IR 370: Velociraptor (30 pts extra)

What You Need for This Project

Purpose

To learn about Velociraptor, an endpoint monitoring, threat hunting and incident response system. It's inspired by GRR and OSquery, and is easy to use. In this project we'll do a few very simple things just to see how it works.

Installing Velociraptor

In a Web browser, go to

https://github.com/Velocidex/velociraptor/releases

Download the latest Windows version (the one ending in amd64.msi) and install it.

Launching in GUI Mode

In this mode, Velociraptor runs with a default username and password and installs a client on the same system as the server, just to provide a convenient learning environment.

In a working installation, there would be one server, probably a Linux one, and many clients.

In an Administrator Command Prompt, execute this command:

"c:\Program Files\Velociraptor\Velociraptor.exe" gui

A box pops up saying "A security problem occurred". Click OK to close it.

If a box pops up from Windows Defender Firewall, check both network type boxes and click "Allow access", as shown below.

Connecting to the GUI

Open a Web browser and go to

https://localhost:8889

Your browser will warn you that the site is not secure. Bypass the warning and go to the site anyway.

Enter these credentials:

You see the Velociraptor GUI, as shown below.

Viewing Server State

In the GUI, click "Inspect the server's state".

You see the CPU and Memory Utilization, and Currently Connected Clients, as shown below.

Finding a Client

At the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text, as shown below.

Using the Virtual File System

At the top left, click the VFS button.

At the top left, there are four top-level categories: file, ntfs, registry, and artifacts.

Click file. In the top center, click the first folder icon to refresh this directory, outlined in green in the image below.

IR 370.1: Registry Information (10 pts)

Refresh the ntfs and registry categories the same way.

Refresh the HKEY_CURRENT_USER container.

The flag appears, covered by a green rectangle in the image below.

IR 370.2: Collecting a File (10 pts)

Note: in order to do this, I needed to increase the RAM on my Windows VM to 16 GB, assign it 4 server cores, and switch to Firefox as the browser.

In the file category, refresh these items:

  • C:
  • Users
  • IEUser (or your own username, if it is different)
  • AppData
  • Local
  • Temp

Scroll down to the server_config.yaml file and click it, as shown below.

In the lower pane, click the "Collect from the client" button.

Click the Textview tab.

The flag appears, covered by a green rectangle in the image below.

Viewing Artifacts

At the top left, click the three-bar "hamburger" icon, outlined in green in the image below.

In the left pane, click "View Artifacts".

At the top right, in the search box, type windows.

Scroll down and click Windows.Network.ListeningPorts.

In the center pane, the script used to collect this artifact appears, in the VQL language, as shown below.

Collecting Listening Ports from the Client

At the top left, click the three-bar "hamburger" icon.

In the left pane, click "Collected Artifacts".

In the top left, click the plus-sign icon, outlined in green in the image below.

In the search box, type windows.

Scroll down and click Windows.Network.ListeningPorts, as shown below.

In the lower center, click Launch.

IR 370.3: Listening Ports (10 pts)

In the top pane, find the Windows.Network.ListeningPorts artifact and click the blue Flowid number on its line.

The lower pane shows the listening processes on your Windows machine, as shown below.

The largest port number used by Velociraptor is the flag, covered by a green rectangle in the image below.
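The same result can be produced directly as a VQL query instead of reading it off the artifact's result table, which is also a useful check that the server and client are only bound to the ports you expect. This is an added example, not the page's own or the Windows.Network.ListeningPorts artifact's own VQL; it assumes the netstat() and pslist() plugins return the Pid, Name, Status and Laddr.Port columns used below.

```vql
-- Added example (not the page's or the artifact's own VQL). Assumes the
-- netstat() and pslist() plugins with the Pid, Name, Status and Laddr columns.

-- Materialize the PIDs of every running Velociraptor process.
LET velo_pids <= SELECT Pid, Name
  FROM pslist()
  WHERE Name =~ "(?i)velociraptor"

-- Keep only sockets in the LISTEN state that belong to one of those PIDs.
LET velo_listening = SELECT Pid, Laddr.IP AS Addr, Laddr.Port AS Port
  FROM netstat()
  WHERE Status = "LISTEN" AND Pid IN velo_pids.Pid

-- Highest bound port first; the first row is the value the flag asks for.
SELECT Pid, Addr, Port
  FROM velo_listening
  ORDER BY Port DESC
  LIMIT 1
```

Run it from a notebook on the server or as a client-side query; dropping the LIMIT lists every Velociraptor listener, which is the set you would compare against your expected GUI and frontend ports.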


Posted 5-7-2021