What is Velociraptor?
Velociraptor, in its simplest definition, is a tool that increases visibility on endpoints and has advanced features; it is an artificial intelligence-based EDR product used in incident response processes. In general, it can run on Linux, Windows and macOS systems.
To give an example of the advantages of this architecture, if one of the endpoints on which Velociraptor is installed leaves the environment and operates in a different environment, it will still be able to continue reporting to the server. This is of great importance in threat hunting, for monitoring and examining endpoint activity.
Architecturally, it consists of a server and clients, just like many other systems.
The minimum prerequisites for installing and configuring Velociraptor on Windows are:
- Windows 10 operating system with at least 4 GB of RAM and 4 CPUs
- A system on which you have administrative authority (Administrator or root) and access to the CMD command line.
What is VQL?
Velociraptor Query Language (VQL) is a framework designed to adapt easily to the analyst's requests without requiring additional software and without making any changes to the product interface or its structures. It enables information to be collected by running various queries on the endpoints where Velociraptor is installed.
The power and flexibility of Velociraptor comes from VQL. In addition to its tasks on the server, it can also be used to create rules for continuous monitoring on endpoints.
For example, running the short query "SELECT * FROM info()" in the Notebooks area of the dashboard returns information about the relevant client.
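The following Notebook query, added here as an example that is not part of the original post, goes one step beyond "SELECT * FROM info()": it stores the client details from info() and combines them with a filtered pslist() view. The regex for "expected" executable locations is an assumption chosen for this example.

```vql
-- Constructed example: client triage from a Notebook.
-- info() returns a single row describing the client; materialise it with <=.
LET ClientInfo <= SELECT Hostname, OS, Platform, Fqdn, Architecture
                  FROM info()

-- List running processes whose executable does not live under the
-- Windows or Program Files directories (assumed regex, single-quoted
-- strings are raw in VQL so the backslashes reach the regex as written).
SELECT ClientInfo[0].Hostname AS Hostname,
       Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Exe AND NOT Exe =~ '^C:\\(Windows|Program Files)'
ORDER BY Ppid
```

Empty Exe fields (system processes the agent cannot open) are dropped by the `WHERE Exe` clause, so they do not appear as false hits.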
Velociraptor installation is very simple. Detailed information and more can be found in the GitHub repo.
You can also review the general documentation.
After installation, the agent can be installed and the activities on the relevant agent can be examined. There are two ways to install it: a normal installation or using the MSI. The MSI is a standard Windows installer package, so the MSI and the executable file must be signed. Windows Defender quickly quarantines unsigned binaries. For this reason, signing Velociraptor is highly recommended. With the Windows MSI, Velociraptor runs as a service on the endpoint. For the example here, we did a normal installation because we bypassed Windows Defender.
Forensic Investigation and Threat Hunting
Information about the client (endpoint) on which Velociraptor is installed (hostname, OS, etc.) can be obtained.
We can also see the information collected by running queries against the client. This may be basic information about the client that it returns by default.
The data obtained from the field in the box in the image above can be downloaded as a zip file and its contents checked. An example image is below.
Among the other areas available to the analyst is one called "Hunt Manager", where we can hunt.
This feature allows searching for specific events on the client, displaying specific artifacts and checking server structures; in other words, carrying out a threat hunting process in its simplest form. Additionally, a hunt can be started by selecting specific artifacts. Here, as an example, a hunt was performed on Chrome History. As can be seen in the image, details about the process have been determined.
We proceed to the next step, the Select Artifact field, and choose the parts we want to collect by searching.
As we continue, the Review section shows the selected artifacts in JSON format for the search on the selected areas. Any changes can be made to these, that is, they can be customized.
For the hunting process, the above settings are completed and recorded in the field shown in the image below with the Launch button, and the hunt can be started by confirming it.
When we examine the hunt outputs, for example, Chrome History information about the client machine can be accessed. Likewise, cookies can also be examined. An example cross-section is given in the image below.
So far, a small analysis has been made on Chrome. Now, if we want to analyze Windows forensic artifacts on the client, we will need to create a new hunt. We created a hunt task in the same way.
We started a search on the artifacts we specified and the outputs are as in the image below. In this way, investigations can be made on the client by creating hunt tasks. Likewise, the activities on the endpoint can be seen by examining the files one by one.
As an example application, when we hunt for the Agent Tesla malware, which was previously detected on the client in different sandboxes and for which we submitted an analysis report as the Infinitumit team, we can see the information about the malware. With such queries, threat hunting strategies on endpoints can be expanded. The query used to hunt for the malware retrieves Windows.System.Pslist, that is, the list of running processes.
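As an added example that is not from the original post, the server-side Notebook query below post-processes the results of such a Windows.System.Pslist hunt across every client that responded. The hunt id is a placeholder to be replaced with the real one, and the regex for user-writable directories is an assumption for this example, not an indicator taken from the Agent Tesla report.

```vql
-- Constructed example: review a Windows.System.Pslist hunt on the server.
-- HuntId is a placeholder; copy the real id from the Hunt Manager.
LET HuntId = "H.PLACEHOLDER"

-- Directories a normal installed program rarely runs from (assumed list).
-- Single-quoted VQL strings are raw, so '\\' is one literal backslash
-- in the regex and matches the path separator.
LET UserWritable = '\\(AppData|Temp|Downloads|Public)\\'

-- hunt_results() flattens every client's rows and adds ClientId; the
-- hostname is looked up from the server's client record for readability.
SELECT ClientId,
       client_info(client_id=ClientId).os_info.hostname AS Hostname,
       Pid, Ppid, Name, Exe, CommandLine, Username
FROM hunt_results(hunt_id=HuntId, artifact="Windows.System.Pslist")
WHERE Exe =~ UserWritable
ORDER BY ClientId
```

Rows that survive the filter are the ones worth opening one by one in the hunt output, as described above; processes under Windows or Program Files are left out so the list stays short.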