonna I'm gonna press through here um one last capability we can do from an IR perspective if I identify boxes that I know were popped of course the next thing I want to do is stop the bleeding right Velociraptor will quarantine that system for you I can even do it automatically I could say if you ever
see TT count back.exe execute boom quarantine the box pop up this message to the user so they know what's just happened I still have connectivity from Velociraptor it can no longer talk to anything else so ransomware whatever it's not going anywhere that's kind of neat as well but here folks I know we're out of time here we'll post slides for anybody that's curious we're just talking about some triage acquisition stuff like my friend up here asked yes Velociraptor can be your forensic triage acquisition tool to get all the forensic data that you need on an effective input but here folks I'm going to throw up our uh our exit slide here if anybody has any questions we'll be around check out
our booth over the main lobby thank you so much for having us sorry for running late
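The least-prevalence grouping the talk describes for the installed-software hunt (count distinct hosts per program and version, drop Microsoft-signed software and language packs, sort rarest first), as an added Python example that is neither Velociraptor's code nor the speaker's notebook query; the column names Fqdn, DisplayName, DisplayVersion and Publisher are assumed to mirror the hunt output, and the inventory rows are constructed.

```python
"""Least-prevalence analysis over a software inventory, the same logic the
talk's notebook query applies to Windows.Sys.Programs hunt results.

Added example, not Velociraptor code. Column names (Fqdn, DisplayName,
DisplayVersion, Publisher) are assumed to mirror the hunt output; the rows
below are constructed sample data, not real hosts."""
import re
from collections import defaultdict


def row(fqdn, name, version, publisher):
    return {"Fqdn": fqdn, "DisplayName": name,
            "DisplayVersion": version, "Publisher": publisher}


HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05"]

# Constructed inventory: common software on every host, plus a few one-offs.
INVENTORY = (
    [row(h, "7-Zip", "23.01", "Igor Pavlov") for h in HOSTS]
    + [row(h, "Microsoft Edge", "117.0", "Microsoft Corporation") for h in HOSTS]
    + [row(h, "English Language Pack", "1.0", "Microsoft Corporation") for h in HOSTS]
    + [row(h, "Google Chrome", "117.0", "Google LLC") for h in HOSTS[:3]]
    + [row("ws03", "TeamViewer", "15.44", "TeamViewer Germany GmbH"),
       row("ws05", "uTorrent", "3.6", "BitTorrent Inc."),
       row("ws05", "K-Lite Codec Pack", "17.8", "KLCP")]
)

# The noise the talk filters out before grouping: Microsoft-published
# software and language packs.
NOISE = (
    lambda r: r["Publisher"].startswith("Microsoft"),
    lambda r: re.search(r"language pack", r["DisplayName"], re.I) is not None,
)


def prevalence(rows, key_fields=("DisplayName", "DisplayVersion"), noise=NOISE):
    """Group rows by key_fields and count distinct hosts per group.

    Returns (key, host_count, sorted_hosts) tuples, rarest first, so the
    one-offs the SOC should look at sit at the top of the list."""
    hosts = defaultdict(set)
    for r in rows:
        if any(is_noise(r) for is_noise in noise):
            continue
        hosts[tuple(r[k] for k in key_fields)].add(r["Fqdn"])
    return sorted(((k, len(h), sorted(h)) for k, h in hosts.items()),
                  key=lambda t: (t[1], t[0]))


def rare(rows, max_hosts=1, **kw):
    """Only the entries seen on at most max_hosts hosts: the review list."""
    return [t for t in prevalence(rows, **kw) if t[1] <= max_hosts]


if __name__ == "__main__":
    for key, count, where in prevalence(INVENTORY):
        print(f"{count:>3}  {' '.join(key):<32} {','.join(where)}")
```

The same function works for the "least prevalent executions" case from earlier in the talk by passing process rows and `key_fields=("Name", "Exe")` or whatever columns that hunt returns.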