Velociraptor - Dig Deeper in Linux
Kia Ora Theatre | Sun 16 Jan 1:30 p.m.–2:15 p.m.
Presented by
Mike Cohen
@velocidex
https://docs.velociraptor.app/
Mike is a renowned digital forensic researcher and senior software engineer. Mike is the founder and creator of Velociraptor - an advanced open source digital forensic and incident response (DFIR) framework supporting Linux, MacOS and Windows. In 2020, Mike joined Rapid7 to continue developing Velociraptor as a vibrant open source project and community, and to make Velociraptor the premier choice for endpoint monitoring, response and visibility.
Abstract
Velociraptor is the new open source DFIR framework that everyone is talking about! Have you ever needed to respond to an incident in a large enterprise network? Have you wondered how many of your 10,000 endpoints are compromised? You know you should be hunting for common forensic artifacts but how do you do it in a scalable way, in a reasonable time? Well… now you can!
This talk will introduce Velociraptor and specifically cover its recent capabilities for investigating and monitoring the security of Linux hosts. Velociraptor's superpower is its flexible and powerful query language, VQL. Using VQL we can implement novel detections, hunt for compromise and automate all our response needs. We cover some common use cases, such as hunting for SSH keys across large networks or automatically escalating when suspicious events are discovered. We also cover real-time monitoring of the endpoint (for example, webshell detection via process parent/child analysis) and how VQL can be used to build sophisticated alerting around process execution chains, network connections and even bash instrumentation of the command line, all done at scale with the click of a few buttons.