On September 13th 2023, we held the 2nd annual VeloCON virtual summit. VeloCON is a 1 day event focused on the Velociraptor community. It’s a place to share experiences in using and developing Velociraptor to address the needs of the wider DFIR community and an opportunity to take a look ahead at the future of our platform.
VeloCON ended with Mike Cohen VeloCON with a review of the last twelve months for Velociraptor, and some insight into the next twelve.
YouTube links to the sessions can be found below.
|Time Slot (ET)||Speaker||Topic|
|9:05-10:00 am||Matt Green|
Principal Software Engineer, Velociraptor/Rapid7
|Content Management Like a Boss!|
|10:00-10:45 am||Mike Cohen|
Digital Paleontologist, Velociraptor/Rapid7
|Fast DFIR with Velociraptor|
|11:00-11:45 am||Semanur Güneysu|
SOC Analyst, IMPERUM
|Empowering SOC Analysts with Velociraptor: Revolutionizing Live Response and Automation||11:45-12:30 pm||Phalgun Kulkarni & Julia Paluch|
DFIR Consultants, Aon
|Windows Search Index: The Forensic Artifact You’ve Been Searching For|
|1:00-1:45 pm||Andreas van Leeuwen Flamino|
SOC Team Lead, Oil & Gas
|Velociraptor As A Learning Tool|
|1:45-2:30 pm||Wes Lambert||Clawing Your Way To Compliance with Velociraptor|
|2:45-3:30 pm||Phalgun Kulkarni & Kostya Ilioukevitch|
DFIR Consultants, Aon
|Tracing the Footsteps: A Bird's Eye View of Lateral Movement Using Velociraptor|
|3:30-4:00 pm||Mike Cohen|
Digital Paleontologist, Velociraptor/Rapid7
|Year In Review/Future Roadmap|
By Matt Green - Principal Software Engineer, Velociraptor/Rapid7
Content management is one of the most under rated Velociraptor capabilities used by mature users. This talk will walk through some basics of content management, introduce automation and hopefully leave you with actionable ideas on how to do Velociraptor Content like a boss.
By Mike Cohen - Digital Paleontologist
You have probably already heard of Velociraptor - the leading open source DFIR platform! Velociraptor provides unprecedented deep visibility into the endpoint with an impressive number of built in and community contributed analysis modules - all available for free under an open source license! However, with all the capabilities that Velociraptor comes with, it can be a little confusing to know exactly which artifact to collect when responding to any one situation. This can be even harder when the clock is ticking… while containing an incident!
This is when a real world, practical walk through can be most valuable! In this webcast, Mike Cohen, the lead developer of Velociraptor will work through a typical DFIR investigation: Detecting and containing an attacker who gains a foothold on a network. We will examine techniques for hunting at scale for the attacker to identify their foothold and reconstruct the event timeline. We then detect attacker persistence to prevent re-infection.
There is something to learn for everyone: If you currently use Velociraptor in your daily workflow you might learn some additional artifacts you might be able to leverage. If you currently do not use Velociraptor, this webinar will provide a demonstration of some of the powerful capabilities that come bundled in this widely popular DFIR tool!
By: Semanur Güneysu - SOC Analyst, IMPERUM
In today’s rapidly evolving threat landscape, SOC analysts are constantly challenged to detect, respond to, and remediate security incidents swiftly and efficiently. This presentation focuses on designing automation playbooks while using Velociraptor’s features that enable SOC analysts to enhance their capabilities: The presentation begins by highlighting the significance of live response in incident handling and investigations. We delve into the limitations of traditional approaches and showcase how Velociraptor revolutionizes the live response landscape. Through its open-source nature, extensibility, and powerful query language, Velociraptor empowers SOC analysts to perform real-time investigations and gather valuable forensic data across endpoints, networks. Additionally, the presentation highlights the capabilities of the Velociraptor app within the SOAR platform. We showcase how the Velociraptor app, leveraging its API integration.This integration empowers SOC analysts to leverage Velociraptor’s powerful live response capabilities directly within the IMPERUM platform, enhancing efficiency and centralizing incident response efforts.With the integration of Velociraptor and IMPERUM, SOC analysts can streamline incident response workflows, automate repetitive tasks, and orchestrate complex security operations seamlessly. The presentation then underscores the benefits of Velociraptor and live response automation. We emphasize how these technologies improve the efficiency, accuracy, and speed of incident response. By enabling SOC analysts to gather forensically sound evidence, perform deep-dive investigations, and make data-driven decisions, Velociraptor becomes a force multiplier in the SOC ecosystem. Moreover, the integration of Velociraptor with IMPERUM augments the effectiveness of incident response by enabling proactive threat hunting, correlation of events, and automated remediation actions. Lastly, we discuss real-world use cases and success stories that demonstrate the tangible impact of Velociraptor in live response scenarios. Through these examples, we illustrate how SOC analysts can effectively handle and mitigate security incidents, significantly reducing the mean time to detect and respond and minimizing the overall impact of cyber threats. In conclusion, this presentation highlights the transformative potential of Velociraptor and IMPERUM in empowering SOC analysts. By combining the live response capabilities of Velociraptor with playbooks, organizations can enhance their incident response capabilities, strengthen their security posture, and adapt to the ever-evolving threat landscape effectively.
By Phalgun Kulkarni - DFIR Consultant - Aon And Julia Paluch DFIR Software Developer - Aon
For examiners investigating cyber-crimes on Windows endpoints, the Windows Search Index consists of rich information such as a user’s Internet history, emails, file interactions, and even deleted data. Created as a tool to enable searching for files across the Windows operating system, the Windows Search Index as a forensic artifact provides insight into file existence and user activity. In this presentation, we will discuss how the Windows Search Index can be used as a source of evidence in DFIR investigations and how it can be parsed at scale by integrating an open-source tool named SIDR (Search Index Database Reporter) with Velociraptor.
This presentation will provide an overview of the data recorded in the Windows Search Index by default and user actions that trigger modifications of the index. Next, we will introduce the structure of the index in Windows 10 and prior operating systems, and how it has changed in Windows 11. We will also discuss use cases for the information present in the index, such as finding evidence of website access, deleted data, and activity from users of interest. Finally, we will introduce SIDR (Search Index Database Reporter) and a Velociraptor plugin, to parse the Windows Search Index at scale.
Attendees will gain a deep understanding of the Windows Search Index structure, how it can be used as a forensic artifact, and the insights it can provide to bolster the next investigation.
PSA: For reference please see https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/
SIDR available at https://github.com/strozfriedberg/sidr
By: Andreas van Leeuwen Flamino - Cyber Intelligence Center Team Lead, Flamino IR
The objective of this talk will be to persuade the audience to use Velociraptor as a learning and teaching tool. The talk takes many cues from my personal experience with Velociraptor. I have used it as a key tool in the DFIR function at a mega event, and in high-profile incident response engagements when I worked in an IR service delivery team. I will cover how Velociraptor can be used as a learning and teaching tool.
Part 1 - As a learning tool In this part of the presentation I will expand how it helped me, someone who has a decent foundation and experience with operating systems, become a better threat hunter, incident responder and forensic analyst. I will cover how it helped me:
Part 2 - As a teaching tool In the second part I will cover how it helped make associate analysts rapidly increase their exposure and experience. I will explain how I feel that Velociraptor has some parallels to UNIX and Linux shell commands, in the sense that it offers many core artifacts that can do one thing really well. If the practitioner learns how each of these core artifacts works, and then learns how to combine them, they can start to answer complex questions quickly. Because this process is fluid (you can combine and dig deeper in whatever interests you), it truly develops the qualities of being self-starting and resourceful. I believe these two skills are foundational in many areas of life.
The main thought I will expand on in the second part is how Velociraptor can help interested junior associates become more senior associates in a shorter amount of time. Some examples I will share are:
By Wes Lambert
In this presentation, we’ll explore the multifaceted capabilities of Velociraptor as an endpoint visibility monitoring tool in meeting various security compliance standards. While compliance has traditionally been seen as a complex and arduous task, the application of innovative tools like Velociraptor can significantly streamline this process and ensure that organizations maintain their adherence to different cybersecurity policies. Cybersecurity compliance is increasingly being seen not just as an administrative burden, but as an essential component of an organization’s cybersecurity framework. Amid the ever-evolving cybersecurity landscape, compliance with the right security standards can help organizations mitigate threats and reduce risk. Velociraptor’s capacity to provide real-time, comprehensive visibility of endpoints makes it a vital instrument in achieving and maintaining security compliance.
Throughout the presentation, we’ll delve into the application of Velociraptor in creating a robust, efficient, and effective security compliance framework. We will illustrate how its features, like live response, artifact collection, and advanced querying capabilities can be leveraged to fulfill regulatory requirements. By highlighting specific case scenarios, we will demonstrate how Velociraptor’s ability to investigate security threats and breaches, and monitor security configurations, aligns with critical compliance needs. We’ll further examine how Velociraptor can support the different aspects of the compliance lifecycle. By enabling continuous monitoring and auditing of endpoints, Velociraptor can help organizations maintain an accurate inventory of assets, track and control configurations, identify and respond to security incidents, and conduct post-incident analyses, all of which are crucial to ensuring adherence to various security standards.
Continuing, we’ll discuss how the open-source nature of Velociraptor allows for customization and flexibility in responding to unique compliance requirements. Whether it’s creating custom artifacts to capture specific data or modifying existing artifacts to suit specific environments, Velociraptor provides the flexibility organizations need to meet compliance standards.
In conclusion, the presentation will underscore the significance of adopting a proactive, tool-supported approach to achieving compliance. By employing Velociraptor’s advanced endpoint visibility monitoring capabilities, organizations can not only demonstrate their adherence to required security standards but also enhance their overall cybersecurity posture. The insights shared during this presentation will be especially beneficial for security professionals and compliance officers seeking efficient ways to align their compliance strategies with dynamic cybersecurity needs. Through this exploration of Velociraptor’s potential in the compliance arena, attendees will gain a deeper understanding of how to leverage this powerful tool in their quest to maintain security compliance.
By: Phalgun Kulkarni - DFIR Consultant And Kostya Ilioukevitch - DFIR Sr. Consultant, Aon
One of the commonly asked questions by stakeholders and major goals during an incident response investigation is to identify the systems accessed by the threat actor; in short, identification of “Lateral Movement.” Recently, our team has developed a new Velociraptor plugin that goes deeper into a broader set of lateral movement artifacts to provide examiners with more opportunities to detect threat actor movement during investigations.
Typically, forensic examiners rely on Windows Event Logs to identify lateral movement. While Windows Event Logs are a great source to identify such activity, there may be a chance that the events may have rolled over or certain event IDs are not enabled. Other artifacts such as Windows UAL, Shellbags, Windows Registry, application configuration files etc. can be utilized in addition to Windows Event Logs to provide a more holistic overview into lateral movement activity within a network.
This presentation focuses on: Introducing a brand-new Velociraptor plugin that provides a holistic view of lateral movement across the network. A process to efficiently visualize lateral movement across multiple systems.
This talk briefly discusses various Windows OS artifacts, including
the artifacts generated by remote access tools like WinSCP, that can
be analyzed using Velociraptor to identify lateral movement. We
categorize the artifacts into inbound (destination system artifacts)
and outbound (source system artifacts) access, making it easier to
identify the type of access. Additionally, we introduce a new Windows
lateral movement Velociraptor plugin that provides a better,
data-rich, and contextual view of lateral movement. This plugin builds
on the existing
Windows.Packs.LateralMovement hunt by adding more data
such as the time, source host, destination host, and application while
supporting a more diverse set of artifacts such as Windows UAL,
Shellbags, Windows Registry ,and application configuration
files. Finally, we will also cover how to efficiently consume the
output generated by this plugin through tools that support data
The current implementation of this plugin includes artifacts from Windows systems. It can be further enhanced by including lateral movement artifacts from Linux environments.
Attendees will gain:
Knowledge about various lateral movement artifacts present on Windows OS (including Remote Access Tools artifacts), which can be utilized to identify the affected systems and Threat Actor’s movement in a network. The ability to efficiently consume the data generated by our Velociraptor plugin through data visualizations.