2024-11-09, Hochschule München - R1.006
Velociraptor is an open-source tool developed by Velocidex (now Rapid7) to conduct scalable forensic analyses for large infrastructures. The client-server system allows analysts to distribute forensic queries to many endpoints and provides notebooks for interactive reports. Analysts can use the integrated Velociraptor Query Language to create queries and extend Velociraptor.
This workshop provides an introduction to incident response with Velociraptor.
Cyber attacks are on the rise and affect companies of all sectors and sizes. The damage they cause can put companies in a difficult position. For this reason, security teams must carry out incident response efficiently and effectively to limit the damage and minimize downtime. At the same time, the incident response team must identify all evidence that could allow attackers to regain access to the network. For this purpose, Velocidex (now Rapid7) has developed the open-source tool Velociraptor to conduct scalable forensic analyses for large infrastructures.
The developers initially designed Velociraptor according to the client-server principle. Agents are installed on the systems to be analyzed and establish a permanent connection to a server. Via this connection, an analyst can distribute jobs, so-called hunts, to all or only some of the connected agents. Analysts can also use notebooks to carry out analyses and generate interactive reports. The Velociraptor Query Language (VQL), a proprietary query language, lets analysts write their own queries and adapt existing ones.
This workshop is not just about theory. We will dive into the practical aspects of using Velociraptor for incident response. We will start by getting to know the interface, performing simple hunts, and processing them in notebooks. Then, we will move on to the practical application of VQL, where you will learn to create your own queries.
To fully participate in this workshop, you will need to be able to run a virtual machine with Windows 10 (x64), provided as an OVA file, on your own system. Please note that Apple Silicon is not supported. The virtual machine will also need an internet connection.
incident response, open-source, tools
Christian currently works as a Network Detection Engineer in the German finance sector. Previously, he worked as a forensic analyst and incident handler in international organizations and medium-sized German businesses. With more than ten years of experience in IT security, Christian knows the problems of IT security teams of all kinds, from medium-sized companies to DAX30 corporations. He will shortly join a company doing Incident Response and Managed Detection & Response. Besides learning about new attacker tools and techniques, he tries desperately to reduce his ever-growing stack of articles and books in his spare time.