Velociraptor Intro

No Logs, No problem

Velociraptor is an open-source endpoint visibility and collection platform, originally developed by Mike Cohen and now maintained by Rapid7. It is widely used in DFIR. What makes it such a versatile response tool is the ease of installation: the server and client can be installed from a single binary, which allows for immediate access to, and quarantine of, the infected endpoint.

Velociraptor's true power also comes from its own query language, the Velociraptor Query Language (VQL), which allows you to collect, query, and monitor almost any aspect of an endpoint, a group of endpoints, or an entire network.

Using VQL, when you learn of a new type of indicator you can write the relevant VQL queries, package them in an artifact, and hunt for that artifact across the entire deployment, which could consist of thousands of endpoints.
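To show what "package the query in an artifact" looks like in practice, here is an added example of a custom client artifact (written for this post, not taken from the Velociraptor project or its documentation). The artifact name, the parameter name and the default path pattern are constructed for the example; the query lists running processes whose executable sits outside the usual Windows system directories, a common triage view.

```yaml
# Added example: a custom CLIENT artifact wrapping one VQL query so it can be
# collected from a single endpoint or hunted across the whole deployment.
# Artifact name, parameter and default regex are constructed for this example.
name: Custom.Windows.Triage.ProcessesOutsideSystemPaths
description: |
  Lists running processes whose executable is not located under the
  Windows or Program Files directories. This is a triage view to review
  by hand, not a verdict on its own.
type: CLIENT

# Only run on Windows endpoints; other OSes are skipped silently.
precondition: SELECT OS FROM info() WHERE OS = 'windows'

parameters:
  - name: TrustedPathRegex
    description: Executables matching this regex are filtered out.
    # VQL regexes are RE2 syntax and case-insensitive; single quotes keep
    # the backslashes literal in YAML.
    default: '^C:\\(Windows|Program Files|Program Files \(x86\))\\'

sources:
  - query: |
      SELECT Pid, Ppid, Name, Username, Exe, CommandLine,
             hash(path=Exe) AS Hashes
      FROM pslist()
      WHERE Exe AND NOT Exe =~ TrustedPathRegex
```

Paste the artifact into the GUI's artifact editor, then collect it from one client to validate the output before launching a hunt across the deployment.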

💡
For Documentation visit https://docs.velociraptor.app/docs/

This post is also inspired by AntiSyphon Training SOC core labs

You can follow the same training in a relatively short time to get acquainted with Velociraptor and gain an understanding of how to set up Velociraptor as a demo.

Installation and Deployment on Windows - Demo

Download the Velociraptor binary below from the Velocidex GitHub repo:

velociraptor-v0.7.1-windows-amd64.exe

Next, create a directory in your home directory named "vlab"; this is where we will install the Velociraptor client and server.

💡
Generally, the velociraptor server is installed on a separate system.

A Typical Deployment

  1. Generate a configuration file for the server and clients.
  2. Create a server package that includes the generated configuration file.
  3. Set up a cloud VM for the server (If deploying in the cloud) or create a new physical server.
  4. Install the server package on the VM. Once installed, you will be able to access the Admin GUI and front end.
  5. Create client packages for target operating systems (for example, MSI for windows).

"We typically use Ubuntu- or Debian-based VMs to deploy the server in production. We do not support Windows-based servers at scale, although you can install the server on Windows for a demo or for a few endpoints." - Velocidex

Continuing our Deployment

For this lab, we will keep the default configuration options until we reach the step that adds our GUI user. Select Windows and Self Signed SSL for the first two options, then hit Enter to accept the defaults for the rest.

Default Configuration

Then, within the "vlab" directory, run the following and choose a password for this admin user:

velociraptor-v0.7.1-1-windows-amd64.exe --config server.config.yaml user add root --role administrator

From the Velocidex GitHub repo, also download the following MSI:

velociraptor-v0.7.1-windows-amd64.msi

Run this MSI to install the client files into the proper directories.

Start the Server

velociraptor-v0.7.1-1-windows-amd64.exe --config server.config.yaml frontend -v

Then navigate to the following and proceed:

https://127.0.0.1:8889

Start the Client

Next, we need to start the client. To do this, we will need to run the MSI first.

velociraptor-v0.7.1-1-windows-amd64.msi

When you get the pop-up, select Run. This will install the proper libraries and files.

Next, we will connect the client.

velociraptor-v0.7.1-1-windows-amd64.exe --config client.config.yaml client -v

We have now fully spun up our Velociraptor client and server!!

💡
To learn more about Velociraptor, visit https://github.com/Velocidex/velociraptor