Mass Digital Forensics & Incident Response with Velociraptor

  • Published 26 Jun 2024
  • This is the 1st video of 2 separate videos -- in the next video, Matt will showcase hunting malware with Velociraptor! MASSIVE thank you to Mike Cohen and Matt Green for joining me for this video! / scudette || / mgreen27
    Thanks to @iamkingsage8571 for contributing timestamps!
    00:00 Introduction
    01:08 Velociraptor VFS
    04:05 Artifacts & Automation w/ VQL
    06:16 Sigma Rule matching w/ Hayabusa
    07:20 Waiting on Hayabusa to finish scan.
    09:20 How does Hayabusa compare to Chainsaw?
    10:40 Parsing Hayabusa Findings
    13:40 PsTree Attempt 1 w/PsList
    17:55 PsTree Attempt 2 w/Velociraptor Process Tracker
    19:50 Velociraptor Process Tracker
    22:35 PSExec Change in v2.30 & How to look for the usage of PSExec
    25:25 Why this is useful and example use case
    26:10 PowerShell Artifacts
    27:30 Bits Transfer Artifact
    28:50 How to hunt for multiple compromised machines.
    30:40 Parsing the Results using VQL
    33:20 Demo Conclusion
    🔥 YouTube ALGORITHM ➡ Like, Comment, & Subscribe!
    🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware

Comments • 20

  • @iamkingsage8571
    @iamkingsage8571 11 months ago +11

    0:00 Introduction
    1:08 Velociraptor VFS
    4:05 Artifacts & Automation w/ VQL
    6:16 Sigma Rule matching w/ Hayabusa
    7:20 Waiting on Hayabusa to finish scan.
    9:20 How does Hayabusa compare to Chainsaw?
    10:40 Parsing Hayabusa Findings
    13:40 PsTree Attempt 1 w/PsList
    17:55 PsTree Attempt 2 w/Velociraptor Process Tracker
    19:50 Velociraptor Process Tracker
    22:35 PSExec Change in v2.30 & How to look for the usage of PSExec
    25:25 Why this is useful and example use case
    26:10 PowerShell Artifacts
    27:30 Bits Transfer Artifact
    28:50 How to hunt for multiple compromised machines.
    30:40 Parsing the Results using VQL
    33:20 Demo Conclusion

    • @_JohnHammond
      @_JohnHammond  11 months ago +1

      You're a rockstar, huge thanks!!

  • @christophertharp7763
    @christophertharp7763 4 months ago +1

    That new psexec...key with the source is HUGE

  • @Love-yv1fc
    @Love-yv1fc 11 months ago +20

    John, please use time stamps, it will be helpful😊

    • @_JohnHammond
      @_JohnHammond  11 months ago +1

      Big thanks to @iamkingsage8571, they knocked them out for us!

    • @Jason-c1b3r
      @Jason-c1b3r 11 months ago +1

      Not only that but under the section that pops up when you click 'more' you see the chapters which are time stamped

  • @dominiksabat
    @dominiksabat 11 months ago +1

    Such a great demo!

  • @KenPryor
    @KenPryor 11 months ago

    I recently set up a Velociraptor server at home and installed agents on all my virtual machines. I still have much to learn, but I love it so far. Still have to dive in to VQL so I can do my own artifacts.

  • @mindtropy
    @mindtropy 11 months ago

    I always wanted to try out Velociraptor but did not have a chance, thank you! I normally use Binalyze AIR for mass DFIR, I will watch this with my full attention 😊

  • @bbelsito
    @bbelsito 11 months ago +2

    Clever girl

  • @user-fx8er8ex2i
    @user-fx8er8ex2i 11 months ago

    Hi guys, awesome demo and product! It would be so great to see you guys working together with the open-source tool Elastic in order to integrate with each other!

  • @HitemAriania
    @HitemAriania 11 months ago

    Used the tool for a long time, it's amazing! Unfortunately I don't do hunts anymore, which I would love to get back to :)

  • @squid13579
    @squid13579 11 months ago +4

    Time stamps would be better. But amazing video 🔥.

    • @_JohnHammond
      @_JohnHammond  11 months ago

      Big thanks to @iamkingsage8571, they knocked them out for us!

  • @ericmoore4515
    @ericmoore4515 6 months ago

    Hello. Have you experienced small customers installing Velociraptor? I'm asking because we did a POC for a start-up company and now they wish to deploy it in production.

  • @Felttipfuzzywuzzyflyguy
    @Felttipfuzzywuzzyflyguy 11 months ago

    Clever Girl...

  • @jirayahatake
    @jirayahatake 11 months ago

    Can you consider making an updated "setup a hacking lab"?
    Pros and cons of virtual machines on a local hypervisor vs. for instance a VPS, cloud VMs, etc.

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 11 months ago

    Liters size

  • @Yorak404
    @Yorak404 11 months ago

    I wanna learn about digital forensics in macOS & malware analysis. Does anyone know any good courses (free) or cheap certs & courses & or resources please?

  • @rpt3066
    @rpt3066 11 months ago

    can't wait more for @mgreen27