Recon InfoSec
Live Incident Response with Velociraptor
Recon InfoSec CTO, Eric Capuano, performs a hands-on demonstration of a live incident response against a compromised environment using nothing but the free and open source Velociraptor agent. Gain exposure to this incredibly powerful tool and many of its most common use-cases for IR, including use of notebooks for analysis and enrichment.
Notebook examples can be found here: gist.github.com/ecapuano/daee6f3704273c2c8b527f522c1725db
Views: 24,066

Videos

Analyzing Timestomping with Velociraptor
1.1K views, 2 years ago
In a brief excerpt from our Network Defense Range training, Eric Capuano discusses ways to identify time stamp manipulation using Sysmon and Velociraptor. Learn more about our NDR training here: www.reconinfosec.com/training/
Fortune 100 InfoSec on a State Government Budget
581 views, 3 years ago
Recon CTO, Eric Capuano, talks about leveraging open source and inexpensive solutions to fill gaps in security operations for budget-stretched teams.
Intro to Velociraptor or How to eliminate a red team in under 30min
9K views, 4 years ago
This segment was stripped and sanitized from a longer briefing given by Recon CTO, Eric Capuano, during a recent hunt exercise. This video only demonstrates a fraction of the capability of Velociraptor, many other use-cases exist but were not covered due to time constraints. Learn more about Velociraptor here: www.velocidex.com/ Links to code snippets: - Sysmon deploy VQL: gist.github.com/ecapu...
OpenSOC Scenario Debrief - "Urgent IT Update!!!"
11K views, 4 years ago
A breakdown of the oldest and longest running OpenSOC.io scenario, "Urgent IT Update!!!"
Graylog Basic Query Syntax - Process Creation
11K views, 4 years ago
A quick guide to using basic query syntax for analyzing process creation events.
Graylog Quick Values - Part 2 - Finding Evil
2.5K views, 4 years ago
Leveraging Graylog's "Quick Values" feature for hunting for unusual activity. Be sure to check out Part 1 of this video: th-cam.com/video/0IUQbY2lAsE/w-d-xo.html
Graylog Quick Values - Part 1 - Basics
11K views, 4 years ago
Basic description of the Quick Values feature of Graylog. Already savvy with this feature? Check out Part 2 for a threat hunt example: th-cam.com/video/sA-1rHFC7AM/w-d-xo.html
OpenSOC Blue Team CTF webcast: Post DEFCON26
2.3K views, 5 years ago
The team meets after DEFCON26 to discuss the success of the first annual DEFCON Blue Team Village, how we scaled to meet unexpected demand, and what's in store for the future. For more info, check out opensoc.io and recon_infosec/. Participants: Eric - eric_capuano Aaron - _surefire_ Megan - megan_roddie Matt - mbromileyDFIR Whitney - ...

Comments

  • @paviterjotsingh6398 17 days ago

    Simply wow

  • @paviterjotsingh6398 18 days ago

    wow

  • @shamshoque2546 2 months ago

    Really great structured information. Thanks. How to integrate Hayabusa in a hunt profile????

  • @gerarddunphy 3 months ago

    Incredible demo showing how Velociraptor truly takes IR capabilities to a whole other level! This is a game changer! The only thing missing was did the threat actor actually exfil those plans to the death star :) Thank you for this great insight! I have a new lab to build post haste!

  • @WarThunderista 3 months ago

    Amazing stuff :D

  • @ctulchuShaman 7 months ago

    Thanks a lot for such a detailed explanation

  • @aliakbar307 8 months ago

    Hi, thanks for the great video. I have a question. How is the shellcode decrypted, and which component decrypts it?

  • @holeraholera 10 months ago

    Great stuff! Thank you. Have you thought about releasing the collected data so that we can play with it in our own Velociraptor server?

  • @richscaglione 1 year ago

    So I'm currently a Windows system administrator and I've been in IT for about 7 years now. I'm looking to pivot into cybersecurity as an entry-level SOC Analyst. Would you say this video is a good representation of what a brand new SOC Analyst would do right away, or would you build up to this level of knowledge over time?

  • @edwardwhite8253 1 year ago

    Absolutely incredible and in-depth demo! The pacing, the contents are all great! Bravo Eric!

  • @rolyperez8695 1 year ago

    I heard about this at the NCFI and started using it. Cederpelta was the one I used to use. Greetings from Laredo, TX.

  • @KenPryor 1 year ago

    This was amazing. I just started learning about Velociraptor recently and have much to learn. This video was extremely helpful.

  • @user-yo5un3fq2t 1 year ago

    How to install OpenSOC on Ubuntu?

  • @civicnox 1 year ago

    Good video

  • @JamalRice 1 year ago

    Good job!

  • @user-zi9mg6mf5v 1 year ago

    How did you prepare the demo environment with more than 60 workstations? Is that a simulator tool? Awesome talk by the way, and thank you!

    • @EricCapuano 1 year ago

      I used a large virtual environment we've built for other trainings like OpenSOC & our Network Defense Range.

  • @frzen 1 year ago

    Great talk, thanks

  • @domiflichi 1 year ago

    Wow! Incredible video, thank you!

  • @sirisiri2048 1 year ago

    This is awesome. Really in-depth analysis. Just had one question: where can I find this data or the malware? Is there a repository you have used for this?

    • @EricCapuano 1 year ago

      Sadly this was run inside of our live training range so the data is not available otherwise. I’ll see about trying to capture and release the data in the future!

  • @ChristopherReevesNZ 1 year ago

    Issues that I see with this:
    1. This seems to rely on AD GPO (or some sort of deployment tool); these days people are also using Macs and *inux, so you might not get all the coverage. Secondly on this point, if GPO is disabled at the AD / workstation level then this too is rendered useless.
    2. I personally don't know of one analyst that knows VQL, let alone SQL.
    3. The UI is 🤮
    4. Tools like Crowdstrike kinda do this using ML/AI without all the manual stuff.
    5. Dropping session seems quite POCCY to me.
    6. A lot of this stuff can be done using Windows remote management in a scripted way.

  • @Impact_Creativity 1 year ago

    What an amazing video! Thanks for all the info, really useful!

  • @getoutmore 1 year ago

    This was so awesome!!! I could have watched this for hours. Motivated me so much to get my hands on this. Do you have more stuff like this? I'm hungry to learn! Thank you for the video

  • @xDx4444 1 year ago

    Thanks a lot dude. It would be really nice to upload more scenarios like this one. <3

  • @bdtechnology9900 1 year ago

    Hello sir, I need your mail or WhatsApp for help

  • @MuhammadImran-xu4fw 1 year ago

    Awesome, impressed :) How about if the adversary does the cleanup while doing lateral movement?

  • @RicondaRacing 1 year ago

    32:54 😂

  • @RicondaRacing 1 year ago

    As a prospective blue teamer, this is very valuable. The only issue is having access to the tools to get the experience.

  • @rpt3066 1 year ago

    Don't know what more motivation is needed to use this awesome tool, for FREE! Thank you Eric C for sharing invaluable experience for FREE & Mike C for sharing this tech for FREE 👑🙌

  • @dananderson6992 2 years ago

    Well done live hunt. Thanks for sharing.

  • @clomok 2 years ago

    Wow, such a cool talk. Does Velociraptor have to be implemented within a single network? Is there a way to have Velociraptor clients from different networks communicate with a single server?

    • @EricCapuano 2 years ago

      Absolutely. The server doesn’t know/care what network the agent checks in from. You can host the server in the cloud and have hosts on many different networks checking in.

    • @clomok 2 years ago

      @@EricCapuano that sounds like a wonderful setup. Can you imagine a situation where Velociraptor replaces an MSP's endpoint detection and aggregates all clients to a universal dashboard?

  • @EIDEID99 2 years ago

    Wait, @23:39, if a user logs in, will 4624 be stored in the AD or on his/her PC?

    • @EricCapuano 2 years ago

      A 4624 (successful logon) gets generated on the system being logged onto... The authentication event (4768) shows up on the domain controller.

  • @PrinterJamOnToast 2 years ago

    This is so cool, I hope to work for a company that uses this someday.

    • @TurboRetard 1 year ago

      I'm deploying it where I work, glad the sysadmin is open minded enough to give me free rein on cyber security

  • @velocidexenterprises8702 2 years ago

    Really excellent talk with so much information. Great to see Velociraptor wielded by such a skillful defender! A must watch presentation for any Blue Teamer or defender out there!

  • @mitchimpey1726 2 years ago

    Great demo Eric. Excellent example and a great presentation. Thanks, appreciated!

    • @EricCapuano 2 years ago

      Thank you! Glad you enjoyed it.

  • @mmobini1803 2 years ago

    Thank you!

  • @michaelfranco8687 2 years ago

    Looks like you could’ve gone for “under 15 minutes” 😂 Nice content. I don’t know how there are not more subscribers!

  • @nlay42 2 years ago

    This was very helpful! Hopefully you can do more videos like this to teach us! If you know of other resources that can bring to light the research process, I would like to learn more. Thank you!

  • @KoEDeath 2 years ago

    Is there any kind of simulated environment that someone could use to practice this type of SOC analysis?

  • @RichardGailey 2 years ago

    @32:11 why when loading CyberChef in Moloch, did it say 'Mining Bitcoin Cash', as CC was loading? Also, this was a fantastic scenario walkthrough.

    • @redlinejoes 2 years ago

      It’s a joke. The devs of CyberChef think they are comedians and, like all devs who try to be funny, it’s an epic failure.

  • @ramirez368 3 years ago

    Super useful... Is SOC Analyst an entry-level role in the cybersecurity field?

    • @select_from_users5842 3 years ago

      Indeed, but not an entry-level IT job. Working Help Desk for a little bit helps build a great foundation for Security and other fields in IT.

  • @rajatwason2174 3 years ago

    Hey, great video. Is it somehow possible to export the logs from a particular stream and for a particular timeframe from the console?

  • @FajriSiddiq 3 years ago

    Nice video, really interesting to learn!

  • @markpfeffer7487 3 years ago

    This is criminally underviewed for SOC analyst applicants. Good content. Subbed.

  • @slackspace2281 3 years ago

    This is awesome! Do you mind sharing the eradication script, please?

    • @slackspace2281 3 years ago

      Please ignore this, just saw the link... keep up the awesome work

  • @damians8498 3 years ago

    What are your thoughts on Splunk vs Graylog?

  • @helloqasim 3 years ago

    I thought you said you have no degree or certification; that is not true

  • @cmcoto 3 years ago

    Really valuable stuff! Great examples and very easy to understand! Thanks for taking your time and explaining so well! Please make more tutorials like this one!!!

  • @AkAk-jv7ig 3 years ago

    This is really amazing, we need more content like this, thank you so much

  • @nym4960 3 years ago

    Really valuable! I have a second interview soon for a SOC Analyst 1. Helpful!

    • @amoltofi1 1 year ago

      What about the results of the interview??

    • @nym4960 1 year ago

      @@amoltofi1 It didn't work out!

  • @Joe-qx5tw 3 years ago

    Very educational video. Thank you very much Recon Infosec