Incident Response and Threat hunting using Velociraptor — Pt.1

Nived Sawant
Jan 4, 2024


Welcome to Part 1 of our three-part series delving into threat hunting using Velociraptor. Keep an eye out for updates and check the link at the end of the document for the additional parts of this blog.

Introduction:

Velociraptor is an open-source tool for collecting host-related information from endpoints using Velociraptor Query Language (VQL) queries.
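As an added illustration (not from the original post), here are two VQL queries of the kind Velociraptor runs on a client. The `info()` and `pslist()` plugins are built into Velociraptor; the column selection and the regex filter on the executable path are assumptions chosen for this example, not anything the post prescribes.

```vql
-- Added example: basic host inventory from the built-in info() plugin
SELECT Hostname, Fqdn, OS, Platform, Architecture
FROM info()

-- Added example: running processes whose executable lives under a
-- user-writable location (AppData or Temp). The pattern is an assumption
-- for illustration; tune it to your environment.
SELECT Pid, Ppid, Name, Exe, CommandLine
FROM pslist()
WHERE Exe =~ "(?i)AppData|Temp"
```

Both queries can be pasted into a notebook in the Velociraptor web interface or wrapped in a custom artifact and scheduled as a hunt across all enrolled clients; the second one is a simple starting point for spotting executables launched from locations where a normal user can write.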

Installation guide:

For this lab, I have referred to the following GitHub repo for installation: IntroLabs/IntroClassFiles/Tools/IntroClass/Velociraptor/Velociraptor.md at master · strandjs/IntroLabs · GitHub

It is fairly simple to follow and briefly explains how to set up the Velociraptor server and clients.

Velociraptor web interface:

Clients installed:

1 x Windows 10 machine

In order to generate some artifacts to hunt, we will be detonating some funny stuff on our client machine(s).

Architecture:

Stay tuned for more insightful content :)
