Deploying Velociraptor in AWS using CloudFormation — Scaling forensic acquisition
One of the biggest challenges in Digital Forensics and Incident Response is evidence acquisition. The questions that come up usually revolve around this: “Where is the server located?”, “How can we plug in an SSD/HDD drive for memory and disk acquisition?”, or scenarios like “The incident is in Australia but the IR specialist is located in the UK — we need to book our Incident Handler a flight to acquire images”. There are solutions like F-Response for remote acquisition, but there’s an open source, enterprise-grade player in town called Velociraptor (I’ve heard people calling it “Velo” for short, which I will be using here as well), developed by Michael Cohen and recently acquired by Rapid7.
For those who want to get started and can’t be bothered to read my use case for this implementation — please go here.
I decided to write this blog mainly because I enjoy working with open source products, and Velociraptor is such an awesome tool to use because of how easy forensic artefact collection is. Velo is actually not just for forensic acquisition; it also has EDR and threat hunting capabilities.
The main use cases I have for this project are:
- I won’t be collecting images on a daily basis, so I need a server that can be decommissioned when not needed and can be quickly deployed when responding to an incident. AWS CloudFormation
- Deploying the collection server only takes a few minutes, ideally <5mins. AWS EC2
- The server is cloud based, so clients can be deployed in any part of the world. AWS EC2
- The forensic collection process is fast and scalable. — Velociraptor!
There are 6 main parts to this blog:
1. Creating the Velo config files
2. Creating a CloudFormation Template
3. Uploading config files in AWS S3 and Elastic IP
4. Deploying the Velo server via CloudFormation
5. Installing Velociraptor clients
6. Sample Artefact Collection
LET’S START!
I. Creating the Velo config files
The Velo team did a wonderful job on the tool’s quick deployment (unlike other open source tools where configuring the server is such a puzzle! **Ahem, Elastic EDR**). I did the demo on Windows for this section, but it can also be done on Linux (exactly the same commands with the ELF file). Download the latest binary from GitHub, open PowerShell, create a directory, change to that directory and run the commands:
PS> $ProgressPreference = 'SilentlyContinue'  # this removes the progress bar for a faster download
PS> Invoke-WebRequest -Uri "https://github.com/Velocidex/velociraptor/releases/download/v0.6.3/velociraptor-v0.6.3-windows-amd64.exe" -OutFile ".\velociraptor-v0.6.3-windows-amd64.exe"
PS> .\velociraptor-v0.6.3-windows-amd64.exe config generate -i
***Or you can just download the binary from the GitHub page directly, change directory to the folder location and run the last command above.
Generator questions (screenshot below):
- What OS will the server be deployed on? linux (we will be deploying on an EC2 instance)
- Path to datastore directory? Press enter for the default (/opt/velociraptor). Ideally, in an AWS production setting, an additional EBS volume is mounted on the EC2 instance and Velo’s datastore is located there.
- For the purpose of this demo we’ll be using a self-signed certificate. But in a production setting, where hundreds to thousands of clients connect to it, a Let’s Encrypt verified certificate is the minimum; it can be selected here as well (you need your own domain). Select “Self Signed SSL”.
- What is the public DNS name of the Master Frontend (e.g. www.example.com)? Ideally you have a registered domain name, but creating an Elastic IP in AWS EC2 and using its public DNS also works (which is what I did). For example, if the Elastic IP is 5.6.7.8 and it is located in ap-southeast-2 (Sydney), enter ec2-5-6-7-8.ap-southeast-2.compute.amazonaws.com. Otherwise you can proceed with the default localhost and edit the config file later with the actual public DNS name tied to the server.
- Enter the frontend port to listen on (default is 8000). I entered 80, as most enterprise settings only allow outbound 443 and 80.
- Enter the port for the GUI to listen on (default is 8889). I entered 443.
- Are you using Google Domains DynDNS? N
- GUI username or email address to authorize (empty to end): velocloudformation (for demo use)
- Enter password
**There is an option to add more users: steps 8 and 9 repeat until an empty username is entered.
- Path to the logs directory (/opt/velociraptor/logs). You can hit enter for the default or type in /var/log, which is the standard location for logs in Linux (this is useful if you are pointing your SIEM/log collector at /var/log).
- Where should I write the server/client config file? Hitting enter twice will write both files to the current directory.
***optional***
In an enterprise setting an outbound HTTP proxy is commonly used. The proxy key is not in the current client config file; good thing I’m part of the Velo Discord channel and asked Michael how to configure proxy settings on the client. He responded and sent me this link.
II. Uploading config files in AWS S3 and Elastic IP
After generating the config files we need to create a bucket in AWS S3 and upload the server.config.yaml file. The reason is that when we deploy the Velo server, the EC2 instance, which has an S3 read-only role, will pull the config file from it.
!!! Make sure the bucket is not publicly accessible.
In addition, while it is not recommended by the Velo team, let’s update the bind address in server.config.yaml under the GUI section from 127.0.0.1 to 0.0.0.0 so the server is globally reachable. In a production environment a compensating control is to use an EC2 security group to limit access.
Remember the bucket name where server.config.yaml is uploaded; we need it in the next section for the CloudFormation template.
Uploading server.config.yaml will look like this:
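As an added example (not from the post, which creates the bucket by hand in the console), this is the same bucket declared in CloudFormation so that the “not publicly accessible” requirement is enforced rather than remembered; server.config.yaml holds the server’s CA and frontend private keys, which is why this matters. The bucket name is the one the post uses; the encryption and versioning settings are my additions.

```yaml
Resources:
  rVelociraptorConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: velocloudformation  # the name referenced later by the EC2 role's S3 policy
      PublicAccessBlockConfiguration:  # all four settings: ACLs and bucket policies are blocked separately
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
      BucketEncryption:  # added: encrypt the config (and its private keys) at rest
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:  # added: keeps earlier copies if the config is overwritten by mistake
        Status: Enabled
Outputs:
  ConfigBucketName:
    Value: !Ref rVelociraptorConfigBucket
```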
III. Creating the CloudFormation Template
I’ve uploaded the CloudFormation template to GitHub, but let’s run through the different parts of the template.
- Parameters (starting letter p)
  - pSshKeyName: when deployed, it will ask which public key you want to use to SSH into the EC2 instance
  - pVpcID: which VPC you want to deploy the EC2 instance in
  - pSubnetID: which subnet under the VPC you want to deploy the EC2 instance in
  - pInstanceType: the type or size of the EC2 instance. Choices are t2.nano, t2.micro, t2.small and t2.medium. The Velo docs mention a t2.large for 10k endpoints, but the main use case is forensic collection, so a t2.small would suffice; t2.micro is there mainly for testing. You can update the yaml file to include t2.large if needed.
- Resources (starting letter r)
  - rPublicAccessSecurityGroup: creates the EC2 security group to allow inbound 22 (SSH), 443 (HTTPS) for the web UI, and 80 (HTTP) for the client frontend.
  - rVelociraptorInstanceRole: creates a new IAM role; under it is the AssumeRole policy that allows the EC2 instance to assume the role, whose permissions come from rVelociraptorPolicy below.
  - rVelociraptorInstanceProfile: the instance profile for the IAM role.
  - rVelociraptorPolicy: the IAM policy attached to the IAM role for the EC2 instance. s3:ListBucket (Allow) lets the EC2 instance list the contents of the velocloudformation bucket, and s3:GetObject (Allow) lets it read all the objects inside the velocloudformation bucket. ***This is important, as we want the Velo EC2 instance to only have a read-only role on the specified bucket and not on other buckets within the account.***
  - rVelociraptor: the EC2 resource for the Velo server. The key content here is the “User Data”, where a bash script is run. In summary: create a velociraptor folder, copy the config from S3, download the Velo binary from GitHub (or you can put it in S3 and copy it from there), create a Velo daemon, and register and run it.
  - rElasticIP: I created an Elastic IP beforehand and hard coded the AllocationId; this way I won’t make a mistake by attaching the wrong Elastic IP, because the clients are configured to connect to this IP/public DNS.
- Outputs
  - VelociraptorHostname: the output is the public DNS of the Elastic IP.
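The template the post walks through, reconstructed here as an added example from the resource descriptions above rather than copied from the author’s GitHub file. It assumes an Amazon Linux 2 AMI (ami-PLACEHOLDER), keeps the post’s eipalloc-xxxxxx placeholder, parameterises the bucket name the post hard-codes, and uses the binary’s own rpm server command to build and install the systemd-managed daemon, which is my choice for the “create a daemon” step.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  pSshKeyName: {Type: 'AWS::EC2::KeyPair::KeyName'}
  pVpcID: {Type: 'AWS::EC2::VPC::Id'}
  pSubnetID: {Type: 'AWS::EC2::Subnet::Id'}
  pInstanceType: {Type: String, Default: t2.small, AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium]}
  pConfigBucket: {Type: String, Default: velocloudformation}  # bucket holding server.config.yaml (the post hard-codes it)
Resources:
  rPublicAccessSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Velociraptor SSH (22), GUI (443) and client frontend (80)
      VpcId: !Ref pVpcID
      SecurityGroupIngress:  # 0.0.0.0/0 mirrors the post; narrow 22 and 443 to your own ranges in production
        - {IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: 0.0.0.0/0}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}
  rVelociraptorInstanceRole:  # trust policy only: EC2 may assume the role, permissions come from rVelociraptorPolicy
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: {Version: '2012-10-17', Statement: [{Effect: Allow, Principal: {Service: ec2.amazonaws.com}, Action: 'sts:AssumeRole'}]}
  rVelociraptorPolicy:  # read-only and scoped to the one bucket: no other S3 data in the account is reachable from the box
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: velociraptor-config-readonly
      Roles: [!Ref rVelociraptorInstanceRole]
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - {Effect: Allow, Action: 's3:ListBucket', Resource: !Sub 'arn:aws:s3:::${pConfigBucket}'}
          - {Effect: Allow, Action: 's3:GetObject', Resource: !Sub 'arn:aws:s3:::${pConfigBucket}/*'}
  rVelociraptorInstanceProfile: {Type: 'AWS::IAM::InstanceProfile', Properties: {Roles: [!Ref rVelociraptorInstanceRole]}}
  rVelociraptor:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-PLACEHOLDER  # assumption: an Amazon Linux 2 AMI for your region (ships the aws CLI used below)
      InstanceType: !Ref pInstanceType
      KeyName: !Ref pSshKeyName
      SubnetId: !Ref pSubnetID
      SecurityGroupIds: [!Ref rPublicAccessSecurityGroup]
      IamInstanceProfile: !Ref rVelociraptorInstanceProfile
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          mkdir -p /opt/velociraptor && cd /opt/velociraptor
          aws s3 cp s3://${pConfigBucket}/server.config.yaml .
          wget -q https://github.com/Velocidex/velociraptor/releases/download/v0.6.3/velociraptor-v0.6.3-linux-amd64 && chmod +x velociraptor-v0.6.3-linux-amd64
          ./velociraptor-v0.6.3-linux-amd64 --config server.config.yaml rpm server && rpm -i velociraptor_*_server.rpm  # builds and installs the systemd-managed server package
  rElasticIP: {Type: 'AWS::EC2::EIPAssociation', Properties: {AllocationId: eipalloc-xxxxxx, InstanceId: !Ref rVelociraptor}}
Outputs: {VelociraptorHostname: {Value: !GetAtt rVelociraptor.PublicDnsName}}  # the EIP's public DNS once associated
```

The stack will fail to create if the bucket or the Elastic IP does not exist beforehand, so create both before deploying.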
IV. Deploying the Velo server via CloudFormation
Download the CF template yaml file and save it on your local machine, then update the variables such as the bucket name where server.config.yaml is located and the Elastic IP AllocationId (eipalloc-xxxxxx).
Go to the CloudFormation service and select Create stack — With new resources (standard).
Upload velo_cf.yaml.
Click Next twice, tick “I acknowledge that AWS CloudFormation might create IAM resources” and then click “Create stack”.
In less than 2 mins, the Velo server is provisioned.
Open the output DNS in a new tab using HTTPS (443). You should get an HTTPS warning (because of the self-signed certificate), and after proceeding you should get an HTTP auth login.
After logging in you will be welcomed by our shielded friend!
V. Installing Velociraptor clients
Windows installation — straightforward and installed as a service.
PS> .\velociraptor-v0.6.3-windows-amd64.exe --config client.config-80.yaml service install
Linux (rpm - mainly for AL2)
The last 2 lines are for the installation of the client; the whole code block is the user data for when you deploy an AL2 instance (update the bucket name when you plan on using this). See screenshot below:
#!/bin/bash
# user data for an AL2 client: the instance needs a read-only S3 role on the bucket, like the server, for the aws s3 cp to work
sudo mkdir /opt/velociraptor
sudo aws s3 cp s3://velocloudformation/client.config.yaml /opt/velociraptor
sudo wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.3/velociraptor-v0.6.3-linux-amd64 -P /opt/velociraptor/
sudo chmod +x /opt/velociraptor/velociraptor-v0.6.3-linux-amd64
# build the client rpm (binary, config and systemd unit) from the binary itself, then install it
sudo /opt/velociraptor/velociraptor-v0.6.3-linux-amd64 --config /opt/velociraptor/client.config.yaml rpm client
sudo rpm -i velociraptor_0.6.3_client.rpm
Afterwards you should be seeing agents checking in!
To be continued -
VI. Sample Artefact Collection