InfoSec Notes
  • InfoSec Notes
  • General
    • External recon
    • Ports scan
    • Bind / reverse shells
    • File transfer / exfiltration
    • Pivoting
    • Passwords cracking
  • Active Directory
    • Recon - Domain Recon
    • Recon - AD scanners
    • Exploitation - NTLM capture and relay
    • Exploitation - Password spraying
    • Exploitation - Domain Controllers CVE
    • Exploitation - Kerberos AS_REP roasting
    • Exploitation - Credentials theft shuffling
    • Exploitation - GPP and shares searching
    • Exploitation - Kerberos Kerberoasting
    • Exploitation - ACL exploiting
    • Exploitation - GPO users rights
    • Exploitation - Active Directory Certificate Services
    • Exploitation - Kerberos tickets usage
    • Exploitation - Kerberos silver tickets
    • Exploitation - Kerberos delegations
    • Exploitation - gMS accounts (gMSAs)
    • Exploitation - Azure AD Connect
    • Exploitation - Operators to Domain Admins
    • Post Exploitation - ntds.dit dumping
    • Post Exploitation - Kerberos golden tickets
    • Post Exploitation - Trusts hopping
    • Post Exploitation - Persistence
  • L7
    • Methodology
    • 21 - FTP
    • 22 - SSH
    • 25 - SMTP
    • 53 - DNS
    • 111 / 2049 - NFS
    • 113 - Ident
    • 135 - MSRPC
    • 137-139 - NetBIOS
    • 161 - SNMP
    • 389 / 3268 - LDAP
    • 445 - SMB
    • 512 / 513 - REXEC / RLOGIN
    • 554 - RTSP
    • 1099 - JavaRMI
    • 1433 - MSSQL
    • 1521 - ORACLE_DB
    • 3128 - Proxy
    • 3306 - MySQL
    • 3389 - RDP
    • 5985 / 5986 - WSMan
    • 8000 - JDWP
    • 9100 - Printers
    • 11211 - memcached
    • 27017 / 27018 - MongoDB
  • Windows
    • Shellcode and PE loader
    • Bypass PowerShell ConstrainedLanguageMode
    • Bypass AppLocker
    • Local privilege escalation
    • Post exploitation
      • Credentials dumping
      • Defense evasion
      • Local persistence
    • Lateral movements
      • Local credentials re-use
      • Over SMB
      • Over WinRM
      • Over WMI
      • Over DCOM
      • CrackMapExec
  • Linux
    • Local privilege escalation
    • Post exploitation
  • DFIR
    • Common
      • Image acquisition and mounting
      • Memory forensics
      • Web logs analysis
      • Browsers forensics
      • Email forensics
      • Docker forensics
    • Windows
      • Artefacts overview
        • Amcache
        • EVTX
        • Jumplist
        • LNKFile
        • MFT
        • Outlook_files
        • Prefetch
        • RecentFilecache
        • RecycleBin
        • Shellbags
        • Shimcache
        • SRUM
        • Timestamps
        • User Access Logging (UAL)
        • UsnJrnl
        • Miscellaneous
      • TTPs analysis
        • Accounts usage
        • Local persistence
        • Lateral movement
        • PowerShell activity
        • Program execution
        • Timestomping
        • EVTX integrity
        • System uptime
        • ActiveDirectory replication metadata
        • ActiveDirectory persistence
    • Linux
      • Artefacts overview
      • TTPs analysis
        • Timestomping
    • Cloud
      • Azure
      • AWS
    • Tools
      • Velociraptor
      • KAPE
      • Dissect
      • plaso
      • Splunk usage
  • Red Team specifics
    • Phishing - Office Documents
    • OpSec Operating Systems environment
    • EDR bypass with EDRSandBlast
    • Cobalt Strike
  • Web applications
    • Recon - Server exposure
    • Recon - Hostnames discovery
    • Recon - Application mapping
    • Recon - Attack surface overview
    • CMS & softwares
      • ColdFusion
      • DotNetNuke
      • Jenkins
      • Jira
      • Ovidentia
      • WordPress
      • WebDAV
    • Exploitation - Overview
    • Exploitation - Authentication
    • Exploitation - LDAP injections
    • Exploitation - Local and remote file inclusions
    • Exploitation - File upload
    • Exploitation - SQL injections
      • SQLMAP.md
      • MSSQL.md
      • MySQL.md
      • SQLite.md
    • Exploitation - NoSQL injections
      • NoSQLMap.md
      • mongoDB.md
    • Exploitation - GraphQL
  • Binary exploitation
    • Linux - ELF64 ROP leaks
    • (Very) Basic reverse
  • Android
    • Basic static analysis
  • Miscellaneous
    • Regex 101
    • WinDbg Kernel
    • Basic coverage guided fuzzing
Powered by GitBook
On this page
  • Overview
  • System drive independent collect
  • Offline collector binaries
  1. DFIR
  2. Tools

Velociraptor

PreviousToolsNextKAPE

Last updated 2 years ago

Overview

Velociraptor is an opensource tool designed for the collection of forensic artefacts on live machines running the Microsoft Windows or Linux operating systems.

Velociraptor relies on Velocidex Query Language (VQL) queries to collect artefacts. Velociraptor notably implements a KAPE "Targets" collection mode which uses glob expressions defined in the to collect files (with out any post processing).

While Velociraptor can be deployed in an server / clients mode for continuously collecting endpoint events, it can also be used as a standalone binary to conduct one-time collection. For instance, artefacts retrieved this way can be parsed latter using, among others, Kape.

.

System drive independent collect

The following command can be used to collect the KAPE default triage artefacts and the anti-virus logs of a number of products. The artefacts are collected on the system drive (retrieved from the system environment variable).

.\velociraptor.exe artifacts collect -v Windows.KapeFiles.Targets --output "$(hostname).zip" --args Device=$($Env:SystemDrive) --args KapeTriage=Y --args Avast=Y --args AviraAVLogs=Y --args Bitdefender=Y --args ESET=Y --args FSecure=Y --args HitmanPro=Y --args Kaseya=Y --args Malwarebytes=Y --args McAfee=Y --args McAfee_ePO=Y --args Kaseya=Y --args SentinelOne=Y --args Sophos=Y --args Symantec_AV_Logs=Y --args TeamViewerLogs=Y --args TrendMicro=Y --args VIPRE=Y --args WindowsDefender=Y

Offline collector binaries

Standalone collector binary can be executed, without any argument, to conduct the artefacts collection on a live system.

The pre-compiled released Velociraptor binaries may be used to generate the collector binary, which will collect the artefacts as defined in the provided configuration file:

velociraptor.exe config repack <CONFIG_YAML> <COLLECTOR_BINARY.exe>

[Windows] Standard collection - no autoruns

The following configuration file will collect the artefacts defined in the KapeFiles.Targets as well as a number of other targets (web browsers logs, remote admins tools logs, anti-virus logs for around 20 solutions, ...) for the specified drive and its associated VSS volumes. The RecycleBin artefact can be removed to better control the resulting collection file.

Note that the MFT will not be collected from the VSS. To collect the MFT from the VSS, refer to the more advanced configuration below.

The collected files will be placed in a ZIP file <HOSTNAME>.zip.

# Build standalone collector binary:
# .\velociraptor-v0.6.6-2-windows-amd64.exe config repack velo_light.yaml velo_light.exe
autoexec:
  argv: ["artifacts", "collect", "-v", "Windows.KapeFiles.Targets",
         "--output", "$COMPUTERNAME.zip", "--password", "<PASSWORD>",
         "--args", "Device=C:",
         # Run the collection across all VSS and collect only unique changes.
         "--args", "VSSAnalysis=Y",
         # Kape default triage.
         "--args", "KapeTriage=Y",
         # In completion to KapeTriage
         # The RecycleBin artefact can be removed to better control the resulting collection file.
         "--args", "RecycleBin=Y",
         "--args", "_MFTMirr=Y",
         "--args", "PowerShellConsole=Y",
         "--args", "RDPCache=Y",
         "--args", "ScheduledTasks=Y",
         "--args", "StartupFolders=Y",
         "--args", "CloudStorage_Metadata=Y",
         "--args", "CombinedLogs=Y",
         # Web browsers history, bookmarks, ...: Edge, Chrome, Firefox, and Internet Explorer
         "--args", "WebBrowsers=Y",
         "--args", "InternetExplorer=Y",
         # Remote admin tools.
         "--args", "RemoteAdmin=Y",
         # Windows Firewall Logs
         "--args", "WindowsFirewall=Y",
         # USB devices log files: Setupapi.log XP, Setupapi.log Win7+
         "--args", "USBDevicesLogs=Y",
         # Anti-virus logs
         "--args", "Antivirus=Y",
         # Transfer tools.
         "--args", "BITS=Y",
         "--args", "CertUtil=Y",
         # Webservers logs.
         "--args", "WebServers=Y",
         # Exchange server related logs.
         "--args", "Exchange=Y",
         "--args", "ExchangeClientAccess=Y",
         # WSL files.
         "--args", "WSL=Y",
         "--args", "LinuxOnWindowsProfileFiles=Y",
         # Windows text editors apps.
         "--args", "MicrosoftOneNote=Y",
         "--args", "MicrosoftStickyNotes=Y",
         "--args", "Notepad__=Y",
         # MS SQL ErrorLogs : MS SQL Errorlog, MS SQL Errorlogs
         "--args", "MSSQLErrorLog=Y"
        ]

[Windows] Standard collection - with autoruns & MFT VSS

The following configuration file can be used to additionally:

  • Execute autoruns to produce JSON / CSV output files for persistence entries.

  • Collect all the MFT (even duplicate ones) from the VSS.

It is however advised to generate the collector directly from the velociraptor server so the autoruns binaries will be embedded in the binary (otherwise autoruns will be downloaded at runtime, requiring internet access on the collected system).

The collected files will be placed in a ZIP file Collection-<HOSTNAME>-<OS>-<TIMESTAMP>.zip.

# Build standalone collector binary:
# .\velociraptor-v0.6.6-2-windows-amd64.exe config repack velo_light_autoruns.yaml velo_light_autoruns.exe
autoexec:
  argv:
  - artifacts
  - collect
  - Collector
  - --logfile
  - Velociraptor_collect.log
  - -v
  - --require_admin
  artifact_definitions:
  - name: Collector
    parameters:
    - name: Artifacts
      default: |-
        [
         "Windows.KapeFiles.Targets",
         "Windows.Search.FileFinder",
         "Windows.Sysinternals.Autoruns",
         "Windows.Forensics.ProcessInfo"
        ]
      type: json_array
    - name: Parameters
      default: |-
        {
         "Windows.KapeFiles.Targets": {
           "VSSAnalysis": "Y",
           "_MFTMirr": "Y",
           "Antivirus": "Y",
           "BITS": "Y",
           "CertUtil": "Y",
           "CloudStorage_Metadata": "Y",
           "CombinedLogs": "Y",
           "Exchange": "Y",
           "ExchangeClientAccess": "N",
           "InternetExplorer": "Y",
           "KapeTriage": "Y",
           "LinuxOnWindowsProfileFiles": "Y",
           "MSSQLErrorLog": "Y",
           "MicrosoftOneNote": "Y",
           "MicrosoftStickyNotes": "Y",
           "Notepad__": "Y",
           "PowerShellConsole": "Y",
           "RDPCache": "Y",
           "RecycleBin": "Y",
           "RemoteAdmin": "Y",
           "ScheduledTasks": "Y",
           "StartupFolders": "Y",
           "USBDetective": "Y",
           "WSL": "Y",
           "WebBrowsers": "Y",
           "WebServers": "Y",
           "WinDefendDetectionHist": "Y",
           "WindowsFirewall": "Y"
         },
         "Windows.Search.FileFinder": {
          "Upload_File": "Y",
          "SearchFilesGlob": "*\\$MFT",
          "Accessor": "ntfs"
         }
        }
      type: json
    - name: Template
    - name: Password
      default: <PASSWORD>
    - name: Level
      default: "5"
      type: int
    - name: Format
      default: csv
    - name: OutputPrefix
    - name: CpuLimit
      default: "0"
      type: int
    - name: ProgressTimeout
      default: "0"
      type: int
    - name: Timeout
      default: "0"
      type: int
    - name: target_args
      default: |-
        {
         "bucket": "",
         "GCSKey": "",
         "credentialsKey": "",
         "credentialsSecret": "",
         "region": "",
         "endpoint": "",
         "serverSideEncryption": ""
        }
      type: json
    sources:
    - query: |
        // Add all the tools we are going to use to the inventory.
        LET _ <= SELECT inventory_add(tool=ToolName, hash=ExpectedHash)
         FROM parse_csv(filename="/inventory.csv", accessor="me")
         WHERE log(message="Adding tool " + ToolName)

        LET baseline <= SELECT Fqdn FROM info()

        // Make the filename safe on windows but we trust the OutputPrefix.
        LET filename <= OutputPrefix + regex_replace(
            source=format(format="Collection-%s-%s",
                          args=[baseline[0].Fqdn,
                                timestamp(epoch=now()).MarshalText]),
            re="[^0-9A-Za-z\\-]", replace="_")

        LET _ <= log(message="Will collect package " + filename)
        LET report_filename <= if(condition=Template, then=filename + ".html")
        SELECT * FROM collect(artifacts=Artifacts, report=report_filename,
            args=Parameters, output=filename + ".zip", template=Template,
            cpu_limit=CpuLimit,
            progress_timeout=ProgressTimeout,
            timeout=Timeout,
            password=Password, level=Level, format=Format)
  - name: Generic.Utils.FetchBinary
    parameters:
    - name: SleepDuration
      default: "0"
      type: int
    - name: ToolName
    - name: ToolInfo
    - name: IsExecutable
      default: "Y"
      type: bool
    sources:
    - query: |
        LET RequiredTool <= ToolName

        LET matching_tools <= SELECT ToolName, Filename
        FROM parse_csv(filename="/inventory.csv", accessor="me")
        WHERE RequiredTool = ToolName

        LET get_ext(filename) = parse_string_with_regex(
              regex="(\\.[a-z0-9]+)$", string=filename).g1

        LET temp_binary <= if(condition=matching_tools,
        then=tempfile(
                 extension=get_ext(filename=matching_tools[0].Filename),
                 remove_last=TRUE,
                 permissions=if(condition=IsExecutable, then="x")))

        SELECT copy(filename=Filename, accessor="me", dest=temp_binary) AS FullPath,
               Filename AS Name
        FROM matching_tools

[Windows] More comprehensive collection - OST/PST + memory dump files + users files

The following configuration file will collect the artefacts, in the system drive, defined in the KapeFiles.Targets as well as anti-virus logs, web browsers artefacts, web servers logs, users files (C:\Users\*), Outlook PST and OST files, etc. Depending on the triaged machine usage and I/O performance, collection may requires several hours and generate a resulting archive of multiple gigabytes.

The collected files will be placed in a ZIP file <HOSTNAME>.zip.

# Build standalone full collector binary
# .\velociraptor-v0.6.6-2-windows-amd64.exe config repack velo_full.yaml velo_full.exe
autoexec:
  argv: ["artifacts", "collect", "-v", "Windows.KapeFiles.Targets",
         "--output", "$COMPUTERNAME.zip", "--password", "<PASSWORD>",
         "--args", "Device=C:",
         # Run the collection across all VSS and collect only unique changes.
         "--args", "VSSAnalysis=Y",
         # Kape default triage.
         "--args", "KapeTriage=Y",
         # In completion to KapeTriage
         # The RecycleBin artefact can be removed to better control the resulting collection file.
         "--args", "RecycleBin=Y",
         "--args", "_MFTMirr=Y",
         "--args", "PowerShellConsole=Y",
         "--args", "RDPCache=Y",
         "--args", "ScheduledTasks=Y",
         "--args", "StartupFolders=Y",
         "--args", "CloudStorage_Metadata=Y",
         "--args", "CombinedLogs=Y",
         # Web browsers history, bookmarks, ...: Edge, Chrome, Firefox, and Internet Explorer
         "--args", "WebBrowsers=Y",
         "--args", "InternetExplorer=Y",
         # Remote admin tools.
         "--args", "RemoteAdmin=Y",
         # Windows Firewall Logs
         "--args", "WindowsFirewall=Y",
         # USB devices log files: Setupapi.log XP, Setupapi.log Win7+
         "--args", "USBDevicesLogs=Y",
         # Anti-virus logs
         "--args", "Antivirus=Y",
         # Transfer tools.
         "--args", "BITS=Y",
         "--args", "CertUtil=Y",
         # Webservers logs.
         "--args", "WebServers=Y",
         # Exchange server related logs.
         "--args", "Exchange=Y",
         "--args", "ExchangeClientAccess=Y",
         # WSL files.
         "--args", "WSL=Y",
         "--args", "LinuxOnWindowsProfileFiles=Y",
         # Windows text editors apps.
         "--args", "MicrosoftOneNote=Y",
         "--args", "MicrosoftStickyNotes=Y",
         "--args", "Notepad__=Y",
         # MS SQL ErrorLogs : MS SQL Errorlog, MS SQL Errorlogs
         "--args", "MSSQLErrorLog=Y",
         # Files collection.
         # Users folders files.
         "--args", "LiveUserFiles=Y",
         # Memory dump files: hiberfil.sys, pagefile.sys, swapfile.sys
         "--args", "MemoryFiles=Y",
         # Current Group Policy Enforcement: Local Group Policy INI Files, Local Group Policy Files - Registry Policy Files, Local Group Policy Files - Startup/Shutdown Scripts
         "--args", "GroupPolicy=Y",
         # Managed Object Format (MOF) files
         "--args", "MOF=Y",
         # Outlook PST and OST files: PST XP, OST XP, PST, OST - may generate a lot of data
         "--args", "OutlookPSTOST=Y",
         # Windows explorer-like utilities.
         "--args", "FileExplorerReplacements=Y"
        ]

[Windows] Offline collector build process

The process to generate the collector from the velociraptor server web interface is as follow:

- Server Artifacts -> Build offline collector
    -> Select `Windows.KapeFiles.Targets`, `Windows.Search.FileFinder`,
       `Windows.Forensics.ProcessInfo`, and `Windows.Sysinternals.Autoruns`.

       -> `Windows.KapeFiles.Targets` configuration:
          -> Check "If set we run the collection across all VSS and collect only unique changes."

          -> Modules for standard collection: `_MFTMirr`, `Antivirus`, `BITS`,
             `CertUtil`, `CloudStorage_Metadata`, `CombinedLogs`, `Exchange`,
             `InternetExplorer`, `KapeTriage`, `LinuxOnWindowsProfileFiles`,
             `MSSQLErrorLog`, `MicrosoftOneNote`, `MicrosoftStickyNotes`,
             `Notepad__`, `PowerShellConsole`, `RDPCache`, `RecycleBin`,
             `RemoteAdmin`, `ScheduledTasks`, `StartupFolders`, `USBDetective`,
             `WSL`, `WebBrowsers`, `WinDefendDetectionHist`, `WindowsDefender`,
             `WindowsFirewall`.

          -> Modules for the more comprehensive collection:
             `FileExplorerReplacements`, `GroupPolicy`, `LiveUserFiles`,
             `MemoryFiles`, `MOF`, `OutlookPSTOST`.

       -> `Windows.Search.FileFinder` configuration:
          -> "SearchFilesGlob": `*\$MFT`
          -> "Accessor": `ntfs`
          -> Check "Upload_File"

    -> Configure collection:
       -> "Password": <PASSWORD>
       -> "Output format": "CSV and JSON"

    -> Launch
KapeFiles repository
Pre-compiled released Velociraptor binaries are available on GitHub