CYBERSECURITY JOB HUNTING GUIDE

EDR Velociraptor (free)

Author: Stefan Waldvogel
-under construction-

Overview:
Velociraptor is a free, advanced, open-source endpoint monitoring, digital forensics and cyber response platform. It is easy to use and quick to install, and you can run the server and the client on the same machine.

The fastest way (self-signed SSL mode) is very simple. Download the Velociraptor exe from GitHub (github.com/Velocidex/velociraptor/releases/tag/v0.5.9-rc1) and run the executable from an administrator terminal:
velociraptor{version}.exe gui
Your browser will warn about the SSL certificate; accept it and that is it. Now you have a full server and a client on the same machine. This is great for tests.

This article shows a more involved way that lets you adjust more settings, add a proper certificate, and end up with a more secure setup.


For this task, I recommend using John Strand's ADHD VM, but you can use any Windows VM with an internet connection. You can download a 90-day Windows 10 evaluation version here: www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
Documentation:
www.velocidex.com/docs/
GitHub download link:
github.com/Velocidex/velociraptor/releases (newest version)
github.com/Velocidex/velociraptor/releases/tag/v0.5.8-rc1
For our lab environment, we need an amd64 version. This version runs on all 64-bit Windows machines. If you want to follow the lab, please download it. The same executable works for both the server and the client.
To install Velociraptor, you can follow this guide or use the documentation for the stand-alone installation (https://www.velocidex.com/docs/getting-started/stand_alone/). We install the server first and the client second.
Server installation
- start the terminal as administrator
If you do not have the icon on the screen, type "cmd" into the search field and you get a "Command Prompt".
When you run the command prompt, accept the permission question that appears.
The console starts in system32, but this place is full of programs and tools. It is better to move to the Downloads folder with:
cd C:\Users\{username}\Downloads
dir
Please do not copy this command as-is; you have to use your own username.
With the "dir" command you can check that you are in the right folder with the velociraptor exe. Here it is v0.5.6, but this will change in the future.
Hint: if you use an upgraded ADHD VM, the installed version might not work and you get errors later. Download the newest version.

The next step configures Velociraptor. The command is:
velociraptor-v05.8-rc2-windows-amd64.exe config generate -i
Now you can select your OS; here it is Windows. Hit enter.
The path is fine, too.
A self-signed SSL cert is okay. Enter.
The public DNS name here is localhost. We hit enter again.
The port is 8000. Enter.
The GUI port is 8889. Enter.
We do NOT use DynDNS, so we set it to n.
We do not use an email for the GUI. Enter.
The log path is okay. Enter.
The next two options are standard, too. Hit enter.
The server GUI
The server is installed, but we want to use the GUI, and first we need to add a GUI user with:
velociraptor-v{your version.exe} --config server.config.yaml user add root --role administrator
You will be asked for a password.
Starting the server
The command to start the server is:
velociraptor{yourversion.exe} --config server.config.yaml frontend -v
You will see some red errors; this is okay. Velociraptor is updating some tools, and at the end you get a link to the GUI. It should be:
https://127.0.0.1:8889
Copy the address into your browser and you get a warning message.
Click on "continue".
The next window is an authentication request.
The username is: root
The password is: the password you selected
It can take one or two minutes to load.
Congratulations, your server is ready. Now we have to set up a client (see the client installation below).
Client installation
The client installation is easier than the server installation, and we need only one command to start the client.
Start a new terminal (cmd command line) as administrator.
Now change to the Downloads directory with
cd C:\Users\{username}\Downloads\
Now we can start the client with the following command:
velociraptor{yourversion.exe} --config client.config.yaml client -v
Hint: if you downloaded only one version, you can use "tab" to autocomplete the name.
At this point, the client is running and we can open the server GUI.

The server GUI runs on:
https://127.0.0.1:8889
(Most likely you already opened it.)


Errors:
If you install Velociraptor on a new machine, you have to create a Velociraptor folder under Program Files.
Exploring Velociraptor
First, we have to check whether the Velociraptor server sees our client. We click on the dashboard button.
The next step is to find our client so we can interact with it. Velociraptor is more or less a beta, and sometimes you have a connection but the table is empty.
I installed it on a new machine and now it works. I have a client ID and I can interact with machines.
We can click on the ID and we see an overview of the system. Additionally, we can collect data or send commands to the machine.
Velociraptor also offers a shell function for the client.
Short overview of how to investigate (Endpoint Analysis)

We can do a manual endpoint analysis on this machine. I show you some basic commands so you get a first idea, but I am not a trained blue teamer (not yet).
-- If you are interested in this topic, try John Strand's SOC training. It is a pay-what-you-can course (16 hours) and gives you a solid starting point in this field. --

With this remote command line, we can investigate the machine. Usually it is a good idea to start with network connections, and we can use commands like:
net view
net session
net use
netstat
netstat -naob   --> This is a very useful command, because we get a PID for further investigation.
netstat -f

Maybe we see a suspicious connection and we have the PID. Some relevant commands:
tasklist
tasklist /svc
tasklist /m

wmic process list full
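As an added example that is not part of the original article or of Velociraptor, here is a small Python helper that performs the correlation step the commands above lead to: it parses the output of netstat -naob (which gives the PID and owning image per connection) and of tasklist /svc (which gives the services hosted in that PID), joins the two on the PID, and flags established connections to addresses outside the lab's internal ranges on ports other than 80 and 443. Both command outputs are constructed samples that mimic the real format (documentation address ranges, invented PIDs); the internal-range list and the expected-port set are assumptions you would adjust to your own environment, and the flagging rule is a triage heuristic, not a verdict.

```python
# Added example (not part of Velociraptor or of the original article): correlate
# `netstat -naob` with `tasklist /svc` for a first triage pass. Both samples are
# constructed: documentation address ranges, made-up PIDs, no live capture.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    192.168.56.101:49731   203.0.113.25:443       ESTABLISHED     4120
 [velociraptor.exe]
  TCP    192.168.56.101:49802   198.51.100.7:4444      ESTABLISHED     5216
 [powershell.exe]
  UDP    0.0.0.0:5353           *:*                                    1700
 [chrome.exe]
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 RpcEptMapper, RpcSs
velociraptor.exe              4120 Velociraptor
powershell.exe                5216 N/A
"""

@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP rows, which have no state column
    pid: int
    image: str = "unknown"
    services: List[str] = field(default_factory=list)

# netstat rows: proto local foreign [state] pid; tasklist rows: image pid services.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(.*?)\s+(\d+)\s+(.*)$")
# Ranges treated as internal to the lab (assumption); everything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32", "::/128", "::1/128", "fe80::/10")]
EXPECTED_PORTS = {80, 443}  # outbound ports we expect from a workstation (assumption)

def parse_netstat(text: str) -> List[Connection]:
    """Turn `netstat -naob` output into Connection records with owner info."""
    conns: List[Connection] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Connection(proto, local, foreign, state or "", int(pid)))
        elif conns and (owner := line.strip()) and not owner.startswith("Can not obtain"):
            if owner.startswith("[") and owner.endswith("]"):
                conns[-1].image = owner[1:-1]  # "[svchost.exe]" names the owning image
            else:
                conns[-1].services.append(owner)  # a service hosted by that PID
    return conns

def parse_tasklist(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """Map PID -> (image name, hosted services) from `tasklist /svc` output."""
    procs: Dict[int, Tuple[str, List[str]]] = {}
    for m in filter(None, map(TASK_RE.match, text.splitlines())):  # header rows have no PID
        image, pid, services = m.groups()
        svcs = [] if services.strip() == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image.strip(), svcs)
    return procs

def correlate(conns: List[Connection], procs: Dict[int, Tuple[str, List[str]]]) -> List[Connection]:
    """Fill in image and service names from tasklist where netstat lacks them."""
    for c in conns:
        image, svcs = procs.get(c.pid, ("unknown", []))
        if c.image == "unknown":
            c.image = image
        c.services += [s for s in svcs if s not in c.services]
    return conns

def is_external(addr: str) -> bool:
    """True if addr ("ip:port", IPv6 in brackets) lies outside INTERNAL_NETS."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or a hostname
    return not any(ip in net for net in INTERNAL_NETS)

def flag_suspicious(conns: List[Connection]) -> List[Connection]:
    """Heuristic: established sessions to external hosts on unexpected ports."""
    return [c for c in conns if c.state == "ESTABLISHED" and is_external(c.foreign)
            and int(c.foreign.rsplit(":", 1)[1]) not in EXPECTED_PORTS]

def triage(netstat_text: str, tasklist_text: str) -> List[str]:
    """One report line per flagged connection, ready to read or log."""
    conns = correlate(parse_netstat(netstat_text), parse_tasklist(tasklist_text))
    return [f"{c.proto} {c.local} -> {c.foreign} pid={c.pid} image={c.image} "
            f"services={','.join(c.services) or '-'}" for c in flag_suspicious(conns)]
```

Calling triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE) on the samples reports the single session to 198.51.100.7:4444 owned by PID 5216 (powershell.exe); in practice you paste the two outputs collected through the Velociraptor shell into the two strings, and the PID it returns is the one you feed into tasklist /m and wmic process list full for the deeper look.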
© 2021. This work is licensed under a CC BY-SA 4.0 license