Velociraptor is an open source endpoint visibility and DFIR platform. Unlike traditional forensic tools that require physical or remote access to pull individual artefacts, Velociraptor deploys a lightweight agent to endpoints and lets you
\ncollect artefacts, run hunts, and monitor for threats across your entire fleet simultaneously through a central server.<\/p>\n
# Download latest release\nwget https:\/\/github.com\/Velocidex\/velociraptor\/releases\/latest\/download\/velociraptor-linux-amd64\n\n# Generate server config\n.\/velociraptor config generate -i\n# Interactive wizard - choose self-signed cert for lab, set bind address to 0.0.0.0\n\n# Start server\n.\/velociraptor --config server.config.yaml frontend &\n\n# Create admin user\n.\/velociraptor --config server.config.yaml user add admin --role administrator<\/pre>\nThe GUI is available at
https:\/\/<server-ip>:8889<\/code>. Accept the self-signed cert warning in the browser.<\/p>\nAgent deployment<\/h3>\n
# Generate Windows MSI installer with client config embedded\n.\/velociraptor --config server.config.yaml config repack \\\n --exe velociraptor-windows-amd64.exe client_config.yaml output.msi\n\n# On the target Windows host (admin PowerShell):\nmsiexec \/i output.msi \/quiet<\/pre>\nThe agent connects back to the server and appears in the GUI under Clients within about 30 seconds.<\/p>\n
VQL \u2014 the query language<\/h3>\n
VQL is similar to SQL but designed for system introspection. Every Velociraptor capability is a VQL plugin. A basic query to list running processes:<\/p>\n
SELECT Pid, Name, Exe, CommandLine, Username\nFROM pslist()\nWHERE Name =~ \"powershell\"<\/pre>\nFinding persistence via scheduled tasks:<\/p>\n
SELECT Name, Command, Arguments, Enabled, NextRunTime\nFROM schtasks()\nWHERE Command !~ \"^C:\\\\Windows\\\\\" AND Enabled = TRUE<\/pre>\nSearching all registry run keys for anything pointing outside of Program Files or Windows:<\/p>\n
SELECT Key.FullPath AS KeyPath, Name, Data.value AS Value\nFROM read_reg_key(globs=[\n \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\**\",\n \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\**\"\n])\nWHERE NOT Value =~ \"^(C:\\\\Windows|C:\\\\Program Files)\"<\/pre>\nRunning a fleet hunt<\/h3>\n
In the GUI, go to Hunt Manager, click New Hunt, and select artefacts. For initial compromise assessment on multiple hosts simultaneously, the most useful built-in artefacts are:<\/p>\n
\n
Windows.System.Pslist<\/code> \u2014 running processes across all endpoints<\/li>\nWindows.Network.Netstat<\/code> \u2014 active network connections per host<\/li>\nWindows.Persistence.PermanentWMIEvents<\/code> \u2014 WMI-based persistence (missed by most checklist-based IR)<\/li>\nWindows.Forensics.Prefetch<\/code> \u2014 execution history from Prefetch files<\/li>\nWindows.EventLogs.Evtx<\/code> \u2014 targeted event log collection with time range filter<\/li>\n<\/ul>\nA hunt across 100 endpoints for all of these typically completes in under 3 minutes. The results are queryable with VQL across the combined dataset.<\/p>\n
Collecting a specific file from all hosts<\/h3>\n
# Hunt to collect NTUSER.DAT from all endpoints for offline analysis\nSELECT OSPath, Size, Mtime\nFROM glob(globs=\"C:\/Users\/*\/NTUSER.DAT\")\nWHERE Size > 0<\/pre>\nAdd a file upload step and Velociraptor will stream the files back to the server automatically. No manual collection needed per host.<\/p>\n
Memory analysis integration<\/h3>\n
Velociraptor can trigger a memory acquisition and ship it directly to the server:<\/p>\n
SELECT * FROM Artifact.Windows.Memory.Acquisition(\n Destination=\"C:\/Windows\/Temp\/mem.dmp\"\n)<\/pre>\nThen collect the file through a separate upload artefact. From there, Volatility analysis can be done offline against the collected image.<\/p>\n","protected":false},"excerpt":{"rendered":"
Velociraptor is free, fast, and genuinely useful for rapid triage. A
\nwalkthrough of setting it up and collecting artefacts from a simulated compromised host.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=187"}],"version-history":[{"count":2,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":229,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/187\/revisions\/229"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}