Ashish Bansal
9 min read · Oct 24, 2022

Velociraptor — Open Source EDR (Must Explore)

Many companies, including start-ups, have started to realize the importance of endpoint security. However, making the right choice and allocating the budget can be a lengthy process.

So it is better to list the requirements first and run a proper vendor/product evaluation process.

As a first step, I would highly recommend starting with something small and then building your business requirements around it. Once you can show the value to the business, it becomes much easier to justify a potential upgrade.

EPP and EDR are both part of endpoint protection, but the scope of this article is limited to EDR.

EDR adds an extra layer of protection by detecting and containing security incidents on vulnerable endpoints (hosts). These detections can be custom rules or come pre-packaged as part of the EDR offering.

Velociraptor EDR

Velociraptor ASCII — Just for Fun!

It is an open source endpoint monitoring, digital forensics and incident response tool that provides in-depth visibility into your endpoints.

If you love Osquery, then this is the way to go, and you can still configure your existing Osquery deployment to talk to the Velociraptor setup.

It also has its own query language, the Velociraptor Query Language (VQL), which lets you collect artifacts and query and monitor your endpoints.

Velociraptor Components & Architecture:

Velociraptor Components & Architecture: Representation by Ashish Bansal

I will be setting up Velociraptor in a GCP environment, so just follow along.

We will perform the following steps:

1. Sign up for a domain name. (To be done by you; select any domain name.)
2. Provision a GCP instance (VM) and assign it a static IP. (Not shown.)
3. Create a Cloud DNS zone and update the domain records.
4. Download the Velociraptor binary and generate the server and client config files.
5. Set up the Velociraptor server and create a user.
6. Set up the Velociraptor client on Ubuntu and Windows.
7. Troubleshooting steps.

Detailed Steps:

Steps 1 and 2 need to be performed by you; if any help is needed, please message me.

  • Assign a static IP to the GCP instance:

Search for VPC Network and then look for IP Addresses

Look for Instance IP

Look for your instance name with access type External and click RESERVE.

Create a firewall rule allowing inbound TCP on ports 8000, 8001 and 8889.

The ports required:

  • TCP/8000: client-server communication
  • TCP/8889: Velociraptor server GUI
  • TCP/8001: API access

GCP Firewall Rule

Create Cloud DNS and update Domain records:

  1. Cloud DNS > DNS Zone > Add Zone Name > Add Domain Name in DNS Records > Add CNAME and A record.
Search for Cloud DNS

Create Zone: Provide Zone Name and DNS Name:

Create DNS Zone

Now you will see two records created by default: SOA and NS.

Default Records

Add two new records, A and CNAME, using Add Record Set.

Use the static IP of your Velociraptor instance. (My IPs might be different.)

Create the A record and provide the domain name.

Create the CNAME record: you can create a subdomain if you want.

Create CNAME Record

You are done with the DNS record update on GCP, but you will also have to copy the NS records from GCP into your domain provider's console.

Something like this:

GCP NS Records

Domain Provider Console:

Update Domain NS Names

If you want to test the DNS entries, you can install NGINX on your GCP instance.

sudo apt-get update

sudo apt-get install nginx

NGINX Installation

Check your domain: if it loads the NGINX welcome page, DNS is working.

My suggestion would be to take a 5-minute break to avoid exhaustion.

Setup Velociraptor Server: Download Velociraptor Binary

$ wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.6-1/velociraptor-v0.6.6-1-linux-amd64
Download Velociraptor Binary

Make the binary executable:

chmod +x velociraptor-v0.6.6-1-linux-amd64

Try --help and --help-long to understand the options:

--help-long options
Other options

Generate the config files for the server and client; they will be used to build the server and client packages.

./velociraptor-v0.6.6-1-linux-amd64 config generate -i

Refer to the screenshot below for details after selecting the OS.

Velociraptor Config Generate

Update bind_address for the GUI in server.config.yaml

Update the config: $ sudo vi /etc/velociraptor/server.config.yaml
- Change 127.0.0.1 under GUI to 0.0.0.0 (accessible from any interface; the GCP firewall rule on 8889 is then what limits who can reach the GUI, so keep its source range tight)

From:

/GUI in vi

To:

Save the changes
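The edit above only touches the bind_address under the GUI section. Because the API section also defaults to 127.0.0.1 and should stay local, a blanket search-and-replace on the file is the wrong tool. The script below is an added example (not from the original post) that scopes the change to one top-level section and prints every section's bind_address afterwards so you can verify it. It assumes the layout of a generated server.config.yaml (top-level keys such as API:, GUI: and Frontend:, settings indented by two spaces); the embedded config fragment is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: change the GUI bind_address in
# server.config.yaml without touching the other sections. A blanket
# `sed s/127.0.0.1/0.0.0.0/` would also rewrite the API section, which listens
# on 127.0.0.1 by default and should stay local.
# Assumes the layout of a generated server config: top-level keys such as
# "API:", "GUI:" and "Frontend:", with their settings indented by two spaces.

# Rewrite bind_address inside one top-level section only.
# usage: set_bind_address <section> <new-address> < in.yaml > out.yaml
set_bind_address() {
  awk -v section="$1" -v addr="$2" '
    /^[A-Za-z_]+:/ { in_section = ($0 == (section ":")) }   # a new top-level key starts here
    in_section && /^  bind_address:/ { $0 = "  bind_address: " addr }
    { print }
  '
}

# Print "<section> <bind_address>" for every section that has one, to verify the result.
show_bind_addresses() {
  awk '
    /^[A-Za-z_]+:/ { section = $1; sub(":", "", section) }
    /^  bind_address:/ { print section, $2 }
  '
}

# Constructed fragment in the layout of a generated server config (not a real one).
SAMPLE_CONFIG='version:
  name: velociraptor
API:
  bind_address: 127.0.0.1
  bind_port: 8001
GUI:
  bind_address: 127.0.0.1
  bind_port: 8889
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
'

# Offline demonstration on the constructed fragment; prints one line per section:
# API 127.0.0.1 / GUI 0.0.0.0 / Frontend 0.0.0.0
printf '%s' "$SAMPLE_CONFIG" | set_bind_address GUI 0.0.0.0 | show_bind_addresses

# To apply it to the real file, keep a backup and write through sudo, e.g.
#   sudo cp /etc/velociraptor/server.config.yaml /etc/velociraptor/server.config.yaml.bak
#   set_bind_address GUI 0.0.0.0 < /etc/velociraptor/server.config.yaml.bak \
#     | sudo tee /etc/velociraptor/server.config.yaml > /dev/null
```

Run show_bind_addresses on the real file after the edit: the only line that should have changed is GUI, and Frontend should already read 0.0.0.0 because clients connect to it from outside.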

Let's use the server config file to generate the installation package. I am using Ubuntu, so I will build a Debian package.

$ ./velociraptor-v0.6.6-1-linux-amd64 --config server.config.yaml debian server --binary velociraptor-v0.6.6-1-linux-amd64
Debian package for server

Installation of Server package:

$ sudo dpkg -i velociraptor_0.6.6-1_server.deb
Velociraptor Server Installation

Check whether the Velociraptor service is running:

Status of Velo* service

You can add more users if you want using the command below:

$ ./velociraptor-v0.6.6-1-linux-amd64 --config server.config.yaml user add <Change_User> --role <Change_Role>

The following roles are available by default on the Velociraptor server:

  • Administrator: no limits on account actions.
  • Reader: read collected data and notebooks.
  • API: connect over the API.
  • Analyst: reader permissions, plus creating bulk downloads and editing notebooks.
  • Investigator: analyst permissions, plus scheduling new collections and hunts.
  • artifact_writer: powerful role that allows the user to create and modify artifacts.

Now open your domain in the browser on port 8889 and log in using the created credentials.

Login Screen / Velociraptor Server

Load up Screen:

Landing Screen

Yey! Finally on the Velociraptor server.

Our server is up; now let's look at connecting our first client. We will use the client config file that was created during the server setup.

You can create this client in GCP, AWS or locally. (I am using a GCP Debian machine.)

$ ./velociraptor-v0.6.6-1-linux-amd64 --config client.config.yaml debian client
Client Config

Generated Client binary:

Using Client to Grep

Use File Download/Upload (GCP), FileZilla or SCP to transfer the client package to the client machine.

Log in to your client machine and install the deb file:

$ sudo dpkg -i velociraptor_0.6.6-1_client.deb
Install client file

Now go to your Velociraptor server and click the client magnifier glass to discover the newly added client.

Client Showing Up

You can add classification labels by clicking on Client ID (machine).

Tag Addition in Velociraptor

You can quarantine a host using the option below:

Quarantine Machine
I would highly suggest playing with the other options as well.

Windows Client Installation and Setup: MSI and .exe

  • Download & install the MSI package (official release): the installer places the Velociraptor executable in C:\Program Files\Velociraptor\, then creates a new Windows service that points to this executable and starts automatically at boot time.
  • After installing the MSI package: copy your initially generated client configuration file, i.e. client.config.yaml, to C:\Program Files\Velociraptor and rename it to Velociraptor.config.yaml.

Velociraptor will retry periodically to locate the configuration file; check your server for the newly added Windows client.

This process can be automated in a bigger environment using MDM or Windows GPO.

If you want to dig further, after installation you can check the Velociraptor service via CMD > services.msc.

Look for added service

Search for Velociraptor to see service details and executable path.

Velo* Service Details
Yay! We are done with the Windows client setup and can start with our hunt. But first, I will show another way to add Windows clients.
Check for connected Laptop

Download the .exe file from the release folder and open it in CMD:

Exploring options
$ velo* config generate -i
You can use this to generate the config for a Windows server.

Run the client with the config as below; the -v flag also prints output to the console.

client -v

You can use Task Scheduler to run it as a service by adding the -k flag, but my suggestion would be to go with the recently released MSI installation method.

I haven't covered the custom MSI package (using the WiX Toolset) or agentless deployment, so please refer to the official documentation.

Time for another break; relax for 5-10 minutes. I am tired as well :-P

Time for Hunt :-P

I will showcase some basic functionality, but you can create advanced scripts or VQL queries for hunting purposes.

Open the Hunt Manager and click + to add a new hunt.

Open Hunt Manager
Name the Hunt, Select Artifact and Launch
Name the Hunt and provide description

Select Artifact and Launch:

Select Artifact via Search option
Check the status of Hunt

I got the parsed response for /var/log/auth.log.

Run or schedule your queries; you can also run Bash, VQL or PowerShell commands via the query console:

Bash/Powershell/VQL Queries

Check the response:

Response of ps -aux

Another one for discovering cron jobs:

Crontab Output

Windows query: the same kind of responses for Windows:

Window Hunts

Keep trying different hunts; there are tons of out-of-the-box (OOB) artifacts available in Velociraptor.

Troubleshooting:

1. netstat -ltpn: check that the ports are in listening mode and bound to all interfaces (":::" or "0.0.0.0" rather than "127.0.0.1").

2. Check the status of the service: $ systemctl status velociraptor_server

3. Check whether the frontend has any issues on the Velociraptor server:

$ sudo -u velociraptor bash
$ velociraptor frontend -v   ## verbose mode lets you see the output on the terminal

You can also try connecting with the client config on the server:

4. If the client is not connecting, look at the firewall rules; alternatively you can use the following command to troubleshoot.

$ curl -v <domain>:8000   ## run this on both the client and the server; if there is no response, it is most probably the firewall rule.

Response looks something like this.
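The four troubleshooting steps above boil down to two questions: is the server listening on the right addresses, and can a client reach it across the network. The script below is an added example (not from the original post) that answers both. It parses ss/netstat listener output to report which of the three ports are missing and what address the GUI is bound to, and it turns the curl step into a diagnosis by mapping curl's exit code to the likely cause. It assumes the default ports used in this post (8000, 8001, 8889), the standard column layout of ss -ltn / netstat -ltn, and that the frontend on 8000 serves TLS with Velociraptor's own self-signed CA; the embedded ss output is constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: helpers for the troubleshooting
# steps above. Assumes the default ports used in this post (8000 frontend,
# 8001 API, 8889 GUI), the column layout of `ss -ltn` / `netstat -ltn`, and
# that the frontend on 8000 serves TLS with Velociraptor's own self-signed CA.

VELO_PORTS="8000 8001 8889"

# Print one "address port" pair per line for each TCP listener in ss/netstat
# output read from stdin. In both tools the 4th column is "addr:port", and the
# port is whatever follows the last colon (handles 0.0.0.0, *, [::] and :::).
listeners() {
  awk '$4 ~ /:[0-9]+$/ {
         n = split($4, a, ":")
         addr = substr($4, 1, length($4) - length(a[n]) - 1)
         if (addr == "") addr = "*"
         print addr, a[n]
       }'
}

# Given listener lines from listeners(), print the expected ports that are absent.
missing_ports() {
  local lines="$1" p missing=""
  for p in $VELO_PORTS; do
    printf '%s\n' "$lines" | awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' \
      || missing="$missing $p"
  done
  printf '%s\n' "${missing# }"
}

# Print the address the GUI port is bound to. "127.0.0.1" means the
# bind_address change in server.config.yaml has not taken effect.
gui_bind_address() {
  printf '%s\n' "$1" | awk '$2 == "8889" { print $1; exit }'
}

# Reachability probe for the frontend: the curl step from the post turned into
# a diagnosis. -k skips certificate validation because this only tests whether
# the port answers; the real client verifies the CA pinned in its config.
probe_frontend() {
  local host="$1" port="${2:-8000}" rc=0
  curl -sk -o /dev/null --connect-timeout 5 "https://$host:$port/" || rc=$?
  case $rc in
    0)  echo "reachable: frontend on $host:$port answered";;
    6)  echo "DNS: cannot resolve $host (check the A/CNAME records)";;
    7)  echo "refused: nothing listening on $port (check the service status)";;
    28) echo "timeout: packets are being dropped (check the GCP firewall rule)";;
    35) echo "TLS handshake failed: something answered on $port but not the Velociraptor frontend";;
    *)  echo "curl exit code $rc";;
  esac
}

# Constructed `ss -ltn` output for the offline demonstration (not from a real host):
# frontend on all interfaces, GUI still on loopback, API not listening at all.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8000        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8889      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

L=$(printf '%s\n' "$SAMPLE_SS" | listeners)
echo "missing ports: $(missing_ports "$L")"       # 8001
echo "GUI bound to:  $(gui_bind_address "$L")"    # 127.0.0.1
# On a live server: ss -ltn | listeners, then probe_frontend <your-domain>
```

A refused connection (curl exit 7) from the server itself points at the service, while a timeout (exit 28) from the client but a success from the server is the classic signature of a missing or mis-targeted GCP firewall rule.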

Yey! We are finally done with understanding Velociraptor EDR, its components and its capabilities. I will also be posting the open source automation for endpoint management that can be useful for start-ups to manage their endpoint deployments. I hope it was helpful!

Feel free to provide your feedback and reach out for any help.

~Ashishsecdev
