# Velociraptor
Lifted from the Velociraptor quick start guide. Nice sample hunt in about an hour by Eric Capuano, and a gist to go along with it!
## Install quick temporary server (Debian-based server with Windows clients)
- Download the velociraptor executable
- Run `chmod +x velociraptor`
- Generate the server config: `./velociraptor config generate -i`
- Answer the questions, then fire up the server: `sudo ./velociraptor gui --config ./server.config.yaml`
- Click Home and under Current Orgs download the client config file. Or do:
  `./velociraptor config client --org "root" --config server.config.yaml > client.root.config.yaml`
- Deploy to other systems with `velociraptor.exe --config client.config.yaml client -v`
## Install full server component (Debian-based)
### Grab the server binary
Download from here.
### Make it executable
```
chmod +x velociraptor
```
### Generate server config file
```
./velociraptor config generate -i
```
Tips:
- Make the local address of `server_urls` the local IP and not `localhost` (`public_url` is for proxying the GUI to a different URL)
- When the config file is generated, edit it so that the frontend `bind_address` is also `0.0.0.0`
### Install
```
sudo dpkg -i nameoffile.deb
```
### Login to your Velociraptor Web UI
Fire up `https://yourip:8889`.
### Generate server OS client installs
- Go to Hamburger icon > Server Artifacts.
- Click the +
- Search for the word `MSI`
- Click Server.Utils.CreateMSI in the search results
- In the menu that appears to the right, click the appropriate MSI file
- Click the Launch tab in the lower right
- A new menu will pop up with the MSI build process. When done, click the artifact, click Uploaded Files and then download the MSI file.
### Generate workstation OS installs
- Click the Home icon
- Scroll down and you should see a file like `client.root.config.yaml` to download
### Edit the config file (optional)
If you're going to run client instances in agentless mode, change the `writeback_windows` line in `client.root.config.yaml` to:
```yaml
writeback_windows: $TEMP\\velociraptor.writeback.yaml
```
## Deploying agentless clients
### Run client instance standalone
```
velociraptor.exe --config client.root.config.yaml client --mutant ninja --verbose
```
`--verbose` is handy because I've had some client instances never check into the server, and the verbose flag helped identify issues (cert expiration, time sync issue, etc.)
### Deploy via GPO
This covers it pretty well, but here is the key information to remember when setting up an immediate task (at least on Windows 7):
#### General tab
- Give the task a name
- Run as `NT AUTHORITY\SYSTEM` (I found it easier to just type this in, not try to resolve it)
- Tick Run whether user is logged on or not
- Tick Run with highest privileges
- Tick the Hidden box
#### Actions tab
- Click New...
- Under Action, choose Start a program
- Under Program/script enter a UNC path where `velociraptor.exe` lives, such as `\\dc-ac\share\velociraptor.exe`
- In the Add arguments (optional) field, enter
```
--config \\dc-ac\share\name.of.your.config.file client --mutant ninja --verbose
```
The client install documentation notes:
"In our experience GPO deployments are not very reliable - we often find the Velociraptor client will be launched multiple times on the endpoint. It is highly recommended that you use the --mutant flag to specify a mutant preventing the client from starting multiple times."
#### Settings tab
- Tick If the task fails, restart every: 1 minute
- Tick Stop the task if it runs longer than: 3 days
- If the task is already running, then the following rule applies: Do not start a new instance
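The same three tabs expressed as a local scheduled task with PowerShell's ScheduledTasks module, so the settings can be tried on one workstation before they go into the GPO. This is an added example, not from these notes or the Velociraptor project; the `\\dc-ac\share` path, config file name, task name and restart count (the GUI default of 3) are assumptions to adjust.

```powershell
# Added example: local equivalent of the GPO immediate task described above.
# Assumptions: binary and client config live on the \\dc-ac\share UNC path
# used in the notes; change the paths, task name and restart count as needed.
$Share  = '\\dc-ac\share'
$Config = "$Share\client.root.config.yaml"

# Actions tab: start velociraptor.exe from the share with the agentless client
# arguments. --mutant keeps a second copy from starting if the task fires twice.
$action = New-ScheduledTaskAction -Execute "$Share\velociraptor.exe" `
    -Argument "--config $Config client --mutant ninja --verbose"

# General tab: run as SYSTEM whether or not a user is logged on,
# with highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Settings tab: hidden, restart every 1 minute on failure (up to 3 times),
# stop after 3 days, and do not start a new instance if one is running.
$settings = New-ScheduledTaskSettingsSet -Hidden `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) `
    -ExecutionTimeLimit (New-TimeSpan -Days 3) `
    -MultipleInstances IgnoreNew

# A GPO immediate task runs on policy refresh; locally, run it at every boot
# so the agentless client comes back after a reboot.
$trigger = New-ScheduledTaskTrigger -AtStartup

Register-ScheduledTask -TaskName 'Velociraptor Client' -Action $action `
    -Principal $principal -Settings $settings -Trigger $trigger | Out-Null
Start-ScheduledTask -TaskName 'Velociraptor Client'

# Check that exactly one client process is running (what --mutant is for).
Start-Sleep -Seconds 5
(Get-Process -Name velociraptor -ErrorAction SilentlyContinue | Measure-Object).Count
```

Run it in an elevated PowerShell session; if the last line prints anything other than 1, the task fired more than once or the client never started, and `--verbose` output in the task history is the place to look.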