SANS Threat Hunting Summit 2022


How to unlock achievements in Threat Hunting using Velociraptor

Velociraptor is the open source DFIR framework that everyone is talking about! Have you ever needed to respond to an incident in a large enterprise network? Have you wondered how many of your 10,000 endpoints are compromised? You know you should be hunting for common forensic artifacts but how do you do it in a scalable way, in a reasonable time? Well… now you can!

This session will introduce Velociraptor and cover its recent capabilities for investigating and monitoring the security of Linux and Windows hosts. Velociraptor's superpower is its flexible and powerful query language, VQL. Using VQL we can implement novel detections, hunt for compromise and automate all our response needs. We will cover common use cases such as hunting for SSH keys across large networks.

We will also discuss the advantages and disadvantages of the Velociraptor philosophy: push processing to the endpoint rather than transferring raw data back for central processing.
