Projects
20 Nov 2023
DEATHcon2023: Practical DEATH by Velociraptor
The DEATHcon Velociraptor workshop was held in November 2023. I covered a practical breakdown of Velociraptor and VQL, incorporated into real-world scenarios.
- Brief introduction to Velociraptor and lab setup
- Available data / VQL accessors
- VQL performance and Yara
- ATT&CK Detection use case: RDP patching
- UEFI BlackLotus
- LNK Analysis
13 Sep 2023
Content Management Like a Boss!
Content management is one of the most underrated Velociraptor capabilities used by mature users. This talk walks through some basics of content management, introduces automation and hopefully leaves you with actionable ideas on how to do Velociraptor content like a boss.
Presentation
5 Nov 2022
DEATHcon 2022 Velociraptor workshop
The DEATHcon Velociraptor workshop was held in November 2022. We cover some basic VQL use cases including NTFS, Event Logs, Yara and memory artifacts.
The workshop was implemented with Velociraptor 0.6.6 although the data generation can be applied to any version.
Workshop introduction
17 Sep 2022
Notebook and VQL - data munging your way to victory!
The Velociraptor notebook is a feature that supercharges analysis and speeds up many components of incident response. New users are often intimidated by advanced VQL and don't know where to start. This talk aims to shed some light on data manipulation in VQL and provide some practical examples that can be taken away for better artifacts and analysis.
Presentation
26 Jun 2019
Endpoint Hunting in an AntiEDR World
With the proliferation of EDR we have seen attackers at all levels upping their game to bypass brittle (and not so brittle) endpoint detection. This talk showcases the background to EDR technology and some practical real-world examples of detection bypasses.
Originally presented at a local SANS and community event (modified with additional presentations since).
14 Jan 2018
Invoke-LiveResponse is a PowerShell module I put together to enable raw disk collections over WinRM and local script execution. Leveraging PowerForensics via a custom PowerShell function, it enables collection of key forensic artefacts and the stdout of script results typical for live response tasks.