Live Incident Response with Velociraptor
ฝัง
- เผยแพร่เมื่อ 17 มิ.ย. 2022
- Recon InfoSec CTO, Eric Capuano, performs a hands-on demonstration of a live incident response against a compromised environment using nothing but the free and open source Velociraptor agent. Gain exposure to this incredibly powerful tool and many of its most common use-cases for IR, including use of notebooks for analysis and enrichment.
Notebook examples can be found here: gist.github.com/ecapuano/daee... - วิทยาศาสตร์และเทคโนโลยี
Really excellent talk with so much information. Great to see Velociraptor wielded by such a skillful defender! A must watch presentation for any Blue Teamer or defender out there!
Incredible demo showing how Velociraptor truly takes IR capabilities to a whole other level! This is a game changer! The only thing missing was did the threat actor actually exfil those plans to the death star :) Thank you for this great insight! I have a new lab to build post haste!
Dont know what more motivation is needed to use this awesome tool - for FREE! Thank you Eric C for sharing invaluable experience for FREE & Mike C for sharing this tech for FREE 👑🙌
Absolutely incredible and in-depth demo! The pacing, the contents are all great! Bravo Eric!
This was amazing. I just started learning about Velociraptor recently and have much to learn. This video was extremely helpful.
Wow! Incredible video, thank you!
This was so awesome!!! I could have watched this for hours. Motivated me so much to get my hands on this. Do you have more stuff Like this? Im hungry to learn! Thanks you for the Video
what an amazing video! thanks for all the info, really usefull!
Well done live hunt. thanks for sharing.
I heard about this at the NCFI and started using it. Cederpelta was the one i used to use. Greetings from LaredoTx.
Amazing stuff :D
Great Demo Eric. Excellent example and a great presentation. Thanks, appreciated !
Thank you! Glad you enjoyed it.
Really great structured information. Thanks. How to integrate hyabusa in hunt profile????
Great talk thanks
Awesome, impressed :)
How about if the adversary does the cleanup while doing lateral movement?
This is so cool, I hope to work for a company that uses this some day.
Im deploying it where I work, glad the sysadmin is open minded to give me free reign on cyber security
Great stuff! Thank you. Have you thought about releasing the collected data so that we can play with it in our own velociraptor server?
Good video
This is awesome
Really in-depth analysis
Just had one question where can I find this data or the malware ? Is their a repository you have used for this ?
Sadly this was run inside of our live training range so the data is not available otherwise. I’ll see about trying to capture and release the data in the future!
Hi, thanks for the great video. I have a question.
How the shellcode is decrypted and which component will decrypt it?
How did you prepared the demo environment with more than 60 workstations? is that a simulator tool? awsome talk by the way and thank you!
I used a large virtual environment we've built for other trainings like OpenSOC & our Network Defense Range.
Wow, such a cool talk. Does velociraptor have to be implemented with a single network? Is there a way to have velociraptor clients from different networks communicate with a single server?
Absolutely. The server doesn’t know/care what network the agent checks in from. You can host the server in the cloud and have hosts on many different networks checking in.
@@EricCapuano that sounds like a wonderful setup.
Can you imagine a situation where velociraptor replaces a MSP's end point detection and aggregates all clients to a universal dashboard?
wait @23:39 , if a user login , will 4624 stored in the AD on in his/her PC.
A 4624 (successful logon) gets generated on the system being logged onto to... The authentication event (4768) shows up on the domain controller.
Issues that I see with this:
1. This seems to rely on AD GPO (or some sort of deployment tool), these days people are also using Macs and *inux so you might not get all the coverage. Secondly on this point is if GPO is disabled at the AD / workstation level then this too is rendered useless.
2. I personally don't know of one analyst that knows VQL let alone SQL
3. The UI is 🤮
4. Tools like Crowdstrike kinda do this using ML/AI without all the manual stuff
5. Dropping session seems quite POCCY to me
6. A lot of this stuff can be done using windows remote management in a scripted way