VeloCON 2023

On September 13th 2023, we held the 2nd annual VeloCON virtual summit. VeloCON is a one-day event focused on the Velociraptor community. It’s a place to share experiences in using and developing Velociraptor to address the needs of the wider DFIR community, and an opportunity to look ahead at the future of our platform.

VeloCON ended with Mike Cohen’s review of the last twelve months for Velociraptor, and some insight into the next twelve.

YouTube links to the sessions can be found below.

Agenda at a glance

Time Slot (ET) | Speaker | Topic
9:00-9:05 am | | INTRO
9:05-10:00 am | Matt Green, Principal Software Engineer, Velociraptor/Rapid7 | Content Management Like a Boss!
10:00-10:45 am | Mike Cohen, Digital Paleontologist, Velociraptor/Rapid7 | Fast DFIR with Velociraptor
10:45-11:00 am | | BREAK
11:00-11:45 am | Semanur Güneysu, SOC Analyst, IMPERUM | Empowering SOC Analysts with Velociraptor: Revolutionizing Live Response and Automation
11:45-12:30 pm | Phalgun Kulkarni & Julia Paluch, DFIR Consultants, Aon | Windows Search Index: The Forensic Artifact You’ve Been Searching For
12:30-1:00 pm | | LUNCH
1:00-1:45 pm | Andreas van Leeuwen Flamino, SOC Team Lead, Oil & Gas | Velociraptor As A Learning Tool
1:45-2:30 pm | Wes Lambert | Clawing Your Way To Compliance with Velociraptor
2:30-2:45 pm | | BREAK
2:45-3:30 pm | Phalgun Kulkarni & Kostya Ilioukevitch, DFIR Consultants, Aon | Tracing the Footsteps: A Bird's Eye View of Lateral Movement Using Velociraptor
3:30-4:00 pm | Mike Cohen, Digital Paleontologist, Velociraptor/Rapid7 | Year In Review/Future Roadmap
4:00 pm | | WRAP

Detailed Program

Content Management Like a Boss!

By Matt Green - Principal Software Engineer, Velociraptor/Rapid7

Content management is one of the most underrated Velociraptor capabilities used by mature users. This talk will walk through some basics of content management, introduce automation, and hopefully leave you with actionable ideas on how to do Velociraptor content like a boss.

Fast DFIR with Velociraptor

By Mike Cohen - Digital Paleontologist

You have probably already heard of Velociraptor - the leading open source DFIR platform! Velociraptor provides unprecedented deep visibility into the endpoint with an impressive number of built-in and community contributed analysis modules - all available for free under an open source license! However, with all the capabilities that Velociraptor comes with, it can be a little confusing to know exactly which artifact to collect when responding to any one situation. This can be even harder when the clock is ticking… while containing an incident!

This is when a real world, practical walk through can be most valuable! In this webcast, Mike Cohen, the lead developer of Velociraptor, will work through a typical DFIR investigation: detecting and containing an attacker who gains a foothold on a network. We will examine techniques for hunting at scale for the attacker to identify their foothold and reconstruct the event timeline. We then detect attacker persistence to prevent re-infection.

There is something to learn for everyone: if you currently use Velociraptor in your daily workflow, you might learn about additional artifacts you can leverage. If you currently do not use Velociraptor, this webinar will provide a demonstration of some of the powerful capabilities that come bundled in this widely popular DFIR tool!

Empowering SOC Analysts with Velociraptor: Revolutionizing Live Response and Automation

By: Semanur Güneysu - SOC Analyst, IMPERUM

In today’s rapidly evolving threat landscape, SOC analysts are constantly challenged to detect, respond to, and remediate security incidents swiftly and efficiently. This presentation focuses on designing automation playbooks around Velociraptor’s features to enhance the capabilities of SOC analysts.

The presentation begins by highlighting the significance of live response in incident handling and investigations. We delve into the limitations of traditional approaches and showcase how Velociraptor revolutionizes the live response landscape. Through its open-source nature, extensibility, and powerful query language, Velociraptor empowers SOC analysts to perform real-time investigations and gather valuable forensic data across endpoints and networks.

Additionally, the presentation highlights the capabilities of the Velociraptor app within the IMPERUM SOAR platform and how it leverages Velociraptor’s API integration. This integration lets SOC analysts use Velociraptor’s powerful live response capabilities directly within the IMPERUM platform, enhancing efficiency and centralizing incident response efforts. With the integration of Velociraptor and IMPERUM, SOC analysts can streamline incident response workflows, automate repetitive tasks, and orchestrate complex security operations seamlessly.

The presentation then underscores the benefits of Velociraptor and live response automation. We emphasize how these technologies improve the efficiency, accuracy, and speed of incident response. By enabling SOC analysts to gather forensically sound evidence, perform deep-dive investigations, and make data-driven decisions, Velociraptor becomes a force multiplier in the SOC ecosystem. Moreover, the integration of Velociraptor with IMPERUM augments the effectiveness of incident response by enabling proactive threat hunting, correlation of events, and automated remediation actions.

Lastly, we discuss real-world use cases and success stories that demonstrate the tangible impact of Velociraptor in live response scenarios. Through these examples, we illustrate how SOC analysts can effectively handle and mitigate security incidents, significantly reducing the mean time to detect and respond and minimizing the overall impact of cyber threats. In conclusion, this presentation highlights the transformative potential of Velociraptor and IMPERUM in empowering SOC analysts. By combining the live response capabilities of Velociraptor with playbooks, organizations can enhance their incident response capabilities, strengthen their security posture, and adapt to the ever-evolving threat landscape effectively.

Windows Search Index: The forensic artifact you’ve been searching for

By Phalgun Kulkarni - DFIR Consultant, Aon - and Julia Paluch - DFIR Software Developer, Aon

For examiners investigating cyber-crimes on Windows endpoints, the Windows Search Index contains rich information such as a user’s Internet history, emails, file interactions, and even deleted data. Created as a tool to enable searching for files across the Windows operating system, the Windows Search Index as a forensic artifact provides insight into file existence and user activity. In this presentation, we will discuss how the Windows Search Index can be used as a source of evidence in DFIR investigations and how it can be parsed at scale by integrating an open-source tool named SIDR (Search Index Database Reporter) with Velociraptor.

This presentation will provide an overview of the data recorded in the Windows Search Index by default and user actions that trigger modifications of the index. Next, we will introduce the structure of the index in Windows 10 and prior operating systems, and how it has changed in Windows 11. We will also discuss use cases for the information present in the index, such as finding evidence of website access, deleted data, and activity from users of interest. Finally, we will introduce SIDR (Search Index Database Reporter) and a Velociraptor plugin, to parse the Windows Search Index at scale.

Attendees will gain a deep understanding of the Windows Search Index structure, how it can be used as a forensic artifact, and the insights it can provide to bolster the next investigation.

PSA: For reference please see https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/

SIDR available at https://github.com/strozfriedberg/sidr

Velociraptor As a Learning Tool

By: Andreas van Leeuwen Flamino - Cyber Intelligence Center Team Lead, Flamino IR

The objective of this talk will be to persuade the audience to use Velociraptor as a learning and teaching tool. The talk takes many cues from my personal experience with Velociraptor. I have used it as a key tool in the DFIR function at a mega event, and in high-profile incident response engagements when I worked in an IR service delivery team. I will cover how Velociraptor can be used as a learning and teaching tool.

Part 1 - As a learning tool

In this part of the presentation I will expand on how it helped me, someone who has a decent foundation and experience with operating systems, become a better threat hunter, incident responder and forensic analyst. I will cover how it helped me:

  • Become a better threat hunter, because the operator has to be explicit when asking the tool questions. Really thinking through what you are looking for sharpens the mind.
  • Understand the limitations of commercial tooling.
  • I will cover some advantages over typical EDRs, because Velociraptor allows you to ask such diverse and specific questions.
  • I will cover the advantages over forensic tooling, touching on the speed and scale with which you can perform investigations, if forensic soundness is not a hard requirement.
  • Remove abstraction layers. Becoming more tool agnostic, and less limited by commercial tooling feature sets.
  • Understand the limitations of your own knowledge. Spotting gaps in one’s own knowledge and understanding. For example, different hashes of certain DLLs in an environment where all endpoints are created from the same Golden Image with the same level of patching, can make one curious why these DLLs are different. I will add more examples.
  • Deepen practical understanding of the arts and science of digital forensics and incident response. I can cover how I feel that delivering rapid Incident Response engagements is an art, where creativity is a must, on top of a solid foundation of the science of Operating Systems and computing principles. Velociraptor allows the responder to get to work quickly, creatively (by virtue of the wide variety of pivots it allows for) and intentionally.
  • Learn how certain functionality is exposed to user land in Windows, by virtue of having source code for artifacts.
  • Understand how widespread vulnerabilities are, or how certain exploits work. One example that comes to mind are the several Log4J artifacts that were released around the time of that vulnerability being (re)discovered and exploited en masse. Understanding how these artifacts are implemented can greatly deepen the operator insight.
  • Stand on the shoulders of great researchers. Explaining we don’t need to know the fine details to get started. This is a nod back to a comment Mike made in one of the Enterprise Hunting and Incident Response course videos.
  • Understand how vulnerable a lot of software is, including software from vendors that should know better. Unquoted service definitions for AV agents, for example. I will add more examples.

Part 2 - As a teaching tool

In the second part I will cover how it helped make associate analysts rapidly increase their exposure and experience. I will explain how I feel that Velociraptor has some parallels to UNIX and Linux shell commands, in the sense that it offers many core artifacts that can do one thing really well. If the practitioner learns how each of these core artifacts works, and then learns how to combine them, they can start to answer complex questions quickly. Because this process is fluid (you can combine and dig deeper in whatever interests you), it truly develops the qualities of being self-starting and resourceful. I believe these two skills are foundational in many areas of life.

The main thought I will expand on in the second part is how Velociraptor can help interested junior associates become more senior associates in a shorter amount of time. Some examples I will share are:

  • Analyzing results of hunts on a regular basis, first perhaps only in Excel, and later leveraging basic, and later more creative VQL statements.
  • Digging deeper on endpoints to qualify alerts from other tools on an ongoing basis to establish a much more thorough baseline.
  • Being able to quickly pivot. For example, from looking at a potentially malicious execution in UserAssist, to pulling MFT for a specific time window to increase context. Or pulling authentication logs for that same time window to see if there are any anomalies. All while not leaving the Velociraptor interface.
  • Removing dependency on the typical SOC chain of: typical commercial endpoint tooling being installed and running > availability, and proper definition of (custom) detection rules > event collectors, and all their possible issues > SIEM > use-cases and their potential gaps > SOAR technologies that are created with right intentions, but can also lead to tunnel vision, etc. Then contrasting this to having one tool where you can ask questions across all enrolled hosts and just dig into the result set yourself.
  • Being closer to the OS because you are directly interacting with it.
  • Reducing reliance on vendors and their support teams. I will add some great examples of the power of the Velociraptor community, where practitioners of diverse backgrounds and experience levels can easily find each other and get answers. Contrasting this to using the support contract of large commercial vendors where you often have to wait several days to get a response that doesn’t go beyond what you can already read in the available documentation yourself.
  • Reducing reliance on automation and other people’s opinions and enrichment. I will explain how enrichment isn’t bad, but that it’s great to not only rely on third party enrichment to start.
  • I will reiterate that when you combine all the above, you become more resourceful and self-starting as a result.

Clawing Your Way To Compliance with Velociraptor

By Wes Lambert

In this presentation, we’ll explore the multifaceted capabilities of Velociraptor as an endpoint visibility monitoring tool in meeting various security compliance standards. While compliance has traditionally been seen as a complex and arduous task, the application of innovative tools like Velociraptor can significantly streamline this process and ensure that organizations maintain their adherence to different cybersecurity policies. Cybersecurity compliance is increasingly being seen not just as an administrative burden, but as an essential component of an organization’s cybersecurity framework. Amid the ever-evolving cybersecurity landscape, compliance with the right security standards can help organizations mitigate threats and reduce risk. Velociraptor’s capacity to provide real-time, comprehensive visibility of endpoints makes it a vital instrument in achieving and maintaining security compliance.

Throughout the presentation, we’ll delve into the application of Velociraptor in creating a robust, efficient, and effective security compliance framework. We will illustrate how its features, like live response, artifact collection, and advanced querying capabilities can be leveraged to fulfill regulatory requirements. By highlighting specific case scenarios, we will demonstrate how Velociraptor’s ability to investigate security threats and breaches, and monitor security configurations, aligns with critical compliance needs. We’ll further examine how Velociraptor can support the different aspects of the compliance lifecycle. By enabling continuous monitoring and auditing of endpoints, Velociraptor can help organizations maintain an accurate inventory of assets, track and control configurations, identify and respond to security incidents, and conduct post-incident analyses, all of which are crucial to ensuring adherence to various security standards.

Continuing, we’ll discuss how the open-source nature of Velociraptor allows for customization and flexibility in responding to unique compliance requirements. Whether it’s creating custom artifacts to capture specific data or modifying existing artifacts to suit specific environments, Velociraptor provides the flexibility organizations need to meet compliance standards.

In conclusion, the presentation will underscore the significance of adopting a proactive, tool-supported approach to achieving compliance. By employing Velociraptor’s advanced endpoint visibility monitoring capabilities, organizations can not only demonstrate their adherence to required security standards but also enhance their overall cybersecurity posture. The insights shared during this presentation will be especially beneficial for security professionals and compliance officers seeking efficient ways to align their compliance strategies with dynamic cybersecurity needs. Through this exploration of Velociraptor’s potential in the compliance arena, attendees will gain a deeper understanding of how to leverage this powerful tool in their quest to maintain security compliance.

Tracing the Footsteps: A Bird’s Eye View of Lateral Movement Using Velociraptor

By: Phalgun Kulkarni - DFIR Consultant And Kostya Ilioukevitch - DFIR Sr. Consultant, Aon

One of the commonly asked questions by stakeholders and major goals during an incident response investigation is to identify the systems accessed by the threat actor; in short, identification of “Lateral Movement.” Recently, our team has developed a new Velociraptor plugin that goes deeper into a broader set of lateral movement artifacts to provide examiners with more opportunities to detect threat actor movement during investigations.

Typically, forensic examiners rely on Windows Event Logs to identify lateral movement. While Windows Event Logs are a great source to identify such activity, the events may have rolled over or certain event IDs may not be enabled. Other artifacts such as Windows UAL, Shellbags, Windows Registry, application configuration files etc. can be utilized in addition to Windows Event Logs to provide a more holistic overview of lateral movement activity within a network.

This presentation focuses on:

  • Introducing a brand-new Velociraptor plugin that provides a holistic view of lateral movement across the network.
  • A process to efficiently visualize lateral movement across multiple systems.

This talk briefly discusses various Windows OS artifacts, including the artifacts generated by remote access tools like WinSCP, that can be analyzed using Velociraptor to identify lateral movement. We categorize the artifacts into inbound (destination system artifacts) and outbound (source system artifacts) access, making it easier to identify the type of access. Additionally, we introduce a new Windows lateral movement Velociraptor plugin that provides a better, data-rich, and contextual view of lateral movement. This plugin builds on the existing Windows.Packs.LateralMovement hunt by adding more data such as the time, source host, destination host, and application, while supporting a more diverse set of artifacts such as Windows UAL, Shellbags, Windows Registry, and application configuration files. Finally, we will also cover how to efficiently consume the output generated by this plugin through tools that support data visualizations.
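The inbound/outbound split described above lends itself to a simple post-processing step: once every artifact row carries a time, the host it was collected from, the peer host it names, the application and its direction, source-side and destination-side evidence for the same hop can be merged into one edge and marked as corroborated when both sides are present. The following is an added illustration of that consolidation written for this page; it is not the Aon plugin, not Velociraptor code, and its input rows, field names (`host`, `peer`, `direction`, `application`, `artifact`) and five-minute pairing window are constructed assumptions rather than the plugin's actual output schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample rows (not real plugin output). Each row is one artifact hit
# collected from `host`; "outbound" rows are source-system artifacts naming the
# destination as `peer`, "inbound" rows are destination-system artifacts naming
# the source as `peer`. Artifact labels are illustrative only.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"time": "2023-09-13T10:02:10", "host": "WS01", "direction": "outbound",
     "peer": "SRV01", "application": "RDP", "artifact": "Registry TS client MRU"},
    {"time": "2023-09-13T10:02:15", "host": "SRV01", "direction": "inbound",
     "peer": "WS01", "application": "RDP", "artifact": "Security log logon type 10"},
    {"time": "2023-09-13T10:40:00", "host": "SRV01", "direction": "outbound",
     "peer": "FS01", "application": "WinSCP", "artifact": "WinSCP.ini session"},
    {"time": "2023-09-13T11:00:00", "host": "FS01", "direction": "inbound",
     "peer": "WS07", "application": "SMB", "artifact": "UAL"},
]


@dataclass
class Event:
    """One artifact hit normalized to the (time, source, destination, application) view."""
    time: datetime
    source: str
    destination: str
    application: str
    direction: str
    evidence: str  # "<collected-from host>:<artifact label>"


@dataclass
class Hop:
    """A source->destination edge, possibly backed by evidence from both ends."""
    source: str
    destination: str
    application: str
    first_seen: datetime
    last_seen: datetime
    sides: Set[str] = field(default_factory=set)
    evidence: List[str] = field(default_factory=list)

    @property
    def corroborated(self) -> bool:
        # Seen from the source system AND the destination system.
        return self.sides == {"inbound", "outbound"}


def normalize(record: Dict[str, str]) -> Event:
    """Resolve which end is source and which is destination from the row's direction."""
    direction = record["direction"]
    if direction == "outbound":
        source, destination = record["host"], record["peer"]
    elif direction == "inbound":
        source, destination = record["peer"], record["host"]
    else:
        raise ValueError(f"unknown direction {direction!r}")
    return Event(datetime.fromisoformat(record["time"]), source, destination,
                 record["application"], direction,
                 f'{record["host"]}:{record["artifact"]}')


def build_hops(events: Iterable[Event], window: timedelta = timedelta(minutes=5)) -> List[Hop]:
    """Merge events on the same (source, destination, application) that fall within
    `window` of the hop's last evidence; everything else starts a new hop."""
    hops: List[Hop] = []
    for ev in sorted(events, key=lambda e: e.time):
        for hop in hops:
            same_edge = (hop.source, hop.destination, hop.application) == \
                        (ev.source, ev.destination, ev.application)
            if same_edge and ev.time - hop.last_seen <= window:
                hop.last_seen = ev.time
                hop.sides.add(ev.direction)
                hop.evidence.append(ev.evidence)
                break
        else:
            hops.append(Hop(ev.source, ev.destination, ev.application,
                            ev.time, ev.time, {ev.direction}, [ev.evidence]))
    return hops


def to_edges(hops: List[Hop]) -> List[Dict[str, object]]:
    """Flat rows (one per hop) in the shape a graph or timeline tool can ingest."""
    return [{"source": h.source, "target": h.destination, "application": h.application,
             "first_seen": h.first_seen.isoformat(), "corroborated": h.corroborated,
             "evidence": "; ".join(h.evidence)} for h in hops]


if __name__ == "__main__":
    for edge in to_edges(build_hops(normalize(r) for r in SAMPLE_RECORDS)):
        print(edge)
```

On the constructed rows this yields three edges: WS01 to SRV01 over RDP backed by both the client-side MRU and the server-side logon, then two single-sided hops (SRV01 to FS01 via WinSCP seen only at the source, WS07 to FS01 over SMB seen only at the destination). Single-sided hops are exactly the ones worth re-collecting from the other end, which is where the wider artifact set the talk describes earns its keep when event logs have rolled over.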

Future implementations:

The current implementation of this plugin includes artifacts from Windows systems. It can be further enhanced by including lateral movement artifacts from Linux environments.

Attendees will gain:

  • Knowledge about various lateral movement artifacts present on Windows OS (including Remote Access Tools artifacts), which can be utilized to identify the affected systems and the Threat Actor’s movement in a network.
  • The ability to efficiently consume the data generated by our Velociraptor plugin through data visualizations.