Mass Digital Forensics & Incident Response with Velociraptor

Views: 14,814

John Hammond

A day ago

This is the 1st video of 2 separate videos -- in the next video, Matt will showcase hunting malware with Velociraptor! MASSIVE thank you to Mike Cohen and Matt Green for joining me for this video! / scudette || / mgreen27
Thanks to @iamkingsage8571 for contributing timestamps!
00:00 Introduction
01:08 Velociraptor VFS
04:05 Artifacts & Automation w/ VQL
06:16 Sigma Rule matching w/ Hayabusa
07:20 Waiting on Hayabusa to finish scan.
09:20 How does Hayabusa compare to Chainsaw?
10:40 Parsing Hayabusa Findings
13:40 PsTree Attempt 1 w/PsList
17:55 PsTree Attempt 2 w/Velociraptor Process Tracker
19:50 Velociraptor Process Tracker
22:35 PSExec Change in v2.30 & How to look for the usage of PSExec
25:25 Why this is useful and example use case
26:10 PowerShell Artifacts
27:30 Bits Transfer Artifact
28:50 How to hunt for multiple compromised machines.
30:40 Parsing the Results using VQL
33:20 Demo Conclusion
🔥 KZbin ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Comments: 20
@iamkingsage8571 (a year ago)
0:00 Introduction
1:08 Velociraptor VFS
4:05 Artifacts & Automation w/ VQL
6:16 Sigma Rule matching w/ Hayabusa
7:20 Waiting on Hayabusa to finish scan.
9:20 How does Hayabusa compare to Chainsaw?
10:40 Parsing Hayabusa Findings
13:40 PsTree Attempt 1 w/PsList
17:55 PsTree Attempt 2 w/Velociraptor Process Tracker
19:50 Velociraptor Process Tracker
22:35 PSExec Change in v2.30 & How to look for the usage of PSExec
25:25 Why this is useful and example use case
26:10 PowerShell Artifacts
27:30 Bits Transfer Artifact
28:50 How to hunt for multiple compromised machines.
30:40 Parsing the Results using VQL
33:20 Demo Conclusion
@_JohnHammond (a year ago)
You're a rockstar, huge thanks!!
@christophertharp7763 (5 months ago)
That new psexec...key with the source is HUGE
@Love-yv1fc (a year ago)
John, please use time stamps, it will be helpful😊
@_JohnHammond (a year ago)
Big thanks to @iamkingsage8571, they knocked them out for us!
@Jason-c1b3r (a year ago)
Not only that but under the section that pops up when you click 'more' you see the chapters which are time stamped
@KenPryor (a year ago)
I recently set up a Velociraptor server at home and installed agents on all my virtual machines. I still have much to learn, but I love it so far. Still have to dive in to VQL so I can do my own artifacts.
@mindtropy (a year ago)
I always wanted to try out Velociraptor but did not have a chance, thank you! I normally use Binalze AIR for mass DFIR, I will watch this with my full attention 😊
@user-fx8er8ex2i (a year ago)
Hi guys, awesome demo and product! It would be so great to see you guys working together with the open-source tool Elastic in order to integrate with each other!
@HitemAriania (a year ago)
Used the tool for a long time, it's amazing! Unfortunately I don't do hunts anymore, which I would love to get back to :)
@dominiksabat (a year ago)
Such a great demo!
@squid13579 (a year ago)
Time stamps would be better. But amazing video 🔥.
@_JohnHammond (a year ago)
Big thanks to @iamkingsage8571, they knocked them out for us!
@bbelsito (a year ago)
Clever girl
@ericmoore4515 (7 months ago)
Hello. Have you experienced small customers installing Velociraptor? I'm asking because we did a POC for a start-up company and now they wish to deploy it in production.
@jirayahatake (a year ago)
Can you consider making an updated "setup a hacking lab"? Pros and cons of virtual machines on a local hypervisor vs, for instance, VPS and cloud VMs etc.
@Yorak404 (a year ago)
I wanna learn about digital forensics in macOS & malware analysis. Does anyone know any good courses (free) or cheap certs & courses & or resources please?
@Felttipfuzzywuzzyflyguy (a year ago)
Clever Girl...
@bhagyalakshmi1053 (a year ago)
Liters size
@rpt3066 (a year ago)
Can't wait for more from @mgreen27