Velociraptor P1


Last updated 2 years ago


1. Introduction

Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints. In this exercise we'll set up a Velociraptor server on Linux and connect a Windows client to it. Then we'll collect our first artefact.

2. Setup

Prerequisite:

  • Linux VM

  • Windows 10 VM

Velociraptor can be run on Windows, Linux and macOS. In this case I'll run Velociraptor on a virtual Linux machine and set up a Windows box that connects to the Velociraptor server.

3. Installation

mkdir Velociraptor
cd Velociraptor
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.4-2/velociraptor-v0.6.4-2-linux-amd64
chmod +x velociraptor-v0.6.4-2-linux-amd64
./velociraptor-v0.6.4-2-linux-amd64 config generate > velociraptor.config.yaml

Edit the velociraptor.config.yaml configuration file and replace every localhost or 127.0.0.1 entry with the IP address of the virtual machine (the clients must be able to reach the server on that address; a loopback address would only work from the server itself).

mv velociraptor.config.yaml /etc

Set administrator password:

./velociraptor-v0.6.4-2-linux-amd64 --config /etc/velociraptor.config.yaml user add admin --role administrator

Start Velociraptor GUI:

./velociraptor-v0.6.4-2-linux-amd64 --config /etc/velociraptor.config.yaml frontend -v

The basic setup of Velociraptor is now up and running. We can now start to add clients to our Velociraptor environment.

4. Adding Windows Client

Edit the velociraptor.config.yaml file again.

Scroll down to the first END CERTIFICATE line (this is the CA certificate in the Client section).

Below the "nonce:" line, insert this line, as shown in the image above:

use_self_signed_ssl: true

Prepare Client installer for windows:

cd Velociraptor
./velociraptor-v0.6.4-2-linux-amd64 --config /etc/velociraptor.config.yaml config client > client.config.yaml

wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.4-2/velociraptor-v0.6.4-2-windows-amd64.exe

./velociraptor-v0.6.4-2-linux-amd64 config repack --exe velociraptor-v0.6.4-2-windows-amd64.exe client.config.yaml repackaged_velociraptor.exe

I'm using WinSCP to transfer the repacked exe file to my Windows box.

Open an elevated cmd prompt:

cd %userprofile%\Desktop
repackaged_velociraptor.exe service install

5. Viewing the Client

We now have full control over the client: we can browse through the filesystem and registry, or collect some artefacts!

6. Collecting first artifact

At the top left, click the house icon to go to the home page, which shows "Server status".

At the top center, click the "Show All" button.

In the "Client ID" column, click the blue link.

At the top center, click the Collected button.

At the top left, click the plus-sign (see image below)

At the top left, in the search box, type netstat.

Click Windows.Network.NetstatEnriched.

A description of this artifact appears, as shown below.

At the lower left, click the blue "Configure Parameters" link.

At the top left, click the wrench icon.

In the "ProcessNameRegex" field, enter velociraptor.* as shown below. This restricts the netstat output to connections owned by the Velociraptor process itself, which is a convenient way to confirm the client is talking to our server.

At the lower right, click the blue Launch link.

In the next screen, at the top center, click the Windows.Network.NetstatEnriched line to highlight it. In the lower pane, click the Results tab.

You see information about the Velociraptor process, as shown below:

As we know the basics, we can practise a little bit ;-)

This lab was developed by Sam Bowne:

Original Lab
https://livecd.hacking-lab.com/
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
samsclass.info: Sam Bowne Class Information
Images on the original page (not reproduced here): Exploring Filesystem; Exploring Registry