Velociraptor changes what is practical in a live incident response context. Traditional IR on a single host takes hours: image the disk, acquire memory, copy the logs, transport everything back, start analysis. Velociraptor compresses that workflow significantly: deploy an agent, run a VQL query, get structured results back in seconds. Across a fleet of hundreds of endpoints the time savings become the difference between finding an attacker before and after they complete their objectives.<\/p>\n
# Server setup (Linux)\nwget https:\/\/github.com\/Velocidex\/velociraptor\/releases\/latest\/download\/velociraptor-linux-amd64\nchmod +x velociraptor-linux-amd64\n.\/velociraptor-linux-amd64 config generate -i\n.\/velociraptor-linux-amd64 --config server.config.yaml frontend &\n.\/velociraptor-linux-amd64 --config server.config.yaml user add admin --role administrator\n\n# Create Windows agent installer\n.\/velociraptor-linux-amd64 --config server.config.yaml config repack \\\n --exe velociraptor-windows-amd64.exe client_config.yaml output.msi\n\n# Deploy to target (admin PowerShell on the target machine)\nmsiexec \/i output.msi \/quiet<\/pre>\nFirst response queries<\/h3>\n
When you land on a suspect machine via Velociraptor the first queries establish the baseline: what is running, what is connected, and what has recently executed. These three queries cover the initial triage phase.<\/p>\n
-- Running processes with hash attribution\nSELECT Pid, Ppid, Name, Exe,\n hash(path=Exe, hashselect=\"SHA256\") AS SHA256,\n Username, CreateTime, CommandLine\nFROM pslist()\nORDER BY CreateTime DESC<\/pre>\n-- Active network connections with process context\nSELECT Pid, Name, LocalAddress, LocalPort,\n RemoteAddress, RemotePort, Status\nFROM netstat()\nWHERE Status = \"ESTABLISHED\"\nORDER BY Pid<\/pre>\n-- Recent process execution from suspicious locations\nSELECT Name, Exe, CommandLine, Username, CreateTime,\n hash(path=Exe, hashselect=\"SHA256\") AS SHA256\nFROM pslist()\nWHERE Exe =~ \"(?i)(Temp|AppData|Public|Downloads|Desktop)\"\nORDER BY CreateTime DESC<\/pre>\nCollecting volatile artefacts<\/h3>\n
-- DNS cache (reveals recent domain resolutions)\nSELECT Entry, RecordType, Data FROM dns_cache()\n\n-- Scheduled tasks pointing outside standard locations\nSELECT Name, Command, Arguments, Enabled\nFROM schtasks()\nWHERE Command !~ \"(?i)^C:\\\\Windows\\\\\"\n AND Enabled = TRUE\n\n-- WMI persistence subscriptions (commonly missed in manual IR)\nSELECT * FROM wmi_events()\n\n-- Registry run key entries pointing to unusual paths\nSELECT Key.FullPath AS KeyPath, Name, Data.value AS Value\nFROM read_reg_key(globs=[\n \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\**\",\n \"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\**\"\n])\nWHERE NOT Value =~ \"(?i)^(C:\\\\Windows|C:\\\\Program Files)\"<\/pre>\nMemory acquisition for deep analysis<\/h3>\n
-- Acquire full memory image and stream back to server\nSELECT * FROM Artifact.Windows.Memory.Acquisition(\n destination=\"C:\/Windows\/Temp\/mem.raw\"\n)\n\n-- The file is automatically uploaded to the Velociraptor server\n-- Download it and run Volatility analysis offline:\n-- vol -f mem.raw windows.pstree\n-- vol -f mem.raw windows.malfind\n-- vol -f mem.raw windows.netscan<\/pre>\nFleet-wide hunting from a single console<\/h3>\n
The most powerful aspect of Velociraptor is running the same query across every endpoint simultaneously. Create a hunt in the GUI under Hunt Manager, select the artefacts or write custom VQL, configure the target scope, and start. Results stream back per-client as they complete. A hunt across 200 endpoints for running processes, network connections, and WMI persistence typically completes in under five minutes. The results are queryable across the entire fleet with a single VQL query in the Hunt Notebook, letting you identify which machines out of 200 have a specific indicator without opening each one individually.<\/p>\n
Integrating Velociraptor into your response playbook<\/h3>\n
Velociraptor works best when it is already deployed before an incident begins. An agent that needs to be pushed to a machine during an active incident takes time and requires access that may be restricted. Deploying Velociraptor as a standard endpoint agent across your fleet, even in monitoring-only mode, means it is available the moment you need it. The artefacts and VQL queries you develop during hunting become immediately available as response tools when an incident begins, because the same agent handles both workflows.<\/p>\n","protected":false},"excerpt":{"rendered":"
Velociraptor is free, fast, and genuinely useful for rapid triage. A
\nwalkthrough of setting it up and collecting artefacts from a simulated compromised host.<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-dfir"],"_links":{"self":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/comments?post=187"}],"version-history":[{"count":4,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":356,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/posts\/187\/revisions\/356"}],"wp:attachment":[{"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/media?parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/categories?post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justruss.tech\/index.php\/wp-json\/wp\/v2\/tags?post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}