SlideShare une entreprise Scribd logo

RSA APJ Velociraptor Lab

Velocidex Enterprises
Velocidex Enterprises

This document provides an overview and introduction to Velociraptor, an open source forensic tool. It summarizes who developed Velociraptor, how it works, and how to install and use it. The document guides users through collecting artifacts from endpoints, hunting across networks, and monitoring endpoints for events using Velociraptor's query language and artifact system. It encourages customizing the tool's abilities and contributing feedback to its ongoing development.

Logiciels
1  sur  80
Télécharger pour lire hors ligne
SESSION ID: LAB-T05 #RSAC Velociraptor - Dig deeper. Digital Paleontologist Velocidex Enterprises Nick Klein Director, Velocidex Enterprises Director, Klein & Co. Computer Forensics SANS DFIR Certified Instructor Dr Michael Cohen
#RSAC Who are we? 2 Dr Michael Cohen • Experienced digital forensic software developer. • Developer of foundation forensic tools including Volatility and Rekall. • Former lead developer of Grr Rapid Response at Google Inc. Nick Klein • Director of Klein & Co. digital forensic and cyber response team. • SANS DFIR Certified Instructor.
#RSAC What will you need today? A Windows computer or virtual machine, with admin access. A copy of Velociraptor from our official release page: https://github.com/Velocidex/velociraptor/releases A hunting frame of mind.
#RSAC What is Velociraptor? Velociraptor is a unique DFIR tool, giving you power and flexibility through the Velociraptor Query Language (VQL) VQL is used for everything: • Collecting information from endpoints (also called clients) • Controlling monitoring and response on endpoints • Controlling and managing the Velociraptor server.
#RSAC Velociraptor overview Everything uses the same binary - both clients and server. • The server is controlled via the server configuration file. • The client is controlled via the client configuration file. In this lab, we run the server and client on the same machine. In real cases, we typically deploy a Velociraptor server in the cloud.
#RSAC Architecture overview Client Send Chan Recv Chan Data store File Store Front End GUI Server
#RSAC Installing Velociraptor Download the Windows MSI from our releases page: https://github.com/Velocidex/velociraptor/releases On Windows, double-click the MSI to install. Or run: C:> msiexec /i velociraptor.msi Note: You can try other OS versions, but today we’ll use Windows.
#RSAC Configuring Velociraptor Everything is controlled by a pair of configuration files. The configuration files contain key data, making them unique (and secure) to your deployment. The server configuration file contains private keys - make sure to secure it! Genering new configuration files is easy: C:> cd “c:Program FilesVelociraptor” C:> Velociraptor.exe config generate -i
#RSAC
#RSAC Starting the server The same binary acts as a server or client depending on configuration options. The previous step generated two files: client.config.yaml server.config.yaml Open two Command Prompt windows as administrator. Start the Velociraptor server and frontend: velociraptor.exe --config server.config.yaml frontend -v
#RSAC Starting the server
#RSAC Test that the GUI works Connect to the GUI address mentioned previously: https://localhost:8889/ Note the certificate error - this is OK. It’s because we chose self-signed SSL mode. You can click through the warning for now. In real deployments we use proper SSL certificates.
#RSAC Your Velociraptor server is ready. Now let’s configure some clients.
#RSAC Starting a client In Windows, installing the Velociraptor MSI installs a client service. The service needs the client configuration file. Simply move the client configuration file into place (see next slide). When deploying at scale, you can use SCCM or Group Policy to do this - today we simply use Windows Explorer or the shell.
#RSAC Copy the client configuration file, then start the Velociraptor service.
#RSAC The Dashboard The Dashboard shows the current state of the installation: • How many clients are connected • Current CPU load and memory footprint on the server. When running hunts or intensive processing, memory and CPU requirements will increase but not too much. You can customize the dashboard - it’s also just an artifact.
#RSAC Clients have a persistent connection to the server. They’re ready to receive your commands.
#RSAC Interactive investigations on individual clients
#RSAC Searching for a client Sometimes we want to see information about a client. Press the Search icon to see all the clients
#RSAC Or search for clients by hostname, label or client ID.
#RSAC Client overview This provides some general information about a client. Click VQL Drilldown to see more detailed information. You can customize the information collected and shown by editing the configuration file, to add extra VQL queries.
#RSAC
#RSAC The Virtual File System (VFS) The VFS visualizes some server-side information we collect about the clients. Top level corresponds to the type of information we collect: • File - Access the file system using the filesystem API • NTFS - Access the file system using raw NTFS parsing • Registry - Access the Windows Registry using the Registry API • Artifacts - A view of all artifacts collected from the client.
#RSAC
#RSAC Exercise: Browse the client file system using VFS Task: Find your user NTUSER.DAT file and download it locally. Hunting hints: • NTUSER.DAT stores the Registry for your user account • It’s locked when the user is logged in • Therefore you need to fetch it using raw NTFS access • Do you know where this file is located?
#RSAC
#RSAC Use Velociraptor artifacts to automate everything
#RSAC Use Velociraptor artifacts to automate everything We can collect information about many things in DFIR cases: • Registry keys, files, WMI queries, sqlite databases … But we really just want to answer specific questions: • What program did the attacker run? • What files were downloaded? • What DNS lookups occured? • Did a particular file exist on a client?
#RSAC Velociraptor uses expert knowledge to find the evidence A key objective of Velociraptor is encapsulating DFIR knowledge into the platform, so you don’t need to be a DFIR expert. • We have high level questions to answer • We know where to look for evidence of user / system activities We build artifacts to collect and analyze the evidence in order to answer our investigative questions.
#RSAC Velociraptor's unique feature - user specified artifacts An artifact is a YAML file … • (therefore user-readable, shareable and editable) • … that answers a question … • … by collecting data from the endpoint … • … and reporting on this data in a human readable way. Artifacts encode expert knowledge into human reusable components.
#RSAC
#RSAC Exercise: Collect all user NTUSER.DAT files Previously we collected one NTUSER.DAT - let’s get them all. Select Collected Artifacts to view all artifacts previously collected. Click Collect More Artifacts to open the New Artifact Wizard. Search for an artifact that fetches NTUSER.DAT files. Click Add to add the artifact to the list for collection. Click Next to start the collection.
#RSAC
#RSAC Get the collected data One file will be downloaded for every user on the endpoint. Click Download to download the results of this artifact collection through your web browser (see next slide). The result is a ZIP file with the collected files (NTUSER.DAT) and a CSV file of the collection results.
#RSAC
#RSAC The ZIP file contains a directory structure for each client mirroring the original directory structure on the client.
#RSAC Hunting across the whole network
#RSAC Hunting is the collection of artifacts across the network Any artifact that can be collected on a single computer, can be simultaneously hunted across the entire network. A hunt can cover a group of clients, or the whole network. A hunt will continue running until it expires, or is stopped. As new machines appear, they automatically join in the hunt. Downloading the hunt results generates a ZIP file with all the uploaded files (in this exercise NTUSER.DAT files).
#RSAC
#RSAC Surgical collection of evidence
#RSAC Finding files Searching for files is a fundamental capability. Velociraptor provides a powerful File Finder artifact for this. • Use wildcards to ‘glob’ over directories • Use Yara to search the contents of files for keywords • Filter by modified or created dates • Upload matching files to the server, for further analysis. The Windows.Search.FileFinder is a great start for many custom artifacts - just copy/paste and pre-populate with the right defaults.
#RSAC
#RSAC Exercise: File collections Tasks: • Collect all exe’s created in a home directory in the last day • Also collect all text files containing a keyword. Hunting hints: • Create a text file containing the keyword “secret” • Search for it as before.
#RSAC
#RSAC
#RSAC Exercise: File collections - Microsoft Word docs Task: Collect Microsoft Word documents containing a keyword. Hunting hints: • Create a Word document containing the word “secret” • Search for it as before - does it work? – (it won’t work because Word documents are compressed) What can we do? • We have an artifact for that ...
#RSAC
#RSAC Scenario: Chrome extensions Chrome extensions can be very dangerous. They could access all website data including cookies and logon creds. They can create XSS opportunities for complete compromise. Exfil is difficult to spot, since all communications occur over SSL. Many Chrome extensions have been found to be malicious or vulnerable. So what Chrome extensions do your users have installed?
#RSAC
#RSAC Exercise: IP theft We’ve just been advised that our confidential data has been found on the dark web. Task: We need to know which machines had this file in the past. Hunting hints: • Create a new file called my secret file.txt on your client • Scan your MFT for the unique string • This may work even if the file is deleted.
#RSAC
#RSAC Scenario: Hunt down “shadow IT” Dropbox is one of many common “shadow IT” threats. It can be accessed through a web browser or an installed program. Exercise: • Which of your users have Dropbox accounts? • When did they access Dropbox through their web browsers? • What confidential documents are shared through Dropbox? • Let’s search web browsing history for accesses to Dropbox.
#RSAC
#RSAC
#RSAC
#RSAC Scenario: Use of Microsoft SysInternals tools SysInternals tools are powerful system administration tools which are also used by attackers “living off the land”. Did any SysInternal tools ever run on your endpoint? For non-administrator accounts, this is very suspicious. • Hint: Sysinternals tools require the user accepting a EULA, which leaves an interesting forensic artifact - a Registry key showing the user accepted the EULA. We have an artifact for that too!
#RSAC
#RSAC Event artifacts and endpoint monitoring
#RSAC What are event artifacts? Event artifacts are never-ending VQL queries that watch for events on clients and stream those events to the server. Example: Generic.Client.Stats VQL pluginQuery Rows Partial Result Sets
#RSAC
#RSAC Scenario: Monitor all DNS lookups DNS lookups are an excellent network signal. They can reveal C2 activity and help scope the extent of compromise across a network by showing all clients attempting to connect to known-bad domains. Most organisations don’t log DNS lookups. But with Velociraptor, we can store all DNS lookups from clients, then historically search this data when threat intel reveals C2 and other suspicious DNS names.
#RSAC
#RSAC Scenario: Monitor endpoint for USB drive insertion USB drives are a constant threat: • They can introduce malware • They’re commonly used to exfiltrate confidential documents. This has long been a blind spot in Windows forensic artifacts! Velociraptor provides an artifact that watches every client for USB drives being inserted, then sends us a listing of all files copied to them.
#RSAC Automating response with server event artifacts
#RSAC Post-process client events Server event artifacts are similar to the client event artifacts, except they run on the server. The server listens for events and responds to them. The events may originate with the clients or post-process any other activity on the server.
#RSAC Exercise: Decode encoded PowerShell commands PowerShell can accept a base64 encoded command line, often used by attackers to pass commands and script blocks. These are easy to decode individually, but harder at scale. Velociraptor can decode these automatically. Test this by running the following encoded PowerShell: powershell -encodedCommand ZABpAHIAIAAiAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAI gAgAA==
#RSAC Exercise: Alert if a new service is installed Installation of new services could indicate attacker activities. Example: winpmem is a tool used to obtain memory images. It installs a kernel driver and a service called pmem. Velociraptor can easily send an email alert if this is detected.
#RSAC Customizing artifacts
#RSAC Customizing artifacts Artifacts simply contain VQL statements. It’s easy to modify existing artifacts to your needs. As you learn VQL, you can easily write your own. Custom artifacts start with the Custom prefix. You can use official or custom artifacts interchangeably. You can also contribute your artifacts to the Velociraptor project (and get a special Velociraptor gold sticker)
#RSAC
#RSAC Lateral Movement - Service Control Manager Finding and Decoding Malicious Powershell Scripts - SANS DFIR Summit 2018
#RSAC Scenario: Detecting lateral movement Imagine a new service spawning PowerShell: C:> sc create FakeDriver binpath="cmd.exe /Q /c powershell.exe -nop -c dir" C:>sc start FakeDriver We can monitor clients for service creation events and alert when a service is installed using PowerShell.
#RSAC
#RSAC
#RSAC
#RSAC
#RSAC Apply what you learned Investigations involve answering questions about our endpoints. Now ask yourself: What questions do you want to answer about your network?
#RSAC Start hunting today 78 • Download Velociraptor from our GitHub repository. • Review the Quick Start documentation. • Setup a Velociraptor server and deploy some test clients. • Start by hunting for some pre-built artefacts. • Then customise some hunts to your own requirements. • Contribute back with your feedback and ideas.
#RSAC Watch this space ... 79 Although Velociraptor is being used on DFIR cases, it's still a work in progress. Our roadmap already includes many exciting features and developments, including: • Improving the user interface • Expanding the artefact library • Further documentation • More artefact parsers • A true kernel driver for Windows. So please share your feedback and ideas with us.
Thank you. github.com/Velocidex/velociraptor

Recommandé

ION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid ItION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid It
Deploy360 Programme (Internet Society)
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
Deploy360 Programme (Internet Society)
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Kali presentation
Kali presentationKali presentation
Kali presentation
Zain Ul abadin
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentation
Melinda Shore
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Redis Labs
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secrets
Excella
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
Andy Robbins
 

Recommandé

ION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid ItION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid It
Deploy360 Programme (Internet Society)
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
Deploy360 Programme (Internet Society)
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
Kali presentation
Kali presentationKali presentation
Kali presentation
Zain Ul abadin
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentation
Melinda Shore
 
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej SistlaSecure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Secure Redis Cluster At Box: Vova Galchenko, Ravitej Sistla
Redis Labs
 
Using ansible vault to protect your secrets
Using ansible vault to protect your secretsUsing ansible vault to protect your secrets
Using ansible vault to protect your secrets
Excella
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
Andy Robbins
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
DynamicInfraDays
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
Tony Godfrey
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
Teri Radichel
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
smalltown
 
DNS Security
DNS SecurityDNS Security
DNS Security
johnmcclure00
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
Deploy360 Programme (Internet Society)
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
ThousandEyes
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
Toni de la Fuente
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and security
Ben Bromhead
 
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
Gianluca Varisco
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
Gianluca Varisco
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
Teri Radichel
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
Priyanka Aash
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
Ray Potter
 

Contenu connexe

Tendances

Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
Steve Phillips
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
Mike Felch
 

Tendances (20)

Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018Prowler: BlackHat Europe Arsenal 2018
Prowler: BlackHat Europe Arsenal 2018
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and security
 
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
DevOoops (Increase awareness around DevOps infra security) - VoxxedDays Ticin...
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Road to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoopsRoad to Opscon (Pisa '15) - DevOoops
Road to Opscon (Pisa '15) - DevOoops
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 

Similaire à RSA APJ Velociraptor Lab

How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
Ray Potter
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
Robert Conti Jr.
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Ajin Abraham
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Priyanka Aash
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRC
Derek Callaway
 

Similaire à RSA APJ Velociraptor Lab (20)

Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
OSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adwareOSX Pirrit : Why you should care about malicious mac adware
OSX Pirrit : Why you should care about malicious mac adware
 
FIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container DeploymentFIM and System Call Auditing at Scale in a Large Container Deployment
FIM and System Call Auditing at Scale in a Large Container Deployment
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Velociraptor - SANS Summit 2019
Velociraptor - SANS Summit 2019Velociraptor - SANS Summit 2019
Velociraptor - SANS Summit 2019
 
Pentest and Security Discussion
Pentest and Security DiscussionPentest and Security Discussion
Pentest and Security Discussion
 
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
Gianluca Varisco - DevOoops (Increase awareness around DevOps infra security)
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
Crikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor WorkshopCrikeycon 2019 Velociraptor Workshop
Crikeycon 2019 Velociraptor Workshop
 
Nikto
NiktoNikto
Nikto
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015Hacking Tizen : The OS of Everything - Nullcon Goa 2015
Hacking Tizen : The OS of Everything - Nullcon Goa 2015
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software CraftersImplementing Active Security with Sysdig Falco - Barcelona Software Crafters
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
 
Webinar Docker Tri Series
Webinar Docker Tri SeriesWebinar Docker Tri Series
Webinar Docker Tri Series
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRC
 

Dernier

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 

Dernier (20)

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 

RSA APJ Velociraptor Lab

  • 1. SESSION ID: LAB-T05 #RSAC Velociraptor - Dig deeper. Digital Paleontologist Velocidex Enterprises Nick Klein Director, Velocidex Enterprises Director, Klein & Co. Computer Forensics SANS DFIR Certified Instructor Dr Michael Cohen
  • 2. #RSAC Who are we? 2 Dr Michael Cohen • Experienced digital forensic software developer. • Developer of foundation forensic tools including Volatility and Rekall. • Former lead developer of Grr Rapid Response at Google Inc. Nick Klein • Director of Klein & Co. digital forensic and cyber response team. • SANS DFIR Certified Instructor.
  • 3. #RSAC What will you need today? A Windows computer or virtual machine, with admin access. A copy of Velociraptor from our official release page: https://github.com/Velocidex/velociraptor/releases A hunting frame of mind.
  • 4. #RSAC What is Velociraptor? Velociraptor is a unique DFIR tool, giving you power and flexibility through the Velociraptor Query Language (VQL) VQL is used for everything: • Collecting information from endpoints (also called clients) • Controlling monitoring and response on endpoints • Controlling and managing the Velociraptor server.
  • 5. #RSAC Velociraptor overview Everything uses the same binary - both clients and server. • The server is controlled via the server configuration file. • The client is controlled via the client configuration file. In this lab, we run the server and client on the same machine. In real cases, we typically deploy a Velociraptor server in the cloud.
  • 6. #RSAC Architecture overview Client Send Chan Recv Chan Data store File Store Front End GUI Server
  • 7. #RSAC Installing Velociraptor Download the Windows MSI from our releases page: https://github.com/Velocidex/velociraptor/releases On Windows, double-click the MSI to install. Or run: C:> msiexec /i velociraptor.msi Note: You can try other OS versions, but today we’ll use Windows.
  • 8. #RSAC Configuring Velociraptor Everything is controlled by a pair of configuration files. The configuration files contain key data, making them unique (and secure) to your deployment. The server configuration file contains private keys - make sure to secure it! Genering new configuration files is easy: C:> cd “c:Program FilesVelociraptor” C:> Velociraptor.exe config generate -i
  • 10. #RSAC Starting the server The same binary acts as a server or client depending on configuration options. The previous step generated two files: client.config.yaml server.config.yaml Open two Command Prompt windows as administrator. Start the Velociraptor server and frontend: velociraptor.exe --config server.config.yaml frontend -v
  • 12. #RSAC Test that the GUI works Connect to the GUI address mentioned previously: https://localhost:8889/ Note the certificate error - this is OK. It’s because we chose self-signed SSL mode. You can click through the warning for now. In real deployments we use proper SSL certificates.
  • 13. #RSAC Your Velociraptor server is ready. Now let’s configure some clients.
  • 14. #RSAC Starting a client In Windows, installing the Velociraptor MSI installs a client service. The service needs the client configuration file. Simply move the client configuration file into place (see next slide). When deploying at scale, you can use SCCM or Group Policy to do this - today we simply use Windows Explorer or the shell.
  • 15. #RSAC Copy the client configuration file, then start the Velociraptor service.
  • 16. #RSAC The Dashboard The Dashboard shows the current state of the installation: • How many clients are connected • Current CPU load and memory footprint on the server. When running hunts or intensive processing, memory and CPU requirements will increase but not too much. You can customize the dashboard - it’s also just an artifact.
  • 17. #RSAC Clients have a persistent connection to the server. They’re ready to receive your commands.
  • 19. #RSAC Searching for a client Sometimes we want to see information about a client. Press the Search icon to see all the clients
  • 20. #RSAC Or search for clients by hostname, label or client ID.
  • 21. #RSAC Client overview This provides some general information about a client. Click VQL Drilldown to see more detailed information. You can customize the information collected and shown by editing the configuration file, to add extra VQL queries.
  • 22. #RSAC
  • 23. #RSAC The Virtual File System (VFS) The VFS visualizes some server-side information we collect about the clients. Top level corresponds to the type of information we collect: • File - Access the file system using the filesystem API • NTFS - Access the file system using raw NTFS parsing • Registry - Access the Windows Registry using the Registry API • Artifacts - A view of all artifacts collected from the client.
  • 24. #RSAC
  • 25. #RSAC Exercise: Browse the client file system using VFS Task: Find your user NTUSER.DAT file and download it locally. Hunting hints: • NTUSER.DAT stores the Registry for your user account • It’s locked when the user is logged in • Therefore you need to fetch it using raw NTFS access • Do you know where this file is located?
  • 26. #RSAC
  • 27. #RSAC Use Velociraptor artifacts to automate everything
  • 28. #RSAC Use Velociraptor artifacts to automate everything We can collect information about many things in DFIR cases: • Registry keys, files, WMI queries, sqlite databases … But we really just want to answer specific questions: • What program did the attacker run? • What files were downloaded? • What DNS lookups occured? • Did a particular file exist on a client?
  • 29. #RSAC Velociraptor uses expert knowledge to find the evidence A key objective of Velociraptor is encapsulating DFIR knowledge into the platform, so you don’t need to be a DFIR expert. • We have high level questions to answer • We know where to look for evidence of user / system activities We build artifacts to collect and analyze the evidence in order to answer our investigative questions.
  • 30. #RSAC Velociraptor's unique feature - user specified artifacts An artifact is a YAML file … • (therefore user-readable, shareable and editable) • … that answers a question … • … by collecting data from the endpoint … • … and reporting on this data in a human readable way. Artifacts encode expert knowledge into human reusable components.
  • 31. #RSAC
  • 32. #RSAC Exercise: Collect all user NTUSER.DAT files Previously we collected one NTUSER.DAT - let’s get them all. Select Collected Artifacts to view all artifacts previously collected. Click Collect More Artifacts to open the New Artifact Wizard. Search for an artifact that fetches NTUSER.DAT files. Click Add to add the artifact to the list for collection. Click Next to start the collection.
  • 33. #RSAC
  • 34. #RSAC Get the collected data One file will be downloaded for every user on the endpoint. Click Download to download the results of this artifact collection through your web browser (see next slide). The result is a ZIP file with the collected files (NTUSER.DAT) and a CSV file of the collection results.
  • 35. #RSAC
  • 36. #RSAC The ZIP file contains a directory structure for each client mirroring the original directory structure on the client.
  • 38. #RSAC Hunting is the collection of artifacts across the network Any artifact that can be collected on a single computer, can be simultaneously hunted across the entire network. A hunt can cover a group of clients, or the whole network. A hunt will continue running until it expires, or is stopped. As new machines appear, they automatically join in the hunt. Downloading the hunt results generates a ZIP file with all the uploaded files (in this exercise NTUSER.DAT files).
  • 39. #RSAC
  • 41. #RSAC Finding files Searching for files is a fundamental capability. Velociraptor provides a powerful File Finder artifact for this. • Use wildcards to ‘glob’ over directories • Use Yara to search the contents of files for keywords • Filter by modified or created dates • Upload matching files to the server, for further analysis. The Windows.Search.FileFinder is a great start for many custom artifacts - just copy/paste and pre-populate with the right defaults.
  • 42. #RSAC
  • 43. #RSAC Exercise: File collections Tasks: • Collect all exe’s created in a home directory in the last day • Also collect all text files containing a keyword. Hunting hints: • Create a text file containing the keyword “secret” • Search for it as before.
  • 44. #RSAC
  • 45. #RSAC
  • 46. #RSAC Exercise: File collections - Microsoft Word docs Task: Collect Microsoft Word documents containing a keyword. Hunting hints: • Create a Word document containing the word “secret” • Search for it as before - does it work? – (it won’t work because Word documents are compressed) What can we do? • We have an artifact for that ...
  • 47. #RSAC
  • 48. #RSAC Scenario: Chrome extensions Chrome extensions can be very dangerous. They could access all website data including cookies and logon creds. They can create XSS opportunities for complete compromise. Exfil is difficult to spot, since all communications occur over SSL. Many Chrome extensions have been found to be malicious or vulnerable. So what Chrome extensions do your users have installed?
  • 49. #RSAC
  • 50. #RSAC Exercise: IP theft We’ve just been advised that our confidential data has been found on the dark web. Task: We need to know which machines had this file in the past. Hunting hints: • Create a new file called my secret file.txt on your client • Scan your MFT for the unique string • This may work even if the file is deleted.
  • 51. #RSAC
  • 52. #RSAC Scenario: Hunt down “shadow IT” Dropbox is one of many common “shadow IT” threats. It can be accessed through a web browser or an installed program. Exercise: • Which of your users have Dropbox accounts? • When did they access Dropbox through their web browsers? • What confidential documents are shared through Dropbox? • Let’s search web browsing history for accesses to Dropbox.
  • 53. #RSAC
  • 54. #RSAC
  • 55. #RSAC
  • 56. #RSAC Scenario: Use of Microsoft SysInternals tools SysInternals tools are powerful system administration tools which are also used by attackers “living off the land”. Did any SysInternal tools ever run on your endpoint? For non-administrator accounts, this is very suspicious. • Hint: Sysinternals tools require the user accepting a EULA, which leaves an interesting forensic artifact - a Registry key showing the user accepted the EULA. We have an artifact for that too!
  • 57. #RSAC
  • 59. #RSAC What are event artifacts? Event artifacts are never-ending VQL queries that watch for events on clients and stream those events to the server. Example: Generic.Client.Stats VQL pluginQuery Rows Partial Result Sets
  • 60. #RSAC
  • 61. #RSAC Scenario: Monitor all DNS lookups DNS lookups are an excellent network signal. They can reveal C2 activity and help scope the extent of compromise across a network by showing all clients attempting to connect to known-bad domains. Most organisations don’t log DNS lookups. But with Velociraptor, we can store all DNS lookups from clients, then historically search this data when threat intel reveals C2 and other suspicious DNS names.
  • 62. #RSAC
  • 63. #RSAC Scenario: Monitor endpoint for USB drive insertion USB drives are a constant threat: • They can introduce malware • They’re commonly used to exfiltrate confidential documents. This has long been a blind spot in Windows forensic artifacts! Velociraptor provides an artifact that watches every client for USB drives being inserted, then sends us a listing of all files copied to them.
  • 65. #RSAC Post-process client events Server event artifacts are similar to the client event artifacts, except they run on the server. The server listens for events and responds to them. The events may originate with the clients or post-process any other activity on the server.
  • 66. #RSAC Exercise: Decode encoded PowerShell commands PowerShell can accept a base64 encoded command line, often used by attackers to pass commands and script blocks. These are easy to decode individually, but harder at scale. Velociraptor can decode these automatically. Test this by running the following encoded PowerShell: powershell -encodedCommand ZABpAHIAIAAiAGMAOgBcAHAAcgBvAGcAcgBhAG0AIABmAGkAbABlAHMAI gAgAA==
  • 67. #RSAC Exercise: Alert if a new service is installed Installation of new services could indicate attacker activities. Example: winpmem is a tool used to obtain memory images. It installs a kernel driver and a service called pmem. Velociraptor can easily send an email alert if this is detected.
  • 69. #RSAC Customizing artifacts Artifacts simply contain VQL statements. It’s easy to modify existing artifacts to your needs. As you learn VQL, you can easily write your own. Custom artifacts start with the Custom prefix. You can use official or custom artifacts interchangeably. You can also contribute your artifacts to the Velociraptor project (and get a special Velociraptor gold sticker)
  • 70. #RSAC
  • 71. #RSAC Lateral Movement - Service Control Manager Finding and Decoding Malicious Powershell Scripts - SANS DFIR Summit 2018
  • 72. #RSAC Scenario: Detecting lateral movement Imagine a new service spawning PowerShell: C:> sc create FakeDriver binpath="cmd.exe /Q /c powershell.exe -nop -c dir" C:>sc start FakeDriver We can monitor clients for service creation events and alert when a service is installed using PowerShell.
  • 73. #RSAC
  • 74. #RSAC
  • 75. #RSAC
  • 76. #RSAC
  • 77. #RSAC Apply what you learned Investigations involve answering questions about our endpoints. Now ask yourself: What questions do you want to answer about your network?
  • 78. #RSAC Start hunting today 78 • Download Velociraptor from our GitHub repository. • Review the Quick Start documentation. • Setup a Velociraptor server and deploy some test clients. • Start by hunting for some pre-built artefacts. • Then customise some hunts to your own requirements. • Contribute back with your feedback and ideas.
  • 79. #RSAC Watch this space ... 79 Although Velociraptor is being used on DFIR cases, it's still a work in progress. Our roadmap already includes many exciting features and developments, including: • Improving the user interface • Expanding the artefact library • Further documentation • More artefact parsers • A true kernel driver for Windows. So please share your feedback and ideas with us.