Authorized Use Only: Velociraptor agents provide deep endpoint visibility and remote collection. Deploy only on assets you own or are authorized to monitor, in accordance with your monitoring policy and applicable law.
Velociraptor is an open-source endpoint visibility and digital-forensics platform from Rapid7/Velocidex. A single Go binary acts as server, client (agent), and CLI depending on how it is invoked and configured. Its power comes from VQL (Velociraptor Query Language) — an SQL-like language whose plugins query the live state of an endpoint (processes, files, registry, event logs, WMI, network connections, prefetch, etc.). VQL queries are packaged into reusable Artifacts, and Artifacts are run at scale as Hunts that fan out across every connected client and stream results back to the server as structured rows.
This makes Velociraptor ideal for fleet-wide threat hunting: a hypothesis ("are any hosts running suspicious PowerShell?") becomes a VQL artifact, deployed as a hunt, with results aggregated centrally in minutes. It also supports offline collectors (standalone executables that collect and bundle artifacts on air-gapped or unmanaged hosts) and live forensic notebooks.
```bash
# Make the downloaded Linux release binary executable and put it on the PATH
chmod +x velociraptor-v0.*-linux-amd64
sudo mv velociraptor-v0.*-linux-amd64 /usr/local/bin/velociraptor
```
| ID | Official Technique Name | Relevance to this skill |
|---|---|---|
| T1059 | Command and Scripting Interpreter | A primary hunt target — VQL artifacts surface anomalous interpreter execution (PowerShell, cmd, wscript) across the fleet for detection and triage. |
Velociraptor is a defensive hunting platform; the mapping reflects the adversary behavior the hunts are designed to detect.
The config generator writes a server config (TLS material, datastore paths, GUI users, frontend URL). Use config generate for a self-signed lab build, or the interactive -i wizard for production.
```bash
# Non-interactive: dump a default server config
velociraptor config generate > server.config.yaml
# Interactive wizard (recommended for production deployments)
velociraptor config generate -i
```
Create at least one administrator to log into the console.
```bash
velociraptor --config server.config.yaml user add admin --role administrator
```
The frontend accepts client connections; the GUI is served as configured (default https://127.0.0.1:8889).
```bash
velociraptor --config server.config.yaml frontend -v
```
For a quick all-in-one local lab (server + frontend + a local client in one process):
```bash
velociraptor gui
```
Derive the client config from the server config and run the binary as a client on each endpoint.
```bash
# Produce the client config (embeds server URL + CA)
velociraptor --config server.config.yaml config client > client.config.yaml
# On a Linux endpoint, run as a client (or install as a service)
velociraptor --config client.config.yaml client -v
```
On Windows, build an MSI/service installer from the GUI ("Server Artifacts" > deployment) or run:
```powershell
velociraptor.exe --config client.config.yaml service install
```
Validate a query locally with the query subcommand before deploying it fleet-wide. VQL is SQL-like: SELECT ... FROM plugin(...) WHERE ...
```bash
# List running processes with their command lines
velociraptor query "SELECT Pid, Name, CommandLine FROM pslist()"
# Hunt for suspicious PowerShell command lines (Go regex syntax; (?i) makes it case-insensitive)
velociraptor query "
SELECT Pid, Name, CommandLine
FROM pslist()
WHERE Name =~ 'powershell'
AND CommandLine =~ '(?i)(-enc|frombase64string|downloadstring|-w hidden|iex)'
"
```
Artifacts wrap VQL into reusable, parameterized collections.
```bash
# Show available artifacts
velociraptor artifacts list
# Collect a built-in artifact locally and bundle the results into a ZIP
velociraptor artifacts collect Windows.System.Pslist --output results.zip
```
In the GUI: Hunt Manager > New Hunt > select the artifact (e.g. Windows.Detection.Powershell or a custom one) and its parameters > Launch. The hunt fans out to every matching client; results stream into the hunt's results table and can be exported as CSV/JSON. Equivalent server-side VQL:
```vql
-- Create a hunt programmatically from a server VQL notebook
SELECT hunt(
    description="Suspicious PowerShell fleet sweep",
    artifacts="Windows.Detection.Powershell"
) FROM scope()
```
Custom artifacts are YAML documents containing parameters and VQL sources. Save one in the GUI's Artifact editor or import it via artifacts:
```yaml
name: Custom.Hunt.SuspiciousPowershell
description: Find encoded / download-cradle PowerShell across the fleet.
parameters:
  - name: regex
    default: "(?i)(-enc|frombase64string|downloadstring|-w hidden|iex)"
sources:
  - query: |
      SELECT Pid, Name, CommandLine, timestamp(epoch=now()) AS Collected
      FROM pslist()
      WHERE Name =~ "powershell" AND CommandLine =~ regex
```
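As an added example (not from the original page or the Velociraptor project), the artifact above extended for triage: it also matches pwsh, records the parent PID, user and image path, and decodes any -EncodedCommand payload so analysts see the script rather than a base64 blob. It assumes the pslist() columns Ppid, Exe and Username and the VQL functions parse_string_with_regex(), base64decode(), utf16() and if() as listed in the VQL reference; the artifact and parameter names are my own.

```yaml
# Added example, not part of the original page: extends Custom.Hunt.SuspiciousPowershell
# with parent/user context and -EncodedCommand decoding.
name: Custom.Hunt.SuspiciousPowershell.Decoded
description: |
  Find encoded / download-cradle PowerShell (powershell.exe and pwsh) across the fleet
  and decode any -EncodedCommand payload (base64 of UTF-16LE) for analyst review.
parameters:
  - name: ProcessRegex
    description: Process names to inspect (Windows PowerShell and PowerShell 7).
    default: '(?i)^(powershell|pwsh)(\.exe)?$'
  - name: SuspiciousRegex
    description: Command-line patterns that warrant review (same set as the base artifact).
    default: '(?i)(-enc|frombase64string|downloadstring|-w hidden|iex)'
  - name: EncRegex
    description: Captures the base64 argument following -e / -ec / -enc / -EncodedCommand.
    default: '(?i)-e(?:c|nc|ncoded(?:command)?)?\s+(?P<Payload>[A-Za-z0-9+/=]{16,})'
sources:
  - query: |
      SELECT Pid, Ppid, Name, Username, Exe, CommandLine,
             -- Named capture group becomes a dict key; Payload is NULL when nothing matched
             parse_string_with_regex(string=CommandLine, regex=EncRegex).Payload AS EncodedPayload,
             -- PowerShell base64-encodes the script as UTF-16LE; reverse both steps
             if(condition=EncodedPayload,
                then=utf16(string=base64decode(string=EncodedPayload)),
                else=NULL) AS DecodedCommand,
             timestamp(epoch=now()) AS Collected
      FROM pslist()
      WHERE Name =~ ProcessRegex AND CommandLine =~ SuspiciousRegex
```

The raw CommandLine is kept alongside DecodedCommand so the original evidence survives in the hunt results; rows that match SuspiciousRegex without an encoded argument simply carry a NULL DecodedCommand.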
For unmanaged/air-gapped hosts, build a standalone collector from the GUI ("Server Artifacts" > Server.Utils.CreateCollector) or via VQL; it produces a single executable that collects chosen artifacts into a ZIP for later import.
| Resource | Purpose | Link |
|---|---|---|
| Velociraptor releases | Official binaries | https://github.com/Velocidex/velociraptor/releases |
| Documentation | Deployment, VQL, artifacts | https://docs.velociraptor.app/ |
| VQL reference | Plugin/function reference | https://docs.velociraptor.app/vql_reference/ |
| Artifact Exchange | Community artifacts | https://docs.velociraptor.app/exchange/ |
| Source | GitHub repository | https://github.com/Velocidex/velociraptor |
| Command | Purpose |
|---|---|
| config generate [-i] | Create server config (interactive optional) |
| config client | Derive client config from server config |
| user add <name> --role administrator | Add a GUI admin |
| frontend -v | Start server frontend (client comms + GUI) |
| gui | All-in-one local lab instance |
| client -v | Run as an endpoint agent |
| service install | Install the agent as a service |
| query "<VQL>" | Run VQL ad hoc |
| artifacts list | List available artifacts |
| artifacts collect <name> --output <zip> | Collect an artifact locally |