# Velociraptor P1

### 1. Introduction

Velociraptor is an advanced digital forensics and incident response tool that improves your visibility into your endpoints. In this exercise we'll set up a Velociraptor server on Linux, connect a Windows client to it, and then collect our first artefact.

### 2. Setup

Prerequisite:

* Linux VM (<https://livecd.hacking-lab.com/>)
* Windows 10 VM (<https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/>)

Velociraptor can be run on Windows, Linux and macOS. In this case I'll run Velociraptor on a virtual Linux machine and I'll set up a Windows box which is connected to the Velociraptor server.

<div align="left"><img src="/files/rN6fuWjyHLO4jjp4Zmr7" alt=""></div>

[Original Lab](https://samsclass.info/152/proj/IR371.htm) developed by Sam Bowne:

<https://samsclass.info/>

### 3. Installation

```
mkdir Velociraptor
cd Velociraptor
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.4-2/velociraptor-v0.6.4-2-linux-amd64
chmod +x velociraptor-v0.6.4-2-linux-amd64
./velociraptor-v0.6.4-2-linux-amd64 config generate > velociraptor.config.yaml
```

Edit the `velociraptor.config.yaml` configuration file and replace every `localhost` or `127.0.0.1` entry with the IP address of the virtual machine.

![](/files/iwTgXpTn2W2XUK1kb970)

`mv velociraptor.config.yaml /etc`

Set administrator password:

```
./velociraptor-v0.6.4-2-linux-amd64 --config /etc/velociraptor.config.yaml user add admin --role administrator
```

Start Velociraptor GUI:

```
./velociraptor-v0.6.4-2-linux-amd64 --config /etc/velociraptor.config.yaml frontend -v
```

![](/files/X5oRnc2MrcscK8RYbJ0r)

The basic setup of Velociraptor is now up and running. We can now start adding clients to our Velociraptor environment.

### 4. Adding Windows Client

Edit the `velociraptor.config.yaml` file again.

Scroll down to the first END CERTIFICATE line.

<div align="left"><img src="/files/I4BmwALpy7ciq2VtI4FC" alt=""></div>

Below the `nonce:` line, insert this line, as shown in the image above:

`use_self_signed_ssl: true`

Prepare the client installer for Windows:

```
cd Velociraptor
./velociraptor-v0.6.4-2-linux-amd64 --config /etc/velociraptor.config.yaml config client > client.config.yaml

wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.4-2/velociraptor-v0.6.4-2-windows-amd64.exe

./velociraptor-v0.6.4-2-linux-amd64 config repack --exe velociraptor-v0.6.4-2-windows-amd64.exe client.config.yaml repackaged_velociraptor.exe
```

![](/files/dlSDCKuSulD2Sqvxj49C)
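As an added example (not part of the original lab), the following bash script performs the two manual config edits from sections 3 and 4 and checks the result before the file is copied to `/etc`. The YAML inside it is a constructed stand-in for only the relevant parts of a generated config, and `192.0.2.10` is a placeholder IP.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab: script the two manual edits to
# velociraptor.config.yaml (replace loopback entries with the VM's IP; insert
# use_self_signed_ssl: true below the nonce: line after the first END CERTIFICATE).
set -eu

patch_velociraptor_config() {
  local cfg="$1" ip="$2"
  # 1. replace every localhost / 127.0.0.1 entry with the server VM's IP
  sed -i -e "s/127\.0\.0\.1/${ip}/g" -e "s/localhost/${ip}/g" "$cfg"
  # 2. after the first END CERTIFICATE line, insert the flag right below the
  #    next nonce: line, reusing its indentation so the YAML stays valid
  awk '
    { print }
    /END CERTIFICATE/ { seen_cert = 1 }
    seen_cert && !done && /^[[:space:]]*nonce:/ {
      match($0, /^[[:space:]]*/)
      printf "%suse_self_signed_ssl: true\n", substr($0, RSTART, RLENGTH)
      done = 1
    }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Sanity check before copying the file to /etc: no loopback entry left and the
# flag present exactly once (returns non-zero otherwise)
check_config() {
  local cfg="$1"
  ! grep -Eq '127\.0\.0\.1|localhost' "$cfg" &&
    [ "$(grep -c '^[[:space:]]*use_self_signed_ssl: true' "$cfg")" -eq 1 ]
}

# Constructed stand-in for the relevant parts of a generated config (not real)
make_sample_config() {
  cat > "$1" <<'EOF'
Client:
  server_urls:
  - https://127.0.0.1:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    CONSTRUCTEDPLACEHOLDER
    -----END CERTIFICATE-----
  nonce: abc123
API:
  bind_address: 127.0.0.1
GUI:
  bind_address: 127.0.0.1
  public_url: https://localhost:8889/
EOF
}
```

Run it as `patch_velociraptor_config velociraptor.config.yaml <vm-ip> && check_config velociraptor.config.yaml` on the freshly generated file, then move it to `/etc` as in section 3.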

I'm using WinSCP to transfer the repacked exe file to my Windows box.

![](/files/Ts9y5S1bDZl2P5bKVIJy)

Open an elevated cmd prompt:

```
cd %userprofile%\Desktop
repackaged_velociraptor.exe service install
```

<div align="left"><img src="/files/EjybzAenVq2Kl5GEx3l3" alt=""></div>

### 5. Viewing the Client

![](/files/oxWZga5Ijc8PV2va8QuE)

We now have full control over the client: we can browse through the **filesystem** and **registry**, or **collect artefacts**!

![Exploring Filesystem](/files/jSgQW0AYlbm5pt4HxjUx)

![Exploring Registry](/files/uHXIYUc62sGdXcdGbCgV)

### 6. Collecting the first artifact

At the top left, click the house icon to go to the home page, which shows "Server status".

At the top center, click the "**Show All**" button.

In the "Client ID" column, click the blue link.

At the top center, click the **Collected** button.

At the top left, click the plus sign (see image below).

![](/files/HhVrUCEDvan1o5kdGt32)

At the top left, in the search box, type **netstat**.

Click **Windows.Network.NetstatEnriched**.

A description of this artifact appears, as shown below.

<div align="left"><img src="/files/AwQvOPaq5nHLLHLN2Lrg" alt=""></div>

At the lower left, click the blue "**Configure Parameters**" link.

At the top left, click the wrench icon.

In the "ProcessNameRegex" field, enter **velociraptor.\*** as shown below.

<div align="left"><img src="/files/xh53iS3xBwCnU3sT8Qxd" alt=""></div>

At the lower right, click the blue **Launch** link.

In the next screen, at the top center, click the **Windows.Network.NetstatEnriched** line to highlight it. In the lower pane, click the **Results** tab.

You see information about the Velociraptor process, as shown below:

![](/files/hg9f5LcfAlgCLOe49LP7)

As we know the basics, we can practise a little bit ;-)

