Last updated at Tue, 04 Oct 2022 15:03:06 GMT

Rapid7 is excited to announce the release of version 0.6.6 of Velociraptor –  an advanced, open-source digital forensics and incident response (DFIR) tool that enhances visibility into your organization’s endpoints. After several months of development and testing, we are excited to share its powerful new features and improvements.

Multi-tenant mode

The largest improvement in the 0.6.6 release by far is the introduction of organizational division within Velociraptor. Velociraptor is now a fully multi-tenanted application. Each organization is like a completely different Velociraptor installation, with unique hunts, notebooks, and clients. That means:

  1. Organizations can be created and deleted easily with no overheads.
  2. Users can seamlessly switch between organizations using the graphic user interface (GUI).
  3. Operations like hunting and post processing can occur across organizations.

When looking at the latest Velociraptor GUI you might notice the organizations selector in the User Setting page.

The latest User Settings page

This allows the user to switch between the different organizations they belong in.

Multi-tenanted example

Let’s go through a quick example of how to create a new organization and use this feature in practice.

Multi-tenancy is simply a layer of abstraction in the GUI separating Velociraptor objects (such as clients, hunts, notebooks, etc.) into different organizational units.

You do not need to do anything specific to prepare for a multi-tenant deployment. Every Velociraptor deployment can create a new organization at any time without affecting the current install base at all.

By default all Velociraptor installs (including upgraded ones) have a root organization which contains their current clients, hunts, notebooks, etc. (You can see this in the screenshot above.) If you choose to not use the multi-tenant feature, your Velociraptor install will continue working with the root organization without change.

Suppose a new customer is onboarded, but they do not have a large enough install base to warrant a new cloud deployment (with the associated infrastructure costs). We want to create a new organization for this customer in the current Velociraptor deployment.

Creating a new organization

To create a new organization, we simply run the Server.Orgs.NewOrg server artifact from the Server Artifacts screen.

Creating a new organization

All we need to do is give the organization a name.

New organization is created with a new OrgId and an Admin User

Velociraptor uses the OrgId internally to refer to the organization, but the organization name is used in the GUI to select the different organizations. The new organization is created with the current user being the new administrator of this org.

Deploying clients to the new organization

Since all Velociraptor agents connect to the same server, there has to be a way for the server to identify which organization each client belongs in. This is determined by the unique nonce inside the client’s configuration file. Therefore, each organization has a unique client configuration that should be deployed to that organization.

We will list all the organizations on the server using the Server.Orgs.ListOrgs artifact. Note that we are checking the AlsoDownloadConfigFiles parameter to receive the relevant configuration files.

Listing all the organizations on the server

The artifact also uploads the configuration files.

Viewing the organization’s configuration files

Now, we go through the usual deployment process with these configuration files and prepare MSI, RPM, or Deb packages as normal.

Switching between organizations

We can now switch between organizations using the organization selector.

Switching between orgs

Now the interface is inside the new organization.

Viewing an organization

Note the organization name is shown in the user tile, and client IDs have the org ID appended to them to remind us that the client exists within the org.

The new organization is functionally equivalent to a brand-new deployed server! It has a clean data store with new hunts, clients, notebooks, etc. Any server artifacts will run on this organization only, and server monitoring queries will also only apply to this organization.

Adding other users to the new organization

By default, the user which created the organization is given the administrator role within that organization. Users can be assigned arbitrary roles within the organization – so, for example, a user may be an administrator in one organization but a reader in another organization.

You can add new users or change the user’s roles using the Server.Utils.AddUser artifact. When using basic authentication, this artifact will create a user with a random password. The password will then be stored in the server’s metadata, where it can be shared with the user. We normally recommend Velociraptor to be used with single sign-on (SSO), such as OAuth2 or SAML, and not to use passwords to manage access.

Adding a new user into the org

View the user’s password in the server metadata screen. (You can remove this entry when done with it or ask the user to change their password.)

View the new user password in the server metadata screen

You can view all users in all orgs by collecting the Server.Utils.ListUsers artifact within the root org context.

Viewing all the users on the system

Although Velociraptor respects the assigned roles of users within an organization, at this stage this should not be considered an adequate security control. This is because there are obvious escalation paths between roles on the same server. For example, currently an administrator role by design has the ability to write arbitrary files on the server and run arbitrary commands (primarily this functionality allows for post processing flows with external tools).

This is currently also the case in different organizations, so an organization administrator can easily add themselves to another organization (or indeed to the root organization) or change their own role.

Velociraptor is not designed to contain untrusted users to their own organization unit at this stage – instead, it gives administrators flexibility and power.

GUI improvements

The 0.6.6 release introduces a number of other GUI improvements.

Updating user’s passwords

Usually Velociraptor is deployed in production using SSO such as Google’s OAuth2, and in this case, users manage their passwords using the provider’s own infrastructure.

However, it is sometimes convenient to deploy Velociraptor in Basic authentication mode (for example, for on-premises or air-gapped deployment). Velociraptor now lets users change their own passwords within the GUI.

Users may update their passwords in the GUI

Allow notebook GUI to set notebooks to public

Previously, notebooks could be shared with specific other users, but this proved unwieldy for larger installs with many users. In this release, Velociraptor offers a notebook to be public – this means the notebook will be shared with all users within the org.

Sharing a notebook with all users

More improvements to the process tracker

The experimental process tracker is described in more details here, but you can already begin using it by enabling the Windows.Events.TrackProcessesBasic client event artifact and using artifacts just as Generic.System.Pstree, Windows.System.Pslist, and many others.

Context menu

A new context menu is now available to allow sending any table cell data to an external service.

Sending a cell content to an external service

This allows for quick lookups using VirusTotal or a quick CyberChef analysis. You can also add your own send to items in the configuration files.

Conclusion

If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open-source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing velociraptor-discuss@googlegroups.com. You can also chat with us directly on our Discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


Additional reading: