FREE Incident Response With Velociraptor

Intro

Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform.

  • Hunt for evidence of sophisticated adversaries
  • Investigate malware outbreaks and other suspicious network activities
  • Monitor continuously for suspicious user activity, such as files copied to USB devices
  • Discover whether disclosure of confidential information occurred outside the network
  • Gather endpoint data over time for use in threat hunting and future investigations

Velociraptor Server Install

We first deploy the Velociraptor server. Every endpoint connects to it through the Velociraptor client (agent), and the server exposes a web UI from which analysts view enrolled endpoints, run hunts and collections, and much more. Two points matter at this stage: the frontend hostname you give the wizard is written into client.config.yaml, so it must resolve from every endpoint; and the generated configuration binds the GUI to 127.0.0.1 on port 8889 by default, so reach it over an SSH tunnel or change the bind address in server.config.yaml before exposing it.

# Download the release binary and make it executable
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.4-2/velociraptor-v0.6.4-2-linux-amd64
chmod +x velociraptor-v0.6.4-2-linux-amd64
# Interactive wizard: writes server.config.yaml and client.config.yaml to the current directory, prompting for frontend/GUI addresses and initial GUI users
./velociraptor-v0.6.4-2-linux-amd64 config generate -i
# Build a server .deb that bundles the binary and server.config.yaml
./velociraptor-v0.6.4-2-linux-amd64 --config server.config.yaml debian server --binary velociraptor-v0.6.4-2-linux-amd64
# Install as root and confirm the service is up
sudo dpkg -i velociraptor_0.6.4-2_server.deb
systemctl status velociraptor_server

Velociraptor Client Install

With the server installed and running, we now build the client packages for our endpoints. Each package is preconfigured with client.config.yaml, which carries the frontend URL and the server's CA certificate, so clients trust only this server. That file is safe to distribute with the package; server.config.yaml, by contrast, holds the CA private key and must stay on the server.

Linux

The dpkg (Debian) or rpm (Red Hat/CentOS/Fedora) tools can be used to install Velociraptor on Linux clients after creating an appropriate package.

# Build the client packages on the server from client.config.yaml (deb and rpm)
./velociraptor-v0.6.4-2-linux-amd64 --config client.config.yaml debian client
./velociraptor-v0.6.4-2-linux-amd64 --config client.config.yaml rpm client
# Copy the .deb to a Debian-based endpoint, then install it there as root
scp velociraptor_0.6.4-2_client.deb 5.161.107.5:/tmp/
sudo dpkg -i /tmp/velociraptor_0.6.4-2_client.deb

Running A Hunt

Let’s run a basic hunt that lists all SSH logins from our newly installed clients.
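As an added example (not code from the original post or from the Velociraptor project), here is the parse that an "all SSH logins" hunt performs, written in plain shell over a few constructed auth.log lines so it can be checked offline. In Velociraptor the same job is done fleet-wide by hunting the built-in Linux.Syslog.SSHLogin artifact; this script also answers the follow-up question an analyst asks next, namely which successful logins came from a source address that had already failed against the same host. The host name, addresses and log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or the Velociraptor project.
# Parses auth.log-format sshd lines (constructed sample below) for successful
# logins, and flags logins preceded by failures from the same source address.

# Constructed sample of /var/log/auth.log lines (not real captured data).
SAMPLE_AUTH_LOG='Jun  1 08:01:12 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:abc
Jun  1 08:02:33 web01 sshd[1210]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jun  1 08:02:35 web01 sshd[1210]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jun  1 08:03:01 web01 sshd[1215]: Accepted password for alice from 203.0.113.7 port 40100 ssh2
Jun  1 08:03:02 web01 sshd[1215]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun  1 08:05:40 web01 sshd[1230]: Accepted password for admin from 198.51.100.9 port 3030 ssh2'

# parse_auth_log MODE  (reads auth.log lines on stdin)
#   MODE=logins     prints "<timestamp>\t<user>\t<source ip>\t<auth method>"
#                   for every "Accepted ..." line
#   MODE=bruteforce prints only accepted logins whose source address had
#                   earlier "Failed password" lines, with the failure count
# Fields are located by keyword ("for", "from") rather than fixed position so
# that "invalid user" variants do not shift the parse.
parse_auth_log() {
    awk -v mode="$1" '
        function after(word,   i) {
            for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for/ { failed[after("from")]++ }
        /sshd\[[0-9]+\]: Accepted / {
            user = after("for"); ip = after("from"); method = $7
            if (mode == "logins")
                printf "%s %s %s\t%s\t%s\t%s\n", $1, $2, $3, user, ip, method
            else if (failed[ip] > 0)
                printf "%s\t%s\t%d prior failures from the same source\n", user, ip, failed[ip]
        }'
}

ssh_logins()            { parse_auth_log logins; }
brute_force_successes() { parse_auth_log bruteforce; }

# Run both views over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_logins
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_successes
```

On a real host run `ssh_logins < /var/log/auth.log` (Debian/Ubuntu) or `ssh_logins < /var/log/secure` (RHEL family); on hosts that log only to the journal, pipe in `journalctl -u ssh` or `journalctl -u sshd` output instead. The value of running this as a Velociraptor hunt rather than a script is that the artifact collects the same rows from every enrolled client at once and keeps them server-side for later correlation.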

Conclusion

Velociraptor is an extremely powerful and free incident response platform that can be used for a wide range of tasks. Its extensive set of built-in artifacts lets users collect files, scan for intrusions, quarantine hosts, and run remediation tasks remotely. Stand up Velociraptor today for a scalable, free, and fast incident response platform.

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).