Incident response with Velociraptor
The Hunter
From the IT department's point of view, it always makes sense to have an overview of your company's IT infrastructure – or at least be able to create one in a timely manner. In the immediate aftermath of an IT security incident, you need information quickly about which systems an attacker may have accessed and which systems are still operational. Department staff can then look specifically for indicators of compromise (IoCs) with the help of Velociraptor [1].
The developers cite two well-known tools as the basic idea for their own software: the GRR Rapid Response (GRR) [2] incident response tool and the OSQuery [3] monitoring tool. GRR lets you hunt for IoCs and run them over a period of time on all clients connected to your network. The reports are sent to a centralized server where they are available to admins. OSQuery, on the other hand, lets you query information from your clients in a language similar to SQL. The tool provides information in more than 275 tables – from CPU data to network settings (e.g, DNS or static routes) to installed Chrome extensions – you can find out pretty much everything about your systems.
Velociraptor now aims to combine the capabilities of GRR and OSQuery into one tool, while being faster, smaller, more scalable, and easier to install. Like GRR and OSQuery, the software works independent of the selected operating system and comes with virtually no dependencies. Beyond the functionality of GRR and OSQuery, it is possible for defined events to trigger queries and to use the Velociraptor Query Language (VQL), both to execute queries in the sense of OSQuery and to transfer files, modify systems and settings, and control the entire client-server infrastructure.
Quick Install
The architecture of a Velociraptor installation is simple: A centralized server maintains a permanent command and control connection to all the devices (clients) in your IT infrastructure. The entire installation is controlled over a web interface, which is where you configure settings, define and start hunts, and document and edit incidents.
To test Velociraptor, first install the server in a Docker container with the Compose tool. Prepared files are available online [4]. Clone the repository and adapt the ENV file to your environment. The web interface in the Docker container is accessible over port 8889. After opening it in the browser, you can accept the certificate self-signed by Velociraptor and enter the credentials stored in the ENV file for authentication. The default combination is admin / admin . Of course, you will want to change these credentials for production systems.
To install, simply use the appropriate binary for your operating system from the container. The ./velociraptor/clients
folder is included in the container to help, and binaries with the corresponding certificates and configuration are created and stored at startup. For Microsoft systems, an MSI file lets you distribute to your clients by Active Directory.
For Linux systems, copy the ./velociraptor/clients/linuxvelociraptor_ client
and ./velociraptor/client.config.yaml
files into a standard directory (e.g., /tmp
). For macOS or Windows, look for the appropriate binary. Next, look into the configuration file and check the specified server URL and the settings that start with writeback_
. Your local user must have write permissions to the directory configured there. If necessary, adjust the path (e.g., to /tmp/etc/velociraptor.writeback.yaml
on Linux) and then create the /tmp/etc/
folder with appropriate permissions.
Now start the client with the command
./velociraptor_client --config client.config.yaml client -v
which passes the configuration file with --config
and activates the detailed output in the terminal with -v
.
Watch the client start up and then check the web browser to see whether the client is connected. If you cannot see the client directly in the display, use the search function at the top of the page. Just click on the magnifying glass without entering a search string, and you should get a list of connected clients. After clicking on the ID of the client, you are taken to the detailed view with further information, such as when and with which IP address the client logged in.
You will also see the operating system, hostname, and architecture of the system. If you click >_Shell in the upper right corner, you can execute commands on the system if it is connected at the time. Try the commands
uname -a id
and look at the return values by clicking on the eye icon. Clicking on the Logs link highlighted in green will take you to detailed information of the runtime.
Velociraptor Query Language
VQL is based on SQL and is used to control the entire environment. You can use it to query information from the clients, control monitoring and automated response technologies on the clients, and control the Velociraptor server itself. Because of space limitations, I only allow myself to request simple information. As before, you could send queries to a client in >_Shell ; instead, select VQL from the drop-down list next to the input field and execute the query
SELECT * FROM info()
In the resulting table, you will see information for your client system. Instead of an asterisk (*
), you can specify single fields or multiple fields separated by commas, as in SQL. Unlike SQL, however, you will not be using tables; rather, plugins present the information to you as a table. In this example, the query uses the info
plugin. If you first enter a ?
in the input line instead of a plugin name, you will see a list of available plugins from which to choose. You can specify arguments in the parentheses of info()
if the plugin requires additional information.
As with SQL, you can use a filter expression with WHERE
to further narrow the results. VQL also supports aliases or subqueries, as well as constructs such as if
-then
-else
or foreach
. In this way, even complex queries can be displayed in a simple, structured manner.
Gone Hunting
The Hunt Manager in the sidebar is where you create hunts in a guided dialog; you might already be familiar with this procedure from GRR. After entering a short description and setting the selection criteria for the clients, select one or more artifacts, configure parameters for the hunt, and specify any runtime constraints, such as a share of processor time or a maximum runtime on individual clients. After you have checked your JSON-formatted search once again, launch it by clicking Launch Hunt and Start .
To search for the preselected artifacts and leverage the power of VQL at the same time, select Generic.Client.VQL as the artifact. You can enter arbitrary queries in the Configure Parameters item by clicking on the wrench icon. In the hunt overview you can then monitor the progress of your hunts and view the results.
If you're working on a recent incident, you will want to do more than run individual queries; in fact, you will probably want to document them systematically. Velociraptor offers notebooks for this purpose. Select the appropriate item in the left menu and create a new notebook by clicking the plus symbol (+ ). Notebooks consist of various cells, such as Markdown cells for documentation and VQL cells for query definition. The queries are executed directly. When combined with the information from the Markdown cells, you can create complete reports for your investigation in next to no time – and always with up-to-date results. Notebooks can also be shared with multiple users.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.