Velociraptor - Dig Deeper
2021-08-06, 10:45–11:45, Main Track

The recent increase in network compromises and sophistication of attackers has underscored the need to rapidly identify and remediate attacks at a large scale across the enterprise. Having the ability to rapidly collect, detect and remediate across a network is a game changer for any Digital Forensics and Incident Response (DFIR) team. It provides unprecedented visibility into the state of the endpoint and the ability to tailor responses as the investigation evolves. Having this capability in an open-source tool that allows for truly surgical collection – at speed, at scale and free – is a triple bonus.


Velociraptor is fast becoming the standard DFIR tool for hunting at scale. Built around a powerful query language called VQL, which lets responders adapt rapidly as an intrusion unfolds, Velociraptor places unprecedented reach, flexibility and power in their hands.

Unlike more traditional remote forensic tools, which collect large amounts of raw data for offline processing, VQL allows defenders to perform analysis directly on the endpoint. This approach lets defenders collect only the high-value, tactical information needed to inform their response, and turns state-of-the-art digital forensic analysis techniques into detections.

This talk will provide some examples of Velociraptor's use in typical DFIR scenarios, such as compromise assessment, widespread remediation and rapid response. Specifically, we examine the process of going from a detection idea, to writing the VQL that detects it, to hunting a large network (10k+ hosts) to identify the compromised hosts in minutes. Finally, we illustrate how these custom detections can be elevated to real-time monitoring rules (also implemented in VQL) that allow the endpoint to autonomously detect future compromises, even while offline!

Velociraptor is the open source DFIR tool the industry has been crying out for - making large scale DFIR fast, efficient and surgical!

Presentation outline

Problem statement

Have you ever tried to hunt across a large network to quickly identify and remediate an ongoing attack? You probably found that traditional DFIR techniques, such as parsing the NTFS filesystem for evidence of deleted files, parsing Prefetch files for evidence of past program execution, or YARA-scanning large numbers of files, simply do not scale to many thousands of endpoints.

Introducing Velociraptor - deployment architecture and overview

This talk introduces the new standard in open-source DFIR investigations: Velociraptor. The tool simplifies and streamlines many of the common tasks in a traditional DFIR investigation while dealing efficiently with scale.

Example of simple pre-packaged detections (1-2 slides)

Would you like to hunt for executions of LOLBins (living-off-the-land binaries) within a certain time window and in short succession? No problem: Velociraptor can query all your endpoints and answer within minutes.
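As an added example (not code from the talk or from the Velociraptor project), the LOLBin hunt above can be expressed as a custom client artifact over Prefetch. It assumes the built-in Windows.Forensics.Prefetch artifact exposes the Executable, Binary and LastRunTimes columns under those names; the regex, parameter names and date defaults are illustrative choices. Clustering runs of different binaries into a "short succession" is left to the hunt notebook, since the per-endpoint query only needs to return each run inside the window.

```yaml
# Added example artifact (not from the talk or the project).
# Assumption: Windows.Forensics.Prefetch yields Executable, Binary and
# LastRunTimes columns; verify against the artifact shipped with your version.
name: Custom.Windows.Hunt.LolbinPrefetch
description: |
  Report living-off-the-land binaries that ran between DateAfter and
  DateBefore, with run count and first/last run time per binary.
type: CLIENT
parameters:
  - name: LolbinRegex
    default: "(?i)^(certutil|mshta|regsvr32|rundll32|bitsadmin|wmic|cscript|wscript|msiexec|msbuild)\\.exe$"
  - name: DateAfter
    type: timestamp
    default: "2021-07-01T00:00:00Z"
  - name: DateBefore
    type: timestamp
    default: "2021-08-06T00:00:00Z"
sources:
  - query: |
      -- A Prefetch entry carries up to eight LastRunTimes; flatten them into
      -- one row per execution so the time window applies to each run.
      LET Runs = SELECT Executable, Binary, RunTime
        FROM foreach(
          row={
            SELECT Executable, Binary, LastRunTimes
            FROM Artifact.Windows.Forensics.Prefetch()
            WHERE Executable =~ LolbinRegex
          },
          query={
            SELECT Executable, Binary, _value AS RunTime
            FROM foreach(row=LastRunTimes)
          })
        WHERE RunTime > DateAfter AND RunTime < DateBefore

      -- One row per LOLBin seen in the window; sort by FirstRun in the
      -- hunt notebook to spot several binaries firing within minutes.
      SELECT Executable, Binary,
             count() AS Runs,
             min(item=RunTime) AS FirstRun,
             max(item=RunTime) AS LastRun
      FROM Runs
      GROUP BY Executable
```

Load it through the GUI's artifact editor, then start a hunt on it; hosts that return zero rows are the uninteresting ones, and the notebook attached to the hunt can join the remaining rows by ClientId to find endpoints where several LOLBins ran close together.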

What makes this work? VQL introduction

Velociraptor is driven by a unique query language called VQL. This language underpins all Velociraptor's features and allows users to customize their investigations by applying VQL to both control Velociraptor and to adapt to detecting new adversary tools and techniques.

The real game changer with Velociraptor is enabling defenders to go from a blog post or some research about a new vulnerability or attack technique, to a high-quality detection, and then on to a hunt across a vast network, all in minutes.

Case study walk-through (each case about 10 min)

This talk will walk through some of these examples (specific examples may change before the talk):

Scan the NTFS USN journal for webshell install activity within the past days
Build a dynamic file parser in VQL for a new file format just presented by a blog post (e.g. powershell readline history file https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html or a similar example)

The talk will go through the process of building a query from scratch - reading public information about a detection technique, writing some VQL to identify the IOC on a compromised system, then running a hunt on 10k+ machines to identify the compromised hosts. All this will be done using open source tools and freely available resources!
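As an added example (not the talk's or the project's own code), both case studies above can live in one custom artifact with two named sources: one scans the USN journal for script files created under a web root, the other is the "dynamic parser" for the PSReadLine history file from the linked 0xdf post. It assumes parse_usn() yields Timestamp, FullPath, Filename and Reason (a list of reason flags), glob() yields FullPath and Mtime, and parse_lines() yields Line; the regexes, parameter names and the DaysBack default are illustrative.

```yaml
# Added example artifact (not from the talk or the project).
# Assumptions: parse_usn() -> Timestamp, FullPath, Filename, Reason (list);
# glob() -> FullPath, Mtime; parse_lines() -> Line. Check your version's
# VQL reference before hunting with it.
name: Custom.Windows.Hunt.CaseStudies
type: CLIENT
parameters:
  - name: DaysBack
    type: int
    default: 7
  - name: WebRootRegex
    default: "(?i)(inetpub|wwwroot|htdocs)"
  - name: WebshellExtRegex
    default: "(?i)\\.(aspx?|ashx|asmx|php|jsp|jspx)$"
  - name: HistoryGlob
    default: "C:/Users/*/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"
  - name: SuspiciousCmdRegex
    default: "(?i)(DownloadString|DownloadFile|Invoke-WebRequest|IEX|Invoke-Expression|FromBase64String|-enc)"
sources:
  - name: UsnWebshellDrops
    query: |
      -- Case 1: script files created under a web root in the last DaysBack
      -- days, read straight from the $UsnJrnl:$J stream on the endpoint.
      SELECT Timestamp, FullPath, Reason
      FROM parse_usn(device="C:")
      WHERE Timestamp > timestamp(epoch=now() - DaysBack * 24 * 3600)
        AND FullPath =~ WebRootRegex
        AND Filename =~ WebshellExtRegex
        AND "FILE_CREATE" in Reason

  - name: PowerShellHistory
    query: |
      -- Case 2: ConsoleHost_history.txt is one command per line with no
      -- per-line timestamps, so the file's Mtime is the only time we have.
      SELECT * FROM foreach(
        row={ SELECT FullPath, Mtime FROM glob(globs=HistoryGlob) },
        query={
          SELECT FullPath, Mtime, Line AS Command
          FROM parse_lines(filename=PathSpec) -- placeholder, replaced below
        })
```

Two things worth knowing before running this at 10k+ hosts: parse_usn() walks the whole journal, so a narrow time filter is what keeps the per-host runtime short, and the history source matches only command text, so a short, well-chosen SuspiciousCmdRegex matters more than a long one.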

Post hunt analysis - post processing with VQL

We then tour the Velociraptor GUI and see how to quickly examine the compromised endpoints for further triage and remediation. We can interactively collect files, registry keys and raw NTFS artifacts directly through a familiar GUI.

VQL event monitoring - unique on-host detection (2-3 slides)

Finally we discuss VQL's unique real time monitoring capabilities. Unlike other query languages in endpoint tools, the VQL query does not need to have a finite run time. Instead it is possible to write a query which monitors for new events permanently. These "Event Monitoring Queries" can be used to build real time detections for future events.

This approach changes the current state of the art in detection and response. Today, EDR tools forward events from the endpoint to a central SIEM, where backend automated detections raise escalations; operators must then go back to the endpoint to collect additional information or remediate it. This leads to long OODA loops and increases the time between compromise and response.

VQL event monitoring queries bring the response to the endpoint. Once installed, the query encodes a "response plan": the endpoint already knows what to do when a given condition is met, even if it is offline. We term this an autonomous response plan.

Follow-through: implementing the above examples as monitoring queries (2 slides per example)

In the talk, we will follow some of these examples through to the next logical step: deploying event monitoring queries on all endpoints to catch and respond to future compromise. That is, we go from a detection query that, when run, tells us whether the endpoint is compromised, to an event query that will automatically respond in the future when the endpoint is compromised by the same vector. This is unprecedented!
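As an added example (not code from the talk or the project), here is the USN webshell case study elevated to a CLIENT_EVENT artifact: the same filter, but the source is the watch_usn() event plugin, so the query never finishes and fires on each matching journal record. It assumes watch_usn() emits the same Timestamp, FullPath, Filename and Reason columns as parse_usn(); the artifact name, parameters and regexes are illustrative.

```yaml
# Added example artifact (not from the talk or the project).
# Assumption: watch_usn() emits Timestamp, FullPath, Filename, Reason (list)
# like parse_usn(); verify against your version's VQL reference.
name: Custom.Windows.Detection.WebshellDrop
description: |
  Runs permanently on the endpoint. Every USN record for a script file
  written under a web root is reported as an event; the client queues
  events locally while the server is unreachable and forwards them on
  reconnect, so the detection still happens while offline.
type: CLIENT_EVENT
parameters:
  - name: WebRootRegex
    default: "(?i)(inetpub|wwwroot|htdocs)"
  - name: WebshellExtRegex
    default: "(?i)\\.(aspx?|ashx|asmx|php|jsp|jspx)$"
sources:
  - query: |
      -- Trigger on the CLOSE record: USN reason flags accumulate over the
      -- handle's lifetime, so this record also carries FILE_CREATE or
      -- DATA_EXTEND and the file content is complete at that point, which
      -- is where a response step (hash, upload, quarantine) would chain on.
      SELECT Timestamp, FullPath, Filename, Reason
      FROM watch_usn(device="C:")
      WHERE FullPath =~ WebRootRegex
        AND Filename =~ WebshellExtRegex
        AND "CLOSE" in Reason
        AND ("FILE_CREATE" in Reason OR "DATA_EXTEND" in Reason)
```

Enable it through the client event configuration for the relevant label (web servers only; there is no point watching workstations for IIS drops), and treat the regexes as the tunable surface: widening WebRootRegex is cheap, but a loose extension regex on a busy web root will generate events on every deploy.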

Conclusion and call to action

Velociraptor is an open-source DFIR tool that burst onto the scene in 2019 (we initially presented it at the SANS 2019 DFIR Summit). Since then many features have been added, and the tool is quickly becoming the standard DFIR tool for triage, detection and remediation.

Dr. Mike Cohen has over 20 years of experience in applying and developing novel incident response and digital forensics tools and techniques. He has previously worked in the Australian Department of Defence as an information security specialist, at the Australian Federal Police specialising in digital forensics, network and memory forensics, and spent 8 years in Google developing tools such as GRR and Rekall. In 2018, Mike founded the Velociraptor project, an advanced open source DFIR framework. Mike has recently joined Rapid7 to promote and further develop Velociraptor into a fully featured enterprise DFIR toolkit.