We covered the open source digital forensics and incident response platform, Velociraptor. We went over Velociraptor deployment modes such as client and server mode and standalone mode. We also covered how to extract artifacts using VQL language. We extracted system information, the file system, the registry and also we queried the endpoint for possible presence of printnigthtmare vulnerability. This was part of TryHackMe Velociraptor.

Get Computer Forensics Study Notes

The Complete Penetration Testing with BackBox Course

CHALLENGE DESCRIPTION
Learn Velociraptor, an advanced open-source endpoint monitoring, digital forensic and cyber response platform.

Video Highlights

Per the official Velociraptor documentation, “Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It was developed by Digital Forensic and Incident Response (DFIR) professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints. Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches“.

Velociraptor is unique because the Velociraptor executable can act as a server or a client and it can run on WindowsLinux, and MacOS.  Velociraptor is also compatible with cloud file systems, such as Amazon EFS and Google Filestore.

Velociraptor can be deployed across thousands, even tens of thousands, client endpoints and runs surprisingly well for an open-source product.

Per the official documentation, “Velociraptor’s power and flexibility comes from the Velociraptor Query Language (VQL). VQL is a framework for creating highly customized artifacts, which allow you to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as automate tasks on the server“.

With many tools that you will encounter in your SOC career, some tools may have their own query language. For example, in Splunk its SPL (Search Processing Language), Elastic has KQL (Kibana Query Language), Microsoft Sentinel has KQL [too] (Kusto Query Language), etc.

VQL is the meat and potatoes of Velociraptor. Throughout each task thus far, unbeknownst to you, you have been interacting with VQL.

Room Answers

 Using the documentation, how would you launch an Instant Velociraptor on Windows?
What is the hostname for the client?

What is listed as the agent version?

In the Collected tab, what was the VQL command to query the client user accounts?

In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?

In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?

Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?

Review the output. How many files were uploaded?
Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)

Which accessor provides file-like access to the registry? (format: xyz accessor)

What is the name of the file in $Recycle.Bin?

There is hidden text in a file located in the Admin’s Documents folder. What is the flag?

What is followed after the SELECT keyword in a standard VQL query?

What goes after the FROM  keyword?

What is followed by the WHERE keyword?

What can you type in the Notepad interface to view a list of possible completions for a keyword?
What plugin would you use to run PowerShell code from Velociraptor?
What are the arguments for parse_mft()?

What filter expression will ensure that no directories are returned in the results?

What is the name in the Artifact Exchange to detect Printnightmare?

Per the above instructions, what is your Select clause? (no spaces after commas)
What is the name of the DLL that was  placed by the attacker?

What is the PDB entry?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles