Hi everyone. I'm Mike and today I wanted to speak with you about Velociraptor. I wanted to go through a few examples of how we can use Velociraptor in a real DFIR case. You must have heard of Velociraptor. Velociraptor is a unique DFIR tool that gives you, the user, the power to be very flexible about the way that we collect artifacts or information from endpoints. And the thing that makes it really cool is that it has this very powerful Velociraptor Query Language, and I'm going to show you today how we can use that to do some advanced hunting. It's a very short talk, so we're going to skip a lot of the information, but there are going to be some references at the end so you can have a look at some more information about this.

So let's just take a quick look at the overview. What does Velociraptor look like? It's an agent-based system where we have an agent running on different assets and we have the Velociraptor server. Usually it's deployed in the cloud, and the admin UI, which is what we're going to be using today, is what we use to task and control the server. The nice thing about it is it has persistent communication to the endpoints, so we don't really have to poll or anything; we can just go ahead and query the endpoints interactively in seconds.

I'm just going to go through a quick tour of the Velociraptor UI. I'm not going to show you how to install it, because we have a lot of references about installing it already. But I just wanted to point out that it's a very fast, very efficient, scalable system, and typically we're looking at about 10,000 endpoints on one server, so it is actually pretty efficient. We can do some very, very fast hunting with that.

So let me just show you a quick Velociraptor GUI tour. Let me switch to the UI. This is the Velociraptor UI once you have it installed, and the first thing that you can do is search for different machines. Let me just show you the sidebar here.
The homepage is the dashboard. We'll just have a look at the dashboard here. You can see that I've had this server running for a while; this is the memory usage of the server, just a bit of monitoring. This server has about 2,000 clients connected to it. We're going to do some hunting in just a minute.

What I will do first is show all the machines. There's a whole bunch of them and it just goes on for ages. But we can actually search for specific machines by label: we can label a machine by just highlighting it here and adding a label, and that allows us to group machines so we can hunt in a more targeted way. I have a machine here, which is my machine, that I've labeled with the label "mic". Let me just find it. I'll just show you on another machine.

Let me just quickly have a look here at the dashboard. We've seen that. We can investigate individual clients interactively. Let's just pick a client; this is just some information about this client. If we have a look at the VFS we can actually go and interact with files on the machine. At the moment this is just showing us what information the server has on this machine, so we can refresh that by clicking here; that just syncs that directory listing so we can see what's on there. We can also do a recursive directory listing and see a whole bunch of files on that machine, and we can go in and download individual files from that machine. So when we look at a file, let's say this one under Users, we can simply click "Collect from client" and it just collects that file from the machine and then we can look at it. Let me just stop that.

I'm just going to go through that part very quickly because I wanted to show you an example of what we actually use. I just wanted to show you quickly the interactive shell feature: we can get a shell on that machine at any time.
So for instance, in this case, if I wanted to know what the local users on that machine are, I have a little PowerShell snippet here. I can simply paste that here and collect that, and that basically runs the PowerShell on the machine and we get back the responses. In this case this particular PowerShell just tells us what the local admin users are, so we've got this.

So we've seen how we can fetch files and interact with the machine, but what's really cool about Velociraptor is that we have that query language that we can use to really customize the way that we are interacting with the machine and querying things. I just wanted to show you an example of what we call a forensic artifact, or Velociraptor artifact. We use that term a lot and you'll see the term "artifact" a lot in the documentation. When you look here in the UI, we have our artifact viewer, and if you just click on any of these artifacts randomly you'll see that these artifacts are essentially just queries that are packaged up inside a YAML file. I'm not going to go really into details about the query language itself in this talk, but you just need to know that these artifacts are just queries that are named, so they have a name, and we can just use those queries and ask the endpoint about them at any time.

To give you an example of how useful it is, having these artifacts in YAML form allows us to interchange them and share them with the community. So I'm just going to go through a really quick example, and this is just something that I put together in the last few days because it's actually the current zero-day, at the time of recording at least: the SeriousSAM or HiveNightmare example.
So let me just go through that. You can see that there is a CVE for it and there's an advisory, and we can have a look at the different resources; there are many resources that explain this vulnerability. But essentially what this vulnerability is, if you read the details, is that there is just a weak permission on the SAM file: if you look at it, the built-in Users group has read permission on the directory where the SAM is contained, and that allows low-privilege users to just read the SAM, crack the hashes and escalate to domain admin from there. So it is actually quite a serious vulnerability.

So you might have a whole bunch of machines and you can say, "Well, how do I fix that?" You can see the advisories; Microsoft has released an advisory about it, and we need to check the ACLs. But how do I do that on 2,000 machines? How do I check that 2,000 machines are patched? This is where a query language really shines. The idea is that I could write a query right now, run it on all my 2,000 machines, and then see the results in seconds.

So let's have a look at our public artifact reference, which is a public place where we can share these kinds of artifacts, these queries. This is our website, the documentation website, and we have a thing called the Artifact Exchange. The Artifact Exchange is a place where we can exchange information about current threats, and people can write different queries, different artifacts, that we can share with the community. So most of the time you don't really need to be able to write your own VQL; you can just have a look at the Artifact Exchange to see whether there's something similar. You can see we've already got something here, but the one that I wanted to show you today is this access control list artifact, which basically uses PowerShell to get the ACLs of the
SAM files. I'm not going to go again into too much detail here, but all you have to do is really just find the artifact that you're interested in and copy it from here. Then we go back to our server, into the artifact viewer, and we're just going to paste that artifact into our server. This is very simple: we just click the plus button here, highlight, delete, paste, and that just pastes the artifact from the Artifact Exchange. So you could just directly use it. You can pretty much see that the first part is the PowerShell script, a very small PowerShell thing, and then we wrap it in VQL and then we do some filtering there with extra processing. So it's a pretty straightforward approach, but now when we save it, you'll see that we have a customized artifact; it's part of the UI, part of Velociraptor, and we can just use it in any context that any of the other artifacts can be used in.

So let's go back to our machine. Let's see if we can find it again. Yep, this is my label, and this is the machine here. Now I'm just going to look at that one machine. Over here on the top I've got the hostname of the machine and it says "connected", so it's now connected to the machine. We don't really poll; we are directly connected to it, so when we task it we can immediately get information from it. I'm just going to go through the collected artifacts. Velociraptor just deals with artifacts; that's all it knows about. This is the list of the artifacts that are collected when we first start; we collect this general information artifact. But what I'm going to do now is click this plus button here, and we're going to collect that new custom artifact that we've created, which is the access control list one. I'm just going to select that; I can search for it first, and again it shows me a bit of a
description of it, reminds me about it, but you can see that there are a couple of parameters here that I can use to customize this artifact that I've got from the Artifact Exchange. So I'm just going to configure those. You can see that I can change the glob, so I can check for other files and access controls; in this case I'm interested in the SAM specifically, so it's going to be in this directory with an "S*". And this is the ACL filter that I'm specifically looking for: I'm only interested in files that have that permission, that filter, because this is the vulnerable permission. Once I configure it, then I can just launch it and off it goes. This is going to go to that endpoint and run this PowerShell thing and then it will come back with a result. You can see it's finished and it's uploaded four rows. So, just like with any query language, Velociraptor queries only just return rows. I'll click on the results and we can see here that it's showing me the SAM; this is the owner, Administrator, and these are the ACLs on it, and you can see that this is the kind of problematic ACL here. So this machine is vulnerable to this HiveNightmare zero-day. So that's cool, and I could do that, and I'll show you in a minute how you can do a hunt of thousands of machines and find out in seconds which ones of your machines are vulnerable.

But now what am I going to do about this? So I know this machine is vulnerable. This is just a bit of a recap to show you the general structure of this VQL query and how we adjusted the parameters and we could see the vulnerable thing. So what are we going to do about this? This machine is now vulnerable, so we actually really need to remediate it now. Of course we can always log into that machine and use our remediation steps, and in fact if we look at our references there are some
remediation guides, and in particular we need to run this command here. We can do that on one or two machines, but we want to really be able to do it on many machines, and this is where Velociraptor can really help us, because we can just change this VQL to add that extra command here, that extra remediation step, and then we can use that to remediate that machine. So let's give that a try.

OK, so this is their remediation step, and what we're going to do is go back to our artifact here. We can now customize it. The one that we copied from the Artifact Exchange is good; it just tells us about it, but we want to change it. So we're going to click the pencil button here to customize, and what we're going to call it is "remediate", for example. We change the name so it's going to be a different artifact, but it's very similar, essentially the same thing, except we're going to add that thing here. Let me just check what this format was supposed to be. OK, so this one basically just runs it without any output, because we don't want to mess up the JSON that we are extracting. So as an extra step we're just going to run this extra remediation step and then we're going to look at the permissions, so hopefully that will show us that the permissions have been fixed after we do this. We're going to save this, so now this is the remediation step. Generally we want to be very careful when we do remediation, because we don't really want to mess up the system. But let's have a look. We're going to do a new collection and collect this new one, the remediation one, and we're just going to launch that. It's doing the same thing except it's going to do that extra PowerShell snippet to just clean up the machine, and then
hopefully once we finish we should see that Users one disappear. Let's see, hopefully it worked... that's remediated. Oops, sorry, let's check that again, and hopefully that would have worked. So this gives us an idea of how we... oh, it's still there. Maybe that remediation is not working too well. It should run the remediation step. Oh yes, that's right, sorry, this remediation is not for PowerShell; we just want to do this one in System32. OK, so let's do the remediation one; we can copy it again and launch it. It's the same thing but with the modified one, and this time we should expect to see that the command worked. Yes, it returns zero rows, so it actually worked correctly and there are no more results. Now if we do that access control list check again, we just copy that same artifact and collect it again a second time, and it should return zero rows, because now the SAM is no longer vulnerable; it doesn't have that ACL on it because we've fixed it. So again, we have to use the correct PowerShell version of the fix, but once we do that we just edit it into PowerShell and it just goes off and does it. So we can now do a hunt to remediate all of these machines. OK, so that was pretty cool.

So let's have a look at the second example, and this one is a little bit more involved; it basically uses a bit of research. This second example is about disabling log files. You might not know that you can actually download things in Windows using the BITS downloader. This one's a pretty common persistence that a lot of attackers use. So here's an example of a command line, and it uses something called the BITS service. The BITS service is used to download the Windows updates and various other updates, but essentially it's like curl basically; it goes off and downloads stuff from the network. Now if
you have something like an EDR that watches to see whether there is a PowerShell connecting out to the network, that could be suspicious. So a lot of attackers use this bitsadmin to download their malware, because bitsadmin is part of Windows and it's usually whitelisted and signed, so it goes off and a lot of EDRs just let it go because they don't monitor what exactly it's downloading. So you can actually use it to download anything, including any PowerShell or whatever you want, as a download cradle.

Let me just try to do this as an example. We'll just open up the shell, and what we're going to do is just download... let me just put it in mic\test. OK, and if I just run this command then it's going to go and create a BITS job, and it goes off and downloads this google.com into C:\Users\mic\test\test.ps1. So that is what it went off and downloaded. Now this is actually a kind of suspicious thing and a lot of people know about this, so usually you can monitor for that using the Event Viewer. If you look at the Event Viewer then often you will see an event, and the event is in the Windows Bits-Client Operational log. So you see the event, and this is pretty suspicious. A lot of people have event forwarding and they forward that to their SIEM, and then there are alerts and all this kind of stuff and it escalates, because this is actually pretty suspicious. When you look at this event you can actually see who downloaded it, the username, and you can also see in one of the other events where it was downloaded from and who created it. So you can see this is the URL that we downloaded from, this is what was downloaded, and that would set off a lot of flags, as PowerShell is coming from the internet. But I'm not going to talk to you about this BITS thing because it's well known. What I am going to talk to you about today is
this very interesting thing that a lot of people don't realize: you could just turn the logs off. So if I right-click on this and just disable the log, like so, it's very easy. And if I just clear this log (I'm going to clear this log) and do it again, I can show you that now the log is not logging, because the log is disabled. So if I had an event-forwarding type SIEM that I'm forwarding events from this to, then I'm now completely blind, and all it takes is you just right-click on this thing and disable the log; it's not a big deal. So if an attacker is about to do this, they can just disable the log and off we go.

So what we would like to know as defenders is: has anyone done this? Has anyone disabled the log? What was the baseline, what should the baseline be? The first step is figuring out what is going on when I disable this log. What happens when I disable this log? Let's say I don't know what it is. Usually I would just run Procmon, so I have Procmon over here, and I would start it up and then just do this disable-log business, and maybe I'll just re-enable it again; now it's enabled. Then I can stop Procmon capturing and I can add a filter. I've already added a filter here just for this talk; the filter is looking for an operation which is RegSetValue. Basically, when I change this in the UI, something is going to set a value somewhere in the registry, and I don't know exactly where, so I'm just going to set a filter for those. You can see very quickly that when I turn the event log on or off (disabled it), you'll see a particular key somewhere here which corresponds to that setting. Where is it? Here, this one. So this event is a Windows CurrentVersion WINEVT Channels Microsoft BITS Client key. So this is a typical example of somehow the attacker misconfiguring the system, and we want to know
what's going on. So we want to write an artifact here that just detects this across our system. Let's have a look at this example. This is the example I have here: we looked through, we checked about the disabling, we did Procmon, we checked this value, and in the end we can write an artifact to check for that specific registry key. Again, in this talk we don't have a lot of time to be able to work out how to write this query, so I'm just going to paste it. We can actually run this query as it is and create an artifact from it, but let me just show you what that query looks like. We're just going to run the query in the UI. In the UI we have a thing called a notebook. We can create a new notebook here, "test", and in this notebook we can write any VQL that we want; we can run different VQL. So let me create a new VQL cell and paste. Again, I'm not going to show you how to actually write this in this talk because there's not enough time, but you can see that here's the registry key that we are looking for. There's a glob here, so there's a star, so we're looking at all the event logs and then looking to see whether they're enabled or not. So we can run this query, and what it will do is basically show us which one is enabled and which one is disabled. So we can actually write this artifact using this query to know which event log is enabled and which event log is disabled.

So let's do that. We'll write an artifact. This time we're going to create an artifact out of this query, just like we did before, but this time we're going to create a new artifact. We're going to go to the artifact viewer and we're going to add a new artifact. Remember, before we just copied it from the Artifact Exchange, but now we're just going to write our own artifact. So we just need to give it a name, so it's going to be
a Windows event log enabled artifact, I don't know, we just give it a name, description and so forth, but really the most important thing is to paste our query here. Oops. Because this is YAML we have to tab it over a bit, and you see as soon as I do that the syntax highlighting helps me here. I have the precondition, which is telling me that this artifact is only running on Windows. I'm just going to delete that, and I don't really want any parameters here, so I'm just going to do that. So that's my new artifact. I just create that, and there we go, we have a new custom Windows event log enabled artifact. Now we can simply collect it from our endpoint. We can simply go back to our endpoint and collect that artifact just as we did before; remember there are no parameters this time, so we just hit launch and off it goes, and that's going to tell us basically which logs are enabled or disabled. Here we go.

So the same thing: we've gone from an observation of something weird going on, to how do we hunt for it, and then we create an artifact for it. This is the standard workflow in Velociraptor, the hunting workflow. We start off with an idea, we explore the idea in our VQL, in our queries; once we come up with a query that we like, then we simply convert it to an artifact and then we can go hunting. This is the part I wanted to show you right now: how we can go hunting for this.

So what is normal? If you look at the event log you'll see that a lot of them are enabled and a lot of them are disabled, and you don't know which one's supposed to be enabled that's not enabled, and which one's supposed to be disabled that's not disabled. What you want to know is whether one of them has been changed, but you don't know what's normal. If you don't know what's normal, that's called baselining, where we need to get a baseline of what's going on. In order to do that, what we want to
do is collect this information, all the logs that are enabled, all the logs that are currently disabled, from all the hosts. So we want to do a hunt. A hunt is basically when we go through and collect that same artifact, this one, across the entire network at once. At the moment we've just collected it from this one machine here, the mic machine, but we want to do it across the entire network. So just for the sake of argument, let's have a look at this log. This log here is enabled. Let me just quickly check my other machine here; this is my other machine, mic's machine, and I'm going to disable the log just on the one machine, so this is going to be the one that stands out. Let's go and do a hunt and see which one is disabled. On a lot of machines this log is enabled by default, but we're just going to disable it.

So we're going to go to the hunt manager. This is the hunt manager, and we're just going to create a new hunt. We're going to add another artifact; we can give it a description, say "event logs", and select the artifact that we want to collect, so it's just this one, whether it's enabled or disabled, and literally just launch it. In this case, because there are no parameters, it just goes ahead. When we create the hunt it's paused, so we're just going to start it, run it, and you'll see that as soon as that happens the endpoints are starting to get scheduled. That number will increase as they're getting scheduled, and each one is going to go off and check its event logs and send back the results, and then it would be finished. So it's going to be scheduled and then finished, and this is basically how we hunt through all our machines. Once this is happening we don't really even need to wait for it; we have like 2,000 machines on this system so it's
going to take a couple of minutes, but we can immediately start to analyze the results. This is the processing step in the notebook, and the notebook is where we can write different VQL and analyze the results. You see, for example, these are the results that came back from this machine, 87, and it has some zeros and ones, but we don't really know which one is valid or not. So we want to basically just do a GROUP BY; we want to do a stacking, we want to stack all of our results and then see which ones are different. So what we really want to do is a GROUP BY, and then we want to count, COUNT AS count, and then we have the log, all the different logs and the value, and the hostname, that's the hostname here. Then what we want to do is group by the combination of log and value. GROUP BY basically counts together all the unique ones of the same value combination. So, for example, this BITS Client Operational is one on one machine and then it's zero on another machine; that's a different group. So we want to just do that. When we do that it's going to go off and essentially just count them, and this way we will be able to see which ones are common and which ones are not common, because they'll sort of stand out. This is a pretty classic hunting technique called stacking, where we can just count different things, and we can see that some machines are a bit different to other machines. It's going to take a couple of seconds while it's doing that, so let me just jump to the presentation to see what we're doing here.

So again, what we've done is a stacking exercise across all the groups and we counted all of them. We should have also ordered by a little bit; maybe we'll find that when we order by we can see the counts in order, so we can see the ones that are a bit different. That's going to take a couple of seconds while it's
collecting the data from the endpoints, but typically this is what you see: you'll see that one machine that has it disabled, so the value is zero, stands out, and then the other ones are all the same. So that's more or less the baseline and then that one is the one that stands out.

All right, so we only have a couple of extra seconds, so I'm not going to show you how to do this, but I'm just going to tell you how we can turn that artifact into a detection rule. This is a little bit more of an advanced use case, I would say. In VQL you can actually create event queries, so you can actually write monitoring rules that use the query to detect when something happens in the future. This is kind of what it looks like: on the endpoints we have the query running and it basically ends up sending partial results as it happens. I'm just going to skip to the architecture so we can see that event queries are running on the client, and then they're getting buffered and sent off to the server when the client is back online. So we can write a query that simply detects whenever this log file is changing. This is an advance over the typical OODA loop in a normal EDR-type SIEM system, where you have basically a whole bunch of events that are going into the SIEM, and then we have escalation, and then it goes back through and an operator actually goes back to collect extra information. But we can actually do that on the endpoint by simply adding an event query that runs through it. To give you an example, in this case (I'm just going to skip through because we are out of time) we can add this particular event artifact to Velociraptor that will simply check whether the event logs are enabled or disabled periodically, and when they become disabled then there'll be a difference and the query will basically report a row that will be different, so an event log has
been disabled. I think we are out of time to actually demonstrate that particular one, so we're just going to show you a screenshot of when that happens. Basically, once we install that artifact here, then we will see whenever someone added or removed an entry from the event logs, from the registry key. So whenever the registry changes we will see an event raised on the server, and that's how we can turn VQL into a monitoring-type system.

So we didn't cover a lot of stuff; it was a really quick talk, so I do encourage you to go and have a look at all the resources that Velociraptor has. There are many, many things that we didn't cover and we only just introduced it, so hopefully this will give you a bit of a taste to see how you can scale up DFIR and be able to collect information from thousands of machines in seconds. In the last slide here I have a whole bunch of references, but really docs.velociraptor.app is the website. If you go there there are lots of resources: we've got training packages, announcements, documentation and the Artifact Exchange, which you can use to submit to, and so on. It's an open source project found on GitHub; you can visit us on GitHub, file issues, and also we are always on Discord, so come and help out, ask any questions or anything like that. So thanks for your time and have a good conference. Thank you.
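The stacking step from the second demo (group hunt results by log and value, count, order by count, then spot the host that differs from the majority), written out as an added stand-alone Python example; it is not code from the talk or from the Velociraptor project, and the hostnames, channel names and Enabled values are constructed sample data shaped like the hunt's rows.

```python
"""Stacking hunt results to baseline Windows event log channel state.

Added example, not code from the talk or from Velociraptor. It reproduces
in plain Python what the notebook GROUP BY does: count every (log, value)
combination across all hosts, order by count so the rare combinations
surface, and then list the hosts that deviate from the majority value.
"""
from collections import Counter, defaultdict

# Registry path the talk located with Procmon. The hunt artifact reads the
# "Enabled" value under each channel key and returns one row per host/channel.
WINEVT_CHANNELS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels"

BITS_LOG = "Microsoft-Windows-Bits-Client/Operational"
PS_LOG = "Microsoft-Windows-PowerShell/Operational"
TASK_LOG = "Microsoft-Windows-TaskScheduler/Operational"


def constructed_hunt_rows(n_hosts=20):
    """Constructed sample rows shaped like the hunt output: dicts with
    hostname, log, value (1 = enabled, 0 = disabled). Every host has the
    BITS channel enabled except DESKTOP-MIC, mirroring the one machine the
    talk disabled by hand. TaskScheduler is split evenly to show a tie."""
    rows = []
    for i in range(1, n_hosts + 1):
        host = f"host-{i:02d}"
        rows.append({"hostname": host, "log": BITS_LOG, "value": 1})
        rows.append({"hostname": host, "log": PS_LOG, "value": 0})
        rows.append({"hostname": host, "log": TASK_LOG, "value": i % 2})
    rows.append({"hostname": "DESKTOP-MIC", "log": BITS_LOG, "value": 0})
    rows.append({"hostname": "DESKTOP-MIC", "log": PS_LOG, "value": 0})
    return rows


def stack(rows):
    """GROUP BY log, value with COUNT, ordered by count ascending and then
    by log name, like the notebook query. Each entry keeps the host list so
    an analyst can pivot straight to the outlier machine."""
    counts = Counter()
    hosts = defaultdict(list)
    for r in rows:
        key = (r["log"], r["value"])
        counts[key] += 1
        hosts[key].append(r["hostname"])
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0][0], kv[0][1]))
    return [
        {"log": log, "value": value, "count": c, "hosts": sorted(hosts[(log, value)])}
        for (log, value), c in ordered
    ]


def baseline(rows):
    """Majority value per log. A log whose counts tie gets None, because
    there is no defensible 'normal' to compare a host against."""
    per_log = defaultdict(Counter)
    for r in rows:
        per_log[r["log"]][r["value"]] += 1
    result = {}
    for log, counter in per_log.items():
        ranked = counter.most_common()
        tied = len(ranked) > 1 and ranked[0][1] == ranked[1][1]
        result[log] = None if tied else ranked[0][0]
    return result


def deviations(rows):
    """Hosts whose value differs from the majority for that log, as sorted
    (hostname, log, value, baseline_value) tuples. Tied logs are skipped."""
    base = baseline(rows)
    out = []
    for r in rows:
        expected = base[r["log"]]
        if expected is not None and r["value"] != expected:
            out.append((r["hostname"], r["log"], r["value"], expected))
    return sorted(out)


if __name__ == "__main__":
    sample = constructed_hunt_rows()
    for entry in stack(sample):
        print(f'{entry["count"]:4d}  {entry["value"]}  {entry["log"]}')
    for host, log, value, expected in deviations(sample):
        print(f"{host}: {log} Enabled={value}, baseline={expected}")
```

The rarest row comes out first, exactly as the talk describes the disabled BITS log standing out against the enabled majority.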