# Velociraptor - Features and Overview

06-11-2025

Tags: #Velociraptor

Links: [[Velociraptor - Installation and Deployment]]

## Overview

Velociraptor is an endpoint visibility and collection tool that uses its own query language (VQL) to hunt for suspicious activity at scale. Below is a walkthrough of key features, commands, and real-world use cases I've explored in my Velociraptor deployment.

---

Here is a brief overview and explanation of each of the tools in our menu:

- **Hunt Manager**
- **View Artifacts**
- **Server Events**
- **Server Artifacts**
- **Notebooks**
- **Users**

![[velo_server_artifacts.png]]

## Hunt Manager

This is where I can create and manage hunts. Key capabilities include:

- **Target selection** via labels or OS type
- **Artifact selection** (e.g., `Windows.System.Pslist`)
- **Resource tuning**, which is helpful when hunting across production systems without causing performance degradation

---

## View Artifacts

This section shows all available artifacts for collection. From here, I can:

- Create or edit artifacts
- Import community-created artifacts
- Search for IOCs, CVEs, or malware behavior using VQL

### Example Use Case

If a new CVE drops, I can craft an artifact using VQL to detect indicators of compromise (IOCs), and then:

- Tag suspicious systems
- Optionally quarantine them

---

## Server Events

Provides visibility into:

- Server health and performance
- Audit logs
- Custom dashboard widgets
- Welcome message customization

---

## Server Artifacts

Artifacts in this section focus specifically on server-side tasks, such as:

- Data enrichment
- Flow configuration to forward data to a SIEM

---

## Notebooks

This is a place to write, edit, and test VQL queries. I use it frequently for real-time data filtering and post-processing.

---

## Users

Admin panel for managing user accounts and access permissions.

---

> [!Note]
> ⚠️ **Storage Consideration:** Velociraptor can generate large volumes of data quickly.
> Ensure you have sufficient disk space, especially during intensive hunts or mass collections.

## Viewing Clients

Clicking the **magnifying glass** in the top menu brings up all connected clients.

![[velo_connected_clients.png]]

Clicking on a client opens a dashboard with host information and five main actions:

### 1. **Interrogate**

Run the `Interrogate` action to collect details like:

- OS version
- User accounts
- Network configuration

### 2. **VFS (Virtual File System)**

Browse and interact with the client's file system. To download a file:

1. Click `auto`
2. Refresh the directory (recursive refresh can be slow)
3. Expand folder paths and refresh until the target file appears
4. Click the file and download it for analysis

---

### 3. **Collected**

Displays all artifacts collected from the host.

![[velo_collected.png]]

Click on an artifact (e.g., `Generic.Client.Info`) to view its status and results.

![[velo_artifact_results.png]]

#### Example: View Running Processes

To view active processes:

1. Click `New Collection`
2. Search for `Pslist`
3. Select `Windows.System.Pslist`
4. Launch with default settings

Then view the results in real time, export as CSV/JSON, or further refine using VQL.

#### Filter Using VQL

To display only processes with a command line:

1. Go to `Notebook`
2. Select `Windows.System.Pslist`
3. Click the pencil icon (`Edit Cell`)
4. Add the following `WHERE` clause to the cell's default `SELECT`, so the query reads:

   ```vql
   SELECT * FROM source(artifact="Windows.System.Pslist")
   WHERE CommandLine != ""
   ```

5. Save — now you're only seeing processes with command-line arguments.

---

### 4. **Quarantine Host**

Clicking this icon isolates the client from the network (except for traffic to the Velociraptor server). You can also include a custom help message for the quarantined user. To unquarantine, simply click the button again.

#### Mass Quarantine via Hunt

To quarantine multiple hosts:

1. Create a new hunt
2. Use the `Windows.Remediation.Quarantine` artifact
3. Configure parameters
4.
   Launch the hunt manually (unlike a single-client collection, a hunt does not start on its own)

To revert quarantine:

- Create a similar hunt using the same artifact
- Check the `Remove policy` box

---

## Real-World Use Cases

Velociraptor isn't just a lab toy—it's built for real-world response. Here are a few example scenarios where it shines:

### **Ransomware Triage**

When a ransomware infection hits your environment, you can:

- Use `Windows.Timeline.Run` or `Windows.EventLogs.EvtxHunter` to gather execution history
- Collect persistence mechanisms (like autoruns or scheduled tasks)
- Isolate infected machines using the quarantine feature
- Collect key files and registry hives from the host for off-site forensic analysis

### **Post-Incident Investigation**

After containment of an intrusion, you can:

- Hunt for lateral movement artifacts (e.g., `Windows.EventLogs.PowerShell`, `Windows.NTFS.UsnJrnl`)
- Search for dropped payloads or encoded PowerShell commands across machines
- Run targeted collections using custom IOC-hunting artifacts

### **Threat Hunting at Scale**

During a proactive hunting cycle, you might:

- Create a hunt targeting newly discovered vulnerabilities (e.g., vulnerable DLLs, unquoted service paths)
- Use `Linux.System.Pslist` or `Windows.System.Psxview` to identify stealthy persistence mechanisms
- Search for common post-exploitation frameworks like Cobalt Strike or Empire

### **Blue Team Automation**

You can also integrate Velociraptor into your detection pipeline:

- Automatically launch collections when Wazuh or Graylog detects suspicious activity
- Feed results into a SOAR platform (like Shuffle) for triage, enrichment, or ticketing
- Create dashboards in Grafana using log data exported from Velociraptor hunts

## Conclusion: Why Velociraptor Stands Out

Velociraptor is one of the most powerful, flexible, and lightweight endpoint visibility tools available today—especially for DFIR, threat hunting, and compromise assessment scenarios.
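To make the "craft an artifact to detect IOCs" idea from the View Artifacts section and the "custom IOC-hunting artifacts" bullet above concrete, here is an added example of what such an artifact looks like. It is my own illustration, not code from the post, the video, or Velociraptor's bundled artifact set. It is a CLIENT artifact that hashes files under a narrow glob and reports any whose SHA256 is on a list you feed in as a parameter. The artifact name, both parameter names and the hash value in the default are assumptions and placeholders; `glob()`, `hash()` and `lowcase()` are Velociraptor's own VQL plugins and functions.

```yaml
name: Custom.Detection.KnownBadHash
description: |
  Added example (not a built-in artifact): hashes files matching SearchGlob
  and reports any whose SHA256 appears in the BadHashes parameter.
  Intended to be collected via a hunt after a new CVE or intel report,
  with the hits used to tag (and optionally quarantine) affected clients.
type: CLIENT

parameters:
  - name: SearchGlob
    description: Files to hash. Kept narrow so a fleet-wide hunt stays cheap.
    default: C:\Users\*\AppData\**\*.{exe,dll}
  - name: BadHashes
    description: CSV of SHA256 values to look for. The row below is a placeholder; replace it with real intel.
    type: csv
    default: |
      Hash
      REPLACE_WITH_LOWERCASE_SHA256_FROM_YOUR_INTEL

sources:
  - query: |
      // Materialise the IOC list once (<=) so the IN check is cheap per file.
      // hash() returns lowercase hex, so normalise the list the same way.
      LET bad_hashes <= SELECT lowcase(string=Hash) AS Hash FROM BadHashes

      // glob() yields one row per path; skip directories before hashing,
      // then keep only files whose SHA256 is on the list.
      SELECT OSPath,
             Size,
             Mtime,
             hash(path=OSPath).SHA256 AS SHA256
      FROM glob(globs=SearchGlob)
      WHERE NOT IsDir
        AND SHA256 IN bad_hashes.Hash
```

Paste this into View Artifacts (Add an Artifact), then collect it from a hunt in the Hunt Manager. Because the IOC list is a parameter, the same artifact can be reused for the next intel report without editing the VQL, and keeping the glob tight is what makes the hunt safe to run across production systems.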
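The "tag suspicious systems" step from View Artifacts, the "forward data to a SIEM" item under Server Artifacts and the Blue Team Automation bullets can be chained together on the server side. The following is an added example of mine, not part of the post or of Velociraptor's bundled artifacts: a SERVER_EVENT artifact that watches for completed collections of whatever detection artifact you name in its parameter, labels any client that returned at least one row, and POSTs a JSON summary of the hit to an HTTP collector. The artifact name, the `ioc-hit` label, the watched-artifact default and the SIEM URL are placeholders I made up; `watch_monitoring()`, `source()`, `label()`, `http_client()`, `serialize()` and `dict()` are Velociraptor's own VQL plugins and functions.

```yaml
name: Custom.Server.IOCHitResponder
description: |
  Added example (not a bundled artifact): when a collection of the watched
  detection artifact finishes with at least one result row, label the client
  and push a JSON summary to a SIEM HTTP ingest endpoint.
type: SERVER_EVENT

parameters:
  - name: WatchArtifact
    description: Detection artifact whose hits should trigger a response (placeholder name).
    default: Custom.Detection.PLACEHOLDER
  - name: HitLabel
    description: Label applied to clients with hits; use it as a hunt target later.
    default: ioc-hit
  - name: SiemUrl
    description: JSON ingest endpoint (placeholder; point at your SIEM's HTTP collector).
    default: https://siem.example.internal/ingest

sources:
  - query: |
      // System.Flow.Completion fires once per finished collection on the server.
      // Keep only flows where the watched artifact actually produced results.
      LET completed = SELECT ClientId, FlowId, Flow.artifacts_with_results AS Artifacts
        FROM watch_monitoring(artifact="System.Flow.Completion")
        WHERE WatchArtifact IN Artifacts

      // For each such flow, count the rows the detection artifact returned.
      // A flow with zero rows yields no group and therefore no response row.
      LET hits = SELECT * FROM foreach(row=completed,
        query={
          SELECT ClientId, FlowId, count() AS Hits
          FROM source(client_id=ClientId, flow_id=FlowId, artifact=WatchArtifact)
          GROUP BY ClientId
        })

      // Respond: tag the client, then forward a compact summary to the SIEM.
      // The subquery column holds the HTTP status code(s) returned by the collector.
      SELECT ClientId, FlowId, Hits,
             label(client_id=ClientId, labels=HitLabel, op="set") AS Labelled,
             { SELECT Response
               FROM http_client(url=SiemUrl, method="POST",
                                headers=dict(`Content-Type`="application/json"),
                                data=serialize(format="json", item=dict(
                                  source="velociraptor", client_id=ClientId,
                                  flow_id=FlowId, artifact=WatchArtifact,
                                  hits=Hits)))
             } AS SiemResponse
      FROM hits
      WHERE Hits > 0
```

Enable it under Server Artifacts (Server Events) and it runs continuously. The label is the hand-off point: the Hunt Manager can target clients by label, so a follow-up `Windows.Remediation.Quarantine` hunt scoped to `ioc-hit` is the "optionally quarantine them" step from the View Artifacts use case, without touching the detection artifact itself.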
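For the Notebooks section and the "encoded PowerShell commands across machines" bullet above, here is an added example of the post-processing I would run in a notebook cell over a finished `Windows.System.Pslist` hunt. It is my own query, not from the post or the video. It first flags PowerShell command lines that look encoded or like download cradles, then stacks executables by how many distinct clients run them so rare binaries float to the top. The hunt id is a constructed placeholder; `hunt_results()`, `GROUP BY`, `count()` and the `=~` regex operator are standard VQL, and the column names are those `Windows.System.Pslist` emits.

```vql
// Constructed placeholder: paste the real hunt id from the Hunt Manager.
LET HuntId = "H.REPLACE_ME"

// Materialise (<=) every client's Pslist rows once and reuse them below.
LET procs <= SELECT ClientId, Pid, Ppid, Name, Exe, CommandLine
  FROM hunt_results(hunt_id=HuntId, artifact="Windows.System.Pslist")

// 1. Suspicious PowerShell: -e/-ec/-enc/-EncodedCommand, Base64 decoding,
//    download cradles and Invoke-Expression / iex. Case-insensitive.
SELECT ClientId, Pid, Ppid, Name, CommandLine
FROM procs
WHERE Name =~ "(?i)^(powershell|pwsh)[.]exe$"
  AND CommandLine =~ "(?i)(-e(c|nc|ncodedcommand)? |frombase64string|downloadstring|invoke-expression|(^|[^a-z])iex([^a-z]|$))"

// 2. Frequency stacking: dedupe to one row per (Exe, client) first, so the
//    count is "how many clients run this binary", not "how many processes".
LET per_client <= SELECT Exe, ClientId
  FROM procs
  GROUP BY Exe, ClientId

SELECT Exe, count() AS ClientCount
FROM per_client
GROUP BY Exe
ORDER BY ClientCount
LIMIT 25
```

Each `SELECT` renders as its own table in the cell. The second table is the one I look at first during a proactive hunt: an executable present on one or two hosts out of hundreds is worth a VFS download and a hash check, whereas the regex in the first table is a tripwire for the noisiest PowerShell tradecraft and will need tuning to the environment's legitimate automation.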

Its unique combination of speed, precision, and customizability makes it a key player in both small environments and enterprise-scale infrastructures.

### What I Didn't Cover (Yet)

While this post focused on core functionality—like hunting, artifact collection, VFS exploration, and quarantining—I haven't yet touched on:

- **Live Response Automation** — using scheduled collections or reactive hunts triggered by specific conditions.
- **Custom Artifact Development** — building advanced detection logic with chained queries or custom parameters.
- **Integration with Other Tools** — such as sending alerts to Slack, ingesting logs into Graylog/Wazuh, or orchestrating playbooks via Shuffle.
- **Remote Shell and Live Triage** — which allow for advanced investigations on a compromised machine directly from the web GUI or CLI.

These are all deep topics worthy of their own breakdowns—and I'll probably explore them in future posts.

---

## References

> MyDFIR, *FREE Cybersecurity Tool: Velociraptor (Step-By-Step Guide)*: https://www.youtube.com/watch?v=p9pQ2g-18o4