Starting with Velociraptor Incident Response

  • Published 25 May 2024
  • Velociraptor IR (Incident Response) is an open-source endpoint visibility tool. You can monitor many clients across networks, run hunts against every enrolled client, or target a subset of relevant systems by label. Use Velociraptor IR for client monitoring, threat hunting, response tasks, and digital forensic triage.
    This video walks through setting up Velociraptor IR in a test environment to familiarize you with its layout and features; specifically, how to enroll, monitor, and hunt across clients.
    Thank you to our Members and Patrons, but especially to TheRantingGeek, Kuek Dekuek, Wilson L, Steven Lorenz, Steffen Luithardt, pjs, Lorie Hermesdorf, Carlos E Gallo Monteiro, Roman! Thank you so much!
    00:00 Velociraptor Incident Response
    00:44 WARNING
    01:02 Downloading Velociraptor IR
    02:36 Verify Velociraptor IR binaries (IMPORTANT)
    03:17 Download Velociraptor IR developer key
    04:53 Setting binary run permissions in Linux
    05:32 Velociraptor IR first run
    06:33 Creating client and server configs
    12:42 Client config file - set server local IP address
    13:36 Copy client config to clients
    14:01 Start the Velociraptor IR server GUI
    14:54 Velociraptor IR interface first run
    15:25 Start and enroll the Velociraptor IR client
    18:17 Velociraptor IR search clients
    20:04 Velociraptor IR add client labels
    21:45 Velociraptor IR client management interface
    22:01 Velociraptor IR client - Interrogate
    22:22 Velociraptor IR client - Virtual File System (VFS)
    24:34 Velociraptor IR client - Collected
    24:57 A quick look at Velociraptor data store structure
    26:14 Velociraptor IR client - Quarantine Host
    26:51 Velociraptor IR client - Overview
    26:55 Velociraptor IR client - VQL Drilldown
    27:11 Velociraptor IR client - Shell
    28:05 Left Menu Feature Tour
    28:20 Hunts
    28:35 Create a hunt
    30:46 Select hunt artifacts
    31:01 Velociraptor IR Artifact Exchange
    31:33 Linux.Search.FileFinder
    32:41 Configure artifact parameters
    33:18 Regular expressions
    36:34 Specify Resources
    37:21 Review
    37:31 Launch hunt
    38:10 View hunt results
    39:59 View/Edit Artifacts
    40:48 Server Events
    41:33 Create a new server monitor
    42:07 Server Artifacts
    42:13 Notebooks
    43:03 Host Information
    43:13 Host Specific Options
    43:26 Host Monitoring
    43:36 Create a new client monitor
    46:01 Main Features Review
    46:49 Where to find more resources
    48:17 Thank you for your support!
    🚀 Full Digital Forensic Courses → learn.dfir.science
    Links:
    * Velociraptor IR Docs: docs.velociraptor.app/
    * Download Velociraptor IR: github.com/Velocidex/velocira...
    * Velociraptor IR Blog: velociraptor.velocidex.com
    Related book:
    * Incident Response in the Age of Cloud (amzn.to/3QsY7cf)
    * Cybersecurity Masters Guides (amzn.to/3B207CL)
    #incidentresponse #forensics #velociraptor #dfir #infosec
    Get more Digital Forensic Science
    👍 Subscribe → bit.ly/2Ij9Ojc
    ❤️ YT Member → bit.ly/DFIRSciMember
    ❤️ Patreon → / dfirscience
    🕸️ Blog → DFIR.Science
    🤖 Code → github.com/DFIRScience
    🐦 Follow → / dfirscience
    📰 DFIR Newsletter → bit.ly/DFIRNews
    Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.
  • Science & Technology
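Added example for the client-config steps in the outline above (12:42 set the server address, 13:36 copy the config to clients). This is editor-written shell, not code from the video or from the Velociraptor project. In a default lab-generated client.config.yaml the only entry under Client.server_urls is typically https://localhost:8000/, which enrolls a client running on the server itself and nothing else, so a practitioner wants a repeatable way to rewrite that URL and a check that catches a config copied out before it was changed. The sample config body, the 192.0.2.10 server address and the function names are constructed for the example; a real client config also carries the server CA certificate and nonce, which the rewrite leaves untouched.

```shell
#!/bin/sh
# Editor-added example, not part of the video or the Velociraptor project.
# Rewrites and sanity-checks Client.server_urls in a generated
# client.config.yaml before the file is copied to clients.

# Constructed stand-in for a lab client.config.yaml.  The certificate body
# and nonce are placeholders; a real file is produced on the server with
#   velociraptor --config server.config.yaml config client > client.config.yaml
SAMPLE_CLIENT_CONFIG='version:
  name: velociraptor
Client:
  server_urls:
  - https://localhost:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    MIIBconstructedPlaceholderNotARealCertificate==
    -----END CERTIFICATE-----
  nonce: c0nstructedN0nce=
  writeback_linux: /etc/velociraptor.writeback.yaml
'

# Print the single server URL listed under Client.server_urls.
get_server_url() {
  sed -n '/^  server_urls:/{n;s#^  - ##p;}' "$1"
}

# Replace the server URL with one clients can reach (LAN address in a lab,
# or the public address/DNS name that is port-forwarded to the frontend).
# Rejects anything that does not look like https://host:port/ so a missing
# scheme or trailing slash is caught here rather than at enrollment time.
set_server_url() {
  file=$1; url=$2
  case "$url" in
    https://*/) ;;
    *) echo "refusing '$url': expected https://host:port/ with trailing slash" >&2
       return 1 ;;
  esac
  tmp=$(mktemp)
  # Only the line after 'server_urls:' is edited; CA cert and nonce stay as generated.
  sed "/^  server_urls:/{n;s#^  - .*#  - $url#;}" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Check a client config before it leaves the server: a URL still pointing at
# localhost means remote clients will never enroll, and a missing CA
# certificate or nonce means the client cannot authenticate to the frontend.
check_client_config() {
  url=$(get_server_url "$1")
  case "$url" in
    ""|*localhost*|*127.0.0.1*)
      echo "$1: server_urls is '$url'; only a client on the server itself could enroll" >&2
      return 1 ;;
  esac
  grep -q '^  ca_certificate: |' "$1" || { echo "$1: ca_certificate missing" >&2; return 1; }
  grep -q '^  nonce: ' "$1" || { echo "$1: nonce missing" >&2; return 1; }
  echo "$1: ok, clients will connect to $url"
}

# Demo on the constructed config: fails the check as generated, passes once
# the server address (192.0.2.10, an assumed lab address) has been set.
demo() {
  cfg=$(mktemp)
  printf '%s' "$SAMPLE_CLIENT_CONFIG" > "$cfg"
  check_client_config "$cfg" || true
  set_server_url "$cfg" "https://192.0.2.10:8000/"
  check_client_config "$cfg"
  rm -f "$cfg"
}

demo
```

The URL you set is the one clients must be able to reach: the server's LAN address inside a lab, or, when clients sit outside the network, the public address or DNS name whose forwarded port lands on the frontend (8000 by default). The client config is plain YAML and is not tied to the OS it was generated on, so a file produced on a Linux server can be copied to a Windows host and used with the Windows binary (velociraptor.exe --config client.config.yaml client -v, or installed as a service as the docs describe).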

COMMENTS • 8

  • @mohamedaltairy3570
    @mohamedaltairy3570 1 year ago +1

    Outstanding walkthrough, can't wait for the rest of the series, in addition to an explanation of implementation and operation within a working environment. Keep the awesome work up, folks, you are true legends.

  • @NetworkITguy
    @NetworkITguy 1 year ago +1

    A great presentation! Thank you.

  • @arsalananwar8265
    @arsalananwar8265 1 year ago

    Nice information

  • @NetSeChef
    @NetSeChef 1 year ago

    Thank you, this was awesome! Assuming you enable port forwarding for clients outside of your network, which IP should you use in the configuration.yml?

  • @MohamedAltairy
    @MohamedAltairy 1 year ago

    How to perform installation of the configuration file on a Windows machine, please?

  • @christophertharp7763
    @christophertharp7763 3 months ago

    If your server is Linux and your client is Windows, can you create the client config file on the Linux server, copy the config file to the Windows device, and execute the Windows binaries with the Linux-built client config file?

  • @NeutralHumanKing
    @NeutralHumanKing 1 year ago

    How can I buy your course?