Mike Cohen

It was awesome to be at the @AusCERT conference this year - What an amazing event and I learned so much! See you all next year!

At @AusCERT conference we presented "Sigma and Detection Engineering with @velocidex Velociraptor". Learn how to implement real time Sigma detection with forensic enhancements. Full presentation youtube.com/watch?v=3EBrpF… and slides docs.velociraptor.app/presentations/…

Looking forward to speaking on a panel at the @rapid7 Take Command Summit. Register for free below as we talk about between pen testing, red teaming and the benefits of running regular security exercises. rapid7.brighttalk.com/?utm_source=re…

Velociraptor release 0.73 is now available for testing! Read about all the cool new features here docs.velociraptor.app/blog/2024/2024… . An exciting new feature is built in timelining capability. Check the blog post here docs.velociraptor.app/blog/2024/2024…

We just re-published a cool blog post, on the Velociraptor Blog, by Chris Hayes from @RelianceCyber . The post illustrates the process of setting up Velociraptor using external certificates. docs.velociraptor.app/blog/2024/2024… Original post reliancecyber.com/secure-velocir…

Great example of VQL automation!

The incident started with a compromised server. When we extended the hunting to the entire network, we found traces of the "WayBack" campaign on a computer, which @yoroisecurity documented almost exactly three years ago [1]. We also found the exact same code as in the blog on the corresponding client in the customer's network. For three years, this and other code could have gone unnoticed in the network. Another reason for regular compromise assessments and hunting in the internal network. [1] yoroi.company/en/research/th…

I was so excited about the new 0.72 release of Velociraptor I just could not wait to make a quick video to show you all the new features! #velociraptor #dfir #digitalforensics Check it out here youtube.com/watch?v=FwmFYm…

Version 0.7.2 of @velocidex is now fully available for download! Learn what's new 👉 r-7.co/3WliUVJ

@Coles new shrinkflation ?

Only a few days left to secure your early bird for our Velociraptor training in Singapore. This is a rare opportunity to learn about Velociraptor and how to deploy it effectively, develop VQL artifacts and actively hunt for adversaries. #digging-deeper-with-velociraptor-35856" target="_blank" rel="nofollow noopener">blackhat.com/asia-24/traini…

@DebugPrivilege Excellent! Really looking forward to reading your full article. Thanks for the great content!

@DebugPrivilege Indeed, the act of passing this environment variable is a very strong signal in itself. I wrote about this approach here #detecting-etw-subversion" target="_blank" rel="nofollow noopener">docs.velociraptor.app/blog/2021/2021…

@DebugPrivilege This provider can be easily switched off with the COMPlus_ETWEnabled=0 environment variable blog.xpnsec.com/hiding-your-do…

#100daysofyara targeting QuasarRAT via namespace strings observed in process memory and decompiled code. #R7Labs @velocidex Windows.Detection.Yara.Process only returns one hit per process here as I added some groupings to minimise any FPs github.com/rapid7/Rapid7-…

Another #100daysofyara post - #R7Labs Source a couple of samples: bazaar.abuse.ch/browse/tag/Soc… Running @velocidex Windows.Detection.Yara.Process in should detect on a running final payloads. I have focused on simple network connection & config filename strings. github.com/rapid7/Rapid7-…

Thought I would make some posts for #100daysofyara. Not sure how often i'll post but good chance to test some triage workflow and build some pratical Velociraptor rules for automation :) In the example below I grabbed a NanoCore sample from MalwareBazaar - bazaar.abuse.ch/sample/6ff9daa… if folks want to test. Good rules dont need to be complex rules with good targeting. This sample injects an unbacked pe file with rwx permissions. In this example I have targeted unbacked xrw permisssions. I have also included -rw permissions to cover .NET reflection as NanoCore is a .net binary. Due to targeting, this query should also be quite performant. github.com/mgreen27/Detec…

@chadtilbury @sansforensics @velcidex Velociraptor can parse leveldb out of the box docs.velociraptor.app/vql_reference/… . This is used in looking in to Chrome Session Storage which can be interesting docs.velociraptor.app/artifact_refer…

We need more tools capable of parsing LevelDB! LevelDB Recon has shown a lot of promise in my testing.

We're incredibly thankful to our wonderful community of contributors, testers and enthusiasts! Without you, Velociraptor wouldn't be what it is. To all of you, your family and friends, HAPPY THANKSGIVING!

Want a sneak peek at the upcoming Velociraptor v0.7.1? With awesome new capabilities like built in Sigma integration and enhanced notebook functionality, you will want to download the release candidate today and test it out. Be sure to log any bugs or issues through GitHub. docs.velociraptor.app/blog/2023/2023…