# Velociraptor
Lifted from [Velociraptor quick start guide](https://docs.velociraptor.app/docs/deployment/quickstart/).  Nice [sample hunt in about an hour](https://www.youtube.com/watch?v=Q1IoGX--814) by Eric Capuano, and a [gist](https://gist.github.com/ecapuano/daee6f3704273c2c8b527f522c1725db) to go along with it!

## Install quick temporary server (Debian-based server with Windows clients)
1. Download the velociraptor executable (the Linux build, for the server)
2. Run `chmod +x velociraptor`
3. Generate server config: `./velociraptor config generate -i`
4. Answer the questions, then fire up the server `sudo ./velociraptor gui --config ./server.config.yaml`
5. Click **Home** and under *Current Orgs* download the client config file.  Or do:

```
./velociraptor config client --org "root" --config server.config.yaml > client.root.config.yaml
```

6. Copy that file to the other systems and start the client with `velociraptor.exe --config client.root.config.yaml client -v`

## Install full server component (Debian-based)

### Grab the server binary
Download from [here](https://docs.velociraptor.app/downloads/).

### Make it executable
```
chmod +x velociraptor
```

### Generate server config file
```
./velociraptor config generate -i
```

Tips:
* `server_urls` (under `Client`) is the address the clients dial, so set it to the server's reachable IP or DNS name, not `localhost` (`public_url`, under `GUI`, is only used to build links to the web UI when it is proxied to a different URL)
* After the config file is generated, edit it so that `bind_address` under `Frontend` is `0.0.0.0`, so the frontend listens on all interfaces and remote clients can reach it
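The two settings from the tips above, shown in context as an added config fragment (not taken from the page or from the Velociraptor docs). The section and key names are the real ones from a generated `server.config.yaml`; the address `10.0.0.5` and the `public_url` hostname are assumptions, and unrelated sections are left out:

```yaml
# Added example: the parts of server.config.yaml the tips refer to.
Client:
  server_urls:
    - https://10.0.0.5:8000/     # assumed LAN IP; clients dial this, so never localhost
  # (other Client keys unchanged)

Frontend:
  bind_address: 0.0.0.0          # listen on all interfaces, not just loopback
  bind_port: 8000
  # (certificate / hostname keys unchanged)

GUI:
  bind_address: 127.0.0.1        # keep the web UI local unless it really must be exposed
  bind_port: 8889
  public_url: https://velociraptor.example.internal/   # assumed; only affects GUI links
```

A quick check after editing is `ss -ltnp | grep velociraptor` on the server: the frontend should show `0.0.0.0:8000` rather than `127.0.0.1:8000`.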

### Install
Build a Debian package from the generated config (`./velociraptor --config server.config.yaml debian server` writes a `.deb` into the current directory) and install it, which sets up the systemd service:
```
sudo dpkg -i nameoffile.deb
```

## Login to your Velociraptor Web UI
Browse to `https://yourip:8889`. The GUI listens on the `bind_address` and `bind_port` from the `GUI` section of the config (8889 is the default port), and the certificate is self-signed unless you configured otherwise, so expect a browser warning.

## Generate Windows MSI client installs (from the server)
1. Go to **Hamburger icon > Server Artifacts**.
2. Click the **+**
3. Search for the word `MSI` - click **Server.Utils.CreateMSI** in the search results
4. In the menu that appears to the right, click the appropriate MSI file
5. Click **Launch** tab in the lower right
6. A new menu will pop up with the MSI build process.  When done, click the artifact, click **Uploaded Files** and then download the MSI file.

## Download the client config (for standalone or agentless clients)
1. Click the **Home icon**
2. Scroll down and you should see a file like `client.root.config.yaml` to download

### Edit the config file (optional)
If you're going to run clients in agentless mode (started from a share by a scheduled task rather than installed as a service), edit `client.root.config.yaml` so that `writeback_windows: $TEMP\\velociraptor.writeback.yaml`. The writeback file is where the client persists its state (client ID and key material), so this keeps that state in a temp directory instead of the default location under Program Files. Note that when the task runs as `NT AUTHORITY\SYSTEM`, `$TEMP` resolves to `C:\Windows\Temp`.

## Deploying agentless clients

### Run client instance standalone
```
velociraptor.exe --config client.root.config.yaml client --mutant ninja --verbose
```

!!!tip
`--verbose` is handy because I've had some client instances never check into the server, and the verbose flag helped identify issues (cert expiration, time sync issue, etc.)
!!!

### Deploy via GPO
[This](https://docs.velociraptor.app/blog/html/2019/03/02/agentless_hunting_with_velociraptor/) covers it pretty well, but here are the key settings to remember when creating an *immediate* task (at least on Windows 7):

#### General tab
* Give the task a name
* Run as `NT AUTHORITY\SYSTEM` (I found it easier to just type this in, not try to resolve it)
* Tick **Run whether user is logged on or not**
* Tick **Run with highest privileges**
* Tick the **Hidden** box

#### Actions tab
* Click **New...**
* Under *Action*, choose **Start a program**
* Under *Program/script* enter a UNC path where the `velociraptor.exe` lives, such as `\\dc-ac\share\velociraptor.exe`
* In the *Add arguments(optional)* field, enter `--config \\dc-ac\share\name.of.your.config.file client --mutant ninja --verbose`

!!!tip
The [client install](https://docs.velociraptor.app/docs/deployment/clients/) documentation notes:

"In our experience GPO deployments are not very reliable - we often find the Velociraptor client will be launched multiple times on the endpoint. It is highly recommended that you use the `--mutant` flag to specify a mutant preventing the client from starting multiple times."
!!!

#### Settings tab
* Tick **If the task fails, restart every: 1 minute**
* Tick **Stop the task if it runs longer than: 3 days**
* If task is already running, then the following rule applies: **Do not start a new instance**
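The standalone command above and the GPO task settings are reproduced here, as an added example that is not from the page or from the Velociraptor project, as a PowerShell script that registers the equivalent scheduled task on a single host. That is a quick way to validate the share path, the config file and the `--mutant` behaviour before rolling the task out by GPO. `\\dc-ac\share`, `client.root.config.yaml`, the task name and the mutant name `ninja` are assumptions carried over from the page; substitute your own. A GPP "immediate" task has no trigger and runs once when policy applies; an at-startup trigger plus `Start-ScheduledTask` approximates that locally.

```powershell
# Added example (not from the Velociraptor docs): register the "agentless" client
# task described in the GPO section, but locally, so it can be tested on one host.
# Share path, config name, task name and mutant name are assumptions.
$Share  = '\\dc-ac\share'                        # assumed file share with binary and config
$Exe    = Join-Path $Share 'velociraptor.exe'
$Config = Join-Path $Share 'client.root.config.yaml'
$Mutant = 'ninja'                                # any fixed string; blocks duplicate clients
$Task   = 'Velociraptor Agentless'

# Actions tab: start the binary from the UNC path with the same arguments as the page
$Action = New-ScheduledTaskAction -Execute $Exe `
    -Argument "--config `"$Config`" client --mutant $Mutant --verbose"

# General tab: run as SYSTEM whether or not anyone is logged on, highest privileges
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Settings tab: restart every minute on failure, stop after 3 days, never start a
# second instance, keep the task hidden, and do not let battery state suppress it
$Settings = New-ScheduledTaskSettingsSet `
    -RestartInterval (New-TimeSpan -Minutes 1) -RestartCount 999 `
    -ExecutionTimeLimit (New-TimeSpan -Days 3) `
    -MultipleInstances IgnoreNew -Hidden `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# Stand-in for the GPP "immediate" task: run at boot, and kick it off right now
$Trigger = New-ScheduledTaskTrigger -AtStartup

Register-ScheduledTask -TaskName $Task -Action $Action -Principal $Principal `
    -Settings $Settings -Trigger $Trigger -Force | Out-Null
Start-ScheduledTask -TaskName $Task

# Check: with the mutant honoured, exactly one velociraptor.exe should be running
# even if the task is started a second time.
Start-Sleep -Seconds 10
Start-ScheduledTask -TaskName $Task
Start-Sleep -Seconds 5
$Running = @(Get-Process -Name velociraptor -ErrorAction SilentlyContinue)
"velociraptor.exe instances: $($Running.Count)"   # expect 1
(Get-ScheduledTaskInfo -TaskName $Task).LastTaskResult
```

If the count is 0, run the same command line by hand with `--verbose` as the page suggests; a clock skew or an expired certificate shows up there long before the client appears in the GUI. If it is greater than 1, the mutant name is not the same across invocations.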
