Rapid7 is excited to announce the release of version 0.6.6 of Velociraptor – an advanced, open-source digital forensics and incident response (DFIR) tool that enhances visibility into your organization’s endpoints. After several months of development and testing, we are pleased to share its powerful new features and improvements.
The largest improvement in the 0.6.6 release by far is the introduction of organizational division within Velociraptor. Velociraptor is now a fully multi-tenanted application. Each organization is like a completely different Velociraptor installation, with unique hunts, notebooks, and clients. That means:
When looking at the latest Velociraptor GUI you might notice the organizations selector in the User Settings page.
The latest User Settings page
This allows the user to switch between the different organizations they belong in.
Let’s go through a quick example of how to create a new organization and use this feature in practice.
Multi-tenancy is simply a layer of abstraction in the GUI separating Velociraptor objects (such as clients, hunts, notebooks, etc.) into different organizational units.
You do not need to do anything specific to prepare for a multi-tenant deployment. Every Velociraptor deployment can create a new organization at any time without affecting the current install base at all.
By default all Velociraptor installs (including upgraded ones) have a root organization which contains their current clients, hunts, notebooks, etc. (You can see this in the screenshot above.) If you choose to not use the multi-tenant feature, your Velociraptor install will continue working with the root organization without change.
Suppose a new customer is onboarded, but they do not have a large enough install base to warrant a new cloud deployment (with the associated infrastructure costs). We want to create a new organization for this customer in the current Velociraptor deployment.
To create a new organization, we simply run the Server.Orgs.NewOrg server artifact from the Server Artifacts screen.
Creating a new organization
All we need to do is give the organization a name.
New organization is created with a new OrgId and an Admin User
Velociraptor uses the OrgId internally to refer to the organization, but the organization name is used in the GUI to select the different organizations. The new organization is created with the current user being the new administrator of this org.
Since all Velociraptor agents connect to the same server, there has to be a way for the server to identify which organization each client belongs in. This is determined by the unique nonce inside the client’s configuration file. Therefore, each organization has a unique client configuration that should be deployed to that organization.
We will list all the organizations on the server using the Server.Orgs.ListOrgs artifact. Note that we are checking the AlsoDownloadConfigFiles parameter to receive the relevant configuration files.
Listing all the organizations on the server
The artifact also uploads the configuration files.
Viewing the organization’s configuration files
Now, we go through the usual deployment process with these configuration files and prepare MSI, RPM, or Deb packages as normal.
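Because the nonce is what ties a client to its organization, a config file copied into the wrong package would silently enroll that customer's endpoints into another org. The following check, an added example that is not part of Velociraptor, reads the client configs downloaded by Server.Orgs.ListOrgs and reports any nonce shared between files. It assumes the files are YAML with a top-level `Client:` block holding a `nonce:` key and uses a small line scanner instead of a YAML library; the file names and nonce values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample configs, one per org, as ListOrgs would upload them.
# The nonces are made-up values, not real Velociraptor output. The third
# file deliberately reuses customer A's nonce to show what a mistake looks like.
SAMPLE_CONFIGS = {
    "client.root.config.yaml":
        "Client:\n  server_urls:\n  - https://velo.example.internal:8000/\n  nonce: AAAAroot0001\n",
    "client.customerA.config.yaml":
        "Client:\n  server_urls:\n  - https://velo.example.internal:8000/\n  nonce: BBBBcustA002\n",
    "client.customerB.config.yaml":
        "Client:\n  server_urls:\n  - https://velo.example.internal:8000/\n  nonce: BBBBcustA002\n",
}


def client_nonce(config_text):
    """Return the Client.nonce value, or None if the block or key is missing.

    Only keys indented under a top-level 'Client:' line are considered, so a
    'nonce' appearing under another section is ignored.
    """
    in_client = False
    for line in config_text.splitlines():
        if line.strip() and not line.startswith(" "):
            in_client = line.rstrip() == "Client:"   # entering a new top-level block
            continue
        if in_client:
            m = re.match(r"\s+nonce:\s*(\S+)", line)
            if m:
                return m.group(1).strip("'\"")
    return None


def find_duplicate_nonces(configs):
    """Map each nonce to the config files carrying it and return only collisions.

    Two orgs sharing a nonce would enroll their clients into the same org,
    so any entry returned here means a config was packaged for the wrong org.
    """
    by_nonce = defaultdict(list)
    for name, text in configs.items():
        by_nonce[client_nonce(text)].append(name)
    return {n: files for n, files in by_nonce.items() if len(files) > 1}


if __name__ == "__main__":
    for nonce, files in find_duplicate_nonces(SAMPLE_CONFIGS).items():
        print(f"nonce {nonce!r} reused by: {', '.join(files)}")
```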
We can now switch between organizations using the organization selector.
Switching between orgs
Now the interface is inside the new organization.
Viewing an organization
Note the organization name is shown in the user tile, and client IDs have the org ID appended to them to remind us that the client exists within the org.
The new organization is functionally equivalent to a brand-new deployed server! It has a clean data store with new hunts, clients, notebooks, etc. Any server artifacts will run on this organization only, and server monitoring queries will also only apply to this organization.
By default, the user which created the organization is given the administrator role within that organization. Users can be assigned arbitrary roles within the organization – so, for example, a user may be an administrator in one organization but a reader in another organization.
You can add new users or change a user’s roles using the Server.Utils.AddUser artifact. When using basic authentication, this artifact will create a user with a random password. The password will then be stored in the server’s metadata, where it can be shared with the user. We normally recommend using Velociraptor with single sign-on (SSO), such as OAuth2 or SAML, rather than managing access with passwords.
Adding a new user into the org
View the user’s password in the server metadata screen. (You can remove this entry when done with it or ask the user to change their password.)
View the new user password in the server metadata screen
You can view all users in all orgs by collecting the Server.Utils.ListUsers
artifact within the root org context.
Viewing all the users on the system
Although Velociraptor respects the assigned roles of users within an organization, at this stage this should not be considered an adequate security control. This is because there are obvious escalation paths between roles on the same server. For example, currently an administrator role by design has the ability to write arbitrary files on the server and run arbitrary commands (primarily this functionality allows for post processing flows with external tools).
This is currently also the case in different organizations, so an organization administrator can easily add themselves to another organization (or indeed to the root organization) or change their own role.
Velociraptor is not designed to contain untrusted users to their own organization unit at this stage – instead, it gives administrators flexibility and power.
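Given that an org administrator is effectively trusted at server level, the practical review question is whether anyone holds administrator in a tenant org who you would not also trust with the root org. The following audit, an added example that is not part of Velociraptor, runs over an export of Server.Utils.ListUsers collected in the root org. The row layout (`name`, `org_id`, `roles`) and the sample users and org IDs are constructed assumptions, not the artifact's real column names.

```python
# Constructed sample of a ListUsers export; names, org IDs and roles are made up.
SAMPLE_USERS = [
    {"name": "alice", "org_id": "root",  "roles": ["administrator"]},
    {"name": "alice", "org_id": "OA1B2", "roles": ["administrator"]},
    {"name": "bob",   "org_id": "OA1B2", "roles": ["reader"]},
    {"name": "carol", "org_id": "OA1B2", "roles": ["administrator"]},
    {"name": "carol", "org_id": "OC3D4", "roles": ["reader"]},
    {"name": "dave",  "org_id": "OC3D4", "roles": ["administrator", "investigator"]},
]


def admin_orgs_by_user(rows):
    """Return {user: sorted org_ids in which that user holds administrator}."""
    orgs = {}
    for row in rows:
        if "administrator" in row["roles"]:
            orgs.setdefault(row["name"], set()).add(row["org_id"])
    return {user: sorted(ids) for user, ids in orgs.items()}


def review_findings(rows, root_org="root"):
    """Summarise admin assignments the way a reviewer of this deployment would.

    Since org-level admin currently implies the ability to run commands on the
    shared server, every administrator should be someone trusted with the root
    org. 'tenant_only_admins' lists administrators who are not root admins,
    i.e. the assignments most worth a second look (typically customer staff).
    """
    admins = admin_orgs_by_user(rows)
    tenant_only = sorted(u for u, ids in admins.items() if root_org not in ids)
    return {"admins": admins, "tenant_only_admins": tenant_only}


if __name__ == "__main__":
    findings = review_findings(SAMPLE_USERS)
    for user, ids in findings["admins"].items():
        print(f"{user}: administrator in {', '.join(ids)}")
    print("tenant-only administrators:", ", ".join(findings["tenant_only_admins"]) or "none")
```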
The 0.6.6 release introduces a number of other GUI improvements.
Usually Velociraptor is deployed in production using SSO such as Google’s OAuth2, and in this case, users manage their passwords using the provider’s own infrastructure.
However, it is sometimes convenient to deploy Velociraptor in Basic authentication mode (for example, for on-premises or air-gapped deployment). Velociraptor now lets users change their own passwords within the GUI.
Users may update their passwords in the GUI
Previously, notebooks could be shared with specific other users, but this proved unwieldy for larger installs with many users. In this release, Velociraptor allows a notebook to be made public – this means the notebook will be shared with all users within the org.
Sharing a notebook with all users
The experimental process tracker is described in more detail here, but you can already begin using it by enabling the Windows.Events.TrackProcessesBasic client event artifact and using artifacts such as Generic.System.Pstree, Windows.System.Pslist, and many others.
A new context menu is now available to allow sending any table cell data to an external service.
Sending a cell content to an external service
This allows for quick lookups using VirusTotal or a quick CyberChef analysis. You can also add your own “send to” items in the configuration files.
If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open-source license.
As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing [email protected]. You can also chat with us directly on our Discord server.