This lab is a walkthrough of the patched Terminal Services DLL use case (T1505.005). We will first replicate the scenario, then walk through how I would build a cross-artifact detection using Velociraptor.
A VM with internet access and Velociraptor available on the desktop to run, as set up in Lab: GUI mode walk through
Artifact Exchange content imported into your Velociraptor instance, as described in Lab: GUI mode walk through
Once the patch has been loaded: open cmd, browse to the desktop and run:
velociraptor.exe gui --datastore=./VRdata -v
The Velociraptor GUI is configured to open automatically on start, but the URL and credentials are listed below in case you need them:
URL: https://127.0.0.1:8889/
Username: admin
Password: password