
Velociraptor Offline Collector

This is a living document and may be incomplete.

  • Updated 1DEC2023

Locating Evidence of Execution using Prefetch, Velociraptor, and Zimmerman's PECmd

Prefetch is a common Windows artifact used to determine the first and last occurrences of a program being executed. Each prefetch file is a binary blob stored under $:\Windows\Prefetch, and the folder consists of a series of files named APPLICATION-GUID.pf. These files contain the name of the executable, the last n run date/time groups, a hash of the executable and its path, and a list of files accessed by the .exe in the first few seconds of loading.

  • Get-ZimmermanTools.ps1
  • Velocidex/Velociraptor
  • KAPE - note that it is necessary to provide the vendor with your email address to obtain KAPE, but it will make your life much, much easier.

Using Velociraptor to collect forensic artifacts from a Live System

  1. Download Velociraptor and, from an admin/sudo command prompt/CLI, run velociraptor gui
  2. A browser will pop up; choose Accept and Continue when warned about the missing certificates.
  3. From the Common Tasks menu, choose Build an Offline Collector
  4. In the top left, select the paper plane icon with a tool tip of Build Offline Collector below the search bar.
  5. On the Create Offline collector: Select artifact to collect page, choose Windows.KapeFiles.Targets and click Configure Parameters in the bottom left.
  6. On the Configure artifact parameters page, click the wrench icon and ensure the following parameters are set:
    a. search for _SANS_Triage and ensure the check box is checked. You may review the triage to ensure the desired artifacts are available or choose to only collect the prefetch files individually.
    b. Ensure the correct drive letters are present in the Device: setting, e.g. C:,D:
  7. Choose Configure Collection and, if desired, provide additional inputs. Notably, the Encryption Scheme may be modified to produce a password-protected file, or the Collection type may be directed to an AWS S3 bucket, Azure Storage Blob, or GoogleDrive of your choosing. Choose Specify Resources to continue.
  8. On the Specify Resources page you may modify the following:
    a. CPU Limit Percent - this is beneficial when performing forensics on live systems that cannot be removed from production or must be collected without the users' knowledge.
    b. Max Execution Time in Seconds - this has a default value of 600 seconds (10 minutes). This value may not be appropriate for systems with large file systems or a long history of use.
    c. Max Idle Time in Seconds - this may be set to prevent the collector from hanging during collection. This is again for live/user systems.
  9. Choose Launch and the window will close.
  10. From the collection list above, select Server.Utils.CreateCollector
  11. Click the Uploaded Files tab and select the file under the heading vfs_path. This will usually look like \Collector-velociraptor-v0.7.0-3-windows-amd64.exe. Note that the version number depends on your Velociraptor executable.
  12. From here, the file may be transferred to a USB drive or placed using EDR/MDM software and executed using an admin command prompt.

Using PECmd.exe from ZimmermanTools to identify evidence of execution

  1. Unzip the Velociraptor collection, locate the uploads folder, and note the path to the windows\prefetch folder within it.
  2. In an admin command prompt, locate the PECmd.exe executable within the Zimmerman tool set.
  3. Run the following command: PECmd.exe -d c:\path\to\windows\prefetch\identified\above --csv c:\path\to\velociraptor\collection\results\ --csvf name_of_output_file.csv
  4. This output file is viewed most effectively with TimelineExplorer.exe, found in the folder of the same name in the Zimmerman tools.
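Once PECmd has written its CSV, a short script can answer the question this procedure is really asking: which executables ran, when were they first and last seen, and what ran inside a given window. The following is an added example, not code from this post or from Zimmerman's tools; the column names (ExecutableName, RunCount, LastRun, PreviousRun0..N) are assumed to match PECmd's CSV layout and the sample CSV is constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a PECmd --csv output file (column names assumed to match
# PECmd's; a real file carries many more columns, which the parser ignores).
SAMPLE_CSV = """ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,PreviousRun2
CMD.EXE,12,2023-11-30 14:22:01.1234567,2023-11-29 09:10:00.0000000,2023-11-28 08:00:00.0000000,
UPDATER.EXE,1,2023-11-30 03:41:17.0000000,,,
NOTEPAD.EXE,3,2023-11-01 10:00:00.0000000,2023-10-15 12:00:00.0000000,2023-10-01 09:30:00.0000000,
"""

def parse_pecmd_time(value):
    """Parse a PECmd timestamp; returns None for the blank cells of unused run slots."""
    value = value.strip()
    if not value:
        return None
    if "." in value:
        # PECmd writes seven fractional digits; strptime's %f accepts at most six.
        base, frac = value.split(".", 1)
        return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def summarize_execution(csv_text):
    """Map each executable name to its earliest/latest retained run time, total run
    count and the list of retained run times. Rows sharing an executable name
    (the same program run from different paths) are merged."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        runs = [parse_pecmd_time(row["LastRun"])]
        runs += [parse_pecmd_time(v) for k, v in row.items() if k.startswith("PreviousRun")]
        runs = [t for t in runs if t is not None]
        if not runs:
            continue
        entry = summary.setdefault(row["ExecutableName"], {"runs": [], "count": 0})
        entry["runs"].extend(runs)
        entry["count"] += int(row["RunCount"])
    for entry in summary.values():
        entry["runs"].sort()
        # Prefetch retains only the last eight run times, so "first" is the earliest
        # retained run, not necessarily the true first execution; RunCount is the total.
        entry["first"], entry["last"] = entry["runs"][0], entry["runs"][-1]
    return summary

def executed_between(summary, start, end):
    """Names of executables with a retained run time inside [start, end] (PECmd format)."""
    lo, hi = parse_pecmd_time(start), parse_pecmd_time(end)
    return sorted(name for name, e in summary.items() if any(lo <= t <= hi for t in e["runs"]))

if __name__ == "__main__":
    for name, e in summarize_execution(SAMPLE_CSV).items():
        print(f"{name:<14} first={e['first']} last={e['last']} runs={e['count']}")
```

Point summarize_execution at the CSV produced by step 3 (read the file into a string) to get the same summary for a real collection.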

TODO:
Write up how to use KAPE Modules EZ on Velociraptor collection.

Once a week, our security team gathers everyone into a meeting and shares the last week’s worth of security related news and any new security initiatives. This one hour may be the most valuable meeting we attend and has the greatest impact on successful security outcomes. What is it? We call ours a Security Show & Tell. (You can call it whatever fun and exciting name fits your corporate culture.) Regardless of the name, the goal is to set aside an hour each week to share three kinds of security stories and our response to them. Stories that are in the news. Stories that impact our work. Stories that impact our lives. Author’s Note: There’s some helpful tips below on how to gather these stories.  Why you should do it There’s a lot of great reasons to do this, but I want to drive home a few really important ones. How many times has this happened to you? You wake up, open infosec.exchange , and begin scrolling only to find out that $Vendor has a nasty zero-day and organiza