zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff1f4bd119e294e82b366862d68e24bd48aac597
gh-agentsecops-secopsagentkit/skills/incident-response/ir-velociraptor/SKILL.md
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

334 lines
12 KiB
Markdown
Raw Blame History

---
name: ir-velociraptor
description: >
Endpoint visibility, digital forensics, and incident response using Velociraptor
Query Language (VQL) for evidence collection and threat hunting at scale. Use when:
(1) Conducting forensic investigations across multiple endpoints, (2) Hunting for
indicators of compromise or suspicious activities, (3) Collecting endpoint telemetry
and artifacts for incident analysis, (4) Performing live response and evidence
preservation, (5) Monitoring endpoints for security events, (6) Creating custom
forensic artifacts for specific threat scenarios.
version: 0.1.0
maintainer: SirAppSec
category: incident-response
tags: [forensics, incident-response, endpoint-detection, threat-hunting, vql, dfir, live-response, evidence-collection]
frameworks: [MITRE-ATT&CK, NIST]
dependencies:
tools: [velociraptor]
references:
- https://docs.velociraptor.app/
- https://github.com/Velocidex/velociraptor
- https://docs.velociraptor.app/artifact_references/
---
# Velociraptor Incident Response
## Overview
Velociraptor is an endpoint visibility and forensics platform for collecting host-based state information using Velociraptor Query Language (VQL). It operates in three core modes: **Collect** (targeted evidence gathering), **Monitor** (continuous event capture), and **Hunt** (proactive threat hunting).
**When to use this skill**:
- Active incident response requiring endpoint evidence collection
- Threat hunting across enterprise infrastructure
- Digital forensics investigations and timeline analysis
- Endpoint monitoring and anomaly detection
- Custom forensic artifact development for specific threats
## Quick Start
### Local Forensic Triage (Standalone Mode)
```bash
# Download Velociraptor binary for your platform
# https://github.com/Velocidex/velociraptor/releases
# Run GUI mode for interactive investigation
velociraptor gui
# Access web interface at https://127.0.0.1:8889/
# Default admin credentials shown in console output
```
### Enterprise Server Deployment
```bash
# Generate server configuration
velociraptor config generate > server.config.yaml
# Start server
velociraptor --config server.config.yaml frontend
# Generate client configuration
velociraptor --config server.config.yaml config client > client.config.yaml
# Deploy clients across endpoints
velociraptor --config client.config.yaml client
```
## Core Incident Response Workflows
### Workflow 1: Initial Compromise Investigation
Progress:
[ ] 1. Identify affected endpoints and timeframe
[ ] 2. Collect authentication logs and suspicious logins
[ ] 3. Gather process execution history and command lines
[ ] 4. Extract network connection artifacts
[ ] 5. Collect persistence mechanisms (scheduled tasks, autoruns, services)
[ ] 6. Analyze file system modifications and suspicious files
[ ] 7. Extract memory artifacts if needed
[ ] 8. Build timeline and document IOCs
Work through each step systematically. Check off completed items.
**Key VQL Artifacts**:
- `Windows.EventLogs.RDP` - Remote desktop authentication events
- `Windows.System.Pslist` - Running processes with details
- `Windows.Network.NetstatEnriched` - Network connections with process context
- `Windows.Persistence.PermanentWMIEvents` - WMI-based persistence
- `Windows.Timeline.Prefetch` - Program execution timeline
- `Windows.Forensics.Timeline` - Comprehensive filesystem timeline
### Workflow 2: Threat Hunting Campaign
Progress:
[ ] 1. Define threat hypothesis and IOCs
[ ] 2. Select or create custom VQL artifacts for detection
[ ] 3. Create hunt targeting relevant endpoint groups
[ ] 4. Execute hunt across infrastructure
[ ] 5. Monitor collection progress and errors
[ ] 6. Analyze results and identify positive matches
[ ] 7. Triage findings and escalate confirmed threats
[ ] 8. Document TTPs and update detections
Work through each step systematically. Check off completed items.
**Common Hunt Scenarios**:
- Lateral movement detection (PsExec, WMI, remote services)
- Webshell identification on web servers
- Suspicious scheduled task discovery
- Credential dumping tool artifacts
- Malicious PowerShell execution patterns
### Workflow 3: Evidence Collection for Forensics
Progress:
[ ] 1. Document collection requirements and scope
[ ] 2. Create offline collector with required artifacts
[ ] 3. Deploy collector to target endpoint(s)
[ ] 4. Execute collection and verify completion
[ ] 5. Retrieve collection archive
[ ] 6. Validate evidence integrity (hashes)
[ ] 7. Import into forensic platform for analysis
[ ] 8. Document chain of custody
Work through each step systematically. Check off completed items.
```bash
# Create offline collector (no server required)
velociraptor --config server.config.yaml artifacts collect \
Windows.KapeFiles.Targets \
Windows.EventLogs.Evtx \
Windows.Registry.Sysinternals.Eulacheck \
--output /path/to/collection.zip
# For custom artifact collection
velociraptor artifacts collect Custom.Artifact.Name --args param=value
```
## VQL Query Patterns
### Pattern 1: Process Investigation
Search for suspicious process execution patterns:
```sql
-- Find processes with unusual parent-child relationships
SELECT Pid, Ppid, Name, CommandLine, Username, Exe
FROM pslist()
WHERE Name =~ "(?i)(powershell|cmd|wscript|cscript)"
AND CommandLine =~ "(?i)(invoke|download|iex|bypass|hidden)"
```
### Pattern 2: Network Connection Analysis
Identify suspicious network connections:
```sql
-- Active connections with process context
SELECT Laddr.IP AS LocalIP,
Laddr.Port AS LocalPort,
Raddr.IP AS RemoteIP,
Raddr.Port AS RemotePort,
Status, Pid,
process_tracker_get(id=Pid).Name AS ProcessName,
process_tracker_get(id=Pid).CommandLine AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
AND Raddr.IP =~ "^(?!10\\.)" -- External IPs only
```
### Pattern 3: File System Forensics
Timeline suspicious file modifications:
```sql
-- Recent file modifications in suspicious locations
SELECT FullPath, Size, Mtime, Atime, Ctime, Btime
FROM glob(globs="C:/Users/*/AppData/**/*.exe")
WHERE Mtime > timestamp(epoch=now() - 86400) -- Last 24 hours
ORDER BY Mtime DESC
```
### Pattern 4: Registry Persistence
Hunt for registry-based persistence:
```sql
-- Common autorun registry keys
SELECT Key.Name AS RegistryKey,
ValueName,
ValueData
FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")
WHERE ValueData =~ "(?i)(powershell|cmd|wscript|rundll32)"
```
For comprehensive VQL patterns and advanced queries, see [references/vql-patterns.md](references/vql-patterns.md)
## Custom Artifact Development
Create custom VQL artifacts for specific investigation needs:
```yaml
name: Custom.Windows.SuspiciousProcess
description: |
Detect processes with suspicious characteristics for incident response.
parameters:
- name: ProcessNameRegex
default: "(?i)(powershell|cmd|wscript)"
type: regex
- name: CommandLineRegex
default: "(?i)(invoke|download|bypass)"
type: regex
sources:
- query: |
SELECT Pid, Ppid, Name, CommandLine, Username, Exe, CreateTime
FROM pslist()
WHERE Name =~ ProcessNameRegex
AND CommandLine =~ CommandLineRegex
```
Save artifacts in YAML format and import via Velociraptor UI or command line.
**For artifact development guidance**, see [references/artifact-development.md](references/artifact-development.md)
## Security Considerations
- **Sensitive Data Handling**: VQL queries can collect credentials, PII, and sensitive files. Implement data minimization - only collect necessary evidence. Use encryption for evidence transport and storage.
- **Access Control**: Velociraptor server access provides significant endpoint control. Implement RBAC, audit all queries, and restrict administrative access. Use client certificates for authentication.
- **Audit Logging**: All VQL queries, hunts, and collections are logged. Enable audit trail for compliance. Document investigation scope and approvals.
- **Compliance**: Ensure evidence collection follows organizational policies and legal requirements. Document chain of custody for forensic investigations. Consider data sovereignty for multi-region deployments.
- **Operational Security**: Velociraptor generates significant endpoint activity. Plan for network bandwidth, endpoint performance impact, and detection by adversaries during covert investigations.
## Common Investigation Patterns
### Pattern: Ransomware Investigation
1. Identify patient zero endpoint
2. Collect: `Windows.Forensics.Timeline` for file modification patterns
3. Collect: `Windows.EventLogs.Evtx` for authentication events
4. Hunt for: Lateral movement artifacts across network
5. Hunt for: Scheduled tasks or services for persistence
6. Extract: Ransomware binary samples for malware analysis
7. Build: Timeline of infection spread and data encryption
### Pattern: Data Exfiltration Detection
1. Collect network connection history: `Windows.Network.NetstatEnriched`
2. Identify large outbound transfers to unusual destinations
3. Correlate with process execution and file access
4. Hunt for: Compression tools or staging directories
5. Examine: Browser downloads and cloud sync activities
6. Review: DNS queries for tunneling or C2 domains
7. Document: Data classification and breach scope
### Pattern: Insider Threat Investigation
1. Collect: User authentication and logon events
2. Track: USB device connections and file transfers
3. Monitor: Sensitive file access patterns
4. Review: Email and browser history (with authorization)
5. Analyze: Print spooler activity for document printing
6. Examine: Cloud storage access and uploads
7. Build: User activity timeline with behavioral anomalies
## Integration Points
- **SIEM Integration**: Export VQL results to Splunk, Elastic, or other SIEM platforms for correlation
- **Threat Intel Platforms**: Enrich IOCs with TIP integrations via VQL plugins
- **SOAR Platforms**: Trigger automated Velociraptor hunts from SOAR playbooks
- **Forensic Suites**: Import Velociraptor collections into X-Ways, Autopsy, or EnCase
- **EDR Interoperability**: Complement EDR with custom VQL detections and forensic depth
## Troubleshooting
### Issue: High CPU Usage During Collection
**Solution**:
- Limit concurrent VQL queries using `rate()` function
- Reduce glob scope to specific directories
- Use `--ops_per_second` limit when creating offline collectors
- Schedule resource-intensive hunts during maintenance windows
### Issue: Client Not Reporting to Server
**Solution**:
- Verify network connectivity and firewall rules (default: TCP 8000)
- Check client logs: `velociraptor --config client.config.yaml logs`
- Validate client certificate and enrollment status
- Ensure server frontend is running and accessible
### Issue: VQL Query Returns No Results
**Solution**:
- Test query in local notebook mode first
- Verify filesystem paths use correct syntax (forward slashes)
- Check plugin availability on target OS
- Use `log()` function to debug query execution
- Review client event logs for permission errors
## Bundled Resources
### Scripts (`scripts/`)
- `vql_query_builder.py` - Generate common VQL queries from templates
- `artifact_validator.py` - Validate custom artifact YAML syntax
- `evidence_collector.sh` - Automate offline collector deployment
### References (`references/`)
- `vql-patterns.md` - Comprehensive VQL query patterns for common IR scenarios
- `artifact-development.md` - Guide to creating custom forensic artifacts
- `mitre-attack-mapping.md` - MITRE ATT&CK technique detection artifacts
- `deployment-guide.md` - Enterprise server deployment and architecture
### Assets (`assets/`)
- `artifact-template.yaml` - Template for custom artifact development
- `hunt-template.yaml` - Hunt configuration template with best practices
- `offline-collector-config.yaml` - Offline collector configuration example
## References
- [Velociraptor Documentation](https://docs.velociraptor.app/)
- [VQL Reference](https://docs.velociraptor.app/vql_reference/)
- [Artifact Exchange](https://docs.velociraptor.app/exchange/)
- [GitHub Repository](https://github.com/Velocidex/velociraptor)
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
Reference in New Issue View Git Blame Copy Permalink