
Security Operations with Velociraptor

BSides Tampa · 48:23 · 185 views · Published 2023-09
About this talk
Security Operations with Velociraptor. Eric Capuano, CTO & Cofounder, Recon InfoSec; Whitney Champion, Lead Architect/Cofounder, Recon InfoSec.
Transcript [en]

All right everyone, thank you for your patience. Here today we have Eric and Whitney. They are the co-founders of Recon, and today they'll be [inaudible] for us. Awesome, thanks a lot. [Applause]

Thanks so much, folks. Really appreciate you all showing up to catch this talk, especially right after lunch, or actually during lunch, depending on what time you eat. Really appreciate the BSides Tampa crew for having us out here. They reached out actually not that long ago; it was kind of a last-minute plan for us to come out here. They reached out because they wanted us to run our DFIR CTF. I said I'd love to, and so we said, well, we're already going to be here, let's do our best to submit a talk and see if folks want to hear about this really awesome tool that's near and dear to our hearts. So I'll give a quick round of introductions and then I'm going to explain a little bit about what Velociraptor is, because even if you've heard of it, which many of you probably have at this point, I'm hoping that this talk is going to shed some light on things that maybe you didn't know it was also very capable of.

So let's dive into those intros. A little bit about me: my name is Eric Capuano, I'm the CTO and one of the co-founders of Recon InfoSec, which is a managed detection and response provider out of Austin, Texas. So a simple way to put that is we are a SOC as a service. Everything on the defensive side of security operations we handle, from threat hunting, detection, containment, eradication, all of the above, effectively. So we are blue team at heart, we are defenders, and that's kind of where our passion lies. I also teach digital forensics and incident response for SANS, for those of you that are familiar with SANS, and we've both taught for several years now at Black Hat. So if you go out to Vegas in the summertime you can actually catch us out there teaching live incident response inside of a simulated corporate network, and that's a lot of fun. Like many of my colleagues at Recon, I'm a former Air Force and Air National Guard member supporting cyber warfare operations out of Lackland Air Force Base in San Antonio. A lot of cool experiences there, met a lot of really good people, and convinced half of them to come and work with me at Recon, so that was fun. And I had another previous experience standing up the first security operations center for the Texas Department of Public Safety, which, just like in the State of Florida, right, that's everything from state police, highway patrol, all the way down to driver's licensing, regulatory services, you name it. So it's a mission-critical network, you know, 450 locations across the state of Texas, and when I arrived there was no security capability at all. By the time I left, my team was publishing threat intel back up to US-CERT. So we had really kind of made a name for ourselves as a small, underfunded state agency; we were doing really good work. And I gotta say, one of the secrets that I picked up in that time was figuring out how to be highly effective at security operations with a shoestring budget, and that's where you'll quickly find out that open source is the magic answer. It really is. So, you know, hopefully you're in an organization that has an open mind to open source, because if you don't, you're missing out on some of the most powerful tools out there, and I'm talking even compared to those really expensive off-the-shelf tools that we trust so much for unknown reasons. So that's one of the things we like to show off about open source: it can get a lot of good things done. Hopefully I didn't hit a nerve there.

All right, but let me turn it over to Whitney, who's actually kind of the superhero of our team. She's the lifter of many of the awesome things that we do. You're gonna have to speak up, though.

I'm not good at speaking up. I'm Whitney Champion. As Eric mentioned, I'm one of the co-founders and lead architect at Recon InfoSec, formerly Red Hat [inaudible]. My background is largely in cloud security and large-scale security infrastructure automation and orchestration. If you are familiar with the DEF CON Hacker Tracker, that was my brainchild many, many years ago, and if you see anything with angry eyebrows floating around the community, chances are it's my art as well. You're welcome.

Awesome. So let me give a high-level agenda of what we're hoping to cover in this very, very condensed 45-minute session here. So we're going to talk a little bit about what Velociraptor is, for those of you that haven't heard of it. Prepare to be enlightened; it's going to be one of your new most favorite tools. It certainly is one of mine. Then we're going to talk about some of the things that it can do. Like, for instance, and remember this is a SecOps talk, so, you know, Velociraptor is well known as an incident response tool, and it is a phenomenal one, but what a lot of folks don't know is that you could use this daily, every day, in your SOC. Your IT team could even get value out of Velociraptor. So I'm going to talk about things like deploying and managing your other security agents, your EDR, Sysmon, whatever. Velociraptor can kind of be like the supervisor of those things, right? So there's a lot of cool things we can do there. There's things that we can do with these scheduled hunts and server events to basically keep a constant watch on certain things in our environment with nothing but Velociraptor in play. We'll also talk about how we can get real-time visibility into what's happening on our endpoints, right, which of course you probably know well: "that's what my SIEM does." Okay, but not everybody can afford a SIEM, right? And even though there are open source SIEMs, that's a lot of elbow grease to stand that up. So what if I told you Velociraptor is almost as good, if you have nothing better, to start getting real-time telemetry and [inaudible] of what's going on inside your network, and even the ability to respond to those things, right? And then we're going to get into, okay, now what happens when it hits the fan? You know, bad guy breaks in, starts trying to, you know, encrypt files, whatever. All right, now can we get involved with Velociraptor and do something about it? Absolutely. It's actually probably one of the things that it shines at the best, and that'll spill right into incident response, containment and remediation there at the end.

So let's talk about what it is. Now folks, let me tell you, even though it probably sounds like Velociraptor is going to be this wildly complex, like, who knows, this is going to be really impossible to stand up, deploy and even use, that could not be more opposite of the truth. It is the most simple thing you will probably ever try to deploy, even if you've ever done anything like it before. You pull down a single executable from GitHub and you deploy your server with it, and then that same executable, that's what all your clients are going to use; it just runs with a slightly different configuration, right? So that's it: a single executable, and you now have a Velociraptor server, and you can have tens of thousands of Velociraptor clients all connecting back to that server, giving you a real-time command and control capability of all your endpoints, whether that's just getting visibility, reaching into file systems and pulling back malware, or responding to a threat actor that's actively, you know, wreaking havoc inside of that network. So it doesn't get any easier than this, right?

For those of you that have been around long enough to remember a project called GRR, Google Rapid Response, yep, see a lot of heads shaking, because GRR made a dent in the open source IR community because it was a very, very powerful toolkit. Let me tell you this: one of the developers of GRR was Mike Cohen, who eventually, you know, branched out, left Google and created Velociraptor, basically as a way of saying GRR could have been a lot simpler than it was, because one of the biggest complaints about GRR was it's very powerful, but who's got time to stand that thing up and keep it running and alive and all that stuff. So basically he wrote Velociraptor to be the predecessor, or I should say the successor, of GRR, and he did a rock-solid job at it.

So let me just kind of show you. So imagining that you drop your Velociraptor server on a box and you've got all your clients out there, the agents are connecting back to the server, you log into that server and you have a very, very simple and intuitive web interface, right? So you're not dropping to a shell and running SQL commands here. We can very easily pop into this list of clients here, and I can see every one of my agents that are checking in. I've got a green light saying these are connected in real time, so anything I want to do to any of these systems, it's going to happen instantaneously. And by the way, that agent running on the box runs as a system-level service, so there's no limit to what I can do. I have god mode on that box, right? So anything under the sun I can do, which, yes, for anybody thinking a little mischievous here, would be detrimental in the wrong hands, right? So keep that in mind, but that's true about any tools that we use, security tooling especially, right? You would never want an adversary to get access to your EDR portal, right? Well, same thing here. So you want to make sure that this is something you do with defensible architecture in mind. But once I log in, I take a peek at all these endpoints checking in, I can drill into any one of these endpoints to get more information, browse the file system; I'm going to show you some of that here in just a bit. I can also very smartly apply specific labels to subsets of my systems. So for instance, maybe I've got a pocket of systems that are critical, right, my domain controllers, Exchange, or if I'm a law enforcement agency I probably got CJIS systems, if I'm critical infrastructure I probably have SCADA/ICS systems. I can get in here and label and tag all those systems so that in the future I can run very targeted hunts: hey, I only want to hunt for this artifact on this subset of systems, or these, or the others, right? So that's a pretty cool capability to have as well.

So let's say I decided I wanted to drill into one of these systems and take a deeper dive, like I'm picking on this desktop device here. It's running Windows 10 Pro, okay, got it, and we're going to click into it and see what we can do inside of the context of this system, right? So clicking into it, I now have a summary of that endpoint, right? I've got its unique client ID, some version information, all that kind of good stuff, some operating system, fully qualified domain name, all that. Okay, cool. Now there's a variety of options that I have access to in here, and one thing I'm pointing out, the reason this arrow is up here, is because this is what's reminding me, as I start clicking through some of these other menu items up here, this is reminding me the context of what I'm looking at. So I'm looking at this system, this desktop machine here. Now I'm going to do a deeper dive into some of these other functions and features, but I'm going to go ahead and hand it off to Whitney to talk about how we can use Velociraptor to orchestrate our security agents of any kind, right, whether it's Sysmon or Carbon Black or whatever, using Velociraptor to maintain full posture of those agents.

All right, so as Eric mentioned, we use Velociraptor heavily for agent deployment and orchestration, something we do a lot in our line of work. So whether it's Sysmon or Winlogbeat or Filebeat, it could even be your EDR agent that may or may not be a headache to deploy, well, Velociraptor allows us to do that really quickly and really easily at large scale, which is why we use it. And so Velociraptor comes with a lot of artifacts; they're called artifacts in Velociraptor, we'll get to that in a minute. But it comes with a lot of artifacts out of the box, and one of those is Sysmon, so it's specifically built for deploying Sysmon across all of your endpoints. So in this case we're going to create a hunt, say, hey, I want to take all my Windows boxes and push Sysmon to everything that's out there. So this is Windows.Sysinternals.SysmonInstall; you may or may not be able to read that. That's the name of the built-in artifact from Velociraptor that deploys Sysmon, and it uses something called tools inside of Velociraptor, so it's a tool inside of a tool, basically. So if you see, we've got two tools listed: one is the Sysmon binary and one is the Sysmon config. So what Mike Cohen has built into this is essentially a really simple way to deploy binaries or config files or you name it, really smoothly, because what it does is it uploads those files to Velociraptor. So this does two things for us. This allows us to download the binary or config file or whatever it is; it downloads it to the Velociraptor server, so now your endpoint no longer has to go and reach out to some third party. It's just going to go reach out to Velociraptor and say, hey, give me this file, because Velociraptor has already fetched it and stored it. So you no longer have to have another communication that may or may not be blocked on the network in that particular environment. The other thing it does is it caches that file, so if your system has to reuse it or grab it later on in the artifact, it's already there, the executable or the XML or whatever file it is you need. So this is basically just going to pull down the Sysmon binary in this case.

So we know how to deploy Sysmon via a hunt, but one of the things that we don't want to do all the time in all of our environments is go deploy this manually. So one of the really powerful things about Velociraptor is this thing called client event monitoring and client event artifacts. So essentially what we're going to do is say, hey, set it and forget it, because we don't want to do this over and over again. We're going to use basically labels, which are built into Velociraptor. The name of the label is arbitrary, but hey, we want everything that's labeled Recon 99 to check in and get this artifact that is called Windows checks, or the name doesn't matter, but basically what it's going to do, it's going to set up a job that runs constantly that goes and deploys this to everything labeled Recon 99. A really good use case of that is if you know you want a 100% deployment rate of a certain agent like Sysmon, then this means that the second Velociraptor gets installed on this box and it checks in, Velociraptor is going to push this on automatically, without delay. So it's just a way to kind of know you've got that full coverage that you expect to have. And what it's going to do is, depending on the time frame that you put on here, it's not just going to run it when it checks in; it's going to run when it checks in and then every X amount of time from there on out. So it could be every five minutes, it could be every five hours, it could be every other day, every month, it doesn't matter, but you can essentially set it and forget it and say, hey, I want this thing to run indefinitely on all of these systems. It could be by OS, it could be by label, whatever you need, and in this case it's just everything that's Windows is going to pick up this artifact.

So this is the artifact that it's actually running behind. It's an artifact, there's an artifact, or the artifacts, all fun. This is also all VQL, which, if you're not familiar, is Velociraptor Query Language, so yet another query language to have fun with. Basically what this is doing is this is going to go say, hey, is Sysmon on the box, yes or no? Well, if it is, cool. If it's not, go deploy. If the service is there but it's not running, go start it. If it's running, we're all good, continue on, and it doesn't do anything, because what we don't want is it to keep redeploying and redeploying. We just want to make sure it's there and make sure it's happy and move along. So this is basically, just for grins, what it looks like on the back end when it does run. It says, hey, I've checked in every 10 minutes from here on out, we're okay, I'm not going to deploy anything, just basically to give you visibility into what it's actually doing. Because imagine, I mean, you might deploy Sysmon to 10,000 endpoints, but do you know every hour of every day that Sysmon is on those endpoints and is still running, right? That's essentially what this is doing every 10 minutes. Oh, and if it stops running, guess what, we're going to start it right back up. So even if you get an adversary, you know, in there jacking around, or a customer who wants their stuff turned off, because we've all been there, it'll turn right back on and they won't even know.

So one of the really powerful things that Velociraptor allows us to do is what we're doing here in server event monitoring. So we can schedule hunts, we can schedule all kinds of things in here, and this allows us to do a lot more with our endpoints and a lot more with our data. Does anybody in here use Velociraptor currently? Oh, good, one, okay. Well, we use it a whole lot in IRs, in incidents, to do the triage acquisitions of particular endpoints, and so that requires going out, gathering a whole ton of data from a whole ton of endpoints, and then doing something with that data. So Velociraptor lets us do that very quickly, very easily, at scale, whenever we need to. [inaudible] That's at the end, so stick around; we'll talk about triage. You bet.

So that's one of the things that's already built into Velociraptor: an artifact called KapeFiles. So if anybody is familiar with KAPE? By somebody? One person at least is familiar with KAPE. It's a tool by Eric Zimmerman. KAPE is not open source, but this particular list of files is, and what that list of files is, it's all the things that we should go collect when we're in the middle of an IR and don't know what we need to get off a box. So this list is built into one of the artifacts of Velociraptor, and we can go pick and choose: the MFT, registry, whatever we need to get off the box, endpoint logs, all that stuff will get pulled down and bundled up. So this artifact is essentially going to sit here and monitor and wait for us to run that triage on any endpoint, and then say, hey, what do you want to do with this data? And in this particular instance we're going to say, watch for us to run this KAPE artifact, and when it's done, take all those files, zip them all up and then shoot them up to S3. But this doesn't necessarily have to be S3; it can be wherever you want your data to go, which is what makes this really powerful, because you can do lots of other things with data that would otherwise have been a royal pain in the butt to go gather. This is a snippet of the artifact. Oops, what did I just push? You're going forward. I'm hitting the back button, why am I hitting that? You're hitting forward. No, but I hit back. Okay, there we go, there we go.

So this is a snippet of the artifact. Eric and I did a talk a couple of years ago, it was "Breaches Be Crazy", it was at the SANS DFIR Summit, and so it was in this repo that we give you the full dump of all of that, but that was also really useful. So say you've got thousands of endpoints and you want to be able to gather all this data from all of your endpoints continuously. Velociraptor allows us to do that really easily, because there are already all these artifacts bundled in it that go grab users, go grab network information, go grab services, t
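As an added example, not code from the talk or from the Velociraptor project, here is a client event artifact in the shape Whitney describes for the Sysmon watchdog: on a timer it checks whether the Sysmon service exists and is running, installs it via the built-in Windows.Sysinternals.SysmonInstall artifact if it is missing, starts it if it is stopped, and otherwise only logs "ok" so nothing is redeployed. The artifact name Custom.Windows.SysmonWatchdog, its parameters and the use of sc.exe are assumptions; it also assumes the built-in SysmonInstall artifact and its tool definitions are present on the server, as shown in the talk.

```yaml
name: Custom.Windows.SysmonWatchdog
description: |
  Added example (not from the talk or the Velociraptor project).
  On a timer, checks whether the Sysmon service exists and is running.
  Missing -> runs the built-in Windows.Sysinternals.SysmonInstall artifact.
  Stopped -> starts the service with sc.exe.
  Running -> logs "ok" and does nothing, so nothing is redeployed.
type: CLIENT_EVENT

parameters:
  - name: CheckPeriodSeconds
    type: int
    default: "600"
    description: How often to re-check (the talk used 10 minutes).
  - name: ServiceNamePattern
    default: "^Sysmon(64)?$"
    description: Regex for the Sysmon service name (Sysmon or Sysmon64).

sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      // Sysmon service(s) currently registered on this endpoint.
      LET Svc = SELECT Name, State
        FROM wmi(query="SELECT Name, State FROM Win32_Service",
                 namespace="root/cimv2")
        WHERE Name =~ ServiceNamePattern

      LET Running = SELECT Name FROM Svc WHERE State = "Running"

      // Decide and act. A stored query is true when it returns rows.
      LET Remediate = SELECT * FROM if(
        condition=Svc,
        then={
          SELECT * FROM if(
            condition=Running,
            then={ SELECT "ok" AS Action, "already running" AS Detail
                   FROM scope() },
            else={ SELECT "start" AS Action, Stdout + Stderr AS Detail
                   FROM foreach(row=Svc, query={
                     SELECT * FROM execve(argv=["sc.exe", "start", Name])
                   }) })
        },
        else={
          SELECT "install" AS Action,
                 "ran Windows.Sysinternals.SysmonInstall" AS Detail
          FROM Artifact.Windows.Sysinternals.SysmonInstall()
        })

      // Re-run the check every CheckPeriodSeconds for the life of the client.
      SELECT timestamp(epoch=now()) AS Timestamp, Action, Detail
      FROM foreach(
        row={ SELECT * FROM clock(period=CheckPeriodSeconds) },
        query=Remediate)
```

Enable it under Client Events for the label or OS you want covered; each tick emits one row per action, so the check itself stays visible on the server rather than silently succeeding.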