Rapid Endpoint Investigations ‐ Wiki Home
Welcome to the rapid-endpoint-investigations wiki, clearly (and perpetually!) a work in progress! Keep scrolling for the general workflow or click a specific topic link below:
- REI Workflow - AWS Setup & Config for Offline Collector Upload
- VR Artifact: Windows Hashes for Executable Content in World-Writable Dirs
This repo contains scripts and notes for performing rapid Windows/Linux endpoint "tactical triage" and investigations with Velociraptor, UAC, PowerShell and KAPE.
First, acquire and stage the tooling:
- Velociraptor (download): https://docs.velociraptor.app/downloads/ (tested with 0.75.4, current at the time of this write-up)
- KAPE (register, download, support the project!): https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape
Executables for KAPE Modules (download and copy to KAPE\Modules\bin):
- NirSoft BrowsingHistoryView: https://www.nirsoft.net/utils/browsing_history_view.html (SAVE TO: ..KAPE\modules\bin\browsinghistoryview.exe)
- NirSoft Browser Downloads View: https://www.nirsoft.net/utils/web_browser_downloads_view.html (SAVE TO: ..KAPE\modules\bin\browserdownloadsview.exe)
- ObsidianForensics Hindsight: https://github.com/obsidianforensics/hindsight (SAVE TO: ..KAPE\modules\bin\hindsight.exe)
- Hayabusa: https://github.com/Yamato-Security/hayabusa/releases (Install/Unzip Hayabusa, then COPY all of the installation-directory contents to a "hayabusa" directory AND rename the hayabusa-2.x.x-win-x64.exe to "hayabusa.exe": ..KAPE\modules\bin\hayabusa)
NOTE: You will need to run the !!ToolSync module (now included in the rapid triage script) or launch Gkape and click the "sync with github" button at the bottom before running the script!
"Invoke-KAPE" PowerShell Script (download and copy to the root of your KAPE directory, e.g. C:\Tools\KAPE)
Custom EvtxECmd Module:
- Download !EvtxECmd.mkape from this repo, save to your KAPE\Modules\!Local directory
Documentation References:
- Velociraptor: https://docs.velociraptor.app/blog/2025/2025-08-30-release-notes-0.75/
- KAPE: https://ericzimmerman.github.io/KapeDocs/#!index.md
Other Requirements:
- PowerShell 7.x
- S3 with user/IAM policies, if desired for Velociraptor Offline Collector Upload (notes coming soon!)
- Microsoft Excel (OpenOffice/LibreOffice Calc can be used for Analysis, but the scripted/consolidated output requires the Excel executable.)
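Before running the triage script, it is worth confirming that every binary and module above landed in the directory and under the file name the script expects. The following preflight check is an added example and is not part of this repo; the KAPE root (C:\Tools\KAPE) is an assumption taken from the wiki's own example path and can be overridden with -KapeRoot.

```powershell
# Added example (not part of the rapid-endpoint-investigations repo): verify that the
# KAPE tree is staged the way this wiki expects before running the rapid triage script.
# $KapeRoot is an assumption (the wiki's example path); pass -KapeRoot to override.
param([string]$KapeRoot = 'C:\Tools\KAPE')

# Relative paths exactly as the wiki describes them (names matter: KAPE modules
# reference these executables by file name).
$expected = @(
    @{ Path = 'kape.exe';                             Note = 'KAPE itself' }
    @{ Path = 'Invoke-KAPE.ps1';                      Note = 'wrapper script at the KAPE root' }
    @{ Path = 'Modules\bin\browsinghistoryview.exe';  Note = 'NirSoft BrowsingHistoryView' }
    @{ Path = 'Modules\bin\browserdownloadsview.exe'; Note = 'NirSoft Browser Downloads View' }
    @{ Path = 'Modules\bin\hindsight.exe';            Note = 'ObsidianForensics Hindsight' }
    @{ Path = 'Modules\bin\hayabusa\hayabusa.exe';    Note = 'Hayabusa, renamed from hayabusa-2.x.x-win-x64.exe' }
    @{ Path = 'Modules\!Local\!EvtxECmd.mkape';       Note = 'custom EvtxECmd module from this repo' }
)

function Test-KapeStaging {
    param([string]$Root, [hashtable[]]$Items)
    foreach ($item in $Items) {
        $full = Join-Path $Root $item.Path
        [pscustomobject]@{
            Present = (Test-Path -LiteralPath $full -PathType Leaf)
            Path    = $full
            Note    = $item.Note
        }
    }
}

$report  = Test-KapeStaging -Root $KapeRoot -Items $expected
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Present })

# The triage and expand-archive scripts on this page require PowerShell 7.x.
if ($PSVersionTable.PSVersion.Major -lt 7) {
    Write-Warning "PowerShell 7.x is required; this session is $($PSVersionTable.PSVersion)"
}
if ($missing.Count -gt 0) {
    Write-Warning ('{0} item(s) missing; stage them before running the triage script.' -f $missing.Count)
    exit 1
}
Write-Host 'KAPE staging looks complete. Remember to run !!ToolSync (or gkape "sync with github") first.'
```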
Acquire Artifacts {point of impact} - Using Velociraptor Offline Collector
Analyze Artifacts {start from event context} - Using KAPE and Invoke-KAPE to parse
Identify IOCs {m...i...n...d} - Filter out "normal" & focus on meaningful impact (Memory-Identity-Network-Disk)
Expand Context {find attack extents}
Contain {from attack extents}
NOTE: See the "Incident Response Capabilities Matrix Model" for more details - https://securecake.com/f/incident-response-capabilities-matrix-model---preamble?blogcategory=IRCMM
Download and execute the current, stable version of Velociraptor (see link above for download and documentation):
velociraptor-v0.75.4-windows-amd64.exe gui
Your default web browser should open automatically (click through cert warnings) to the VR Welcome Screen. Click on "Import Extra Artifacts" below "Welcome to Velociraptor!" You don't need to configure any option, just click the "Launch" tab at the bottom. Be patient while the import runs (status shows "Scheduled" but it is running). Once the status changes to a "check mark" (complete), proceed with the next steps.
Click on "Server Artifacts" (left-hand flyout menu), "Build Offline Collector" (paper airplane icon), then search and "click to add" artifacts:
- Windows.Network.NetstatEnriched (NOTE: Change ProcessNameRegex to = ".")
- Windows.System.Pslist
- Windows.Triage.Targets (the Artifacts formerly known as KAPE)
- Windows.Sysinternals.Autoruns
- Windows.System.Services
- Windows.System.DNSCache
Click the "Configure Parameters" tab and change/configure the following:
- Windows.Network.NetstatEnriched [Change the ProcessNameRegEx to = "."]
- Windows.Triage.Targets
- HighLevelTargets: Select _KapeTriage
- Devices: Click the "+" to add Drive Values (if desired), e.g. D:, E:, F:
Configure "Collection" - local/no-upload (ZIP) or local/with-upload (S3)
- [Option #1] Collection Type: ZIP
- Output Format: CSV and JSON
- Filename Format: (change if desired)
- Set Collector Name: company-no-upload-win64-vr0754.exe (something clear/descriptive)
- [Option #2] Collection Type: AWS Bucket (See "AWS Collection Upload Configuration" NOTES below)
- S3 Bucket: your-triage-upload-bucket-name (no "/")
- Credentials Key: copy/paste your AWS IAM Access Key here (remove any trailing space!)
- Credentials Secret: copy/paste your AWS IAM Secret Key here (remove any trailing space!)
- Region: us-east-1 (edit according to your desired region)
- File Name Prefix: your-case-specific-folder-name/ (include trailing "/")
- Output Format: CSV and JSON
- Click Launch then Download Collector (after collection type configuration):
- Click the "Launch" Tab...wait until VR check, etc., followed by job State = Completed (check mark icon)
- Click the top (most recent) job, "Server.Utils.CreateCollector"
- Click the "Uploaded Files" tab, then click the collector filename under "vfs_path", e.g. "company-no-upload-win64-vr0754.exe" (whatever you named it in the previous steps!)
- If you receive browser warnings, click "keep" and "keep anyway" and "I'm serious, keep the dang file!" and download.
If you want to use automatic upload to S3 for your Velociraptor Offline Collector, click HERE for details.
NOTE: I highly recommend you test your offline collector prior to deployment!
Copy the offline collector executable to the system/s you are investigating. If you chose "ZIP" collection type, a ZIP file and log file will be created in the directory where the collector is saved. At completion, "Press the Enter Key to end" (may have to press "Enter" twice!).
If you chose the "AWS Bucket" collector, a log file will be created in the directory where the collector is saved and a ZIP file will be uploaded to your Bucket and saved in the directory where the collector was saved/executed. "Press the Enter Key to end" (may have to press "Enter" twice!)
IMPORTANT: Run the collector as ADMINISTRATOR
Stage your ZIP file/s and edit the Kape_Rapid_Triage_Excel Latest Rev Here script to match your drive and folder structure:
I use an EC2 Windows 2022 instance, creating an OS Volume (C: - 120 GB) and a Case/Data Volume (D: - 1 to 2 TB, mostly for IOPs but also to accommodate numerous collections). I'll then create a "case folder," e.g. D:\cases\2023-11-1-abc, with a "triage_data" subdirectory, and copy one or more ZIP files into that subdirectory. You can manually unzip the ZIP files, if there are only one or two, or you can use the "expand-archive-triage-data-rev3.ps1" script (requires PoSh 7.x) to unzip all ZIP files in your "triage_data" folder, automatically creating unique subfolders for each ZIP-file output.
NOTE: I store all of my tools on the OS Volume (C:\Tools..) and then delete and re-create the Case/Data Volume for each Case.
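The expansion step above, written out as an added example; this is not the repo's expand-archive-triage-data-rev3.ps1 script. It assumes the case layout from the wiki (D:\cases\<casename>\triage_data) and records the SHA-256 of each ZIP beside the folder it was expanded into.

```powershell
# Added example (not the repo's expand-archive-triage-data-rev3.ps1): unzip every
# collector ZIP under triage_data into its own subfolder so collections from several
# hosts never overwrite each other. Case name and root are the wiki's example values.
#Requires -Version 7.0
param(
    [string]$CaseName = '2023-11-1-abc',   # assumption: wiki example case folder
    [string]$CaseRoot = 'D:\cases'
)
$triageData = Join-Path (Join-Path $CaseRoot $CaseName) 'triage_data'
if (-not (Test-Path -LiteralPath $triageData)) {
    throw "triage_data directory not found: $triageData"
}
$zips = @(Get-ChildItem -LiteralPath $triageData -Filter '*.zip' -File)
if ($zips.Count -eq 0) { Write-Warning "No ZIP files in $triageData"; return }

$manifest = Join-Path $triageData 'expanded_archives.csv'
foreach ($zip in $zips) {
    # Output folder is named after the ZIP; append a counter if that name is taken.
    $dest = Join-Path $triageData $zip.BaseName
    $n = 1
    while (Test-Path -LiteralPath $dest) {
        $dest = Join-Path $triageData ('{0}_{1}' -f $zip.BaseName, $n)
        $n++
    }
    Write-Host "Expanding $($zip.Name) -> $dest"
    Expand-Archive -LiteralPath $zip.FullName -DestinationPath $dest -ErrorAction Stop

    # Record hash and destination so the evidence trail survives later re-staging.
    $hash = (Get-FileHash -LiteralPath $zip.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{ Zip = $zip.Name; Sha256 = $hash; ExpandedTo = $dest } |
        Export-Csv -LiteralPath $manifest -Append -NoTypeInformation
}
```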
Next, review the Kape_Rapid_Triage_Excel script and change variables to match your setup: NOTE: I use Visual Studio Code to open/edit/run the Script
- In your Terminal, navigate to the directory where you installed KAPE ("Invoke-Kape.ps1" should be in the same directory):
- e.g. C:\Tools\KAPE
- Edit the case directory variables:
- $casename = '2023-11-1-abc'
- $triage_data_directory = "D:\cases\$casename\triage_data"
- $kape_destination_directory = "D:\cases\$casename\kape_output"
- Edit the EVTX triage variables:
- $startdate = '2023-11-01'
- $includedevents = (add/delete as desired!)
- $csvf = (this is the output file name, change as desired)
- Edit the MFT File Listing file extensions, as desired (line 29):
- Example - Add file extension: ...ps1") -or ($_.Extension -eq ".7z")} [Recently UPDATED to add a few common malicious indicators.]
- Run the script! Upon completion, you should have three directories, several CSV files and one XLSX file for each Triage Collection under your Case Folder\kape_output:
- e.g. D:\cases\2023-11-1-abc\kape_output\Workstation01 (original ZIP collection files)
- e.g. D:\cases\2023-11-1-abc\kape_output\Workstation01-evtx (processed EVTX files)
- e.g. D:\cases\2023-11-1-abc\kape_output\Workstation01-mft-filelisting (processed MFT files)
- e.g. D:\cases\2023-11-1-abc\kape_output\Workstation01\Workstation01-mft_filelisting_executable_files.csv (MFT filtered on specified File Extensions)
- e.g. D:\cases\2023-11-1-abc\kape_output\Workstation01\Workstation01-web-and-exe.evtx.xlsx (combined output from "triage" EVTX, Hayabusa, Web and Execution artifacts)
NOTE: You should have a CSV for several Velociraptor "parsed" artifacts for each Triage Collection (Autoruns, Netstat, PSlist, Services, DNSCache)
You have some context already or you wouldn't be here, doing this! Start with that: date/timestamp, process name, user account, filename, etc. This process is designed for expedient, actionable intelligence, not minutiae! I'd start with:
- The "-web-and-exe-evtx.xlsx" workbook and with Hayabusa "high/critical" findings
- Check "Netstat Enriched" and "PSList" (NOTE: these are NOW located in the kape_output folder, named for each Triage Collection/host)
- After that, I'll usually pivot to the MFT file listing, looking for files of interest based on "date/timestamp" (noted below)
Once you identify a date/timestamp, use that intelligence to narrow your review of other artifacts:
- Start with "concurrent" (what happened at or about the same time?)
- Expand your date/timestamp scope to look for "antecedent" indicators (what happened right after?)
- Expand your date/timestamp scope to look for "precedent" indicators (what happened right before?)
- Take whatever "clues" (aka IOCs) and search for "attack extents" (the end of indicators on the endpoint, other endpoints, all endpoints in your environment)
NOTE: Don't forget that you have the unfiltered versions of parsed EVTX and MFT available for follow-up/deeper analysis (D:\cases\2023-11-1-abc\kape_output\Workstation01-mft-filelisting\Filesystem ... and Workstation01-evtx\EventLogs)
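The MFT pivot described above (filter the file listing on executable-type extensions, then bucket hits as concurrent with, before, or after a timestamp you already have context for) as an added example; this is not the repo's Kape_Rapid_Triage_Excel script. Column names (ParentPath, FileName, Extension, Created0x10) are assumed to follow MFTECmd's CSV output, and the sample rows are constructed, not from a real collection.

```powershell
# Added example, not the repo's Kape_Rapid_Triage_Excel script. Filters an MFTECmd-style
# file listing on extensions of interest, then buckets each hit relative to a pivot
# timestamp. Column names are assumed from MFTECmd CSV output; adjust if yours differ.
$executableExtensions = @('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta', '.scr', '.7z', '.zip')

function Get-MftPivot {
    param(
        [Parameter(Mandatory)] [object[]]$Rows,      # objects from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] [datetime]$Pivot,     # the timestamp you already have context for
        [int]$WindowMinutes = 30,                    # +/- window that counts as "concurrent"
        [string[]]$Extensions = $executableExtensions
    )
    $lo = $Pivot.AddMinutes(-$WindowMinutes)
    $hi = $Pivot.AddMinutes($WindowMinutes)
    $Rows |
        Where-Object { $Extensions -contains "$($_.Extension)".ToLower() } |
        ForEach-Object {
            # MFTECmd writes timestamps like 2023-11-01 14:02:45.0000000 (UTC)
            $created = [datetime]::Parse($_.Created0x10, [cultureinfo]::InvariantCulture)
            $bucket  = if ($created -lt $lo) { 'before' } elseif ($created -gt $hi) { 'after' } else { 'concurrent' }
            [pscustomobject]@{
                Bucket    = $bucket
                Created   = $created
                Path      = Join-Path $_.ParentPath $_.FileName
                Extension = $_.Extension
            }
        } | Sort-Object Created
}

# Constructed sample rows in MFTECmd-style columns (not a real collection).
$sample = @'
ParentPath,FileName,Extension,Created0x10
.\Windows\System32,notepad.exe,.exe,2023-10-20 09:00:00.0000000
.\Users\Public,update.7z,.7z,2023-11-01 13:58:10.0000000
.\Users\Public,run.ps1,.ps1,2023-11-01 14:02:45.0000000
.\Users\Public,notes.txt,.txt,2023-11-01 14:03:00.0000000
.\ProgramData,svc.exe,.exe,2023-11-01 16:40:00.0000000
'@ | ConvertFrom-Csv

# Start narrow (15 minutes either side), then widen -WindowMinutes to find what led up
# to and followed the event. notes.txt drops out (not an extension of interest);
# notepad.exe and svc.exe land in "before" and "after".
$result = Get-MftPivot -Rows $sample -Pivot '2023-11-01 14:00:00' -WindowMinutes 15
$result | Format-Table -AutoSize
```

For a real collection, replace $sample with Import-Csv against the MFT listing under Workstation01-mft-filelisting\Filesystem and export the result as the -mft_filelisting_executable_files.csv for that host.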