Velociraptor
ATT&CK techniques: T1057, T1012, T1005
A comprehensive guide to Velociraptor for DFIR — deployment, artifact collection, VQL queries, hunting across the fleet, and incident response workflows.
What Velociraptor Is and Why DFIR Teams Need It
- Velociraptor is an open-source tool (by Rapid7, originally by Mike Cohen and other Google veterans) for endpoint monitoring, forensic collection, and threat hunting. It was designed from the ground up for scale — querying thousands of endpoints simultaneously.
- Unlike its predecessor GRR (Google Rapid Response), Velociraptor uses a unique server-to-agent model where the server pulls results from agents via polling, and agents cache and compress results for efficient retrieval.
- MITRE ATT&CK maps Velociraptor's collection capabilities to T1057 (Process Discovery), T1012 (Query Registry), and T1005 (Collection from Local System). Velociraptor automates what a live responder would do manually on each host.
- The key differentiators: VQL (Velociraptor Query Language, a SQL-like syntax that runs on endpoints), offline collectors (pre-packaged collections for air-gapped environments), and server-side artifacts that can inspect and collect from remote endpoints without a live agent connection.
Architecture — Client/Server Model
| Component | Role | Deployment |
|---|---|---|
| Server | Central management, frontend (gRPC/HTTP), GUI, data store | Linux server — can be cloud-hosted or on-prem |
| Client (Agent) | Runs on endpoints, executes VQL queries, collects artifacts, reports results | Windows, Linux, macOS |
| Frontend | Accepts client connections, serves GUI, exposes gRPC API | Part of the server process |
| Data Store | Stores client records, hunt results, collected artifacts | Filesystem (default) or cloud storage (S3/GCS/Azure Blob) |
Quick Deploy
```bash
# Server: download the Linux binary
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64
chmod +x velociraptor-linux-amd64
# Generate server config
./velociraptor-linux-amd64 config generate > server.config.yaml
# Start the server with GUI
./velociraptor-linux-amd64 --config server.config.yaml frontend
# Derive the client config (server URL, CA cert) from the server config
./velociraptor-linux-amd64 --config server.config.yaml config client > client.config.yaml
# Embed the client config into the official Windows client MSI from the releases page
./velociraptor-linux-amd64 config repack --msi velociraptor_client.msi client.config.yaml velociraptor_client_repacked.msi
```
VQL — Velociraptor Query Language
VQL is the heart of Velociraptor. It is a SQL-like query language that runs on the endpoint and returns structured results.
Core VQL Patterns
| Pattern | VQL Example | What It Returns |
|---|---|---|
| List processes | SELECT * FROM pslist() | Running processes with PID, PPID, name, command line |
| Read registry | SELECT * FROM read_reg_key(globs='HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run') | All Run key entries (persistence) |
| Find files | SELECT * FROM glob(globs='C:\\Users\\*\\AppData\\Local\\Temp\\*') | Files matching a path pattern |
| Parse EVTX | SELECT * FROM parse_evtx(filename='C:\\Windows\\System32\\winevt\\Logs\\Security.evtx') | Windows Event Log entries |
| YARA scan | SELECT * FROM foreach(row={SELECT OSPath FROM glob(globs='C:\\Users\\*\\Downloads\\*')}, query={SELECT * FROM yara(rules='rule Bad { strings: $a = "evil" condition: $a }', files=OSPath)}) | YARA scan on a filesystem path (yara() takes file names, so the glob is fed through foreach) |
| Network connections | SELECT * FROM netstat() | Active network connections per process |
| Registry content | SELECT * FROM read_reg_key(globs='*', accessor='raw_reg', root=pathspec(DelegateAccessor='ntfs', DelegatePath='C:\\Windows\\System32\\config\\SAM')) | SAM hive parsed from the raw file via the ntfs accessor (the live hive is locked; use VSS if needed) |
Example — Hunt for Unusual Processes
```vql
-- Find processes with suspicious command-line arguments
-- (=~ is an unanchored regex match, so leading/trailing .* are not needed)
LET suspicious_args = "-enc|Invoke-Expression|DownloadString|/user:.*/sid:"
SELECT Name, Pid, Ppid, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ suspicious_args
```
Artifact Collections — Pre-Built Forensic Packs
Velociraptor ships with hundreds of pre-built artifacts that collect specific forensic data. These are organized by operating system and category.
Essential Artifacts for IR
| Artifact Name | What It Collects | Use Case |
|---|---|---|
| Windows.KapeFiles.Targets | Thread hierarchy, network, prefetch, $MFT | Full KAPE-compatible collection |
| Windows.System.Pslist | Process list with full command line | Initial triage: running processes |
| Windows.Network.Netstat | Active network connections per PID | C2 detection, lateral movement |
| Windows.Registry.NTUser | User Registry hives | Persistence analysis per user |
| Windows.EventLogs.Evtx | Windows Event Logs | Complete event log collection |
| Windows.Forensics.Prefetch | Prefetch files | Application execution evidence |
| Windows.Forensics.Shimcache | Shimcache/AppCompatCache | Application execution artifacts |
| Windows.Forensics.Amcache | Amcache.hve | Program execution and installation |
| Windows.System.Persistence | Scheduled tasks, services, Run keys, startup folders | Comprehensive persistence scan |
| Windows.Detection.Yara.Process | YARA scan against running processes | In-memory malware detection |
| Linux.System.Pslist | Process list on Linux | Linux IR |
| Linux.System.Proc | Process tree with file descriptors | Linux process forensics |
| Linux.Network.Netstat | Network connections on Linux | Linux network investigation |
| MacOS.System.Pslist | Process list on macOS | macOS IR |
Hunting — Finding Threats at Scale
Hunts are the most powerful Velociraptor feature — deploy a VQL query to every client simultaneously and collect results.
How to Run a Hunt
- Create a hunt — define a VQL query or pre-built artifact to collect
- Schedule the hunt — run immediately or set a start time
- Set client filtering — target a specific operating system, client label, or hostname pattern
- Monitor results — results stream back to the server as clients respond
Example Hunt — Search All Endpoints for a Known IOC Hash
```vql
-- Hunt: Find any file matching a known-bad SHA256 hash
LET ioc_hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
SELECT OSPath, Size, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs='C:\\Users\\*\\*')
WHERE NOT IsDir AND SHA256 = ioc_hash   -- skip directories; hash() only applies to files
```
Example Hunt — Lateral Movement Detection (Event Logs)
```vql
-- Hunt: Find Event ID 4624 (successful logon) with LogonType 3 (network)
-- originating from unusual source IPs. parse_evtx() returns nested
-- System and EventData objects, so fields are addressed through them.
SELECT System.TimeCreated.SystemTime AS EventTime,
       System.Computer AS Computer,
       EventData.TargetUserName AS User,
       EventData.IpAddress AS SourceIp
FROM parse_evtx(filename='C:\\Windows\\System32\\winevt\\Logs\\Security.evtx')
WHERE System.EventID.Value = 4624
  AND EventData.LogonType = 3
  AND NOT SourceIp =~ "^192[.]168[.]"   -- Adjust to match your internal IP ranges
```
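Once a hunt like this has run, the rows are downloaded as JSON lines and triaged off the server. The following is an added example, not code from the page or the Velociraptor project: it reads such rows (sample rows, internal ranges and function names are all constructed here) and replaces the single-prefix regex with a proper CIDR check, while handling the "-" source Windows writes for local logons and LogonType arriving as a string.

```python
import ipaddress
import json

# Constructed sample of hunt rows as exported by Velociraptor (JSON lines),
# keeping the nested System/EventData layout that parse_evtx() produces.
SAMPLE_JSONL = """\
{"System": {"EventID": {"Value": 4624}, "Computer": "WS01"}, "EventData": {"LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "192.168.10.5"}}
{"System": {"EventID": {"Value": 4624}, "Computer": "WS01"}, "EventData": {"LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}}
{"System": {"EventID": {"Value": 4624}, "Computer": "WS02"}, "EventData": {"LogonType": 3, "TargetUserName": "SYSTEM", "IpAddress": "-"}}
{"System": {"EventID": {"Value": 4624}, "Computer": "WS02"}, "EventData": {"LogonType": 2, "TargetUserName": "jdoe", "IpAddress": "10.9.9.9"}}
{"System": {"EventID": {"Value": 4624}, "Computer": "WS03"}, "EventData": {"LogonType": "3", "TargetUserName": "jdoe", "IpAddress": "10.7.0.44"}}
{"System": {"EventID": {"Value": 4625}, "Computer": "WS03"}, "EventData": {"LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "198.51.100.9"}}
"""

# Assumed internal ranges; the hunt's regex above only covered 192.168.x.x.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True for the internal ranges, loopback/link-local, and the '-' placeholder
    Windows writes when a 4624 has no network source."""
    if ip_text in ("-", ""):
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source: surface it for review rather than drop it
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in INTERNAL_NETS)


def flag_external_network_logons(jsonl_text):
    """Return (Computer, TargetUserName, IpAddress) for every successful network
    logon (4624 / LogonType 3) whose source is outside INTERNAL_NETS."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        sysd, data = row["System"], row["EventData"]
        if sysd["EventID"]["Value"] != 4624:
            continue
        # LogonType arrives as int or str depending on the export path; normalise it
        if int(data.get("LogonType", -1)) != 3:
            continue
        src = data.get("IpAddress", "-")
        if not is_internal(src):
            hits.append((sysd["Computer"], data["TargetUserName"], src))
    return hits


if __name__ == "__main__":
    for computer, user, src in flag_external_network_logons(SAMPLE_JSONL):
        print(f"{computer}: {user} network logon from {src}")
```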
Velociraptor vs Other DFIR Tools
| Feature | Velociraptor | Volatility | Sysinternals | GRR |
|---|---|---|---|---|
| Remote collection | Native client-server | Memory dump required locally | Manual per host | Native client-server |
| Scale | Thousands of endpoints simultaneously | Single host | Single host | Hundreds (slower) |
| Live response | Yes — VQL queries run live | No (memory dump analysis) | Yes (manual) | Yes |
| Offline collector | Yes — packaged collections | N/A | No | No |
| Scripting language | VQL (SQL-like) | Python (Volatility API) | PowerShell | Python |
| Artifact catalog | 400+ pre-built artifacts | Memory-specific plugins | Per-tool, not cataloged | 100+ |
| OS support | Windows, Linux, macOS | Windows, Linux, macOS | Windows only | Windows, Linux, macOS |
Offline Collectors — Air-Gapped Environments
Velociraptor’s offline collector is a critical feature for environments where agents cannot reach the server (air-gapped networks, incident response where the network is compromised).
```bash
# Build an offline collector from the server GUI: run the server artifact
# Server.Utils.CreateCollector and select Windows.KapeFiles.Targets. The server
# emits a self-contained executable with the artifact and its parameters embedded.
# Run that collector on the target endpoint with no arguments (no server connection
# needed); it writes a zip of results into its working directory.
# Alternative with no server at all: run the plain client binary ad hoc on the host
# (artifact parameters such as the KAPE target sets are passed with --args).
velociraptor-windows-amd64.exe artifacts collect Windows.KapeFiles.Targets --output collected_data.zip
```
The offline collector bundles the Velociraptor binary, the artifact definition, and all dependencies. It runs without any server communication and produces a compressed results file that can be transferred back for analysis.