Incident Response Training Lab with Velociraptor

Description

This project simulates a real-world cybersecurity incident investigation using Velociraptor.

Environment Setup

Virtual Machines

  • Velociraptor Server: Ubuntu Server (4 GB RAM, 2 CPUs)
  • Windows Endpoint: Windows 10 Workstation (4 GB RAM, 2 CPUs)
  • Attack Machine: Kali Linux Machine (4 GB RAM, 2 CPUs)

Note: Set each VM's networking to NAT (or otherwise place them on the same network) so that the machines can reach each other.

Velociraptor Server

Download the Linux 64-bit binary from the Velociraptor GitHub releases page and continue with the setup. Sam's Class has a good video that walks you through the steps; you can find it here. I will also include all the commands I used below.

$ wget https://github.com/Velocidex/velociraptor/releases/download/v0.73/velociraptor-v0.73.1-linux-amd64
$ chmod +x velociraptor-v0.73.1-linux-amd64
$ ./velociraptor-v0.73.1-linux-amd64 config generate > velociraptor.config.yaml
# Edit velociraptor.config.yaml and change localhost to the server's IP address

# Create the first GUI user with the administrator role
$ ./velociraptor-v0.73.1-linux-amd64 --config velociraptor.config.yaml user add admin --role administrator
# Start the server (frontend + GUI), verbose
$ ./velociraptor-v0.73.1-linux-amd64 --config velociraptor.config.yaml frontend -v

You can now browse to https://<server-ip>:8889 and see the Velociraptor login page. Log in using the username and password you just created.

Velociraptor Client Setup

Download the Windows executable of the same version from the Velociraptor GitHub releases page.

# In velociraptor.config.yaml, add use_self_signed_ssl: true directly below nonce (just after the end of the public certificate block)
$ ./velociraptor-v0.73.1-linux-amd64 --config velociraptor.config.yaml config client > client.config.yaml
# velociraptor-v0.73.1-windows-amd64.exe is the Windows executable downloaded above
$ ./velociraptor-v0.73.1-linux-amd64 config repack --exe velociraptor-v0.73.1-windows-amd64.exe client.config.yaml velociraptor-client-windows.exe
# Copy the repacked client exe to the Windows machine and install it as a service from an elevated prompt
PS> .\velociraptor-client-windows.exe service install
  • Once it is installed, the Velociraptor service shows as running in Windows Services.
  • Go to the server's :8889 page and click Search on the top bar; the host appears, connecting back and marked green (Active).

Velociraptor Overview

Type ALL in the search box to list all clients. Velociraptor also supports tagging, which is useful when we want to run the same queries or commands against a set of machines. We have root-level access to the clients and can run PowerShell and cmd commands on Windows clients.

  • Interrogate
    Gives us a general overview of the system
  • VFS
    Shows us the file system of that device. We can browse through the drives and even map out or download the folders or files that look interesting for investigating an incident. Click on Auto and refresh
  • Collected
    Shows the recent actions we have taken on that device
  • Quarantine
    Allows us to quarantine the host from the network
  • Tags
    Allows us to add a tag or add the host to an existing tag
  • VQL drilldown
    Shows the recent Velociraptor queries
  • Shell
    Gives us a root shell on the device. We can toggle it between PowerShell and cmd

Creating a Hunt in Velociraptor (Windows)

  • Let's create a new hunt for Windows devices. Velociraptor ships with prebuilt artifacts that we can use. We will look at RDP events to see whether there is any attack or password-spray pattern against any user on the device. Velociraptor has a prebuilt artifact named “Windows.EventLogs.RDPAuth” for this purpose.

Go to Hunt Manager > New Hunt, then:
  • Give or create a tag, add a description, and set an expiration date and time.
  • Add an explicit condition if needed, for example restricting the hunt to Windows devices only.
  • Click “Select Artifacts” and pick the “Windows.EventLogs.RDPAuth” artifact.
  • Under Configure Parameters, view and adjust the Windows event log path on the client machine if necessary.
  • Click Launch to run the hunt. Once it completes, the results appear in the Notebook and can be exported to CSV or JSON.
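Once the RDPAuth results are exported, the password-spray pattern the hunt is looking for (many distinct accounts failing from one source, then a success from that same source) can be pulled out of the CSV programmatically. The following is an added example, not part of the original write-up or of Velociraptor itself; the column names (EventTime, Computer, EventID, UserName, SourceIP) and the sample rows are constructed for this example and may differ from the artifact's real export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an RDPAuth CSV export (column names assumed).
SAMPLE_CSV = """EventTime,Computer,EventID,UserName,SourceIP
2024-05-01T10:00:01Z,WS01,4625,administrator,203.0.113.7
2024-05-01T10:00:02Z,WS01,4625,bob,203.0.113.7
2024-05-01T10:00:03Z,WS01,4625,carol,203.0.113.7
2024-05-01T10:00:04Z,WS01,4625,dave,203.0.113.7
2024-05-01T10:00:05Z,WS01,4625,alice,203.0.113.7
2024-05-01T10:00:09Z,WS01,4624,alice,203.0.113.7
2024-05-01T10:05:00Z,WS01,4625,bob,192.0.2.20
2024-05-01T10:05:30Z,WS01,4624,bob,192.0.2.20
"""

FAILED_LOGON = "4625"   # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"  # Windows Security event: an account was successfully logged on


def find_password_spray(csv_text, min_distinct_users=3):
    """Group RDP auth events by source IP and flag sources whose failures
    hit many distinct accounts. Returns {source_ip: report} for flagged sources."""
    per_ip = defaultdict(lambda: {"failed_users": set(), "failures": 0, "successes": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = per_ip[row["SourceIP"]]
        user = row["UserName"].lower()
        if row["EventID"] == FAILED_LOGON:
            bucket["failures"] += 1
            bucket["failed_users"].add(user)
        elif row["EventID"] == SUCCESS_LOGON:
            bucket["successes"].append(user)

    findings = {}
    for ip, b in per_ip.items():
        if len(b["failed_users"]) >= min_distinct_users:
            # A success from the sprayer for an account it also failed against
            # is the account to treat as compromised.
            compromised = sorted({u for u in b["successes"] if u in b["failed_users"]})
            findings[ip] = {
                "distinct_users_failed": len(b["failed_users"]),
                "failures": b["failures"],
                "compromised_accounts": compromised,
            }
    return findings


if __name__ == "__main__":
    for ip, report in find_password_spray(SAMPLE_CSV).items():
        print(ip, report)
```

Point it at the exported CSV instead of SAMPLE_CSV and tune min_distinct_users to the size of the environment; a single user failing repeatedly from one IP is a brute force, not a spray, and is deliberately not flagged here.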

!! We just got alerted that an incident happened on a particular Windows device. Let's use Velociraptor to hunt and identify how the attacker gained access to the environment !!

Live Triaging

  • First, quarantine the host to prevent further spread.
  • Check whether Velociraptor picked up login attempts via RDP. I exported the search results to a CSV and looked through the logins for a pattern. On investigation, a large share of the traffic comes from a single IP.
  • That IP generated a lot of RDP enumeration, and the threat actor gained access through an RDP password-spray attack that hit Alice's weak password.
  • Next, let's see what the threat actor did once they had access.
  • I created a new hunt looking at process creations (Windows\System32). The Windows.Artifact.ProcessCreation and Windows.Attack.ParentProcess artifacts show whether Alice ran any commands or started an unwanted process.
  • Alice's account invoked sethc.exe repeatedly, and a command shell popped up each time the sticky-keys binary was called, so the actor used the Sticky Keys backdoor to elevate access.
  • After that, the actor disabled Defender real-time monitoring and used Mimikatz to export other users' password hashes.
  • The evidence comes from the PowerShell command history (Windows.System.Powershell.PSReadline) and the Windows binary-execution history (Windows.Detection.BinaryHunter).
  • Our logon events show that the threat actor logged out after this!!
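The two findings above (a shell appearing whenever the sticky-keys binary is called, and Defender real-time monitoring being disabled from PowerShell) can be turned into simple triage rules over the hunt output. This is an added example, not code from the original write-up or from Velociraptor; the record fields (Time, Name, Parent, CommandLine) and the sample rows are constructed for this example and are not the artifacts' guaranteed column names. It generalises slightly beyond the write-up by covering the other Windows accessibility binaries that the same hijack works against.

```python
import re

# Constructed process-creation records (field names assumed for this example).
PROCESS_EVENTS = [
    {"Time": "10:12:01", "Name": "sethc.exe", "Parent": "winlogon.exe", "CommandLine": "sethc.exe 211"},
    {"Time": "10:12:02", "Name": "cmd.exe", "Parent": "winlogon.exe", "CommandLine": "cmd.exe sethc.exe 211"},
    {"Time": "10:15:40", "Name": "powershell.exe", "Parent": "cmd.exe", "CommandLine": "powershell.exe"},
    {"Time": "10:20:00", "Name": "notepad.exe", "Parent": "explorer.exe", "CommandLine": "notepad.exe"},
]

# Constructed PSReadline history lines, in the shape the PSReadline artifact returns.
PSREADLINE_HISTORY = [
    "Get-Process",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "dir C:\\Users",
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Accessibility binaries launched by winlogon.exe from the logon screen; all share the sethc.exe weakness.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+.*-Disable", re.IGNORECASE)


def flag_sticky_key_backdoor(events):
    """Flag a shell started by winlogon.exe (the accessibility binary was replaced
    or hijacked) or a shell whose command line names an accessibility binary.
    A genuine sethc.exe under winlogon.exe is normal and is not flagged."""
    hits = []
    for e in events:
        name = e["Name"].lower()
        parent = e["Parent"].lower()
        cmd = e["CommandLine"].lower()
        if name in SHELLS and parent == "winlogon.exe":
            hits.append((e["Time"], "shell spawned by winlogon.exe", cmd))
        elif name in SHELLS and any(b in cmd for b in ACCESSIBILITY_BINARIES):
            hits.append((e["Time"], "shell invoked with accessibility binary argument", cmd))
    return hits


def flag_defender_tampering(history):
    """Return PSReadline entries that turn off a Defender protection."""
    return [line for line in history if DEFENDER_TAMPER.search(line)]


if __name__ == "__main__":
    for hit in flag_sticky_key_backdoor(PROCESS_EVENTS):
        print("sticky keys:", hit)
    for line in flag_defender_tampering(PSREADLINE_HISTORY):
        print("defender tamper:", line)
```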

Thanks for reading!