The 2021 Velociraptor Contributor Competition has drawn to a close and this year we have received 6 excellent submissions. Each submission pushes the state of the art in DFIR and enhances Velociraptor’s capabilities. Without our wonderful Community an open source project such as Velociraptor would not be nearly as capable.
We are thrilled to announce the winners of the Competition! Each of these
submissions separated itself from the pack by earning the top combined
ratings in five key selection criteria:
Usefulness, Creativity,
Effort/Difficulty, Completeness of Solution and Clarity of Documentation
Without further ado, the winners are…
Congratulations to all three winners! We’ll be reaching out soon with details on how to claim your prizes. The Velociraptor team would also like to sincerely thank all the judges for their valuable time and effort in evaluating the submissions. A great big shoutout and thanks to all our Community members who submitted entries as well.
You can still view our award presentation at the SANS Threat Hunting Summit by registering to view a replay of the summit here. But until then, take a look at all the submissions below and evaluate them yourself.
Be sure to follow us on Twitter @velocidex, join our Discord server,
sign up for our mailing list
and regularly check out this blog for details on upcoming Velociraptor events. We have some exciting things planned for the rest of 2021, into 2022 and beyond!
This submission demonstrates how Velociraptor can be used to automate
collection, analysis and post processing using a combination of client
and server artifacts. Justin has also re-purposed the GUI to automate
further processing of files by signature identification using tools
such as GENE and CAPA for further triaging.
https://github.com/predictiple/VelociraptorCompetition.git
Shae contributed a number of artifacts to enhance Cobalt strike detection and utilize ETW for real time monitoring.
https://drive.google.com/drive/folders/1Jr4CJO6y2VZVNl7vRSiuAs8Ys7IDmVub?usp=sharing
Eduardo contributed many useful artifacts including a number of MacOS artifacts
Some highlights include
https://github.com/eduardomcm/VelociraptorCompetition
Jonathan contributed many MacOS artifacts focusing on acquisition of critical files for DFIR triaging.
https://drive.google.com/drive/folders/1cmmoOkP5tWD9skIAU5ClWRG_uagzUYVO?usp=sharing
Josh wrote VQL artifacts that uses a sysmon configuration as a source to filter out known-good processes when running pslist() across Windows endpoints.
Context & Overview video: https://www.screencast.com/t/iLw4f2jL0FPu
Code: https://gist.github.com/defensivedepth/09a6c91a593bdc62b63f2d40b1bc2f84
Daniel contributed a large number of useful artifacts providing collection capabilities for Windows and Linux focused around initial triage.
https://drive.google.com/drive/folders/1Q3b4b1NN_xo5_2ak1-INn8l5kIBbfNZ2?usp=sharing