Velociraptor is an open source endpoint visibility and DFIR platform. Unlike traditional forensic tools that require physical or remote access to pull individual artefacts, Velociraptor deploys a lightweight agent to endpoints and lets you collect artefacts, run hunts, and monitor for threats across your entire fleet simultaneously through a central server.
Server deployment
# Download latest release (the binary is not executable and is named after the platform)
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64
chmod +x velociraptor-linux-amd64 && mv velociraptor-linux-amd64 velociraptor

# Generate server config
./velociraptor config generate -i
# Interactive wizard - choose self-signed cert for lab, set bind address to 0.0.0.0
# The wizard writes server.config.yaml and client.config.yaml in the current directory

# Start server
./velociraptor --config server.config.yaml frontend &

# Create admin user (prompts for a password)
./velociraptor --config server.config.yaml user add admin --role administrator
The GUI is available at https://<server-ip>:8889. Accept the self-signed cert warning in the browser.
Agent deployment
# Generate Windows MSI installer with client config embedded
# (client.config.yaml was written by the config wizard alongside server.config.yaml;
#  repacking an MSI uses the --msi flag with the release MSI as input)
./velociraptor --config server.config.yaml config repack \
    --msi velociraptor-windows-amd64.msi client.config.yaml output.msi

# On the target Windows host (admin PowerShell):
msiexec /i output.msi /quiet
The agent connects back to the server and appears in the GUI under Clients within about 30 seconds.
VQL — the query language
VQL is similar to SQL but designed for system introspection. Every Velociraptor capability is a VQL plugin. A basic query to list running processes:
SELECT Pid, Name, Exe, CommandLine, Username FROM pslist() WHERE Name =~ "powershell"
Finding persistence via scheduled tasks:
SELECT Name, Command, Arguments, Enabled, NextRunTime
FROM schtasks()
WHERE Command !~ "^C:\\Windows\\" AND Enabled = TRUE
Searching all registry Run keys for anything pointing outside of Program Files or Windows. Note that the agent runs as SYSTEM, so HKEY_CURRENT_USER resolves to the SYSTEM account's hive; the Run keys of interactive users live under HKEY_USERS/<SID>/... and need a separate glob to be covered.
SELECT OSPath AS KeyPath, Name, Data.value AS Value
FROM glob(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**",
    "HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**"
], accessor="registry")
WHERE NOT Value =~ "^(C:\\Windows|C:\\Program Files)"
Running a fleet hunt
In the GUI, go to Hunt Manager, click New Hunt, and select artefacts. For initial compromise assessment on multiple hosts simultaneously, the most useful built-in artefacts are:
- Windows.System.Pslist — running processes across all endpoints
- Windows.Network.Netstat — active network connections per host
- Windows.Persistence.PermanentWMIEvents — WMI-based persistence (missed by most checklist-based IR)
- Windows.Forensics.Prefetch — execution history from Prefetch files
- Windows.EventLogs.Evtx — targeted event log collection with time range filter
A hunt across 100 endpoints for all of these typically completes in under 3 minutes. The results are queryable with VQL across the combined dataset.
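One way to query the combined dataset, as an added example that is not part of the original page: a server-side notebook query that stacks process names across every host in a Pslist hunt, so that binaries present on only one or two machines float to the top. The hunt ID H.XXXXXXXX is a placeholder; substitute the ID shown in Hunt Manager.

```vql
-- Collapse duplicates first so a host running ten copies of the same
-- binary counts once (ClientId is emitted by hunt_results for every row).
LET per_host = SELECT Name, Exe, ClientId
  FROM hunt_results(hunt_id="H.XXXXXXXX", artifact="Windows.System.Pslist")
  GROUP BY Name, Exe, ClientId

-- Count on how many distinct hosts each Name/Exe pair appears;
-- ascending order puts the rarest (most suspicious) entries first.
SELECT Name, Exe, count() AS Hosts
FROM per_host
GROUP BY Name, Exe
ORDER BY Hosts
LIMIT 20
```

Run it from the hunt's Notebook tab; the same pattern works for the Netstat artifact by grouping on the remote address instead of Name and Exe.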
Collecting a specific file from all hosts
-- Hunt to collect NTUSER.DAT from all endpoints for offline analysis
SELECT OSPath, Size, Mtime
FROM glob(globs="C:/Users/*/NTUSER.DAT")
WHERE Size > 0
Add a file upload step and Velociraptor will stream the files back to the server automatically. No manual collection needed per host.
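The upload step can also be expressed inside the query itself. This is an added example, not the page's own query: it uses the ntfs accessor so the hive is readable even while Windows holds it open, and calls upload() per row so the server receives each file with the hunt results.

```vql
-- Collect NTUSER.DAT from every profile and stream it to the server.
-- accessor="ntfs" reads the raw filesystem, bypassing the lock Windows
-- keeps on a logged-in user's hive; the Upload column records the
-- server-side path and size of each transferred file.
SELECT OSPath, Size, Mtime,
       upload(file=OSPath, accessor="ntfs") AS Upload
FROM glob(globs="C:/Users/*/NTUSER.DAT", accessor="ntfs")
WHERE Size > 0
```

Hunts run artifacts rather than raw VQL, so save this as a custom client artifact (Artifacts, Add an Artifact) and select it when creating the hunt; uploads then appear under the hunt's Uploaded Files tab.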
Memory analysis integration
Velociraptor can trigger a memory acquisition and ship it directly to the server:
SELECT * FROM Artifact.Windows.Memory.Acquisition(
Destination="C:/Windows/Temp/mem.dmp"
)
Then collect the file through a separate upload artefact. From there, Volatility analysis can be done offline against the collected image.