Posts

Tweet Before Trouble - Proactive Credential & Session Token Theft Detection through site clone monitoring

A lot of work and effort has been put into deceptive technology, but I don't really see it discussed much outside of honeypots (especially with the AI-emulated environments etc.) and jars being flooded with the joy of the web. (This, of course, being the nature of it: if everyone knows it is there, it is no longer deception.) Despite this, from an educational perspective, I've found aggregating a long list of information into actionable insights valuable to others, so here we are :) To ensure this isn't click-bait for a holy grail solution for credential and/or session token theft detection, I am highlighting the fact that attackers in some instances clone login pages (to your login portals especially) to make phishing and other social engineering attacks appear more legitimate. A Canary what? "Canarytokens are like motion sensors for your networks, computers and clouds. You can put them in folders, on network devices and on your phones. Place them where nobody should be pok...

Velociraptor MCP

With the MCP buzz still running hot, I thought I would take some time to use and document one that really caught my eye recently. This MCP was developed by @mgreen27 and I am very excited to see how it continues to grow. In this post, I'll walk through how to spin up a Velociraptor MCP from this GitHub repo, explore what the protocol does under the hood, and demonstrate how you can contribute to or build on it yourself. Whether you're a threat hunter looking to streamline workflows or a DFIR practitioner building custom tooling, understanding and leveraging MCP will help you take full advantage of Velociraptor's extensibility. Personal skippable waffle: I am interested in seeing how the cybersecurity space adapts to MCPs (and AI as a whole..). I believe they should be used in conjunction; i.e. you begin analysing the triage image or acquired artifacts whilst you run a simultaneous query targeting 'known-evil' or anything of the sort. This provides us with quick wins...

Velociraptor Dead-Disk Forensics

The Problem (and the solution): So you need to perform dead-disk forensics on a Windows host, but post acquisition (which may typically be preceded by live access to the host or via an offline collector) you want to continue with your standard way of working. I did too, and fortunately Velociraptor has the ability to emulate a live client from dead disk images, meaning we can simply point our instance at the physically acquired disk and perform the investigation as normal. In this quick post, I intend to show the steps after you have acquired the image. Before starting I'd recommend reading the link below; it covers this capability in a lot more detail than I'm providing here in this quick 101, and it will help you understand the negatives. https://docs.velociraptor.app/blog/2022/2022-03-22-deaddisk/ But what's most important to us for right now is: Velociraptor currently supports the following 4 disk image formats via built-in accessors: - EWF: Expert Witness Compres...

XintraLabs - Waifu University Ransomware Case Writeup

Scenario: Waifu University's cyber team has called you after their IT teams reported a number of servers with files that aren't opening and have a strange extension. On your scoping call, the victim also said they had identified a ransom note stating their data has been stolen. When asked about any earlier signs, the victim mentioned some strange, failed login activity early in March 2024 in their Entra ID, but it wasn't of concern at the time. Ransomware typically avoids system files so as not to crash the system, which also happens to be where a lot of forensic evidence is! You have been provided triage images of the hosts and log exports from the relevant systems. The Waifu University team took triage collections from the affected hosts using the account WAIFU\kscanlan6 at approximately 2024-03-07 05:00:00 UTC. Consider activity after this point related to the response. I've tried to make a point here to avoid directly giving the answers, they may b...