With the increased prevalence of cybercrime in recent years, the likelihood that your organization will be targeted by organized crime groups has risen dramatically. Professional cybercriminals are proficient and agile, with typical dwell times now measured in hours rather than the weeks or months that were common in the past. An unsuccessful incident response can result in massive losses to the organization, with critical data either ransomed or exfiltrated.
Don’t worry - Velociraptor has your back! This tutorial will introduce you to this powerful open source framework, capable of responding to many thousands of endpoints within minutes. Velociraptor came onto the scene a few years ago and is getting better all the time. It is now the obvious choice for an open source Digital Forensics and Incident Response (DFIR) tool.
Velociraptor’s superpower is its flexible and powerful query language, VQL. Using VQL we can implement novel detections, hunt for compromise and automate all our response needs. We cover some common use cases, such as hunting for SSH keys across large networks or automatic escalation when suspicious events are discovered. We also cover real-time monitoring of the endpoint (for example, webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections and even bash instrumentation of the command line, all done at scale with the click of a few buttons.
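As an added illustration of the parent/child webshell check mentioned above (example code written for this page, not an artifact from the Velociraptor project), the query below lists every running shell whose parent is a web server process. The two regexes are assumptions about which binaries count as shells and as web servers; tune them to your environment.

```vql
-- Child processes that would be unusual for a web server to spawn.
LET Shells = "(?i)^(cmd|powershell|pwsh|sh|bash|dash)(\\.exe)?$"

-- Parent processes that serve web content (assumed list, adjust as needed).
LET WebServers = "(?i)^(w3wp|httpd|apache2|nginx|php-fpm|tomcat|java)"

-- Walk every shell-like process, then look up its parent by pid and
-- keep only the rows where the parent matches a web server name.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ChildPid, Ppid, Name AS ChildName, CommandLine AS ChildCmd
    FROM pslist()
    WHERE Name =~ Shells
  },
  query={
    SELECT Pid AS ParentPid, Name AS ParentName,
           ChildPid, ChildName, ChildCmd
    FROM pslist(pid=Ppid)
    WHERE Name =~ WebServers
  })
```

Run it as a hunt to sweep the fleet once, or wrap the same logic around a process-creation event source to turn it into a continuous alert.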