Question
Introduction:
Velociraptor is an advanced open-source endpoint monitoring, digital forensic and cyber response tool that enhances your visibility into your endpoints and supporting threat hunting efforts.
It uses client endpoint software to collect and report information on multiple platforms (Windows, macOS and Linux systems). This agent can be run as a service, as a background task, at scheduled intervals or in an offline mode.
Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches [1]:
Reconstruct attacker activities through digital forensic analysis
Hunt for evidence of sophisticated adversaries
Investigate malware outbreaks and other suspicious network activities
Monitor continuously for suspicious user activities, such as files copied to USB devices
Discover whether disclosure of confidential information occurred outside the network
Gather endpoint data over time for use in threat hunting and future investigations
Velociraptor allows you to interrogate client devices to collect information useful for threat hunting and incident response.
This includes access to registry data, and the ability to run remote Bash, Command Prompt, and PowerShell commands.
This access uses the Velociraptor agent to run queries written in the Velociraptor Query Language (VQL).
Tasks:
Deploy Velociraptor tool in a virtualized environment as follows: Create 3 virtual machines:
1 virtual machine (VM-1) contains Velociraptor server that collects information from other 2 virtual machines
2 virtual machines (VM-2, VM-3) as clients (endpoints)
Make sure all 3 VMs are in the same network and have connectivity
Install Velociraptor in VM-1 then connect the other 2 VMs to it
In VM-1, you should have visibility on VM-2 & VM-3
From the Velociraptor server dashboard (VM-1), you want to collect some information from the other 2 VMs:
List all the user accounts in VM-2 and VM-3
List all running processes in VM-2 and VM-3
List all start-up apps in VM-2 and VM-3
Launch an attack against VM-2 or VM-3
Then make sure you hunt/detect this attack in the Velociraptor server.
(The detection is any artifact that confirm the infection of the VM.)
You may get help from the Velociraptor documentation at this link [2]:
Your project report should include the following sections:
Your virtual network architecture
Installation and configuration for the server and clients.
Tasks (as required in section B.): include the queries you have used in the Velociraptor server
Alternatives: choose two alternatives to Velociraptor and compare them with Velociraptor in terms of: cost, maximum number of clients that can be connected, and any 3 key features.
Submission in Blackboard.
Form a group of 3 or 4 members
Each group should appoint one member (group representative) to submit the names of the group members by 31 December 2022 inside the group section in Blackboard.
Each group member will get 1 point after I receive the names of the group members
The same person who has submitted the names should also submit the project report (one submission only is required from the group representative)
Due date for submitting this project is 5 February 2023 @ 11 PM
Prepare for a presentation (not more than 10 minutes) on Week 10/11
Submission should be in PDF format.
[1] https://docs.velociraptor.app/docs/overview/
[2] https://docs.velociraptor.app/training/
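As an added example that is not part of the original assignment text or of Velociraptor's own documentation, the following VQL shows one way to carry out the collection tasks from a server-side notebook on VM-1 and then reuse the same artifacts to detect a change after the attack. It assumes the two clients are Windows (Linux equivalents are noted in comments); the artifact names are the ones shipped with current Velociraptor releases and the column names follow those artifacts' definitions, so confirm both against the artifact list in your server's GUI, since they vary across versions. The hunt IDs `H.BASELINE` and `H.AFTER` are placeholders for the IDs the server returns when the hunts are created.

```vql
-- 1. Visibility check: every enrolled endpoint (VM-2, VM-3) should appear here.
SELECT client_id, os_info.hostname AS Hostname, os_info.system AS OS, last_seen_at
FROM clients()

-- 2. One hunt collects all three requested data sets from every connected client.
--    hunt() returns the new hunt ID; record it (placeholder H.BASELINE below).
--    Linux clients: Linux.Sys.Users, Linux.Sys.Pslist and Linux.Sys.Crontab
--    (cron-based persistence) play the same roles.
SELECT hunt(
    description="Baseline: users, processes, startup items",
    artifacts=["Windows.Sys.Users", "Windows.System.Pslist", "Windows.Sys.StartupItems"]
) AS HuntId
FROM scope()

-- 3. Read the results back per task. ClientId tells which VM each row came from.
-- Task: all user accounts
SELECT ClientId, Name, Description, Directory
FROM hunt_results(hunt_id="H.BASELINE", artifact="Windows.Sys.Users")

-- Task: all running processes
SELECT ClientId, Pid, Ppid, Name, Exe, CommandLine, Username
FROM hunt_results(hunt_id="H.BASELINE", artifact="Windows.System.Pslist")

-- Task: all start-up apps (column set depends on the artifact version, so keep *)
SELECT ClientId, *
FROM hunt_results(hunt_id="H.BASELINE", artifact="Windows.Sys.StartupItems")

-- 4. Detection: after the attack, create the same hunt again (placeholder H.AFTER)
--    and report rows that were absent from the baseline. A new local account or a
--    new startup entry on a client is exactly the kind of artifact that confirms
--    the infection. Keys are "client|name" so a name that is legitimate on VM-2
--    is still flagged when it newly appears on VM-3.
LET BaselineUsers <= SELECT format(format="%v|%v", args=[ClientId, Name]) AS Key
    FROM hunt_results(hunt_id="H.BASELINE", artifact="Windows.Sys.Users")

LET BaselineStartup <= SELECT format(format="%v|%v", args=[ClientId, Name]) AS Key
    FROM hunt_results(hunt_id="H.BASELINE", artifact="Windows.Sys.StartupItems")

SELECT ClientId, Name, "new local user account" AS Finding
FROM hunt_results(hunt_id="H.AFTER", artifact="Windows.Sys.Users")
WHERE NOT format(format="%v|%v", args=[ClientId, Name]) IN BaselineUsers.Key

SELECT ClientId, Name, "new start-up item" AS Finding
FROM hunt_results(hunt_id="H.AFTER", artifact="Windows.Sys.StartupItems")
WHERE NOT format(format="%v|%v", args=[ClientId, Name]) IN BaselineStartup.Key
```

The same artifacts can be collected against a single client from its "Collected Artifacts" page, or run directly in a client notebook as `SELECT * FROM Artifact.Windows.Sys.Users()`; the hunt form is used here because the assignment asks for both VMs at once. The baseline-versus-after comparison is deliberately narrow: it only catches what the three artifacts enumerate, so an attack that leaves no new account, process or start-up entry needs a different artifact (event logs, scheduled tasks, services) for the detection step.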