Detection

20 Nov 2023

DEATHcon2023: Practical DEATH by Velociraptor

Workshop link

The DEATHcon Velociraptor workshop was held in November 2023. I covered a practical breakdown of Velociraptor and VQL, incorporated into real-world scenarios.

  1. Brief introduction to Velociraptor and lab setup
  2. Available data / VQL accessors
  3. VQL Performance and Yara
  4. ATT&CK Detection use case: RDP patching
  5. UEFI BlackLotus
  6. LNK Analysis

13 Sep 2023

Content Management Like a Boss!

Content management is one of the most underrated Velociraptor capabilities used by mature users. This talk will walk through some basics of content management, introduce automation and hopefully leave you with actionable ideas on how to do Velociraptor content like a boss.

Presentation

5 Nov 2022

DEATHcon 2022 Velociraptor workshop

The DEATHcon Velociraptor workshop was held in November 2022. We cover some basic VQL use cases including NTFS, Event Logs, Yara and memory artifacts.

The workshop was implemented with Velociraptor 0.6.6 although the data generation can be applied to any version.

Data generation scripts

Workshop slides

Workshop introduction

17 Sep 2022

Notebook and VQL - data munging your way to victory!

The Velociraptor notebook is a feature that supercharges analysis and speeds up many components of incident response. New users are often intimidated by advanced VQL and don’t know where to start. This talk aims to shed some light on data manipulation in VQL and provide some practical examples that can be taken away for better artifacts and analysis.

Presentation slides

Presentation

12 Jan 2022

WMI Event Consumers: what are you missing?

WMI Eventing is a fairly well known technique in DFIR; however, some tools may not provide the coverage you expect. This article covers WMI eventing visibility and detection, including custom namespaces.

9 Nov 2021

Cobalt Strike Payload Discovery And Data Manipulation In VQL

Velociraptor’s ability for data manipulation is a core platform capability that drives a lot of the great content we have available in terms of data parsing for artifacts and live analysis. After a recent engagement with less common encoded Cobalt Strike beacons, and finding sharable files on VirusTotal, I thought it would be a good opportunity to walk through some workflow around data manipulation with VQL for analysis. In this post I will walk through some background, collection at scale, and finally talk about processing target files to extract key indicators.

26 Jun 2019

Endpoint Hunting in an AntiEDR World

With the proliferation of EDR we have seen attackers at all levels upping their game to bypass brittle (and not so brittle) endpoint detection. This talk showcases the background to EDR technology and some practical real-world examples of detection bypasses.

Download slides

Originally presented at a local SANS and community event (modified with additional presentations since).

29 May 2019

Binary Rename 2

This is my second Binary Rename post; in this post I am focusing on static detection, that is, assessing files on disk. I am going to describe the differences between Yara- and PowerShell-based detections, then share the code.

12 May 2019

Blue Team Hacks - Binary Rename

In this post I thought I would share an interesting proof of concept I developed to detect Binary Rename of commonly abused binaries. I'm going to describe the detection, its limitations and share the code.