Velociraptor Incident Response and Monitoring | Setup and Configuration
Abstract:
In the ever-evolving world of cybersecurity, incident response and monitoring tools have become indispensable for organizations of all sizes to effectively identify, investigate, and remediate security incidents. Velociraptor, an open-source incident response platform, stands out as a powerful and versatile tool that can be tailored to meet the specific needs of any organization.
Target Audiences:
This blog post is specifically geared towards two primary audiences:
1. Small and startup organizations or DFIR teams who do not have enough budget to buy commercial tools with the same use cases. Velociraptor offers a cost-effective and feature-rich alternative to expensive commercial solutions, making it an ideal choice for resource-constrained teams.
2. DFIR practitioners who are looking for a robust and customizable incident response platform to enhance their investigative capabilities and streamline their workflow.
Key Takeaways:
· Velociraptor is a versatile and powerful incident response platform that can be used to manage investigations, gather evidence, and remediate security incidents across multiple platforms.
· Velociraptor’s open-source nature allows for extensive customization and integration with other tools, making it a flexible solution for a wide range of organizations.
· Velociraptor’s scalability makes it suitable for both small and large organizations, with the ability to manage hundreds or even thousands of endpoints.
Overview of the Velociraptor Incident Response and Monitoring Tool:
Velociraptor is a comprehensive incident response and monitoring platform that provides a centralized repository for collecting, storing, and analysing event data. It utilizes a distributed architecture that allows it to gather data from endpoints and cloud environments, enabling organizations to gain a holistic view of their security posture.
Velociraptor’s key features include:
· Artifact Collection: Velociraptor can collect a wide range of artifacts from endpoints, including files, registry entries, and network traffic.
· Evidence Analysis: Velociraptor provides powerful tools for analysing collected artifacts, enabling investigators to identify and interpret potential security threats.
· Incident Response Automation: Velociraptor can automate incident response workflows, streamlining the process of identifying, investigating, and remediating security incidents.
· Integrations: Velociraptor seamlessly integrates with a variety of other tools, including SIEMs, EDRs, and threat intelligence platforms.
BLUF (Bottom Line Upfront):
Velociraptor stands as a compelling incident response and monitoring solution for organizations of all sizes. Its open-source nature, scalability, and versatility make it an attractive choice for those seeking a cost-effective, powerful, and customizable tool to enhance their security posture.
Technical Guide | Unleash the Power of Velociraptor
Velociraptor can be deployed on both Linux and Windows systems. This guide will walk you through the process of installing and configuring Velociraptor on both platforms.
Part 1: Server Installation and Configuration of Velociraptor (Kali)
1. Create a folder for Velociraptor in the /opt Linux directory named vraptor using the command mkdir vraptor.
2. Change the directory into vraptor with cd vraptor.
3. Download the Velociraptor executable Version 0.6.9 from GitHub using the command:
Ø wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.9/velociraptor-v0.6.9-linux-amd64.
4. Rename the downloaded file to vraptor for convenience.
5. Make the file executable using the command chmod +x vraptor.
6. Generate a configuration file using the command vraptor config generate and store it in /etc/velociraptor.config.yml.
Ø ./vraptor config generate > /etc/velociraptor.config.
7. Update the configuration file with your IP addresses using nano /etc/velociraptor.config.yml. You need to change the IP address in four places: the server URL, the API, the GUI, and the monitoring host.
8. Allow self-signed certificates when using HTTPS by adding the line use_self_signed_ssl: true below the server URL () in the configuration file.
9. Create a strainer admin user with the command. /vraptor — config /etc/velociraptor.config.yaml user add strainer — role administrator. Set the password as a “strainer”.
Ø ./vraptor — config /etc/velociraptor.config.yml user add strainer — role administrator
10. Start Velociraptor using the command:
Ø ./vraptor — config /etc/velociraptor.config.yml frontend -v
11. Access the frontend through Port 8889 (https://192.168.84.163:8889/) and log in with your credentials.
12. Change the IP to your own address.
13. Create a service definition file /etc/systemd/system/vraptor.service and set the Unit, Service, and Install sections accordingly.
[Unit]
Description=Velociraptor IR
After=network.target
[Service]
Type=simple
User=root
ExecStart=/opt/vraptor/vraptor — config /etc/velociraptor.config.yml frontend -v
[Install]
WantedBy=multi-user.target
14. Enable the service with sudo systemctl enable vraptor.
Ø systemctl enable vraptor
Ø Created symlink /etc/systemd/system/multi-user.target.wants/vraptor.service → /etc/systemd/system/vraptor.service.
Please replace 192.168.84.163 with your actual IP address and the username also. Ensure that you have the necessary permissions to execute these commands.
Ping me on LinkedIn if you need further assistance! 😊
Part 2: Connecting Linux hosts to Velociraptor (Debian OS Client)
1. Generate a client configuration file on your Velociraptor server using the command vraptor — config /etc/velociraptor.config.yaml config client > client.config.yaml.
Ø └─# ./vraptor — config /etc/velociraptor.config.yml config client > client.config.yaml
2. Open a web server to download the executable and configuration files to your clients. If Velociraptor is running, stop it with systemctl stop vraptor and then restart the server using start.
Ø systemctl stop vraptor
Ø systemctl start vraptor
3. On your client machine (e.g., web01), create a `vraptor` folder with mkdir vraptor and change directory into it with cd vraptor.
Ø mkdir /opt/vraptor
Ø cd /opt/vraptor/
4. Download the binary and configuration files from the server using
Ø Option 1: Download directly from the server with “wget” command
o wget http://192.168.84.163:8000/vraptor
o wget http://192.168.84.163:8000/client.config.yaml.
Ø Option 2: Manually download the 2 files from the server then upload them in the client.
5. Set up the client to automatically start on reboot. Create a service definition file /etc/systemd/system/vraptor.service and set the Unit, Service, and Install sections accordingly.
6. vi /etc/systemd/system/vraptor.service
[Unit]
Description=Velociraptor Agent
After=network.target
[Service]
Type=simple
User=root
ExecStart=/opt/vraptor/vraptor — config /opt/vraptor/client.config.yaml client -v
[Install]
WantedBy=multi-user.target
7. Start the Velociraptor agent. First, make it executable with sudo chmod +x vraptor, then enable and start the service with sudo systemctl enable vraptor — now and sudo systemctl start vraptor.
Ø systemctl daemon-reload
Ø systemctl enable vraptor
Ø systemctl start vraptor
8. Verify the connection. Go back to your Velociraptor server, start it up, and check the home screen to see if your client is now connected.
9. Repeat the process for other hosts.
Please replace 192.168.84.163 with your actual server IP address and /opt/vraptor with your actual home folder. Also, ensure that you have the necessary permissions to execute these commands.
Ping me on LinkedIn if you need further assistance! 😊
Part 3: Connecting Windows hosts to Velociraptor (Client)
1. Download the Velociraptor MSI file from the Releases · Velocidex/velociraptor (github.com).
Ø velociraptor-v0.7.1–1-windows-amd64.msi
2. Install Velociraptor by double-clicking the downloaded MSI file. The installation is quick, and you’ll find Velociraptor under Program Files\Velociraptor.
3. Replace the placeholder configuration file with your own. Copy your client.config.yaml file from your server (or wherever it’s stored) and replace the client.config.yaml in Program Files\Velociraptor.
4. Open a command shell and navigate to the Velociraptor directory with cd \Program Files\Velociraptor.
5. Set up Velociraptor as a service using the command Velociraptor — config client.config.yaml service install.
Ø C:\Program Files\Velociraptor>Velociraptor.exe config client.config.yaml service install
6. Check your services files to confirm that Velociraptor is installed and running.
7. Restart the service to activate your new configuration.
8. Verify the connection. It may take a while for the dashboard to update, but eventually, you should see your connected clients when you check the ‘search clients’ dropdown and select ‘show all’.
Please ensure that you have the necessary permissions to execute these commands.
Ping me on LinkedIn if you need further assistance! 😊
About the Author
Mike Art Rebultan is a seasoned IT and OT security professional with over 20 years of experience in the industry. He has been a digital forensics and incident response specialist in different ICS/OT organizations for 12 years, leveraging his expertise in IT and OT security, offensive security, and cyber threat intelligence to protect critical infrastructure. He works with a few cyber security organizations, the government sector, data center, bpo, retail, OT/IIoT, swiss bank, semi-conductor, academe, and more — he is currently an adjunct cybersecurity professor in a few colleges/university in Toronto, Canada.
He holds a master’s degree in IT with a concentration in E-Commerce Security. He has further supplemented his education with a Professional Graduate Diploma in Digital Forensics and Cyber Security. This demonstrates his commitment to staying at the forefront of his field and his dedication to providing his clients with the highest level of expertise and knowledge.
With a focus on computer forensics, network intrusion, data breach, cybercrime investigation, malware analysis, and reverse engineering, Mike Art Rebultan has established himself as a seasoned expert in the field. In addition to his professional work, Mike enjoys technical writing with the ISACA Blog portal and public speaking in RSA, HITB, FOSS Asia, and more. He has discovered eight zero-day malware during IoC extractions as part of threat-hunting activities and managed at least 12 cyber breaches which demonstrates his deep understanding of the industry.