We covered the deployment of Velociraptor Server and Client components in the first part of this series. You can read it here if you’re interested.
This part of the series will walk you through the capabilities and features of Velociraptor.
Exploring the Clients from the Server GUI
Searching for Clients
The option “Show All” displays all the clients that are already registered to the server.


| Column | Description |
| --- | --- |
| Online State | A green dot indicates the endpoint is online and communicating with the Velociraptor server. A yellow dot means the server hasn’t received any communication from the endpoint within a 24-hour time frame. A red dot means it’s been more than 24 hours since the server last heard from the endpoint. |
| Client ID | A unique ID assigned to the client by the Velociraptor server; the server uses this client ID to identify the endpoint. A client ID always starts with the letter C. |
| Hostname | The hostname the client reports to the Velociraptor server. Hostnames can change, which is why Velociraptor identifies a client machine by its Client ID rather than its hostname. |
| Operating System Version | The Velociraptor client can run on Windows, Linux, or macOS. Details of the client operating system are displayed in this column. |
| Labels | Client machines may have multiple labels attached to them. Labels are useful for treating multiple clients as a group. |
Search syntax
The search bar allows for freeform text searches but you can also perform searches using defined search operators and terms. The search bar provides autocompletion to guide your choices.

The following search operators are available:
- all: show all clients
- label: search clients by label
- host: search for hostnames
- ip: search based on last known IP address
- mac: search based on recorded MAC addresses
- recent: show clients your user has recently interacted with
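The same search syntax is available from a notebook through the `clients()` VQL plugin, which makes it possible to act on a search result in bulk rather than one client at a time. The following is an added example and is not code from the original post: it assumes a label named `finance` already exists (a constructed name) and uses the built-in `clients()` plugin and `label()` function to tag every Windows client in that group with a second label.

```vql
-- Added example, not part of the original post.
-- "finance" and "ir-scope" are constructed label names for illustration.
LET Targets = SELECT client_id,
                     os_info.hostname AS Hostname,
                     os_info.system AS OS,
                     last_seen_at
              FROM clients(search="label:finance")
              WHERE OS = "windows"

-- Apply a second label to each matching client so the group can be
-- selected later with search="label:ir-scope".
SELECT client_id, Hostname,
       label(client_id=client_id, labels=["ir-scope"], op="set") AS Labeled
FROM Targets
```

Running the first `SELECT` on its own is a good habit before applying labels: it lets you confirm the search matched the hosts you expected.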
Client Info, Labels and Metadata
Velociraptor maintains some basic information about the host, such as its hostname, labels, last seen IP, and last seen time. This is shown in the Overview and VQL Drilldown pages. Velociraptor gathers this information from the endpoint upon first enrollment and periodically thereafter through a process referred to as Interrogation. You can manually refresh this information at any time by clicking the Interrogate button.

Quarantining a host
You can quarantine a host using the Quarantine Host button.
Quarantining a host reconfigures the host’s network stack to allow communication only with the Velociraptor server. This lets you continue investigating the host remotely while preventing it from making other network connections.

The VFS
With a client selected, we can browse its filesystem using the Virtual FileSystem (VFS) viewer.

There are multiple options available, including:
- Refresh the current directory (sync its listing from the client)
- Recursively refresh this directory (sync its listing from the client)
- Recursively download this directory from the client


Shell
With the shell, commands can be executed remotely on the client machine. Commands can be run in PowerShell, CMD, Bash, or VQL; which one the analyst picks depends on the target operating system.

Collected
Here the analyst will see the results of the commands executed earlier from the Shell. Other actions, such as interacting with the VFS (Virtual File System), also appear under Collected. VFS will be discussed later in upcoming tasks.


Results:

VQL Drilldown
In this view, there is additional information about the client, such as memory and CPU usage over a 24-hour timespan, the Active Directory domain if the client is a domain-joined machine, and the active local accounts on the client.

Active Users on the Agent Machine:

Refer to the official Velociraptor documentation titled Inspecting Clients for additional information.


Click “Collect Artifact” and follow the steps shown in the next screenshots.


Leave the default values on all the tabs and press Launch.



Artifact Collection in Progress:

Collection completed:

We can see that this collection added 209 rows.
Let’s check the results:

Although we can see the Scheduled Task “Launch Notepad”, searching and navigating through 209 rows by hand is cumbersome. This is where VQL helps us improve the search and hunt for specific artifacts.
We will use the NOTEBOOKS feature combined with the power of VQL to enrich our hunting and collections.
That’s the topic for the next article.
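As a taste of what a notebook query looks like, the following is an added example and not code from the original post. It assumes the collection above ran the built-in `Windows.System.TaskScheduler` artifact (the post does not name the artifact), and the column names `OSPath`, `Command` and `Arguments` are assumed from that artifact’s output and may differ between Velociraptor versions. Run from a notebook attached to the flow, `source()` reads the collected rows and the `WHERE` clause narrows the 209 rows to the one task we care about.

```vql
-- Added example, not part of the original post.
-- Assumes the flow collected Windows.System.TaskScheduler; column names are assumed.
LET Tasks = SELECT OSPath, Command, Arguments
            FROM source(artifact="Windows.System.TaskScheduler")

-- Keep only tasks whose path (task name) or command mentions notepad.
-- "(?i)" makes the regex match case-insensitively.
SELECT * FROM Tasks
WHERE OSPath =~ "(?i)launch notepad"
   OR Command =~ "(?i)notepad"
```

Swapping the regex for another task name, or adding `Arguments =~ "..."` to the filter, turns the same query into a reusable check for any suspicious scheduled task across a collection.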