forked from Velocidex/velociraptor-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 220c1ae
Showing
23 changed files
with
897 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| name: github pages | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main # Set a branch to deploy | ||
| pull_request: | ||
|
|
||
| jobs: | ||
| deploy: | ||
| runs-on: ubuntu-20.04 | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| with: | ||
| submodules: true # Fetch Hugo themes (true OR recursive) | ||
| fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod | ||
|
|
||
| - name: Setup Hugo | ||
| uses: peaceiris/actions-hugo@v2 | ||
| with: | ||
| hugo-version: 'latest' | ||
| # extended: true | ||
|
|
||
| - name: Build | ||
| run: hugo --minify | ||
|
|
||
| - name: Deploy | ||
| uses: peaceiris/actions-gh-pages@v3 | ||
| if: github.ref == 'refs/heads/main' | ||
| with: | ||
| github_token: ${{ secrets.GITHUB_TOKEN }} | ||
| publish_dir: ./public |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| [submodule "themes/hugo-theme-learn"] | ||
| path = themes/hugo-theme-learn | ||
| url = https://github.com/matcornic/hugo-theme-learn.git |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
| title: "{{ replace .Name "-" " " | title }}" | ||
| date: {{ .Date }} | ||
| draft: false | ||
| weight: 20 | ||
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| baseURL: http://www.velocidex.com/ | ||
| languageCode: en-us | ||
| title: "Velociraptor - Digging deeper!" | ||
|
|
||
| theme: "hugo-theme-learn" | ||
|
|
||
| menu: | ||
| shortcuts: | ||
| - name: "<i class='fab fa-github'></i> Github repo" | ||
| identifier: "ds" | ||
| url: "https://github.com/Velocidex/velociraptor" | ||
| weight: 10 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| +++ | ||
| title = "Overview" | ||
| date = 2021-06-09T02:33:37Z | ||
| weight = 5 | ||
| chapter = false | ||
| pre = "<b>1. </b>" | ||
| +++ | ||
|
|
||
| # Velociraptor Installation and overview | ||
| ### Introducing the little green reptile! | ||
|
|
||
| In this chapter we introduce the tool and explain the rationale behind its design. | ||
| We will deploy Velociraptor in a cloud environment - We aim to be as close to how one would deploy it on a real deployment as possible. | ||
| We will play with the GUI and introduce some of the main concepts | ||
|
|
||
|
|
||
| ## What is Velociraptor? | ||
|
|
||
| Velociraptor is a unique DFIR tool, giving you power and flexibility through the Velociraptor Query Language (VQL) | ||
| VQL is used for everything: | ||
|
|
||
| * Collecting information from endpoints (also called clients) | ||
| * Controlling monitoring and response on endpoints | ||
| * Controlling and managing the Velociraptor server. | ||
|
|
||
|
|
||
| 95 | ||
| The VFS view is similar to many other forensic packages. This makes it easier to use but it is very much less effective than writing artifacts! | ||
|
|
||
| 129 | ||
| The Velociraptor Reverse Proxy | ||
| Velociraptor has a built in reverse proxy | ||
|
|
||
| This allows us to serve other web applications through the Velociraptor server. Velociraptor will take care of authentication and SSL for free. | ||
| It is useful to export the filestore so users can just download the files they want. | ||
|
|
||
|
|
||
| Export the file store over HTTPS | ||
| GUI: | ||
| reverse_proxy: | ||
| - route: /files/ | ||
| url: file:///var/tmp/velociraptor/clients/ | ||
| require_auth: true | ||
|
|
||
|
|
||
| 130 | ||
|
|
||
| 131 | ||
| Browse the internal file store and note the location of different files. | ||
|
|
||
| 132 | ||
| Double check your security | ||
| It is really important that auth is required! | ||
| Test this twice! | ||
| Try to get one of the URLs with no authentication using curl - it should redirect to the auth screen. | ||
|
|
||
|
|
||
|
|
||
| Conclusions | ||
| In this module we introduced Velociraptor - a powerful endpoint visibility solution | ||
| We mentioned that Velociraptor is based on VQL - a flexible query language | ||
| We installed Velociraptor in a cloud deployment, prepared custom MSI packages and distributed them using group policy to our endpoints. | ||
| 133 | ||
|
|
||
| Conclusions | ||
| We introduced the Velociraptor GUI | ||
| The Virtual Filesystem abstraction (VFS) provides server side caching of the client’s filesystem | ||
| We can navigate and refresh our view of the client’s filesystem in a familiar way. | ||
| We learned about artifacts as a way of encapsulating VQL queries in a human readable, functionally focused YAML file. | ||
| 134 | ||
|
|
||
| Conclusions | ||
| We learned how artifacts can be collected from one end point | ||
| Exporting the collection into a zip file can archive the files collected and query results as CSV files. | ||
| Leveling up, we can collect the same artifact from many systems. This is called a hunt. | ||
| Exporting the hunt as a Zip file allows large collections to be archived as a snapshot from the entire deployment. | ||
| 135 | ||
|
|
||
|
|
||
| ### Velociraptor Overview | ||
|
|
||
| # Velociraptor Installation and Overview | ||
|
|
||
|  | ||
|
|
||
|
|
||
| Lorem Ipsum. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,111 @@ | ||
| --- | ||
| title: "Deployment" | ||
| date: 2021-06-09T03:52:24Z | ||
| draft: false | ||
| weight: 2 | ||
| --- | ||
|
|
||
| ## Deployment overview | ||
|
|
||
| Persistent communications C&C | ||
| Velociraptor Server | ||
| Web based admin console | ||
| Assets | ||
| Admin | ||
|
|
||
|  | ||
|
|
||
|
|
||
| ## Typical deployments | ||
|
|
||
| Velociraptor is very efficient and scalable: | ||
| Server simply collects the results of queries - clients do all the heavy lifting. | ||
| Client memory and CPU usage is controlled via throttling and active cancellations. | ||
| Server is optimized for speed and scalability | ||
| Concurrency control ensures stability | ||
| Bandwidth limits ensure network stability | ||
|
|
||
| ## Typical deployments | ||
|
|
||
| Current recommendations | ||
| 10k-15k clients - single server with file based data store (usually cloud VM). | ||
| SSL load is the biggest load - TLS offloading helps a lot! | ||
| 8 GB RAM/8 cores is generous towards the top of the range. | ||
| We recommend Ubuntu/Debian server | ||
|
|
||
| ## Multi-Frontend configuration | ||
| Available since 0.5.9 - suitable for > 10k endpoints | ||
| Still considered experimental - help us test it! | ||
| Master/Minion model | ||
| Outside the scope of this course but you can find more information in our blog post | ||
|
|
||
|
|
||
| ### Deploying Velociraptor | ||
|
|
||
|
|
||
| Run Velociraptor on your machine | ||
| Download Velociraptor from GitHub (.msi or .exe) | ||
|
|
||
| ```sh | ||
| "C:\program files\Velociraptor\Velociraptor.exe" gui | ||
| ``` | ||
|
|
||
| #### Self Signed SSL mode | ||
|
|
||
| Frontend served using TLS on port 8000 (connected to clients) | ||
| GUI uses basic authentication with usernames/passwords. | ||
| GUI Served over loopback port 8889 (127.0.0.1) | ||
| By default not exposed to the network | ||
| You can use SSH tunneling to forward the GUI | ||
|
|
||
| #### Installing a new server | ||
|
|
||
| Use the password provided in the Workshop setup to log into the server. | ||
| Fetch the latest Velociraptor Windows and Linux release binaries | ||
| Create a new configuration | ||
|
|
||
| ```sh | ||
| velociraptor config generate -i | ||
| ``` | ||
|
|
||
| Create a new server debian package | ||
|
|
||
| ```sh | ||
| velociraptor.exe --config server.config.yaml debian server --binary velociraptor-v0.5.5-windows.exe | ||
| ``` | ||
|
|
||
|
|
||
| #### Installing a new server | ||
|
|
||
| Push the debian package to the server using scp | ||
|
|
||
| ```sh | ||
| scp velociraptor_server*.deb [email protected]:/tmp/ | ||
| ``` | ||
|
|
||
| Install package | ||
| ```sh | ||
| sudo dpkg -i velociraptor_server*.deb | ||
| ``` | ||
|
|
||
| ### Automating config generation | ||
|
|
||
| Some people want to automate the config generation step. | ||
| Velociraptor supports a JSON merge for non interactive configuration generation | ||
|
|
||
| ```sh | ||
| velociraptor config generate --merge | ||
| '{"autocert_domain": "domain.com", "autocert_cert_cache": "/foo/bar"}' | ||
| ``` | ||
|
|
||
| The service adds a new velociraptor user to run under. | ||
| You can now access the Velociraptor server using your browser. | ||
|
|
||
| The first time you navigate to the SSL URL the server will obtain a | ||
| certificate from Let's Encrypt. There will be a small pause as this | ||
| happens. | ||
|
|
||
| You will be redirected to Google for authentication - Velociraptor | ||
| does not handle any credentials in this configuration. Google will | ||
| determine if the user authenticated properly (2 FA etc) and convey | ||
| simple info like the user’s email address and avatar. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| --- | ||
| title: "Clients" | ||
| date: 2021-06-09T03:53:38Z | ||
| draft: false | ||
| weight: 20 | ||
| --- | ||
|
|
||
|
|
||
| Now let’s configure some clients. | ||
|
|
||
| 45 | ||
| Deploying clients | ||
| We typically distribute signed MSI packages which include the client’s config file inside them. | ||
| This makes it easier to deploy as there is only one package to install. | ||
|
|
||
| We also change name of service/binary etc to make the service a little bit harder to stop. | ||
|
|
||
| 46 | ||
| Deploying clients | ||
| It is possible to embed the config in the clients using the velociraptor config repack command (more later) | ||
| Pros | ||
| Only a single binary no need for an additional config file | ||
|
|
||
| Cons | ||
| You have to sign the binary again since the config alters the binary. | ||
|
|
||
| Resigning binaries | ||
| After buying a code signing cert you can use a script to sign automatically. | ||
| We recommend having a standalone isolated signing machine or VM with FDE | ||
| 47 | ||
|
|
||
| 48 | ||
| On your windows machine, Download the latest binary and the source code. | ||
| github.com/velocidex/velociraptor/releases | ||
|
|
||
| 49 | ||
| Velociraptor’s public directory | ||
| It is handy to have somewhere to serve files from. Velociraptor has a public directory where files are served without any authentication requirements | ||
|
|
||
| We can use this to distribute third party binaries | ||
| We can serve velociraptor MSI files | ||
| We can serve various support files (yara rules etc). | ||
|
|
||
| Velociraptor’s public directory | ||
| Select the Admin.Client.Upgrade artifact and upload the MSI to the tools setup page (We will learn about that in the next few sessions). | ||
|
|
||
| This will now produce a random URL you can serve the MSI from. | ||
| 50 | ||
|
|
||
| Copy WIX source to desktop. | ||
| 51 | ||
|
|
||
| 52 | ||
| Build an MSI using Wix Toolkit | ||
| Extract the docs/wix directory from the Velociraptor source tree. | ||
| These are the required files to construct a new MSI | ||
| The main file we use is custom.xml . This file will embed the config file within the MSI and deploy it to the correct directory. | ||
|
|
||
| 53 | ||
| There are many knobs to tweak here | ||
| The name of the binary | ||
| The location of the files | ||
| The name of the service | ||
| The name of the config file. | ||
|
|
||
| WIX will take the binary and config file from the Output directory, so create it and place the files there. | ||
|
|
||
| 54 | ||
|
|
||
| 55 | ||
| The custom msi contains the client config embedded in it. | ||
|
|
||
| This is the recommended way to deploy clients. | ||
|
|
||
| 56 | ||
| After installing the MSI you should be able to see it immediately in the server’s search screen. | ||
|
|
||
| 57 | ||
| Domain deployment | ||
| We can deploy the MSI to the entire domain using group policy. | ||
|
|
||
| 2 Methods | ||
| Via scheduled tasks. | ||
| Via assigned software. | ||
|
|
||
| 58 | ||
| Create a share to serve the MSI from. | ||
|
|
||
|
|
||
| 59 | ||
| Ensure everyone has read access from this share - and only administrators have write access! | ||
|
|
||
| 60 | ||
| Use the group policy management tool create a new Group Policy Object in the domain (or OU) | ||
|
|
||
| 61 | ||
| Edit the new GPO | ||
|
|
||
| 62 | ||
|
|
||
| 63 | ||
| Ensure the new scheduled task is run as system | ||
|
|
||
|
|
||
| 64 | ||
| Using scheduled tasks you can run any binary - use this method to run interactive collection if you do not have a dedicated Velociraptor server | ||
|
|
||
| 65 | ||
| Ensure the new scheduled task is run only once | ||
|
|
||
|
|
||
| 66 | ||
| Method 2 - install via assigned software packages in GPO | ||
|
|
||
| The main advantage here is that it is possible to upgrade or uninstall Velociraptor easily | ||
|
|
||
| 67 | ||
|
|
||
| 68 | ||
| You will need to wait until group policy is updated on the endpoint or until the next reboot. The endpoint must be on the AD LAN |
Oops, something went wrong.