This talk was given at the Linux Conference 2022 remotely https://lca2022.linux.org.au/schedule/presentation/58/
Velociraptor is the new open source DFIR framework that everyone is talking about! Have you ever needed to respond to an incident in a large enterprise network? Have you wondered how many of your 10,000 endpoints are compromised? You know you should be hunting for common forensic artifacts but how do you do it in a scalable way, in a reasonable time? Well… now you can!
This talk will introduce Velociraptor and cover specifically the recent capabilities investigating and monitoring the security of Linux hosts. Velociraptor’s superpower is its flexible and powerful query language called VQL. Using VQL we can implement novel detection, hunt for compromise and automate all our response needs. We cover some common use cases such as hunting for ssh keys across large networks or automatic escalation when suspicious events are discovered. We also cover real time monitoring of the endpoint (for example webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections and even bash instrumentation of the command line, all done at scale with the click of a few buttons.