TL;DR, What is Velociraptor?
Velociraptor is an open-source platform for targeted endpoint data collection, monitoring, threat hunting, digital forensics, and cyber response. It allows you to hunt across an entire network in minutes to investigate past events, respond to current threats, and continuously monitor for future attacks. As an open-source project, Velociraptor gives security teams a community-driven tool for scalable incident response.
At-A-Glance
GitHub: https://github.com/Velocidex/velociraptor
License: AGPL-3.0
Primary Language: Go
Stars: 2.6k ⭐
Last Release: v0.75.2 on August 30, 2024
Topics/Tags: incident-response, digital-forensics, security, endpoint-monitoring, threat-hunting
Common use cases
1. Incident Response and Digital Forensics: You can quickly deploy Velociraptor to compromised systems to collect and preserve volatile evidence, analyze attack timelines, and perform deep-dive forensic analysis using its built-in artifacts.
2. Proactive Threat Hunting: Search for persistent threats and indicators of compromise across your enterprise network by deploying custom VQL queries and YARA rules to identify unusual or malicious activity.
3. Continuous Security Monitoring: Integrate Velociraptor with a security operations center (SOC) to get real-time endpoint visibility. The tool streams alerts on suspicious activities like process injection and lateral movement, based on custom detection logic and Sigma rules.
4. Compliance and Security Auditing: Collect endpoint configuration data and system state evidence to validate security controls and demonstrate compliance with regulatory frameworks like NIST, ISO 27001, and other industry standards.
5. Enterprise-Wide Asset Inventory: Use Velociraptor's scalable data collection to perform detailed hardware, software, and configuration inventories across all your endpoints. The data provides a foundation for security posture management and vulnerability assessment.
How does Velociraptor work?
Velociraptor uses a client-server model where agents maintain persistent, encrypted connections to a central server. The model enables near-real-time security operations, allowing you to orchestrate large-scale data collection tasks (“hunts”) across thousands of endpoints. Using the web-based GUI, analysts deploy Velociraptor Query Language (VQL) queries that run directly on endpoints. Clients stream results back to the server, which acts as a central coordinator and data storage layer. The setup provides enterprise-wide visibility without creating a processing bottleneck.
Persistent Connections: Clients maintain a constant connection to the server for immediate tasking and data retrieval. The direct connection eliminates the latency common in polling-based systems.
Distributed VQL Processing: Queries run directly on the endpoint, distributing the processing load across your fleet. The distributed model makes the system scalable, as the server primarily handles orchestration and storage.
Offline Queuing: If an endpoint is offline, the agent continues running queries and queues the results locally. Data automatically streams to the server upon reconnection, preventing data loss.
Single Binary: The same executable can function as either a client or a server, which simplifies deployment and management across different environments.
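The client event query described above, as an added example (not an artifact from the Velociraptor project): a CLIENT_EVENT artifact that snapshots listening sockets every minute and emits only the ports that appeared or disappeared, so results accumulate in the client's local queue while it is offline and are forwarded once the connection returns. The artifact name, the parameter name, and the netstat() column names (Pid, Status, Laddr.IP, Laddr.Port) are assumptions for illustration.

```yaml
# Added example event artifact; not part of the Velociraptor project.
# Artifact and parameter names, and the netstat() columns used below,
# are assumptions made for this illustration.
name: Custom.Events.ListeningPortChanges
description: |
  Every PeriodSeconds, take a snapshot of listening sockets and emit
  one row per listener that was added or removed since the previous
  snapshot. Because this is a CLIENT_EVENT artifact, rows are queued
  on the endpoint while it is offline and streamed to the server
  when the connection is re-established.
type: CLIENT_EVENT
parameters:
  - name: PeriodSeconds
    type: int
    default: 60
    description: Seconds between socket snapshots.
sources:
  - query: |
      -- diff() reruns the inner query every period and emits only
      -- rows whose Key changed, tagged Diff = "added" or "removed".
      -- Key combines Pid and Port so a port re-bound by a different
      -- process still shows up as a change.
      SELECT Diff, Pid, IP, Port, timestamp(epoch=now()) AS Observed
      FROM diff(
        query={
          SELECT Pid,
                 Laddr.IP AS IP,
                 Laddr.Port AS Port,
                 format(format="%v:%v", args=[Pid, Laddr.Port]) AS Key
          FROM netstat()
          WHERE Status = "LISTEN"
        },
        key="Key",
        period=PeriodSeconds)
```

Server-side, a detection can subscribe to this artifact's stream and alert on unexpected "added" rows on critical hosts; removing the WHERE clause widens the snapshot to all sockets at the cost of noisier output.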
Core Capabilities:
1. Precise data queries: Velociraptor Query Language (VQL) is the SQL-like language that underpins all platform operations. VQL lets analysts write queries for real-time data collection, filtering, and processing. The language includes plugins and functions for forensic tasks and allows you to package complex investigations into readable, sharable queries.
2. Scalable Endpoint Hunting: You can run investigations across thousands of endpoints at once for enterprise-wide threat hunting. The platform distributes complex forensic artifacts with low impact on endpoint resources and automatically gathers results in a central GUI. The GUI helps you quickly identify compromised systems across the network.
3. Real-time Endpoint Monitoring: Get continuous security monitoring by using client-side event queries and native OS event sources like ETW and eBPF. You can immediately detect suspicious activities, use standard detection logic through Sigma rules, and preserve event data even when clients are offline.
4. Forensic Analysis: Use digital forensic capabilities for post-breach investigation, including NTFS and MFT parsing, registry examination, and event log analysis. The tool can perform YARA scanning on files and processes and collect volatile system state like network connections and memory artifacts to build an incident timeline.
5. Artifact-based Analysis Framework: Speed up incident response by packaging complex investigative procedures into reusable, sharable artifacts. The framework lets teams use a library of pre-built, community-contributed VQL queries for common forensic and security tasks. You can easily customize these queries to fit specific threat models and environments.
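The artifact packaging, fleet-wide hunting, and YARA scanning described in this list, combined in one added example (not an artifact shipped with Velociraptor): a CLIENT artifact that globs for recent files, scans each with a YARA rule, and returns only the matching files so a hunt across thousands of endpoints produces a short, directly reviewable table. The artifact name, the parameter names, and the YARA rule are constructed for illustration; the glob() and yara() column names (OSPath, Size, Mtime, IsDir, Rule, String.Offset) are assumptions.

```yaml
# Added example hunt artifact; not part of the Velociraptor project.
# Artifact/parameter names and the YARA rule are constructed; the
# glob() and yara() column names used below are assumptions.
name: Custom.Hunt.YaraFiles
description: |
  Scan files matching SearchGlob with YaraRule and report one row per
  match. Designed to run as a hunt: each endpoint does its own scanning
  and only matching files are sent back to the server.
type: CLIENT
parameters:
  - name: SearchGlob
    default: C:/Users/*/Downloads/**
    description: Files to scan, in Velociraptor glob syntax.
  - name: MaxSizeBytes
    type: int
    default: 10485760
    description: Skip files larger than this to limit endpoint load.
  - name: YaraRule
    default: |
      rule Demo_PowerShell_Download_Strings {
        strings:
          $a = "Invoke-WebRequest" nocase
          $b = "DownloadString" nocase
        condition:
          any of them
      }
sources:
  - query: |
      -- glob() enumerates candidate files; the size filter keeps the
      -- hunt cheap on endpoints. foreach() then runs yara() on each
      -- file, which emits a row per matching string, so non-matching
      -- files produce nothing and never leave the endpoint.
      SELECT OSPath, Size, Mtime, Rule, String.Offset AS Offset
      FROM foreach(
        row={
          SELECT OSPath, Size, Mtime
          FROM glob(globs=SearchGlob)
          WHERE NOT IsDir AND Size < MaxSizeBytes
        },
        query={
          SELECT OSPath, Size, Mtime, Rule, String
          FROM yara(rules=YaraRule, files=OSPath)
        })
```

Launch it as a hunt from the GUI to collect from every connected client, or narrow SearchGlob and MaxSizeBytes first when targeting busy servers.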
Limitations
1. Steep Learning Curve for VQL: The platform's main strength is its custom Velociraptor Query Language (VQL), which takes time to learn. To move beyond basic artifacts, analysts must become skilled in VQL syntax and its plugins.
2. Requires High Endpoint Privileges: The agent needs SYSTEM or root access to work correctly, which lets it access protected system files and memory. Requiring these privileges creates a potential security risk, as a compromised deployment could give an attacker high-level administrative control over your endpoints.
3. Server-Side Resource Intensity: Large-scale deployments that collect a lot of forensic data and real-time events require considerable server-side storage and network bandwidth. You must plan for the infrastructure costs to manage the ingestion, processing, and long-term storage of endpoint data, especially during a large incident.
4. Endpoint-Centric Focus: The tool specializes in host-based analysis and does not have native network traffic inspection features. While Velociraptor can report on an endpoint's network connections, the tool cannot analyze network protocols or packet content. You will need to integrate it with separate network detection and response (NDR) tools for full threat visibility.
5. Potential for Performance Overhead: Continuous monitoring and certain hunting queries can create performance overhead on endpoint systems. You must carefully schedule and scope resource-intensive operations, like full memory scans or file carving, to avoid impacting the performance of critical servers or user workstations.
Getting Started:
Step 1: Download the Velociraptor binary for your operating system from the official release page: https://github.com/Velocidex/velociraptor/releases
Step 2: Make the downloaded file executable and place it in your PATH if needed.
Step 3: Launch the tool by running:
velociraptor gui
Step 4: Access the Velociraptor GUI. The gui command starts the GUI, the frontend, and a local client together, so you can begin exploring and collecting artifacts immediately.
Alternatives
| Feature | Velociraptor | OSQuery | GRR Rapid Response | Wazuh |
|---|---|---|---|---|
| Primary Use Case | Endpoint detection, response, and digital forensics | Endpoint monitoring and operating system instrumentation | Large-scale, live digital forensics and incident response | Unified XDR and SIEM platform for threat detection and response |
| Query Language | VQL (Velociraptor Query Language): a powerful, flexible, SQL-like language for complex queries | SQL-based: allows querying the operating system as a relational database | Custom "flows": a more programmatic approach to defining data collection tasks | A combination of rules, decoders, and a query language for searching indexed data |
| Architecture | Client-server architecture with a central server for managing clients and collecting data | Standalone agent that can be integrated with various backends for data collection and analysis | Client-server model with a focus on scalability and managing large fleets of endpoints | All-in-one platform with a central manager, indexer, and dashboard for data analysis and visualization |
| Real-time Monitoring | Yes, through client-side event queries and integration with technologies like ETW and eBPF | Yes, through its pub/sub framework and scheduled queries | Primarily focused on ad-hoc investigations, but can be configured for some monitoring tasks | Yes, a core feature of the platform with real-time alerting and active response capabilities |
| Extensibility | Highly extensible through custom VQL artifacts and a rich plugin ecosystem | Extensible through custom tables and plugins, allowing collection of additional data sources | Extensible through custom Python scripts and "flows," but more complex to customize | Open-source and highly extensible, with a large community and a wide range of integrations |