Last time: Part 1
Shortly after I wrote about getting started with the endpoint hunting/monitoring tool Velociraptor, a new release came out that introduced some GUI improvements, more Windows deployment options (and probably most importantly some improved artefact handling — but we’re not ready for that yet). This post will show you how to upgrade your deployment and run the server as a service on Linux and the client as a service on Windows.
Upgrading the Velociraptor server
I’m going to gloss over some of the detail because Part 1 has getting started blow-by-blow:
wget https://github.com/Velocidex/velociraptor/releases/download/v0.3.1/velociraptor-v0.3.1-linux-amd64
mv velociraptor velociraptor.old.v0.3.0
mv velociraptor-v0.3.1-linux-amd64 velociraptor
chmod +x velociraptor
This time we are going to deploy it as a service so it comes back to life if the box is rebooted. Velociraptor can produce a .deb that is perfect for installing onto a Linux-based box.
./velociraptor --config ../etc/server.config.yaml debian server
sudo dpkg -i velociraptor_0.3.1_server.deb
sudo systemctl status velociraptor_server.service
One of the signature improvements of this v0.3.1 release is the inclusion of a signed Windows installer, which promises to improve the deployment experience for Windows shops (I didn’t have any issues with the .exe, but I also did not deploy it at scale, nor using a sensible security model, nor into a corporate environment).
Let’s test out the new .msi to make sure it can walk the talk.
1. Get velociraptor-v0.3.1-windows-4.0-amd64.msi onto your victim (Windows host)
   - Put the
2. Run velociraptor-v0.3.1-windows-4.0-amd64.msi
Did it work?
Yes — but the GUI seems to perform better in Chrome. Experience has taught me that if you’re getting aggravated, thinking this is way worse than before they updated it, try testing it with a browser that the developers actually support.
I had a few issues getting the client to connect. Make sure you follow the instructions for generating a client.config.yaml and then actually have it in the right spot. Open it and check that the configuration options are correct. Check network connectivity between your server and client, then run the client interactively:
C:\Program Files\Velociraptor\velociraptor.exe --config client.config.yaml frontend -v
with the -v for verbose output to spot any errors. I could not write to velociraptor.writeback.yaml and had to manually create the file.
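The checks above, gathered into a pre-flight script for the Windows client (an added example, not code from the original post or from the Velociraptor project). It assumes the default .msi install path, a client.config.yaml copied next to the binary, the standard server_urls list in that file, and the velociraptor client subcommand for running the agent in the foreground.

```powershell
# Added example: pre-flight checks for the Velociraptor Windows client.
# Assumptions: default .msi install path, client.config.yaml copied alongside
# velociraptor.exe, server_urls entries in that file, 'client' subcommand.
$InstallDir = 'C:\Program Files\Velociraptor'
$Exe        = Join-Path $InstallDir 'velociraptor.exe'
$Config     = Join-Path $InstallDir 'client.config.yaml'

# 1. The config must exist where the client will look for it.
if (-not (Test-Path $Config)) {
    throw "client.config.yaml not found at $Config - generate it on the server and copy it here"
}

# 2. Pull the server URL(s) out of the YAML list (plain line match, no YAML parser).
$serverUrls = Select-String -Path $Config -Pattern '^\s*-\s*(https?://\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if (-not $serverUrls) { throw "no server_urls entries found in $Config" }

# 3. Check TCP reachability of each frontend before blaming the client config.
foreach ($url in $serverUrls) {
    $u = [Uri]$url
    $r = Test-NetConnection -ComputerName $u.Host -Port $u.Port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $u.Host, $u.Port, $r.TcpTestSucceeded
}

# 4. The writeback file must be creatable in the working directory; the post
#    hit a permission problem here and had to create it by hand.
$writeback = Join-Path $InstallDir 'velociraptor.writeback.yaml'
if (-not (Test-Path $writeback)) {
    try   { New-Item -ItemType File -Path $writeback -ErrorAction Stop | Out-Null }
    catch { Write-Warning "cannot create $writeback - run as Administrator or fix the ACL" }
}

# 5. Run the client in the foreground with verbose logging to see connection errors.
Set-Location $InstallDir
& $Exe --config $Config client -v
```

Run it from an elevated PowerShell prompt; a failed step 3 points at firewalls or a wrong server_urls entry, while a warning at step 4 is the same permissions problem described above.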
We’ve caught back up to the release cycle and have successfully upgraded our deployment. Before my next post I aim to enrol the rest of my endpoints so we can test out some actual hunting techniques.