Velociraptor
Overview
Velociraptor
is an opensource tool designed for the collection of forensic artefacts on live machines running the Microsoft Windows or Linux operating systems.
Velociraptor
relies on Velocidex Query Language (VQL)
queries to collect artefacts. Velociraptor
notably implements a KAPE "Targets"
collection mode which uses glob expressions defined in the KapeFiles
repository to collect files (with out any post processing).
While Velociraptor
can be deployed in an server / clients mode for continuously collecting endpoint events, it can also be used as a standalone binary to conduct one-time collection. For instance, artefacts retrieved this way can be parsed latter using, among others, Kape
.
Pre-compiled released Velociraptor
binaries are available on GitHub.
System drive independent collect
The following command can be used to collect the KAPE
default triage artefacts and the anti-virus logs of a number of products. The artefacts are collected on the system drive (retrieved from the system environment variable).
.\velociraptor.exe artifacts collect -v Windows.KapeFiles.Targets --output "$(hostname).zip" --args Device=$($Env:SystemDrive) --args KapeTriage=Y --args Avast=Y --args AviraAVLogs=Y --args Bitdefender=Y --args ESET=Y --args FSecure=Y --args HitmanPro=Y --args Kaseya=Y --args Malwarebytes=Y --args McAfee=Y --args McAfee_ePO=Y --args Kaseya=Y --args SentinelOne=Y --args Sophos=Y --args Symantec_AV_Logs=Y --args TeamViewerLogs=Y --args TrendMicro=Y --args VIPRE=Y --args WindowsDefender=Y
Offline collector binaries
Standalone collector binary can be executed, without any argument, to conduct the artefacts collection on a live system.
The pre-compiled released Velociraptor
binaries may be used to generate the collector binary, which will collect the artefacts as defined in the provided configuration file:
velociraptor.exe config repack <CONFIG_YAML> <COLLECTOR_BINARY.exe>
[Windows] Standard collection - no autoruns
The following configuration file will collect the artefacts defined in the KapeFiles.Targets
as well as a number of other targets (web browsers logs, remote admins tools logs, anti-virus logs for around 20 solutions, ...) for the specified drive and its associated VSS
volumes. The RecycleBin
artefact can be removed to better control the resulting collection file.
Note that the MFT
will not be collected from the VSS
. To collect the MFT
from the VSS
, refer to the more advanced configuration below.
The collected files will be placed in a ZIP
file <HOSTNAME>.zip
.
# Build standalone collector binary:
# .\velociraptor-v0.6.6-2-windows-amd64.exe config repack velo_light.yaml velo_light.exe
autoexec:
argv: ["artifacts", "collect", "-v", "Windows.KapeFiles.Targets",
"--output", "$COMPUTERNAME.zip", "--password", "<PASSWORD>",
"--args", "Device=C:",
# Run the collection across all VSS and collect only unique changes.
"--args", "VSSAnalysis=Y",
# Kape default triage.
"--args", "KapeTriage=Y",
# In completion to KapeTriage
# The RecycleBin artefact can be removed to better control the resulting collection file.
"--args", "RecycleBin=Y",
"--args", "_MFTMirr=Y",
"--args", "PowerShellConsole=Y",
"--args", "RDPCache=Y",
"--args", "ScheduledTasks=Y",
"--args", "StartupFolders=Y",
"--args", "CloudStorage_Metadata=Y",
"--args", "CombinedLogs=Y",
# Web browsers history, bookmarks, ...: Edge, Chrome, Firefox, and Internet Explorer
"--args", "WebBrowsers=Y",
"--args", "InternetExplorer=Y",
# Remote admin tools.
"--args", "RemoteAdmin=Y",
# Windows Firewall Logs
"--args", "WindowsFirewall=Y",
# USB devices log files: Setupapi.log XP, Setupapi.log Win7+
"--args", "USBDevicesLogs=Y",
# Anti-virus logs
"--args", "Antivirus=Y",
# Transfer tools.
"--args", "BITS=Y",
"--args", "CertUtil=Y",
# Webservers logs.
"--args", "WebServers=Y",
# Exchange server related logs.
"--args", "Exchange=Y",
"--args", "ExchangeClientAccess=Y",
# WSL files.
"--args", "WSL=Y",
"--args", "LinuxOnWindowsProfileFiles=Y",
# Windows text editors apps.
"--args", "MicrosoftOneNote=Y",
"--args", "MicrosoftStickyNotes=Y",
"--args", "Notepad__=Y",
# MS SQL ErrorLogs : MS SQL Errorlog, MS SQL Errorlogs
"--args", "MSSQLErrorLog=Y"
]
[Windows] Standard collection - with autoruns & MFT VSS
The following configuration file can be used to additionally:
Execute
autoruns
to produceJSON
/CSV
output files for persistence entries.Collect all the
MFT
(even duplicate ones) from theVSS
.
It is however advised to generate the collector directly from the velociraptor
server so the autoruns
binaries will be embedded in the binary (otherwise autoruns
will be downloaded at runtime, requiring internet access on the collected system).
The collected files will be placed in a ZIP file Collection-<HOSTNAME>-<OS>-<TIMESTAMP>.zip
.
# Build standalone collector binary:
# .\velociraptor-v0.6.6-2-windows-amd64.exe config repack velo_light_autoruns.yaml velo_light_autoruns.exe
autoexec:
argv:
- artifacts
- collect
- Collector
- --logfile
- Velociraptor_collect.log
- -v
- --require_admin
artifact_definitions:
- name: Collector
parameters:
- name: Artifacts
default: |-
[
"Windows.KapeFiles.Targets",
"Windows.Search.FileFinder",
"Windows.Sysinternals.Autoruns",
"Windows.Forensics.ProcessInfo"
]
type: json_array
- name: Parameters
default: |-
{
"Windows.KapeFiles.Targets": {
"VSSAnalysis": "Y",
"_MFTMirr": "Y",
"Antivirus": "Y",
"BITS": "Y",
"CertUtil": "Y",
"CloudStorage_Metadata": "Y",
"CombinedLogs": "Y",
"Exchange": "Y",
"ExchangeClientAccess": "N",
"InternetExplorer": "Y",
"KapeTriage": "Y",
"LinuxOnWindowsProfileFiles": "Y",
"MSSQLErrorLog": "Y",
"MicrosoftOneNote": "Y",
"MicrosoftStickyNotes": "Y",
"Notepad__": "Y",
"PowerShellConsole": "Y",
"RDPCache": "Y",
"RecycleBin": "Y",
"RemoteAdmin": "Y",
"ScheduledTasks": "Y",
"StartupFolders": "Y",
"USBDetective": "Y",
"WSL": "Y",
"WebBrowsers": "Y",
"WebServers": "Y",
"WinDefendDetectionHist": "Y",
"WindowsFirewall": "Y"
},
"Windows.Search.FileFinder": {
"Upload_File": "Y",
"SearchFilesGlob": "*\\$MFT",
"Accessor": "ntfs"
}
}
type: json
- name: Template
- name: Password
default: <PASSWORD>
- name: Level
default: "5"
type: int
- name: Format
default: csv
- name: OutputPrefix
- name: CpuLimit
default: "0"
type: int
- name: ProgressTimeout
default: "0"
type: int
- name: Timeout
default: "0"
type: int
- name: target_args
default: |-
{
"bucket": "",
"GCSKey": "",
"credentialsKey": "",
"credentialsSecret": "",
"region": "",
"endpoint": "",
"serverSideEncryption": ""
}
type: json
sources:
- query: |
// Add all the tools we are going to use to the inventory.
LET _ <= SELECT inventory_add(tool=ToolName, hash=ExpectedHash)
FROM parse_csv(filename="/inventory.csv", accessor="me")
WHERE log(message="Adding tool " + ToolName)
LET baseline <= SELECT Fqdn FROM info()
// Make the filename safe on windows but we trust the OutputPrefix.
LET filename <= OutputPrefix + regex_replace(
source=format(format="Collection-%s-%s",
args=[baseline[0].Fqdn,
timestamp(epoch=now()).MarshalText]),
re="[^0-9A-Za-z\\-]", replace="_")
LET _ <= log(message="Will collect package " + filename)
LET report_filename <= if(condition=Template, then=filename + ".html")
SELECT * FROM collect(artifacts=Artifacts, report=report_filename,
args=Parameters, output=filename + ".zip", template=Template,
cpu_limit=CpuLimit,
progress_timeout=ProgressTimeout,
timeout=Timeout,
password=Password, level=Level, format=Format)
- name: Generic.Utils.FetchBinary
parameters:
- name: SleepDuration
default: "0"
type: int
- name: ToolName
- name: ToolInfo
- name: IsExecutable
default: "Y"
type: bool
sources:
- query: |
LET RequiredTool <= ToolName
LET matching_tools <= SELECT ToolName, Filename
FROM parse_csv(filename="/inventory.csv", accessor="me")
WHERE RequiredTool = ToolName
LET get_ext(filename) = parse_string_with_regex(
regex="(\\.[a-z0-9]+)$", string=filename).g1
LET temp_binary <= if(condition=matching_tools,
then=tempfile(
extension=get_ext(filename=matching_tools[0].Filename),
remove_last=TRUE,
permissions=if(condition=IsExecutable, then="x")))
SELECT copy(filename=Filename, accessor="me", dest=temp_binary) AS FullPath,
Filename AS Name
FROM matching_tools
[Windows] More comprehensive collection - OST/PST + memory dump files + users files
The following configuration file will collect the artefacts, in the system drive, defined in the KapeFiles.Targets
as well as anti-virus logs, web browsers artefacts, web servers logs, users files (C:\Users\*
), Outlook
PST
and OST
files, etc. Depending on the triaged machine usage and I/O
performance, collection may requires several hours and generate a resulting archive of multiple gigabytes.
The collected files will be placed in a ZIP
file <HOSTNAME>.zip
.
# Build standalone full collector binary
# .\velociraptor-v0.6.6-2-windows-amd64.exe config repack velo_full.yaml velo_full.exe
autoexec:
argv: ["artifacts", "collect", "-v", "Windows.KapeFiles.Targets",
"--output", "$COMPUTERNAME.zip", "--password", "<PASSWORD>",
"--args", "Device=C:",
# Run the collection across all VSS and collect only unique changes.
"--args", "VSSAnalysis=Y",
# Kape default triage.
"--args", "KapeTriage=Y",
# In completion to KapeTriage
# The RecycleBin artefact can be removed to better control the resulting collection file.
"--args", "RecycleBin=Y",
"--args", "_MFTMirr=Y",
"--args", "PowerShellConsole=Y",
"--args", "RDPCache=Y",
"--args", "ScheduledTasks=Y",
"--args", "StartupFolders=Y",
"--args", "CloudStorage_Metadata=Y",
"--args", "CombinedLogs=Y",
# Web browsers history, bookmarks, ...: Edge, Chrome, Firefox, and Internet Explorer
"--args", "WebBrowsers=Y",
"--args", "InternetExplorer=Y",
# Remote admin tools.
"--args", "RemoteAdmin=Y",
# Windows Firewall Logs
"--args", "WindowsFirewall=Y",
# USB devices log files: Setupapi.log XP, Setupapi.log Win7+
"--args", "USBDevicesLogs=Y",
# Anti-virus logs
"--args", "Antivirus=Y",
# Transfer tools.
"--args", "BITS=Y",
"--args", "CertUtil=Y",
# Webservers logs.
"--args", "WebServers=Y",
# Exchange server related logs.
"--args", "Exchange=Y",
"--args", "ExchangeClientAccess=Y",
# WSL files.
"--args", "WSL=Y",
"--args", "LinuxOnWindowsProfileFiles=Y",
# Windows text editors apps.
"--args", "MicrosoftOneNote=Y",
"--args", "MicrosoftStickyNotes=Y",
"--args", "Notepad__=Y",
# MS SQL ErrorLogs : MS SQL Errorlog, MS SQL Errorlogs
"--args", "MSSQLErrorLog=Y",
# Files collection.
# Users folders files.
"--args", "LiveUserFiles=Y",
# Memory dump files: hiberfil.sys, pagefile.sys, swapfile.sys
"--args", "MemoryFiles=Y",
# Current Group Policy Enforcement: Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts
"--args", "GroupPolicy=Y",
# Managed Object Format (MOF) files
"--args", "MOF=Y",
# Outlook PST and OST files: PST XP, OST XP, PST, OST - may generate a lot of data
"--args", "OutlookPSTOST=Y",
# Windows explorer-like utilities.
"--args", "FileExplorerReplacements=Y"
]
[Windows] Offline collector build process
The process to generate the collector from the velociraptor
server web interface is as follow:
- Server Artifacts -> Build offline collector
-> Select `Windows.KapeFiles.Targets`, `Windows.Search.FileFinder`,
`Windows.Forensics.ProcessInfo`, and `Windows.Sysinternals.Autoruns`.
-> `Windows.KapeFiles.Targets` configuration:
-> Check "If set we run the collection across all VSS and collect only unique changes."
-> Modules for standard collection: `_MFTMirr`, `Antivirus`, `BITS`,
`CertUtil`, `CloudStorage_Metadata`, `CombinedLogs`, `Exchange`,
`InternetExplorer`, `KapeTriage`, `LinuxOnWindowsProfileFiles`,
`MSSQLErrorLog`, `MicrosoftOneNote`, `MicrosoftStickyNotes`,
`Notepad__`, `PowerShellConsole`, `RDPCache`, `RecycleBin`,
`RemoteAdmin`, `ScheduledTasks`, `StartupFolders`, `USBDetective`,
`WSL`, `WebBrowsers`, `WinDefendDetectionHist`, `WindowsDefender`,
`WindowsFirewall`.
-> Modules for the more comprehensive collection:
`FileExplorerReplacements`, `GroupPolicy`, `LiveUserFiles`,
`MemoryFiles`, `MOF`, `OutlookPSTOST`.
-> `Windows.Search.FileFinder` configuration:
-> "SearchFilesGlob": `*\$MFT`
-> "Accessor": `ntfs`
-> Check "Upload_File"
-> Configure collection:
-> "Password": <PASSWORD>
-> "Output format": "CSV and JSON"
-> Launch
Last updated