Overview
Explore the powerful open-source DFIR framework Velociraptor in this 46-minute conference talk from linux.conf.au 2022. Dive into Velociraptor's flexible query language VQL and learn how to implement novel detection methods, hunt for compromises, and automate response needs across large enterprise networks. Discover techniques for investigating and monitoring Linux host security, including hunting for SSH keys, detecting webshells through process analysis, and building sophisticated alerting systems for process execution chains and network connections. Gain insights into real-time endpoint monitoring, bash instrumentation, and scalable incident response strategies. Perfect for security professionals and system administrators looking to enhance their Linux security toolkit and incident response capabilities.
Syllabus
Introduction
Overview
What is Velociraptor
What Velociraptor looks like
Velociraptor efficiency
VQL
VQL artifacts
Example
SSH logs
Grok
Notebook
Recap
Artifact
Hunt
Unsecured SSH Keys
Parse Private Keys
Binary Format
Parser
Search
Carving
Event Monitoring
Streaming Queries
Event Queries
Watch syslog
Sysmon
Taught by
linux.conf.au