The 2021 Contributor Contest

Mike Cohen & Carlos Canto 2021-10-12

The 2021 Velociraptor Contributor Competition has drawn to a close and this year we have received 6 excellent submissions. Each submission pushes the state of the art in DFIR and enhances Velociraptor’s capabilities. Without our wonderful Community an open source project such as Velociraptor would not be nearly as capable.

And the winners are…

We are thrilled to announce the winners of the Competition! Each of these submissions separated itself from the pack by earning the top combined ratings in five key selection criteria:

Usefulness, Creativity, Effort/Difficulty, Completeness of Solution and Clarity of Documentation

Without further ado, the winners are…

  • Grand Prize ($5,000 USD) - Justin Welgemoed
  • Second Place ($3,000 USD) - Eduardo Cunha Mattos
  • Third Place ($2,000 USD) - Josh Brower

Congratulations to all three winners! We’ll be reaching out soon with details on how to claim your prizes. The Velociraptor team would also like to sincerely thank all the judges for their valuable time and effort in evaluating the submissions. A great big shoutout and thanks to all our Community members who submitted entries as well.

You can still view our award presentation at the SANS Threat Hunting Summit by registering to view a replay of the summit here. But until then, take a look at all the submissions below and evaluate them yourself.

Be sure to follow us on Twitter @velocidex, join our Discord server, sign up for our mailing list and regularly check out this blog for details on upcoming Velociraptor events. We have some exciting things planned for the rest of 2021, into 2022 and beyond!


Justin Welgemoed

This submission demonstrates how Velociraptor can be used to automate collection, analysis and post processing using a combination of client and server artifacts. Justin has also re-purposed the GUI to automate further processing of files by signature identification using tools such as GENE and CAPA for further triaging.

References:

https://github.com/predictiple/VelociraptorCompetition.git


Shae Bailey

Shae contributed a number of artifacts to enhance Cobalt Strike detection and utilize ETW for real-time monitoring.

References:

https://drive.google.com/drive/folders/1Jr4CJO6y2VZVNl7vRSiuAs8Ys7IDmVub?usp=sharing


Eduardo Cunha Mattos

Eduardo contributed many useful artifacts, including a number of MacOS artifacts.

Some highlights include:

  • Loki integration
  • Enriched hollows hunter
  • Registry UsrClass
  • JECmd integration

References:

https://github.com/eduardomcm/VelociraptorCompetition


Jonathan Woodward

Jonathan contributed many MacOS artifacts focusing on acquisition of critical files for DFIR triaging.

References:

https://drive.google.com/drive/folders/1cmmoOkP5tWD9skIAU5ClWRG_uagzUYVO?usp=sharing


Josh Brower

Josh wrote VQL artifacts that use a Sysmon configuration as a source to filter out known-good processes when running pslist() across Windows endpoints.

References:

Context & Overview video: https://www.screencast.com/t/iLw4f2jL0FPu

Code: https://gist.github.com/defensivedepth/09a6c91a593bdc62b63f2d40b1bc2f84
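As an added illustration of that approach (this is not Josh's VQL from the gist above, and not part of the original post), the Python below parses a constructed Sysmon configuration, treats its ProcessCreate exclude rules as the known-good list, and applies that list to constructed pslist()-style rows. The config fragment, the process rows and the function names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon configuration fragment (not a real deployed config).
# ProcessCreate rules with onmatch="exclude" name images Sysmon does not
# log, i.e. processes the operator already treats as known-good.
SYSMON_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
        <Image condition="is">C:\\Windows\\System32\\csrss.exe</Image>
        <Image condition="end with">\\conhost.exe</Image>
      </ProcessCreate>
      <ProcessCreate onmatch="include">
        <Image condition="contains">powershell</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Sysmon match conditions this example understands (case-insensitive).
CONDITIONS = {
    "is": lambda exe, v: exe == v,
    "end with": lambda exe, v: exe.endswith(v),
    "begin with": lambda exe, v: exe.startswith(v),
    "contains": lambda exe, v: v in exe,
}

def load_exclusions(config_xml):
    """Return (condition, value) pairs from every ProcessCreate exclude rule."""
    root = ET.fromstring(config_xml)
    rules = []
    for pc in root.iter("ProcessCreate"):
        if pc.get("onmatch", "").lower() != "exclude":
            continue  # include rules are not a known-good statement
        for img in pc.findall("Image"):
            rules.append((img.get("condition", "is").lower(), img.text.strip()))
    return rules

def matches(rule, exe):
    """True if the executable path satisfies one exclude rule.
    An unknown condition never matches, so nothing is hidden by mistake."""
    cond, value = rule
    check = CONDITIONS.get(cond)
    return bool(check and check(exe.lower(), value.lower()))

def filter_pslist(processes, rules):
    """Keep only processes whose full path matches no exclude rule.
    A full-path comparison keeps a masquerading svchost.exe in view."""
    return [p for p in processes if not any(matches(r, p["Exe"]) for r in rules)]

# Constructed rows in the shape pslist() returns on Windows.
PSLIST = [
    {"Pid": 804, "Name": "svchost.exe", "Exe": "C:\\Windows\\System32\\svchost.exe"},
    {"Pid": 512, "Name": "csrss.exe", "Exe": "C:\\Windows\\System32\\csrss.exe"},
    {"Pid": 3320, "Name": "conhost.exe", "Exe": "C:\\Windows\\System32\\conhost.exe"},
    {"Pid": 4412, "Name": "svchost.exe", "Exe": "C:\\Users\\Public\\svchost.exe"},
    {"Pid": 5100, "Name": "notepad.exe", "Exe": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for p in filter_pslist(PSLIST, load_exclusions(SYSMON_CONFIG)):
        print(p["Pid"], p["Exe"])
```

Only the two rows that match no exclude rule survive, including the svchost.exe running from C:\Users\Public, which shares a name but not a path with the excluded one.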


Daniel Kelly

Daniel contributed a large number of useful artifacts providing collection capabilities for Windows and Linux focused around initial triage.

References:

https://drive.google.com/drive/folders/1Q3b4b1NN_xo5_2ak1-INn8l5kIBbfNZ2?usp=sharing