Using Velociraptor for Live Response on Windows

13 January 2026 | 4 min read | justruss.tech

Velociraptor changes what is practical in a live incident response context. Traditional IR on a single host takes hours: image the disk, acquire memory, copy the logs, transport everything back, start analysis. Velociraptor compresses that workflow significantly: deploy an agent, run a VQL query, get structured results back in seconds. Across a fleet of hundreds of endpoints the time savings become the difference between finding an attacker before and after they complete their objectives.

Deploying Velociraptor for live response

# Server setup (Linux)
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64
chmod +x velociraptor-linux-amd64
./velociraptor-linux-amd64 config generate -i
./velociraptor-linux-amd64 --config server.config.yaml frontend &
./velociraptor-linux-amd64 --config server.config.yaml user add admin --role administrator

# Export the client configuration the agents will use to reach this server
./velociraptor-linux-amd64 --config server.config.yaml config client > client_config.yaml

# Create Windows agent installer: repack the client config into the official
# Windows MSI from the same release (repacking an .exe yields an .exe, not an MSI)
./velociraptor-linux-amd64 --config server.config.yaml config repack \
  --msi velociraptor-windows-amd64.msi client_config.yaml output.msi

# Deploy to target (admin PowerShell on the target machine)
msiexec /i output.msi /quiet

First response queries

When you land on a suspect machine via Velociraptor the first queries establish the baseline: what is running, what is connected, and what has recently executed. These three queries cover the initial triage phase.

-- Running processes with hash attribution
-- hash() returns an object with the selected digests; pick the SHA256 member
SELECT Pid, Ppid, Name, Exe,
    hash(path=Exe, hashselect=["SHA256"]).SHA256 AS SHA256,
    Username, CreateTime, CommandLine
FROM pslist()
ORDER BY CreateTime DESC

-- Active network connections with process context
-- netstat() exposes endpoints as Laddr/Raddr objects with IP and Port members
SELECT Pid, Name, Laddr.IP AS LocalAddress, Laddr.Port AS LocalPort,
    Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Status =~ "ESTAB"
ORDER BY Pid

-- Recent process execution from suspicious locations
SELECT Name, Exe, CommandLine, Username, CreateTime,
    hash(path=Exe, hashselect=["SHA256"]).SHA256 AS SHA256
FROM pslist()
WHERE Exe =~ "(?i)(Temp|AppData|Public|Downloads|Desktop)"
ORDER BY CreateTime DESC

Collecting volatile artefacts

-- DNS cache (reveals recent domain resolutions)
SELECT Entry, RecordType, Data FROM dns_cache()

-- Scheduled tasks pointing outside standard locations
-- There is no schtasks() plugin; the built-in artifact parses the task XML
-- files under C:\Windows\System32\Tasks (older releases name the path column
-- FullPath instead of OSPath)
SELECT OSPath, Command, Arguments, UserId
FROM Artifact.Windows.System.TaskScheduler()
WHERE Command !~ "(?i)^c:.windows"

-- WMI persistence subscriptions (commonly missed in manual IR)
-- wmi_events() is an event-stream plugin that requires a query; the
-- persistence artifact enumerates the filter, consumer and binding objects
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()

-- Registry run key entries pointing to unusual paths
-- read_reg_key() returns one row per key with the values as columns; to get
-- one row per value (Name, Data) glob the registry accessor instead. The agent
-- runs as SYSTEM, so HKEY_CURRENT_USER is SYSTEM's hive; HKEY_USERS/* covers
-- every loaded user hive.
SELECT OSPath, Name, Data.value AS Value
FROM glob(globs=[
    "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
    "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*"
], accessor="registry")
WHERE NOT Value =~ "(?i)^(c:.windows|c:.program files)"

Memory acquisition for deep analysis

-- Acquire full memory image and stream back to server
SELECT * FROM Artifact.Windows.Memory.Acquisition(
    destination="C:/Windows/Temp/mem.raw"
)

-- The file is automatically uploaded to the Velociraptor server
-- Download it and run Volatility analysis offline:
-- vol -f mem.raw windows.pstree
-- vol -f mem.raw windows.malfind
-- vol -f mem.raw windows.netscan

Fleet-wide hunting from a single console

The most powerful aspect of Velociraptor is running the same query across every endpoint simultaneously. Create a hunt in the GUI under Hunt Manager, select the artefacts or write custom VQL, configure the target scope, and start. Results stream back per-client as they complete. A hunt across 200 endpoints for running processes, network connections, and WMI persistence typically completes in under five minutes. The results are queryable across the entire fleet with a single VQL query in the Hunt Notebook, letting you identify which machines out of 200 have a specific indicator without opening each one individually.
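A Hunt Notebook query of the kind described above, as an added example that is not from the original post: it assumes the hashed process listing from the first-response section was saved as a custom artifact named Custom.IR.Pslist (an assumed name) and collected by a hunt, and it uses placeholder values for the hunt id and the indicator hash.

```vql
-- Added example. Assumes the first-response pslist query (with its SHA256
-- column) was saved as the custom artifact Custom.IR.Pslist and collected
-- by a hunt; the hunt id and hash below are placeholders to replace.
LET HuntId = "H.XXXXXXXX"                     -- copy from Hunt Manager
LET BadHash = "<sha256-of-suspect-binary>"    -- the indicator being chased

-- Every process row, from every client in the hunt, carrying the indicator.
-- hunt_results() prefixes each artifact row with ClientId and Fqdn.
LET Matches = SELECT ClientId, Fqdn, Pid, Exe, CommandLine, Username
    FROM hunt_results(hunt_id=HuntId, artifact="Custom.IR.Pslist")
    WHERE SHA256 = lowcase(string=BadHash)

-- Collapse to one row per affected machine, keeping the evidence that put
-- it on the list, so a 200-host hunt reduces to the handful that matter.
SELECT ClientId, Fqdn,
       count() AS Hits,
       enumerate(items=Exe) AS Binaries,
       enumerate(items=CommandLine) AS CommandLines
FROM Matches
GROUP BY ClientId
```

The same pattern works for any column the hunted artifact exposes, for example grouping the netstat query by RemoteAddress to list which clients hold a session to a suspect address.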

Integrating Velociraptor into your response playbook

Velociraptor works best when it is already deployed before an incident begins. An agent that needs to be pushed to a machine during an active incident takes time and requires access that may be restricted. Deploying Velociraptor as a standard endpoint agent across your fleet, even in monitoring-only mode, means it is available the moment you need it. The artefacts and VQL queries you develop during hunting become immediately available as response tools when an incident begins, because the same agent handles both workflows.