Velociraptor
Velociraptor is a digital forensics and incident response (DFIR) tool for interrogating endpoints.
Use Tenzir to conveniently speak with a Velociraptor server over the gRPC API.
Create a TLS certificate to communicate with Velociraptor
The velociraptor acts as client and establishes a connection to a Velociraptor
server via gRPC. All Velociraptor client-to-server communication is mutually
authenticated and encrypted via TLS certificates. This means you must provide a
client-side certificate, which you can generate as follows. (Velociraptor ships
as a static binary that we refer to as velociraptor-binary here.)
Create a server configuration
server.yaml:velociraptor-binary config generate > server.yamlCreate an API client:
velociraptor-binary -c server.yaml config api_client --name tenzir client.yamlCopy the generated
client.yamlto your Tenzir plugin configuration directory asvelociraptor.yamlso that the operator can find it:cp client.yaml /etc/tenzir/plugin/velociraptor.yamlCreate a user (e.g., an admin named
tenzir):velociraptor-binary -v -c server.yaml user add --role administrator tenzirRun the frontend with the server configuration:
velociraptor-binary -c server.yaml frontend
Examples
Run raw VQL
After you have created a TLS certificate, you can use the
from_velociraptor
operator to execute a Velociraptor Query Language
(VQL) query:
from_velociraptor query="select * from pslist()"
select Name, Pid, PPid, CommandLine
where Name == "remotemanagement"
Subscribe to forensic artifacts
You can also hunt for forensic artifacts, such as dropped files or specific
entries in the Windows registry, on assets connected to your Velociraptor
server. Every time a client reports back on an artifact that matches a given
Regex, e.g., Windows or Windows.Sys.StartupItems, the Velociraptor server
sends the result into the pipeline.
For example, run this pipeline to subscribe to an artifact collection of Windows startup items and import them into a node:
from_velociraptor subscribe="Windows.Sys.StartupItems"
import