VQL
20 Nov 2023
DEATHcon2023: Practical DEATH by Velociraptor
DEATHcon Velociraptor workshop was held November 2023. I covered practical break down of Velociraptor and VQL, incorporated into real world scenarios.
- Brief introduction to Velociraptor and lab setup
- Available data / VQL accessors
- VQL Performance and Yara.
- ATT&CK Detection use case: RDP patching
- UEFI BlackLotus
- LNK Analysis
13 Sep 2023
Content Management Like a Boss!
Content management is one of the most under rated Velociraptor capabilities used by mature users. This talk will walk through some basics of content management, introduce automation and hopefully leave you with actionable ideas on how to do Velociraptor Content like a boss.
Presentation
5 Nov 2022
DEATHcon 2022 Velociraptor workshop
DEATHcon Velociraptor workshop was held November 2022. We cover some basic VQL use cases including NTFS, Event Logs, Yara and memory artifacts.
The workshop was implemented with Velociraptor 0.6.6 although the data generation can be applied to any version.
Workshop introduction
17 Sep 2022
Notebook and VQL - data munging your way to victory!
Velociraptor notebook is a feature that supercharges analysis and speeds up many components of incident response. New users are often intimidated by advanced VQL and don’t know where to start. This talk aims to shed some light on data manipulation in VQL and provide some practical examples that can be taken away for better artifacts and analysis.
Presentation
9 Nov 2021
Cobalt Strike Payload Discovery And Data Manipulation In VQL
Velociraptor’s ability for data manipulation is a core platform capability that drives a lot of the great content we have available in terms of data parsing for artifacts and live analysis. After a recent engagement with less common encoded Cobalt Strike beacons, and finding sharable files on VirusTotal, I thought it would be a good opportunity to walk through some workflow around data manipulation with VQL for analysis. In this post I will walk though some background, collection at scale, and finally talk about processing target files to extract key indicators.
23 Jul 2020
Windows IPSEC for endpoint quarantine
This post is going to talk about using Windows IPSec for a quarantine use case. Im going to explain the background, how to configure a policy and some of the design decisions as I was initially looking at building an endpoint based containment capability.
8 Dec 2019
Local Live Response with Velociraptor ++
In this post im going to talk about a live response use case leveraging the Velociraptor project worth sharing. Specifically, live response with ancillary collection by third party tools embedded to minimise user impact. As usual, im going to provide some background and walk through the steps then share the code.
10 Nov 2019
Live response automation with Velociraptor
This post is going to talk about the Velociraptor project. Specifically, live response and automation I have built for my own engagements. Im going to provide some background and walk through a proof of concept, then share the code.