Tools · February 9, 2026 · 2 min read · by 0xt0pus

Velociraptor

Open-source DFIR platform for endpoint monitoring, collection, and threat hunting


Description

Velociraptor is an open-source DFIR platform for collecting, monitoring, and hunting on a single endpoint, a group of endpoints, or an entire network. One of its main strengths is its query language, VQL (Velociraptor Query Language). The predefined hunting queries (artifacts) shipped with the platform are written in VQL and can be extended to suit your needs. Velociraptor has an edge over tools such as osquery and Google's Rapid Response (GRR) for three main reasons: ease of deployment, speed, and minimal footprint on the system running the agent.

Usage 1: Collect Evidence of Downloads

Use the Windows.Analysis.EvidenceOfDownload artifact to find all evidence of downloads within the user directories on an enrolled endpoint.

Steps:

1. Click on Client ID (e.g., C.2b3a22f66b1c0ad6)
2. Click on the "Collected" button
3. Add a "New Collection"
4. Search for "Windows.Analysis.EvidenceOfDownload" artifact
5. Hit "Launch"

Usage 2: List Running Processes

Use the Windows.System.Pslist artifact to identify the processes running on an endpoint. This is the step used to find the exact name of a suspicious or infected process before dumping its memory.

Steps:

1. Click on Client ID
2. Add a New Collection
3. Search for "Windows.System.Pslist" artifact
4. Launch the collection

Usage 3: Capture Memory Dump for an Infected Process

Use the Windows.Triage.ProcessMemory artifact to dump the memory of a specific process. First identify the process using Windows.System.Pslist, then dump it.

Steps:

1. Identify the process name using Windows.System.Pslist artifact
2. Add a New Collection
3. Search for "Windows.Triage.ProcessMemory" artifact
4. Enter the process name (without .exe extension)
5. Launch the collection
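Usage 2 and Usage 3 together form one procedure: identify the process by name, then dump it. The custom artifact below, an added example that is not part of the original post or of the Velociraptor project, packages that procedure into a single collection so an analyst can confirm what a name pattern matches before any memory is dumped. It assumes the built-in Windows.Triage.ProcessMemory artifact accepts its process name pattern through a parameter called processRegex, that the pslist() plugin is available on the Windows client, and that the artifact name Custom.Windows.Triage.ProcessAndDump is free in your deployment.

```yaml
# Added example (not from the original post or the Velociraptor project).
# Assumptions: the built-in Windows.Triage.ProcessMemory artifact takes a
# 'processRegex' parameter, pslist() is available on the Windows client,
# and the artifact name below is not already in use.
name: Custom.Windows.Triage.ProcessAndDump
description: |
  Lists processes whose name matches ProcessRegex and, only when
  DumpMemory is set, dumps the memory of each match by calling the
  built-in Windows.Triage.ProcessMemory artifact. Run it once with
  DumpMemory unset to confirm the pattern matches only the intended
  process, then rerun it with DumpMemory set to collect the dump.

parameters:
  - name: ProcessRegex
    description: Regex matched against the process name (no .exe needed)
    default: "^notepad"
  - name: DumpMemory
    description: Set to Y to also dump the memory of every matching process
    type: bool
    default: N

sources:
  # Source 1: the Usage 2 step. Same data as Windows.System.Pslist,
  # narrowed to the processes the pattern matches.
  - name: Matches
    query: |
      SELECT Pid, Ppid, Name, Exe, CommandLine
      FROM pslist()
      WHERE Name =~ ProcessRegex

  # Source 2: the Usage 3 step, gated behind DumpMemory so that an
  # overly broad pattern cannot dump several processes by accident.
  - name: Dumps
    query: |
      SELECT * FROM if(
        condition=DumpMemory,
        then={
          SELECT * FROM Artifact.Windows.Triage.ProcessMemory(
            processRegex=ProcessRegex)
        })
```

Add the file through the "View Artifacts" page in the console, then collect it from a client exactly as in the steps above, searching for Custom.Windows.Triage.ProcessAndDump instead of the built-in artifact. The pattern is a regular expression, which is why the page's step 4 says to leave off the .exe extension: "^notepad" matches notepad.exe but also any other process whose name starts with notepad, so check the Matches result set before setting DumpMemory.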

Deployment Options

Server Installation:

  • Self-Signed SSL - Recommended for on-premises environments
  • Cloud Deployment - Recommended for easy deployments
  • Instant Velociraptor - Recommended for testing (self-contained client and server on local machine)

Client Enrollment:

  • Run clients interactively
  • Install using Custom MSI
  • Install the Client as a Service
  • Agentless Deployment

Access the Console:

https://127.0.0.1:8889

Key Artifacts Reference

  • Windows.Analysis.EvidenceOfDownload - Find download evidence in User directories
  • Windows.System.Pslist - List running processes on the endpoint
  • Windows.Triage.ProcessMemory - Dump memory of a specific process