Endpoint Detection and Response using - Velociraptor
Velociraptor is a sophisticated digital forensic and incident response tool that improves visibility into endpoints. It was developed by DFIR professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints.
Velociraptor Query Language gives Velociraptor power and flexibility. VQL is a framework for creating highly customized artifacts, which allows you to collect, query, and monitor almost any aspect of an endpoint, groups of endpoints, or an entire network. It can also be used to create continuous monitoring rules on the endpoint, as well as automate tasks on the server. (source: https://docs.velociraptor.app/docs/overview/)
From an incident response perspective, it is necessary for the responder to have the ability and skill to quickly triage to patient zero without performing an interactive logon. This is also because during an incident, multiple endpoints might be involved and performing an interactive logon on each of these endpoints is not an ideal response for any responder.
Let’s dive into Velociraptor and what’s the one cool thing about it? It’s called Artifacts.
What are Artifacts? Artifacts are mini-programs which are composed of VQL queries. This allows Velociraptor users to search for the query by name or description and simply run the query on the endpoint without necessarily needing to understand or type the query into the UI. (source: https://docs.velociraptor.app/docs/vql/artifacts/)
Velociraptor has an artifact named Windows.Memory.Acquisition which function is to acquire the live memory to its client using the WinPmem tool, which gives a responder the ability to triage the system’s volatile data.
#note: This may take a while depending on the resources on your system you’re working on.