The Velociraptor provider

Velociraptor driver documentation

The Velociraptor data provider can read Velociraptor offline collection log files (see Velociraptor Offline Collection) and provide convenient query functions for each data set in the output logs.

The provider can read files from one or more hosts, stored in in separate folders. The files are read, converted to pandas DataFrames and grouped by table/event. Multiple log files of the same type (when reading in data from multiple hosts) are concatenated into a single DataFrame.

The query provider query functions will ignore parameters and do no further filtering. You can use pandas to do additional filtering and sorting of the data, or use it directly with other MSTICPy functionality.

Note

The examples used in this document were from data provided by Blue Team Village at Defcon 30. You can find this data at the Project-Obsidian-DC30 GitHub and more about Project Obsidian here.

Velociraptor Configuration

You can (optionally) store your connection details in msticpyconfig.yaml, instead of supplying the data_paths parameter to the QueryProvider class.

For more information on using and configuring msticpyconfig.yaml see msticpy Package Configuration and MSTICPy Settings Editor

The Velociraptor settings in the file should look like the following:

DataProviders:
    ...
    Velociraptor:
        data_paths:
            - /home/user1/sample_data
            - /home/shared/sample_data

Expected log file format

The log file format must be a text file of JSON records. An example is shown below

{"Pid":1664,"Ppid":540,"Name":"spoolsv.exe","Path":"C:\Windows\System32\spoolsv.exe","CommandLine":"C:\Windows\System32\spoolsv.exe","Hash":{"MD5":"c111e3d38c71808a8289b0e49db40c96","SHA1":"e56df979d776fe9e8c3b84e6fef8559d6811898d","SHA256":"0ed0c6f4ddc620039f05719d783585d69f03d950be97b49149d4addf23609902"},"Username":"NT AUTHORITY\SYSTEM","Authenticode":{"Filename":"C:\Windows\System32\spoolsv.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002ed2c45e4c145cf48440000000002ed","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows","Timestamp":null,"Trusted":"trusted","_ExtraInfo":{"Catalog":"C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_6350_for_KB5007192~31bf3856ad364e35~amd64~~10.0.1.8.cat"}},"Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49697,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:45Z"}
{"Pid":548,"Ppid":416,"Name":"lsass.exe","Path":"C:\Windows\System32\lsass.exe","CommandLine":"C:\Windows\system32\lsass.exe","Hash":{"MD5":"93212fd52a9cd5addad2fd2a779355d2","SHA1":"49a814f72292082a1cfdf602b5e4689b0f942703","SHA256":"95888daefd187fac9c979387f75ff3628548e7ddf5d70ad489cf996b9cad7193"},"Username":"NT AUTHORITY\SYSTEM","Authenticode":{"Filename":"C:\Windows\System32\lsass.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002f49e469c54137b85e00000000002f4","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49722,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:54Z"}
{"Pid":540,"Ppid":416,"Name":"services.exe","Path":"C:\Windows\System32\services.exe","CommandLine":"C:\Windows\system32\services.exe","Hash":{"MD5":"fefc26105685c70d7260170489b5b520","SHA1":"d9b2cb9bf9d4789636b5fcdef0fdbb9d8bc0fb52","SHA256":"930f44f9a599937bdb23cf0c7ea4d158991b837d2a0975c15686cdd4198808e8"},"Username":"NT AUTHORITY\SYSTEM","Authenticode":{"Filename":"C:\Windows\System32\services.exe","ProgramName":"Microsoft Windows","PublisherLink":null,"MoreInfoLink":"http://www.microsoft.com/windows","SerialNumber":"33000002a5e1a081b7c895c0ed0000000002a5","IssuerName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011","SubjectName":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher","Timestamp":null,"Trusted":"trusted","_ExtraInfo":null},"Family":"IPv4","Type":"TCP","Status":"LISTEN","Laddr.IP":"0.0.0.0","Laddr.Port":49728,"Raddr.IP":"0.0.0.0","Raddr.Port":0,"Timestamp":"2022-02-12T19:35:57Z"}

The columns in each JSON will be used to create the pandas DataFrame columns.

Using the Velociraptor provider

To use the Velociraptor provider you need to create an QueryProvider instance, passing the string “VelociraptorLogs” as the data_environment parameter. If you have not configured data_paths in msticpyconfig.yaml, you also need to add the data_paths parameter to specify specific folders or files that you want to read.

Calling the connect method triggers the provider to register the paths of the log files to be read (although the log files are not read and parsed until the related query is run - see below).

Listing Velociraptor tables

Until you run connect no queries will be available. After running connect you can list the available queries using the list_queries

qry_prov.list_queries()
['velociraptor.Custom_Windows_NetBIOS',
'velociraptor.Custom_Windows_Patches',
'velociraptor.Custom_Windows_Sysinternals_PSInfo',
'velociraptor.Custom_Windows_Sysinternals_PSLoggedOn',
'velociraptor.Custom_Windows_System_Services',
'velociraptor.Windows_Applications_Chrome_Cookies',
'velociraptor.Windows_Applications_Chrome_Extensions',
'velociraptor.Windows_Applications_Chrome_History',
'velociraptor.Windows_Applications_Edge_History',
'velociraptor.Windows_Forensics_Lnk',
'velociraptor.Windows_Forensics_Prefetch',
'velociraptor.Windows_Forensics_ProcessInfo',
'velociraptor.Windows_Forensics_Usn',
...]

Querying Velociraptor table schema

The schema of the log tables is built by sampling the first record from each log file type, so is relatively fast to retrieve even if you have large numbers and sizes of logs.

vc_prov.schema["Windows_Network_InterfaceAddresses"]
{'Index': 'int64',
'MTU': 'int64',
'Name': 'object',
'HardwareAddr': 'object',
'Flags': 'int64',
'IP': 'object',
'Mask': 'object'}

Running a Velociraptor query

Each query returns a pandas DataFrame retrieved from the logs of that type (potentially containing records from multiple hosts depending on the data_paths you specified).

qry_prov.vc_prov.velociraptor.Windows_Forensics_ProcessInfo()

Name

PebBaseAddress

Pid

ImagePathName

CommandLine

CurrentDirectory

Env

10

LogonUI.exe

0x95bd3d2000

804

C:Windowssystem32LogonUI.exe

“LogonUI.exe” /flags:0x2 /state0:0xa3b92855 /state1:0x41c64e6d

C:Windowssystem32

{‘ALLUSERSPROFILE’: ‘C:\ProgramD..

11

dwm.exe

0x6cf4351000

848

C:Windowssystem32dwm.exe

“dwm.exe”

C:Windowssystem32

{‘ALLUSERSPROFILE’: ‘C:\ProgramD..

12

svchost.exe

0x6cd64d000

872

C:WindowsSystem32svchost.exe

C:WindowsSystem32svchost.exe -k termsvcs

C:Windowssystem32

{‘ALLUSERSPROFILE’: ‘C:\ProgramD..

13

svchost.exe

0x7d18e99000

912

C:WindowsSystem32svchost.exe

C:WindowsSystem32svchost.exe -k LocalServiceNetworkRestricted

C:Windowssystem32

{‘ALLUSERSPROFILE’: ‘C:\ProgramD..

14

svchost.exe

0x5c762eb000

920

C:Windowssystem32svchost.exe

C:Windowssystem32svchost.exe -k LocalService

C:Windowssystem32

{‘ALLUSERSPROFILE’: ‘C:\ProgramD..