We covered the open source digital forensics and incident response platform, Velociraptor. We went over Velociraptor deployment modes such as client and server mode and standalone mode. We also covered how to extract artifacts using VQL language. We extracted system information, the file system, the registry and also we queried the endpoint for possible presence of printnigthtmare vulnerability. This was part of TryHackMe Velociraptor.
Get Computer Forensics Study Notes
The Complete Penetration Testing with BackBox Course
Video Highlights
Per the official Velociraptor documentation, “Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It was developed by Digital Forensic and Incident Response (DFIR) professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints. Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches“.
Velociraptor is unique because the Velociraptor executable can act as a server or a client and it can run on Windows, Linux, and MacOS. Velociraptor is also compatible with cloud file systems, such as Amazon EFS and Google Filestore.
Velociraptor can be deployed across thousands, even tens of thousands, client endpoints and runs surprisingly well for an open-source product.
Per the official documentation, “Velociraptor’s power and flexibility comes from the Velociraptor Query Language (VQL). VQL is a framework for creating highly customized artifacts, which allow you to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as automate tasks on the server“.
With many tools that you will encounter in your SOC career, some tools may have their own query language. For example, in Splunk its SPL (Search Processing Language), Elastic has KQL (Kibana Query Language), Microsoft Sentinel has KQL [too] (Kusto Query Language), etc.
VQL is the meat and potatoes of Velociraptor. Throughout each task thus far, unbeknownst to you, you have been interacting with VQL.
Room Answers
What is listed as the agent version?
In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?
In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?
Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?
Which accessor provides file-like access to the registry? (format: xyz accessor)
What is the name of the file in $Recycle.Bin?
There is hidden text in a file located in the Admin’s Documents folder. What is the flag?
What is followed after the SELECT keyword in a standard VQL query?
What goes after the FROM keyword?
What is followed by the WHERE keyword?
What filter expression will ensure that no directories are returned in the results?
What is the name in the Artifact Exchange to detect Printnightmare?
What is the PDB entry?
