Hack.Sydney 2020

02 - 08 Nov Sydney, Australia
Australia's premium InfoSec Training Event
Offensive and Defensive Cyber Streams
Enterprise Hunting and Incident Response with Velociraptor
By Mike Cohen

Course: Enterprise Hunting and Incident Response with Velociraptor

Trainer: Mike Cohen

Training Duration: 3 days

Audience Level: Intermediate

$5000 AUD {BONUS: 1 x HCKSYD 2020 Conference Ticket included}


This 3-day course is an introduction to forensic analysis and incident response for information security professionals. We use a new open source endpoint visibility tool called Velociraptor, developed by Velocidex Enterprises.
Velociraptor is a powerful endpoint tool: you can hunt for artifacts in minutes across thousands of endpoints and perform advanced forensic analysis on the endpoint, rapidly and at scale. Welcome to the future of DFIR!


* This syllabus is subject to change at the discretion of the instructor.

Installation and Introduction to the UI

The old way of performing in-depth forensic analysis and incident response with your existing tools is clearly not adequate, nor does it scale to many endpoints. It is simply too time consuming to analyze many machines and acquire large disk and memory images, let alone actively hunt for indicators of compromise across your entire network.

You have heard that Velociraptor, an advanced open source endpoint visibility tool, is the ideal tool for effectively investigating, hunting and monitoring your endpoints with minimal fuss.

You are excited to install Velociraptor and deploy it to your entire infrastructure. This module is for you! In this module we will deploy Velociraptor and gain an introduction to the basic operation of the tool. We will learn the architecture and the unique mindset behind the tool.

- Installing a typical secure Velociraptor server on a cloud VM.
- Deploying Velociraptor clients on a typical Windows network using Group Policy.
- Introduction to the Velociraptor Query Language (VQL). VQL is the workhorse behind the tool, and mastering it will give you the flexibility you need to adapt to rapidly changing challenges.

Interactive forensic investigation

Velociraptor puts the power of experienced digital forensic investigators at your fingertips!
This module covers, at a high level, the basics of modern forensic analysis techniques.
You will then be able to apply these techniques to answer many questions: determining evidence of malware execution, detecting persistent malware, uncovering malicious user activity and identifying exfiltration of proprietary data.

Basics of Windows Forensics
Armed with an understanding of which forensic artifacts are typically left on a compromised system, you will be able to proactively hunt for them and identify compromise easily.

- NTFS Overview
- Data Streams and the $MFT
- Recovering evidence of deleted files from $MFT and $I30 carving

- What is the Windows Registry?
- Inspecting user hives and user profiles.
- Common registry-based malware persistence mechanisms.

Windows Management Instrumentation (WMI)
- What is WMI and what information does it expose?
- Lateral movement and privilege escalation using WMI: an attacker's favorite!
- WMI persistence mechanisms (filter/consumer bindings).

System Resource Usage Monitor (SRUM)
- The SRUM database can help us determine evidence of past executions, connected networks, bytes sent/received and much more.

Windows Event Logs are the cornerstone of Windows auditing
- How are event logs structured?
- What are event IDs and how do they relate to messages?
- Some examples of common event log messages: lateral movement, PowerShell abuse, etc.

Interactive investigation: collecting artifacts
Throughout this module we will use Velociraptor to gain experience in analyzing and searching for the artifacts discussed.

Triage and data collection: collecting data without an agent

A remote user is suspected of being compromised. The user is on the NBN and, due to limited bandwidth, cannot upload vast amounts of data quickly. You need to triage their system to determine whether it is compromised. You would like to acquire memory, critical files and as much of the system state as possible. Unfortunately, the user is not command line savvy, but luckily they are really good at double clicking a binary!

In this module we learn how to perform offline collection with Velociraptor. We prepare an automatic collection package that simply acquires system state when double clicked.

- Process listing, VADs, mutants, loaded DLLs
- Full memory capture
- Collecting file sets: registry hives, $MFT, etc.
- Configuring an autoexec Velociraptor binary for simple double-click execution.

Lateral movement and hunting

You have discovered evidence of compromise on some of your systems. Your boss wants to know whether the attackers have moved laterally through your network and what the extent of the compromise is. You would like to hunt for the indicators.

- Hash- and file-pattern-based searches (using $MFT analysis and directory walking).
- YARA and signature-based searching: searching both files and memory for patterns.
- Performance management of endpoints.

Monitoring for events

You have learned a great deal in this course about how to detect malware, lateral movement and compromise. But so far everything has been reactive: we were looking at forensic evidence left behind after the fact. What you really want is to design monitoring and alerting that lets you know when evidence of compromise is found, in real time. Luckily, Velociraptor is a complete endpoint monitoring and response tool!

- Introduction to Velociraptor's event monitoring framework.
- Windows Event Log forwarding and classification. Event log enrichment and prioritization.
- Monitoring for changes in system state: new file executions and high-risk files such as Office macros and remote PowerShell.

Integrating Velociraptor with external systems

In this module we will use Velociraptor as part of a larger system. We configure and install Elastic and Kibana, then forward monitored events to Elastic.

- Configuring log forwarding of critical events: event log forwarding on the endpoint, including enrichment that is only possible on the endpoint, such as hashing and obtaining copies of critical files.
- Building Kibana dashboards for monitoring collected events.
- Writing alerting rules for escalations.

The proposed course is an extended version of the 2-day course we usually offer.
We will provide a deep dive into how to use Velociraptor in realistic scenarios.
NOTE: our course is very hands-on and teaches actionable information.
Our company provides support (on an hourly basis). Delegates will receive a 2-hour support credit by attending the course.
They will also receive access to the online version of the course (which is not as extensive as the 3-day course but contains videos and reference material useful for revising the content).



Mike is a renowned digital forensic researcher and senior software engineer. He has developed and supported leading open-source DFIR projects for over two decades.

Mike is our "Digital Paleontologist" and brings his years of expertise to the role of principal developer of Velociraptor.

