Objective

This lab is an introduction to Velociraptor performance when scanning with YARA.

We will walk through the best way to run Velociraptor YARA queries across a few different use cases.

Dependencies

Velociraptor available on the desktop, set up as described in Lab: GUI mode walk through.

Open cmd, change to the desktop and run: velociraptor.exe gui --datastore=./VRdata -v

The Velociraptor GUI is configured to open automatically on start, and the login credentials are listed below:

Tasks

Disk queries

Memory queries
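The two task headings above carry no query text on this page. As an added example that is not part of the original lab, the VQL below shows one disk query and one memory query written with performance in mind: the file set is narrowed with glob() metadata (Size, IsDir) before yara() reads any file content, the process set is narrowed with pslist() before proc_yara() touches process memory, and number_of_hits=1 stops each scan at its first match. The rule text, the Downloads glob and the notepad name filter are placeholders chosen here for illustration, not values from the lab; paste the queries into a notebook cell in the GUI started above.

```vql
// Added example, not part of the original lab. The rule, glob and process
// filter below are placeholders; replace them with your own.
LET YaraRules = '''
rule example_marker {
    strings:
        $s = "velociraptor-lab-marker" ascii wide
    condition:
        $s
}
'''

// Disk: filter on directory metadata first. glob() returns Size and IsDir
// without opening the file, so this step is cheap; only the survivors are
// handed to yara(), which is the part that actually reads content.
LET DiskCandidates = SELECT OSPath, Size
  FROM glob(globs="C:/Users/*/Downloads/**", accessor="file")
  WHERE NOT IsDir AND Size < 20000000

SELECT OSPath, Rule, String.Name AS Match, String.Offset AS Offset
FROM foreach(row=DiskCandidates,
  query={
    // number_of_hits=1 stops scanning a file at the first match.
    SELECT * FROM yara(files=OSPath, rules=YaraRules, number_of_hits=1)
  })

// Memory: pick the processes before scanning. Sweeping every process with
// proc_yara() is the slow path; a pslist() filter keeps the scan small.
SELECT Pid, Name, Rule, String.Name AS Match, String.Offset AS Offset
FROM foreach(row={ SELECT Pid, Name FROM pslist() WHERE Name =~ "notepad" },
  query={
    SELECT Pid, Name, Rule, String
    FROM proc_yara(pid=Pid, rules=YaraRules, number_of_hits=1)
  })
```

To compare approaches during the lab, run the same rule once with the glob() filter removed (files=... over the whole tree) and note the difference in wall-clock time in the notebook; the YARA-side guidance in the references (short rules, anchored strings, no slow regular expressions) applies on top of this VQL-side filtering.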

References:

  1. Neo23x0 - YARA-Performance-Guidelines
  2. Hexacorn - Writing better Yara rules in 2023…
  3. Yara documentation - Writing rules
