FREE Cybersecurity Tool: Velociraptor (Step-By-Step Guide)

  • Published: 19 Oct 2024

Comments • 51

  • @musicalprodigy1
    @musicalprodigy1 10 months ago +2

    DFIR teaching disciples yet again

    • @MyDFIR
      @MyDFIR  10 months ago

      Happy to help ❤️

  • @KenPryor
    @KenPryor 10 months ago

    Great intro to Velociraptor. I've been using it in my homelab for quite a while and finally convinced my boss a few months ago to let me set it up at work. It's been so great having it for investigative as well as general IT purposes.

    • @MyDFIR
      @MyDFIR  10 months ago +1

      Thanks! I absolutely love Velociraptor and have used it in real-world environments. I am happy you convinced your boss because this tool is awesome!!

    • @KenPryor
      @KenPryor 10 months ago

      @@MyDFIR I'm currently working as the IT guy at a small community college and I've been using it for lots of stuff. Our managed risk provider was showing a lot of machines at risk of a certain CVE, so I wrote a PowerShell script and pushed it out to all our machines via the PowerShell hunt on Velociraptor, and it worked perfectly. Such an amazing tool and, unbelievably, it's free.

  • @calmklods
    @calmklods 10 months ago +1

    Another great video, thank you MyDFIR! Keep it up, I really appreciate what you are doing and how it helps me in my learning and path into cyber security :) Happy holidays to you!

    • @MyDFIR
      @MyDFIR  10 months ago

      Great to hear! Will do ❤️

  • @trickwheel
    @trickwheel 10 months ago +2

    Are you watching my studies in my classes? It seems you keep putting out videos on stuff I am learning about or things I just covered. I just wrote about using Velociraptor. FYI, next class next semester is security scripting. Any videos on this topic? Would be appreciated if so.

    • @MyDFIR
      @MyDFIR  10 months ago +1

      Yes I am! Haha, can you imagine?! Security scripting is quite vague and honestly not something I'm super great at, but the general guidelines I would use are to find a use case for the script, go to ChatGPT and ask it to help build a base, then edit and rinse & repeat.

    • @trickwheel
      @trickwheel 10 months ago

      @@MyDFIR I believe you did make a vid about that. The class description is pretty vague too. I think it's focused on Python and tool automation scripts. Hopefully it's to help work with SOAR tools. I'll pop in and update you when I know more, as well as about the other classes. Unless you already know them 😁 Thank you for your input and assistance.

  • @PacketWatchDog
    @PacketWatchDog 9 months ago

    Great video! Thanks for this!

    • @MyDFIR
      @MyDFIR  9 months ago

      Glad you liked it!

  • @RozzClips
    @RozzClips 10 months ago

    Wohoooh!! Thank you MyDFIR

    • @MyDFIR
      @MyDFIR  10 months ago +1

      My pleasure!

  • @elliscaicedo9045
    @elliscaicedo9045 10 months ago

    Thanks MyDFIR

    • @MyDFIR
      @MyDFIR  10 months ago +1

      Thanks for watching ❤️

  • @ingrimahechavalderrama9312
    @ingrimahechavalderrama9312 5 months ago

    Thanks, great video, but I have a question: the sample client configuration is for Windows; what would the client configuration be for macOS?

    • @MyDFIR
      @MyDFIR  5 months ago

      Honestly, I haven't had the need to create one for macOS, but I would believe so: download the macOS version and run the same command.

    • @ingrimahechavalderrama9312
      @ingrimahechavalderrama9312 5 months ago

      @@MyDFIR Hello, which command? For Windows it is "sudo ./velociraptor-v0.72.0-linux-amd64 config repack --exe velociraptor-v0.72.0-windows-amd64.exe /opt/velociraptor/client.config.yaml velociraptor.exe" and for Linux "sudo ./velociraptor-v0.72.0-linux-amd64 --config /opt/velociraptor/server.config.yaml debian server --binary velociraptor-v0.72.0-linux-amd64", but on Mac how would the creation of this binary go?
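The macOS case asked about above, as an added example that is not part of the video or of the Velociraptor project: the same `config repack --exe` step the commenter quotes for Windows, run once per client platform from the Linux server binary. The release-binary names (in particular the `darwin-amd64` asset for Intel macOS), the version string and every path are assumptions and placeholders; substitute the assets you actually downloaded from the release page.

```python
"""Repack client.config.yaml into a client binary for each platform.

Added example, not code from the video or from the Velociraptor project.
Assumptions: release assets are named velociraptor-v<ver>-<os>-<arch>
(the darwin name is assumed for macOS) and all paths are placeholders.
"""
import os
import subprocess

# Release-asset name per client platform. Assumption: amd64 builds; an
# Apple Silicon Mac would use the darwin-arm64 asset if the release has one.
RELEASE_NAMES = {
    "windows": "velociraptor-v{v}-windows-amd64.exe",
    "linux": "velociraptor-v{v}-linux-amd64",
    "darwin": "velociraptor-v{v}-darwin-amd64",
}


def repack_argv(server_bin, version, platform, client_config, out_dir):
    """Build `velociraptor config repack --exe <client binary> <cfg> <out>`.

    `server_bin` is the binary you run on the server; `--exe` names the
    unmodified client binary for the target OS. The output is that binary
    with client.config.yaml embedded, so it knows the frontend to enroll
    with as soon as it runs on the endpoint.
    """
    exe = RELEASE_NAMES[platform].format(v=version)
    suffix = ".exe" if platform == "windows" else ""
    out = os.path.join(out_dir, f"velociraptor_client_{platform}{suffix}")
    return [server_bin, "config", "repack", "--exe", exe, client_config, out]


def repack_all(server_bin, version, client_config, out_dir="."):
    """Repack for every platform whose release asset is present on disk.

    Returns the output paths that were built. Platforms whose client
    binary has not been downloaded are skipped, so a server that only has
    the Windows and Linux assets still produces those two.
    """
    built = []
    for platform in RELEASE_NAMES:
        argv = repack_argv(server_bin, version, platform, client_config, out_dir)
        client_bin = argv[4]
        if not os.path.exists(client_bin):
            continue
        subprocess.run(argv, check=True)  # raises if repack fails
        built.append(argv[-1])
    return built


if __name__ == "__main__":
    # Placeholder paths following the layout used in the comments above.
    print(repack_all("./velociraptor-v0.72.0-linux-amd64", "0.72.0",
                     "/opt/velociraptor/client.config.yaml",
                     out_dir="/opt/velociraptor"))
```

Run it from the directory that holds the downloaded release assets (with sudo if `/opt/velociraptor` is root-owned, as in the commands quoted above); the macOS output is the file to copy to the Mac and run there.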

  • @kader8815
    @kader8815 5 months ago

    @MyDFIR Can I use Velociraptor with Wazuh, TheHive, Cortex and MISP?

    • @MyDFIR
      @MyDFIR  5 months ago

      Absolutely! Try it out 💪💪 You got this.

    • @kader8815
      @kader8815 4 months ago

      @@MyDFIR But I think it is hard to integrate Velociraptor with Wazuh because both use notion agents.

    • @kader8815
      @kader8815 4 months ago

      Make a video on integration between Wazuh and Velociraptor 😁

  • @amededogbeh-agbo2843
    @amededogbeh-agbo2843 10 months ago

    Great 👍

    • @MyDFIR
      @MyDFIR  10 months ago

      Thank you! Cheers!

  • @anasalbeik9328
    @anasalbeik9328 5 months ago

    Hello sir,
    why did you add a newly repacked executable 'DFIR' at minute 10:30? Is it necessary, or will the Windows machine not work well if we don't do this step? I just didn't understand the purpose of that.
    Thanks in advance ❤

    • @MyDFIR
      @MyDFIR  5 months ago +1

      Great question. Yeah, I am essentially recreating an EXE with the valid client config. That way, once I execute it on my client PC, it knows how to connect back to my velo server.

    • @anasalbeik9328
      @anasalbeik9328 5 months ago

      @@MyDFIR
      Clear, sir!
      Thank you very much ❤

  • @mdmostafizurrahman5727
    @mdmostafizurrahman5727 1 month ago

    Hi, I have Windows, and in VirtualBox on Windows I have Linux (Ubuntu). So which IP will I use while configuring the server on Linux (the Windows IP or the Linux IP)?

    • @MyDFIR
      @MyDFIR  1 month ago

      If I understood your question, you would put the Linux IP as your server.

  • @MTl-ll5er
    @MTl-ll5er 2 months ago

    Can you talk more about Velociraptor?

    • @MyDFIR
      @MyDFIR  2 months ago

      Sure, anything specific that you're looking for?

    • @MTl-ll5er
      @MTl-ll5er 2 months ago

      @@MyDFIR I have subscribed to your channel and also work as a SOC analyst. I watched this video and liked it very much. I wonder if you could explain VQL in more detail.

  • @espringer1035
    @espringer1035 10 months ago +1

    Can this all be done on VirtualBox? My guess is yes.

    • @MyDFIR
      @MyDFIR  10 months ago +1

      Yup! In fact, what you are seeing is simply a VM on VMware, but you can always switch it for VirtualBox.

    • @espringer1035
      @espringer1035 10 months ago

      @@MyDFIR Thank you, I'll try it out.

  • @moodplatform7911
    @moodplatform7911 9 months ago

    Bro, how do I add more than one client, and do we have to add our VM IP or our regular IP address? I sent that exe file to my friend to run in PowerShell, but in Velociraptor it is not showing as a client.

    • @MyDFIR
      @MyDFIR  9 months ago

      This is where network fundamentals come in: if it is on a different network and your Velociraptor server is on your home network, you will need to do some configuration to allow communication between the two.

  • @mattl5914
    @mattl5914 2 months ago

    I'm pulling my hair out trying to figure out why my test client isn't reaching the test server I just deployed. I went into /opt/velociraptor and ran the following command: [sudo velociraptor --config client.config.yaml client -v]. Though for some dang reason, it refuses to show online within the server.
    I tried logging in/out of the test server, and even rebooted the server. Same result: the client does not show within the server.
    I made sure that the Velociraptor service is running on the test Windows client, but same result. I'm at a loss as to what to do because it seems like I'm doing something wrong.

    • @MyDFIR
      @MyDFIR  2 months ago

      Gotta ask: can you ping the server from the client? Do double-check your firewall rules, as that tends to be overlooked.

    • @mattl5914
      @mattl5914 2 months ago

      @@MyDFIR Yes, I can ping from the test server to the client and vice versa with 0% packet loss. I've tried using ufw to allow ports 8889 and 8000 from the test client's IP address. By any chance, do you know what other ports may need to be opened for clients to work?

    • @mattl5914
      @mattl5914 1 month ago

      @@MyDFIR Sorry for the late update. I was able to get the issue resolved! Thank you for the help and the guide!

  • @ReligionAndMaterialismDebunked
    @ReligionAndMaterialismDebunked 10 months ago

    Fellow ethical hackers. Hehe

    • @MyDFIR
      @MyDFIR  10 months ago

      👀👀❤️

  • @elfinofficial4071
    @elfinofficial4071 9 months ago

    Is it possible to deploy Velociraptor instead of Wazuh? The company I'm working for assigned me to test Wazuh and other tools like Pritunl Zero. I'm still having quite a hard time with Wazuh's out-of-the-box rules giving out so many alerts, which, when I talk with the dev team, are considered normal (yet they won't allow me to whitelist these alerts).
    I'm still very much new (less than a month learning cybersecurity), and when there are alerts / suspicious events, it's still overwhelming to know what to do next (they don't have a playbook here yet).
    I came across Velociraptor in one of TryHackMe's rooms, and I'm wondering if this will fit my office better. What is your opinion? Is it too redundant to run both?
    I'm starting your Wazuh-TheHive series today as well. Thank you so much for all these well-done videos.

    • @MyDFIR
      @MyDFIR  9 months ago

      It depends on your use case, IMO. Velociraptor is neat; however, I see it being used as a post-compromise tool vs. a detection tool, if that is what you are trying to do.

  • @tradingwithperk
    @tradingwithperk 4 months ago

    DFIR, I can't access Velociraptor through my web browser. I entered the same public DNS name of the master frontend as you, i.e. 192.168.100.247.
    Please, how do I fix it?

    • @MyDFIR
      @MyDFIR  4 months ago

      Can't really say much without seeing your setup. Are you on the same network? Are the ports open?

  • @KitsRomero
    @KitsRomero 10 months ago

    Hi sir, I got an error when I put the IP address you put in the GUI bind_address: 192.168.100.247. The error is velociraptor[13564]: [ERROR] 2023-12-25T05:03:00Z GUI Server error: listen tcp 192.16. What IP address should I put, and where did you set this up in this YouTube video? Thank you, sir.

    • @MyDFIR
      @MyDFIR  9 months ago

      Be sure to add your private IP address and restart the service if running on-prem.

    • @mdmostafizurrahman5727
      @mdmostafizurrahman5727 1 month ago

      @@MyDFIR Hi, I have Windows, and in VirtualBox on Windows I have Linux (Ubuntu). So which IP will I use while configuring the server on Linux (the Windows IP or the Linux IP)?
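Two setup problems recur in the comments above: a client that never appears on the server (the ufw/ports question) and a GUI that fails with "GUI Server error: listen tcp ..." after bind_address is set to an IP the server host does not own (the bind_address and "which IP" questions). Here, as an added example that is not part of the video or of the Velociraptor project, is a small stdlib-only diagnostic for both: it reads `server_urls` out of client.config.yaml and checks that the frontend port is reachable from the client (that is the only port a client needs; 8889 is the GUI and only your browser talks to it), and it reads the GUI `bind_address` out of server.config.yaml and checks that the address actually belongs to a local interface. The config excerpts are constructed; the port defaults of 8000 (frontend) and 8889 (GUI) are the generator's defaults and an assumption for your file.

```python
"""Diagnose a client that cannot reach the frontend and a GUI bind_address
that is not local. Added example, not code from the video or the
Velociraptor project. The config excerpts are constructed; 8000/8889 are
assumed defaults for the frontend and GUI ports.
"""
import re
import socket
from urllib.parse import urlparse

# Constructed excerpt of client.config.yaml in the layout `config generate`
# writes (the real file also has a full ca_certificate, nonce, writeback).
SAMPLE_CLIENT_CONFIG = """\
Client:
  server_urls:
  - https://192.168.100.247:8000/
  ca_certificate: |
    (constructed placeholder)
"""

# Constructed excerpt of server.config.yaml; GUI.bind_address is what the
# `GUI Server error: listen tcp ...` message is complaining about.
SAMPLE_SERVER_CONFIG = """\
GUI:
  bind_address: 192.168.100.247
  bind_port: 8889
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
"""


def server_urls(config_text):
    """Client.server_urls from client config text (minimal YAML, no PyYAML)."""
    m = re.search(r"^\s*server_urls:\s*\n((?:[ \t]*-[ \t]*\S+\n)+)",
                  config_text, re.M)
    return re.findall(r"-[ \t]*(\S+)", m.group(1)) if m else []


def frontend_endpoints(config_text):
    """(host, port) per server URL. This is the only port a client needs."""
    return [(urlparse(u).hostname, urlparse(u).port or 8000)
            for u in server_urls(config_text)]


def gui_bind(config_text):
    """(bind_address, bind_port) from the GUI: section of server config."""
    m = re.search(r"^GUI:\n(?:[ \t]+.*\n)+", config_text, re.M)
    block = m.group(0) if m else ""
    addr = re.search(r"bind_address:\s*(\S+)", block)
    port = re.search(r"bind_port:\s*(\d+)", block)
    return (addr.group(1) if addr else "127.0.0.1",
            int(port.group(1)) if port else 8889)


def can_reach(host, port, timeout=2.0):
    """True if a TCP connection from this machine to host:port succeeds.

    Run this on the client: a False here with ping working means a host
    firewall (ufw on the server, Windows Firewall on the client) or a
    wrong server_urls entry, not the Velociraptor service itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def can_bind(addr):
    """True if addr belongs to a local interface (binding port 0 succeeds).

    The `listen tcp <ip>: ...` GUI error is what you get when bind_address
    is an IP this host does not own, e.g. the Windows host's IP typed into
    the config on the Ubuntu VM. Use the VM's own address instead.
    """
    try:
        with socket.socket() as s:
            s.bind((addr, 0))
            return True
    except OSError:
        return False


def local_listener():
    """Ephemeral localhost listener, used only to demonstrate can_reach()."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    for host, port in frontend_endpoints(SAMPLE_CLIENT_CONFIG):
        print(f"frontend {host}:{port} reachable: {can_reach(host, port)}")
    addr, port = gui_bind(SAMPLE_SERVER_CONFIG)
    print(f"GUI bind_address {addr} is local: {can_bind(addr)}")
```

Point the two functions at your real files (read them with `open(...).read()` in place of the constructed excerpts): run the frontend check on the Windows client and the bind check on the Ubuntu server. For the VirtualBox case, the address that passes `can_bind` on the VM is the one to put in both `bind_address` and `server_urls`, and the client must be able to route to it (a NAT-only VM network will not do; use bridged or host-only networking).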