17.4.5. Collect with Velociraptor
You can deploy the Cyber Triage Collector tool with Velociraptor. This allows you to use Velociraptor to scope out a full network and then dive deeper into a subset of hosts using Cyber Triage.
Cyber Triage uses automated analysis to score artifacts as Bad or Suspicious and provides a UI to allow you to quickly investigate hosts for intrusions.
17.4.5.1. Velociraptor Basics
Velociraptor has agents that give you the ability to query and execute commands on remote hosts.
Velociraptor has the Windows.KapeFiles.Targets artifact, which collects files from the endpoint. It produces a KAPE-like collection that can be imported directly into Cyber Triage (KAPE). However, that collection will not contain as many executable files as ours because it is a static collection (see our blog).
Velociraptor has a plug-in framework where you can install artifacts. There is a Cyber Triage-specific artifact that you will install. It is minimal and relies on the Cyber Triage Deployer script to launch the Collector. We’ll talk about that later on this page.
The Cyber Triage Deployer script will download and run the Cyber Triage Collector.
17.4.5.2. Configure Velociraptor for Collections
There are three main steps to deploy the Collector using Velociraptor:
1. Download and configure the Deployer PowerShell script.
2. Add the custom Cyber Triage artifact.
3. Add the Deployer script to Velociraptor.
17.4.5.2.1. Download and Configure Cyber Triage Deployer Script
You will use the Cyber Triage Deployer script with your Velociraptor integration. This is the same PowerShell script that is used with many EDRs.
You will need to download the script and may need to make some changes based on your use case.
Refer to Configure the Collector Deployer Powershell Script for getting and configuring the script.
You’ll add it to the Velociraptor server when you add the artifact.
17.4.5.2.2. Download and Configure the Cyber Triage Velociraptor Artifact
There is a CyberTriage.Collector artifact in the Velociraptor Artifact Exchange.
By default, the artifact will:
- Copy the Deployer PowerShell script from the Velociraptor server
- Run the Deployer script
- Copy data back to the Velociraptor server
You will only need to make changes to it if you save the results to cloud storage or use custom file rules.
If you use cloud storage, then make sure the artifact copies the cloud storage configuration file to the endpoint, and comment out the final section of the artifact that copies results back to the server.
If you use custom file collection rules, then make sure that the rules file gets copied as well.
To make any of those changes, search the artifact YAML file for the word “TODO”.
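To show where those three default steps and the two TODO edits sit in an artifact, here is an illustrative artifact skeleton. It is added here as an example and is not the Exchange's CyberTriage.Collector artifact; it assumes the tool slot is named deploy_cyber_triage_collector (as on this page), that the Deployer script is already configured to write its collection under the OutputDir parameter, and that FetchBinary returns an OSPath column (older releases return FullPath).

```yaml
# Illustrative sketch only, not the CyberTriage.Collector artifact from the Exchange.
name: Custom.CyberTriage.Collector.Sketch
description: |
  Fetches the Cyber Triage Deployer script from the Velociraptor server,
  runs it on the endpoint, and uploads the resulting collection.
type: CLIENT
tools:
  # Tool slot that the artifact editor's Tools section binds to the
  # uploaded deploy_cyber_triage_collector.ps1 file.
  - name: deploy_cyber_triage_collector
    serve_locally: true
parameters:
  - name: OutputDir
    description: Folder the Deployer script is configured to write to (assumed).
    default: C:\Windows\Temp\ct_output
sources:
  - query: |
      -- 1. Copy the Deployer script from the Velociraptor server.
      LET script <= SELECT OSPath
        FROM Artifact.Generic.Utils.FetchBinary(
          ToolName="deploy_cyber_triage_collector", IsExecutable=FALSE)

      -- TODO (cloud storage / custom file rules): fetch those files with a
      -- second FetchBinary call so the Deployer finds them on the endpoint.

      -- 2. Run the Deployer script; it downloads and launches the Collector.
      LET run <= SELECT * FROM execve(argv=[
        "powershell.exe", "-NoProfile", "-ExecutionPolicy", "Bypass",
        "-File", script[0].OSPath])

      -- 3. Copy the collection back to the server.
      -- TODO (cloud storage): comment out this block when the Deployer
      -- sends results to cloud storage instead.
      SELECT upload(file=OSPath) AS Upload
      FROM glob(globs=OutputDir + "/**")
```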
17.4.5.2.3. Add the Cyber Triage Artifact
The CyberTriage.Collector artifact is in the Exchange. You can import it into your server by running the Server.Import.ArtifactExchange artifact.
Or, you can import it manually:
* Choose “View Artifacts”
* Choose “Add Artifact” and paste in the artifact text.
* Press “Save”
Regardless of how it got there, you should see “CyberTriage.Collector” in the list of artifacts.

Select the artifact so that it can be configured.
If you need to edit it (only if you need to add configuration files or change the output), then:
- Press the pencil icon
- Give it a new name
- Make the needed changes where it says TODO
Scroll down to the Tools section and choose “deploy_cyber_triage_collector”. This opens a dialog where you can navigate to your edited copy of the deploy_cyber_triage_collector.ps1 Cyber Triage Deployer script (from the previous section).

Once you’ve chosen the file, select “Click to upload file” to upload the file to the Velociraptor server.
If you configured the artifact to also use cloud storage or custom file rules, then repeat the process for those two files.
17.4.5.3. Run the Collector Artifact
When you need to collect from an endpoint, perform the following:
1. Select the client that you want to collect from.
2. Go to the “View Artifacts” area and select “CyberTriage.Collector”.

Then select the “Collect Artifact” button on the left side. This will add it to a set of artifacts that will run. You can add others if you’d like.
The next screen, “Configure Parameters”, shows some parameters for the Collector script, but you should not change any of them.
The same applies to the resources page: the artifact already requests generous resources to make sure the collection finishes.
You can then launch it.
You can track progress under the “Artifact Collection” tab on the client. The “Log” tab will give additional information.

Once it is complete, and if you kept the default so that the output is sent back to the Velociraptor server, you can download it from the “Uploaded Files” section.
