Velociraptor - Platform Setup

Velociraptor is an interesting and powerful tool, well worth a look if you haven't already. It can be used for a multitude of tasks including endpoint monitoring, hunting, digital forensics and incident response. My goal over the next few posts is to tackle a few interesting tasks you can do with Velociraptor, producing content along the way that may also be useful to others.

A few topics I’ll cover in upcoming posts:

  • Equivalent artifact acquisition

  • Memory Artifact Acquisition

  • Artifact to Timeline

Seeing as it's going to be a few posts in this series, I thought it would be a good idea to do a really quick primer on how to get Velociraptor running (for testing, not production!) and a little bit about my setup for those interested. I won't go into too much detail as Velociraptor setup has been widely documented; this is more for context to support upcoming posts.

Please be aware that if you are going to deploy this into a production environment you should consider a more robust architecture including additional security controls and redundancy.

Check out Velociraptor here: https://docs.velociraptor.app/

TL;DR - Velociraptor setup in AWS, Clients running on Windows VMs hosted on an ESXi server locally

The Setup

The environment I've set up is fairly basic, and I've thrown together the brief diagram depicted below. Velociraptor has been deployed in AWS on a t2.micro (for testing), assigned an Elastic IP, given a domain set up through Route 53, and had its security groups adjusted accordingly.

A few Windows 10 test clients have been spun up with the Velociraptor agent installed on them.

Figure 1: Velociraptor Environment Setup Diagram


AWS Configuration

You can set up AWS compute on the cheap using a t2.micro instance with an additional 30GB EBS volume. It goes without saying, but please keep in mind this won't be suitable for a production environment; it is purely for testing.

The OS is your preference; I used the Amazon Linux 2023 AMI.

Figure 2: EC2 Instance

I dropped this EC2 instance in the default VPC and gave it an Elastic IP for external access. Security groups were set up to allow access only from my IP address over ports 80, 443 and 22, as all the Velociraptor clients and management hosts sit on-prem at the one location. Keep in mind that you may need to allow 443 from anywhere so that LetsEncrypt can automatically mint the certificates.
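The security group policy described above (22, 80 and 443 from one management address, with 443 from anywhere as the only tolerated exception) is easy to get wrong when rules are added by hand, so here is a small audit script for it. This is an added example, not code from the post or from the Velociraptor project: the group JSON is constructed in the shape `aws ec2 describe-security-groups` returns, and the management address 203.0.113.10/32 is a placeholder for "my IP address".

```python
"""Audit an EC2 security group against the rule set the post describes: only
ports 22, 80 and 443, and only from the one management IP (optionally also 443
from anywhere for Let's Encrypt). Added example, not part of the post; the
sample JSON is constructed and the management address is a placeholder."""
from __future__ import annotations

import ipaddress
import json

# Placeholder for "my IP address" in the post (TEST-NET-3 documentation range).
MGMT_CIDR = "203.0.113.10/32"
ALLOWED_PORTS = {22, 80, 443}

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# (one group, four inbound rules). Outbound rules are not examined here.
SAMPLE_SG_JSON = """
{
  "GroupId": "sg-0123456789abcdef0",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22,   "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443,  "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80,   "ToPort": 80,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample group."""
    return json.loads(SAMPLE_SG_JSON)


def _sources(perm: dict) -> list[str]:
    """All IPv4 and IPv6 CIDR sources of one inbound rule."""
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def audit_security_group(sg: dict, mgmt_cidr: str,
                         allowed_ports: set[int] = ALLOWED_PORTS,
                         allow_public_443: bool = False) -> list[str]:
    """Return one finding per rule/source that strays from the intended policy."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    allow_list = "/".join(str(p) for p in sorted(allowed_ports))
    findings: list[str] = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        sources = _sources(perm)
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # "-1" means all traffic; a missing or negative port means the protocol
        # carries no port at all (e.g. ICMP). Neither belongs in this group.
        if proto == "-1" or lo is None or lo < 0:
            findings.append(f"{proto} rule without a port restriction from "
                            f"{', '.join(sources)}")
            continue
        ports = set(range(lo, hi + 1))
        extra = sorted(ports - allowed_ports)
        if extra:
            findings.append(f"{proto}/{extra[0]}-{extra[-1]} ({len(extra)} ports) from "
                            f"{', '.join(sources)}: outside the {allow_list} allow-list")
        for src in sources:
            net = ipaddress.ip_network(src)
            is_public = net.prefixlen == 0
            for port in sorted(ports & allowed_ports):
                if is_public and port == 443 and allow_public_443:
                    continue  # the tolerated exception for the ACME challenge
                same_family = net.version == mgmt.version
                if not (same_family and net.subnet_of(mgmt)):
                    findings.append(f"{proto}/{port} from {src}: source is not the "
                                    f"management address {mgmt_cidr}")
    return findings


if __name__ == "__main__":
    for line in audit_security_group(load_sample(), MGMT_CIDR):
        print("FINDING:", line)
```

On the constructed sample this reports three findings (443 open to the world, 80 open to a whole /24 rather than the single management host, and 3389 which is not on the allow-list); passing `allow_public_443=True` accepts the first as the LetsEncrypt exception and leaves two. To run it against a real group, feed it the parsed output of `aws ec2 describe-security-groups --group-ids <id>` (one element of `SecurityGroups`) instead of `load_sample()`.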

To finish off the AWS setup I registered a domain and created a DNS record pointing it at the public IP of the EC2 instance (the associated Elastic IP).

Base OS Setup

In addition to the above, check out this guide: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html. It will help you attach the EBS volume.

Key pairs were set up for initial SSH access into the EC2 instance.

Velociraptor Setup

The first step is to download Velociraptor from the GitHub releases page https://github.com/Velocidex/velociraptor/releases and make the binary executable by running the commands below.

# Download the Linux server binary for the release used in this guide
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.8-2/velociraptor-v0.6.8-2-linux-amd64
# Mark it executable
chmod +x velociraptor-v0.6.8-2-linux-amd64

Once complete, we can run the Velociraptor interactive setup to generate the necessary config files and provision a cert with LetsEncrypt.

./velociraptor-v0.6.8-2-linux-amd64 config generate -i

Figure 3: Velociraptor Setup

Things to note with the above setup:

  • The data store path isn't the default; it has been set to /data, the mount point of the attached EBS volume. Run through the AWS doco to get this working.

  • The username prompt will come up multiple times so you can add multiple users; leave it blank to end.

  • The domain I used has been left out; it was registered at the time of setup.

  • LetsEncrypt was selected for cert generation.
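The choices in the list above (datastore on the EBS volume, LetsEncrypt for the chosen domain) and the client config that is later repacked into the MSI all live in the generated config files, so a quick sanity check before starting the frontend or building the MSI is worthwhile. The script below is an added example and not from the post or the Velociraptor project; the key names (`Datastore.location`, `Datastore.filestore_directory`, `autocert_domain`, `Frontend.hostname`, `GUI.public_url`, `Client.server_urls`) are my reading of the server.config.yaml layout and should be verified against your own generated file, the sample dict is constructed, and velo.example.com is a placeholder domain.

```python
"""Sanity-check a generated Velociraptor server.config.yaml against the choices
made during `config generate -i`: datastore on the EBS mount, Let's Encrypt
autocert for the chosen domain, and every URL handed to browsers and clients
using https on that same domain. Added example; key names are assumptions."""
from __future__ import annotations

from urllib.parse import urlparse

EBS_MOUNT = "/data"  # mount point of the attached EBS volume, as in the post

# Constructed, abbreviated stand-in for a generated server.config.yaml, already
# parsed into a dict (the shape yaml.safe_load returns). velo.example.com is a
# placeholder for the registered domain.
SAMPLE_CONFIG = {
    "autocert_domain": "velo.example.com",
    "autocert_cert_cache": "/data/acme",
    "Client": {"server_urls": ["https://velo.example.com/"]},
    "Frontend": {"hostname": "velo.example.com", "bind_address": "0.0.0.0", "bind_port": 443},
    "GUI": {"bind_address": "127.0.0.1", "bind_port": 8889,
            "public_url": "https://velo.example.com/app/index.html"},
    "Datastore": {"implementation": "FileBaseDataStore",
                  "location": "/data", "filestore_directory": "/data"},
}


def load_config(path: str) -> dict:
    """Load a real config file. PyYAML is imported lazily so the checks below
    still run in an environment without it."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


def check_server_config(cfg: dict, ebs_mount: str = EBS_MOUNT) -> list[str]:
    """Return a list of problems; an empty list means the config matches the plan."""
    problems: list[str] = []
    mount = ebs_mount.rstrip("/")

    # 1. Datastore and filestore must live on the EBS volume, not the root disk.
    ds = cfg.get("Datastore", {})
    for key in ("location", "filestore_directory"):
        path = str(ds.get(key, ""))
        if path != mount and not path.startswith(mount + "/"):
            problems.append(f"Datastore.{key}={path!r} is not on the EBS mount {mount}")

    # 2. Let's Encrypt autocert needs a domain, and the frontend must use it.
    domain = cfg.get("autocert_domain") or ""
    if not domain:
        problems.append("autocert_domain is empty: Let's Encrypt autocert is not enabled")
    fe_host = cfg.get("Frontend", {}).get("hostname", "")
    if domain and fe_host != domain:
        problems.append(f"Frontend.hostname {fe_host!r} does not match autocert_domain {domain!r}")

    # 3. The GUI URL and every client server URL must be https on that domain.
    urls = [cfg.get("GUI", {}).get("public_url", "")]
    urls += list(cfg.get("Client", {}).get("server_urls", []))
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{url!r} is not https")
        elif domain and parsed.hostname != domain:
            problems.append(f"{url!r} does not point at autocert_domain {domain!r}")
    return problems


if __name__ == "__main__":
    import sys
    cfg = load_config(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for problem in check_server_config(cfg) or ["OK: config matches the plan"]:
        print(problem)
```

Run it as `python check_config.py server.config.yaml` after `config generate -i` finishes. Because client.config.yaml is derived from the same `Client` section, a wrong or plain-http `server_urls` entry would otherwise be baked into the MSI and pushed to every endpoint, which is the kind of mistake you want to catch before deployment rather than after.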

Once setup has been completed it should just be a matter of starting Velociraptor using the command below. Throughout this guide I've used the latest release available at the time; as the Velociraptor team release newer versions, the commands used will have to be adjusted slightly.

sudo ./velociraptor-v0.6.8-2-linux-amd64 --config server.config.yaml frontend -v


Navigate to the domain you setup and login with the credentials nominated during configuration.

Additionally, Velociraptor has dark mode! Find it in the user settings.

Figure 4: Velociraptor Dashboard

Check out https://docs.velociraptor.app/docs/deployment/cloud/ if you run into any issues.

Client Installation

There are a few options for Velociraptor client installation; I chose to create an MSI for deployment on my endpoints. To do this, grab the latest MSI from https://github.com/Velocidex/velociraptor/releases and repack it with the client config file from your installation using the following commands.

# Download the stock Windows client MSI for this release
wget https://github.com/Velocidex/velociraptor/releases/download/v0.6.8-2/velociraptor-v0.6.8-windows-amd64.msi
# Repack it with this deployment's client config to produce the installer you push to endpoints
./velociraptor-v0.6.8-2-linux-amd64 config repack --msi velociraptor-v0.6.8-windows-amd64.msi client.config.yaml vr-install.msi

With the above completed you should be ready to get started. Over the next few posts we will explore what Velociraptor has to offer and how it can assist us as investigators, threat hunters and defenders.

Stay Tuned.

Resources

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html
https://docs.velociraptor.app/
https://github.com/Velocidex/velociraptor/releases
https://docs.velociraptor.app/docs/deployment/cloud/
