Incident Response · Advanced

Implementing Velociraptor for IR Collection

Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments.

4 min read · 11 code examples


Overview

Velociraptor is an open-source endpoint monitoring, digital forensics, and incident response platform developed by Rapid7. Its Velociraptor Query Language (VQL) lets responders define custom artifacts that collect, query, and monitor almost any aspect of an endpoint. Velociraptor enables incident response teams to collect and examine forensic artifacts from across a network, and it supports large-scale deployments with minimal performance impact on the endpoints. The client-server architecture with Fleetspeak communication supports real-time collection from thousands of endpoints simultaneously; endpoints that are offline pick up outstanding hunts when they reconnect.

Architecture

Components

  • Velociraptor Server: Central management console with web UI and API
  • Velociraptor Client (Agent): Lightweight agent deployed to endpoints
  • Fleetspeak: Communication framework between client and server
  • VQL Engine: Query language engine for artifact collection
  • Filestore: Server-side storage for collected artifacts
  • Datastore: Metadata storage for hunts, flows, and client information

Supported Platforms

  • Windows (7+, Server 2008R2+)
  • Linux (Debian, Ubuntu, CentOS, RHEL)
  • macOS (10.13+)

Deployment

Server Installation

# Download the latest release and make it executable
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64
chmod +x velociraptor-linux-amd64

# Generate the server configuration interactively
# (writes server.config.yaml and client.config.yaml)
./velociraptor-linux-amd64 config generate -i

# Start the server in the foreground
./velociraptor-linux-amd64 --config server.config.yaml frontend

# Or build a Debian package that installs the binary under /usr/local/bin
# together with a systemd unit, then install it
./velociraptor-linux-amd64 --config server.config.yaml debian server
sudo dpkg -i velociraptor*.deb

Client Deployment

# Extract the client configuration from the server configuration
velociraptor --config server.config.yaml config client > client.config.yaml

# Repack the Windows MSI so it carries the client configuration
velociraptor config repack --msi velociraptor-windows-amd64.msi client.config.yaml output.msi

# Deploy output.msi via Group Policy, SCCM, or Intune
# The client runs as a Windows service named "Velociraptor"

# Linux client: run in the foreground with verbose logging
# (use the debian/rpm client packages or a systemd unit for a persistent install)
velociraptor --config client.config.yaml client -v

# macOS client: same invocation (use a launchd plist for a persistent install)
velociraptor --config client.config.yaml client -v

Docker Deployment

docker run --name velociraptor \
  -v /opt/velociraptor:/velociraptor/data \
  -p 8000:8000 -p 8001:8001 -p 8889:8889 \
  velocidex/velociraptor

Core IR Artifact Collection

Windows Forensic Artifacts

-- Collect Windows Event Logs
-- (anchor the ID regex so that "4624" does not also match 14624)
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
  EvtxGlob="C:/Windows/System32/winevt/Logs/*.evtx",
  IdRegex="^(4624|4625|4648|4672|4688|4698|4769|7045)$"
)

-- Collect Prefetch files for execution evidence
SELECT * FROM Artifact.Windows.Forensics.Prefetch()

-- Collect Shimcache entries
SELECT * FROM Artifact.Windows.Registry.AppCompatCache()

-- Collect Amcache entries
SELECT * FROM Artifact.Windows.Forensics.Amcache()

-- Collect UserAssist data
SELECT * FROM Artifact.Windows.Registry.UserAssist()

-- Collect NTFS MFT entries for executables and scripts
-- (the dot must be escaped, otherwise it matches any character)
SELECT * FROM Artifact.Windows.NTFS.MFT(
  MFTFilename="C:/$MFT",
  FileRegex="\\.(exe|dll|ps1|bat|cmd)$"
)

-- Collect scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()

-- Collect running processes with hashes
SELECT * FROM Artifact.Windows.System.Pslist()

-- Collect network connections
SELECT * FROM Artifact.Windows.Network.Netstat()

-- Collect DNS cache
SELECT * FROM Artifact.Windows.System.DNSCache()

-- Collect browser history
SELECT * FROM Artifact.Windows.Applications.Chrome.History()

-- Collect PowerShell console history (PSReadline ConsoleHost_history.txt)
SELECT * FROM Artifact.Windows.System.Powershell.PSReadline()

-- Collect autoruns/persistence
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
SELECT * FROM Artifact.Windows.System.Services()
SELECT * FROM Artifact.Windows.Sys.StartupItems()

Linux Forensic Artifacts

-- Collect auth logs
SELECT * FROM Artifact.Linux.Sys.AuthLogs()

-- Collect bash history
SELECT * FROM Artifact.Linux.Forensics.BashHistory()

-- Collect crontab entries
SELECT * FROM Artifact.Linux.Sys.Crontab()

-- Collect running processes
SELECT * FROM Artifact.Linux.Sys.Pslist()

-- Collect network connections
SELECT * FROM Artifact.Linux.Network.Netstat()

-- Collect SSH authorized keys
SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys()

-- Collect systemd services
SELECT * FROM Artifact.Linux.Sys.Services()

Triage Collection (All-in-One)

-- Windows Triage Collection artifact
-- Collects event logs, prefetch, registry, browser data, and more
SELECT * FROM Artifact.Windows.KapeFiles.Targets(
  Device="C:",
  _AllFiles=FALSE,
  _EventLogs=TRUE,
  _Prefetch=TRUE,
  _RegistryHives=TRUE,
  _WebBrowsers=TRUE,
  _WindowsTimeline=TRUE
)

Hunt Operations

Creating a Hunt

1. Navigate to Hunt Manager in Velociraptor Web UI
2. Click "New Hunt"
3. Configure:
   - Description: "IR Triage - Case 2025-001"
   - Include/Exclude labels for targeting
   - Artifact selection (e.g., Windows.Forensics.Prefetch)
   - Resource limits (CPU, IOPS, timeout)
4. Launch hunt
5. Monitor progress in real-time

VQL Hunt Examples

-- Hunt for a specific MD5 hash across all endpoints
SELECT * FROM Artifact.Generic.Detection.HashHunter(
  MD5List="e99a18c428cb38d5f260853678922e03"
)

-- Hunt for YARA signatures in process memory
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
  YaraRule='rule malware { strings: $s1 = "malicious_string" condition: $s1 }'
)

-- Import Sigma rules into the server for use by the Sigma detection artifacts
SELECT * FROM Artifact.Server.Import.SigmaRules()

-- Hunt for scheduled tasks that launch script hosts or living-off-the-land binaries
-- (the =~ operator is a case-insensitive regex match)
SELECT * FROM Artifact.Windows.System.TaskScheduler()
WHERE Command =~ "powershell|cmd|wscript|mshta|rundll32"

-- Hunt for processes with network connections into a suspect address range
-- (Netstat reports the remote endpoint as Raddr.IP and Raddr.Port; anchor the
-- regex so that 110.13.37.x is not matched as well)
SELECT * FROM Artifact.Windows.Network.Netstat()
WHERE Raddr.IP =~ "^10\\.13\\.37\\."
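The Netstat hunt above narrows remote addresses with a regex, which is convenient inside VQL but is easy to get wrong (an unanchored "10\.13\.37\." also matches 110.13.37.x). The following Python is an added example, not code from the page or from Velociraptor: it post-processes a downloaded hunt export against a network IoC list using CIDR containment instead of a regex, skips rows without a remote address (listening sockets), and groups hits per client. It assumes the export is JSON lines carrying the Netstat columns Pid, Name and Raddr plus the ClientId and Fqdn columns the server adds to hunt exports; the sample rows and the IoC range are constructed.

```python
"""Post-process an exported Windows.Network.Netstat hunt against a network IoC list.

Added example; not code from the page or from Velociraptor. Assumes the hunt
results were downloaded as JSON lines, one row per object, carrying the Netstat
columns Pid, Name and Raddr plus the ClientId and Fqdn columns the server adds
to hunt exports. The sample rows and the IoC range are constructed.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample export (JSON lines). 110.13.37.5 is deliberately included:
# the page's unanchored regex "10\.13\.37\." matches it, CIDR containment does not.
SAMPLE_EXPORT = """
{"ClientId": "C.1a2b3c", "Fqdn": "ws01.corp.local", "Pid": 4412, "Name": "powershell.exe", "Raddr": {"IP": "10.13.37.21", "Port": 443}}
{"ClientId": "C.1a2b3c", "Fqdn": "ws01.corp.local", "Pid": 880, "Name": "svchost.exe", "Raddr": {"IP": "110.13.37.5", "Port": 80}}
{"ClientId": "C.9f8e7d", "Fqdn": "srv02.corp.local", "Pid": 2312, "Name": "rundll32.exe", "Raddr": {"IP": "10.13.37.200", "Port": 8443}}
{"ClientId": "C.9f8e7d", "Fqdn": "srv02.corp.local", "Pid": 2312, "Name": "rundll32.exe", "Raddr": {"IP": "", "Port": 0}}
{"ClientId": "C.4d5e6f", "Fqdn": "ws07.corp.local", "Pid": 1204, "Name": "chrome.exe", "Raddr": {"IP": "142.250.72.14", "Port": 443}}
"""

# Hypothetical IoC networks for the case (the page's hunt range written as a CIDR).
IOC_NETWORKS = ["10.13.37.0/24"]

# The page's regex, kept only to demonstrate the false positive it allows.
PAGE_REGEX = re.compile(r"10\.13\.37\.")


def parse_export(text):
    """Yield one dict per non-blank line of a JSON-lines export."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def regex_matches(ip):
    """True when the page's unanchored regex would flag this address."""
    return PAGE_REGEX.search(ip) is not None


def match_iocs(rows, cidrs):
    """Return {ClientId: [hit, ...]} for rows whose remote IP lies inside an IoC network.

    Rows with an empty remote address (listening sockets) or an unparseable
    address are skipped rather than raising, so one odd row cannot abort the
    triage of a large hunt export.
    """
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = defaultdict(list)
    for row in rows:
        raw = (row.get("Raddr") or {}).get("IP", "")
        if not raw:
            continue
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if any(addr in net for net in networks):
            hits[row["ClientId"]].append({
                "Fqdn": row["Fqdn"],
                "Pid": row["Pid"],
                "Name": row["Name"],
                "Remote": f"{raw}:{row['Raddr']['Port']}",
            })
    return dict(hits)


def summarize(hits):
    """One line per affected client, sorted by client id, for the case notes."""
    return [
        f"{cid} ({rows[0]['Fqdn']}): {len(rows)} connection(s) into IoC range"
        for cid, rows in sorted(hits.items())
    ]


if __name__ == "__main__":
    found = match_iocs(parse_export(SAMPLE_EXPORT), IOC_NETWORKS)
    for line in summarize(found):
        print(line)
    print("regex would also flag 110.13.37.5:", regex_matches("110.13.37.5"))
```

The same function works on any Velociraptor hunt export that carries a remote-address column; only the column lookup in match_iocs changes. Keeping the IoC list as CIDRs also lets the same code take ranges from a threat-intel feed without rewriting them as regexes.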

Real-Time Monitoring

-- Monitor for new process creation
SELECT * FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}")
WHERE EventData.ImageName =~ "powershell|cmd|wscript"

-- Monitor file system changes through the NTFS USN journal
SELECT * FROM watch_usn(device="C:")
WHERE FullPath =~ "Windows[\\\\/]Temp[\\\\/]"

-- Monitor registry changes
SELECT * FROM watch_registry(key="HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**")

Integration with SIEM/SOAR

Splunk Integration

Velociraptor Server --> Elastic/OpenSearch --> Splunk HEC
                   --> Direct syslog forwarding
                   --> Velociraptor API --> Custom scripts --> Splunk

Elastic Stack Integration

# Velociraptor server config for Elastic output
Monitoring:
  elastic:
    addresses:
      - https://elastic.local:9200
    username: velociraptor
    password: secure_password
    index: velociraptor

MITRE ATT&CK Mapping

Technique                     | VQL Artifact
------------------------------|----------------------------------------------------
T1059 - Command Scripting     | Windows.EventLogs.EvtxHunter (Event IDs 4104, 4688)
T1053 - Scheduled Task        | Windows.System.TaskScheduler
T1547 - Boot/Logon Autostart  | Windows.Persistence.PermanentWMIEvents
T1003 - OS Credential Dumping | Windows.Detection.Yara.Process
T1021 - Remote Services       | Windows.EventLogs.EvtxHunter (4624, Logon Type 3/10)
T1070 - Indicator Removal     | Windows.EventLogs.Cleared

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.3 (Incident Identification), CC7.4 (Incident Response), CC7.5 (Recovery)
  • ISO 27001: A.16.1 (Security Incident Management)
  • NIST 800-53: IR-1 through IR-10 (Incident Response Family)
  • NIST CSF: RS.RP (Response Planning), RS.CO (Communications), RC.RP (Recovery Planning)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add implementing-velociraptor-for-ir-collection

# Or load dynamically via MCP
grc.load_skill("implementing-velociraptor-for-ir-collection")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score
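The chain hashing described above, as an added illustration that is not Claw GRC's own implementation: each audit record stores the hash of the previous record, and its own hash covers both that link and its canonical content, so editing any earlier step invalidates every later link. The step records below are constructed and the evidence hash is a placeholder.

```python
"""Tamper-evident audit chain over skill execution steps.

Added example, not Claw GRC's implementation. Assumes each step is recorded as a
dict and that every record's hash covers the previous record's hash, so an
after-the-fact edit of any step breaks the chain from that point on.
"""
import hashlib
import json

GENESIS = "0" * 64  # stands in for "no previous record"


def canonical(record):
    """Stable serialization so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash, record):
    """SHA-256 over the previous link's hash followed by this record's canonical form."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(record))
    return h.hexdigest()


def build_chain(steps):
    """Wrap each step in {prev_hash, record, hash}, linking it to its predecessor."""
    chain = []
    prev = GENESIS
    for step in steps:
        entry = {"prev_hash": prev, "record": step, "hash": link_hash(prev, step)}
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) for an intact chain, else (False, index of first bad link)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or link_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed sample: steps of this skill as an agent might record them.
SAMPLE_STEPS = [
    {"step": 1, "action": "velociraptor config generate -i", "result": "server.config.yaml written"},
    {"step": 2, "action": "hunt Windows.Forensics.Prefetch", "result": "412 clients, 0 errors"},
    {"step": 3, "action": "export hunt results", "result": "prefetch.jsonl sha256=<placeholder>"},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_STEPS)
    print("intact:", verify_chain(chain))
    # Edit step 2 after the fact: its stored hash no longer matches.
    chain[1]["record"] = dict(chain[1]["record"], result="412 clients, 3 errors")
    print("after edit:", verify_chain(chain))
    # Re-hashing the edited record only moves the break to step 3, whose
    # prev_hash still names the original hash of step 2.
    chain[1]["hash"] = link_hash(chain[1]["prev_hash"], chain[1]["record"])
    print("after re-hash:", verify_chain(chain))
```

The chain on its own proves only internal consistency; to stop someone from rebuilding the whole chain, the final hash has to be anchored somewhere the writer cannot alter (a signed timestamp, an append-only log, or a store outside the agent's control).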

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.



Tags

velociraptor, dfir, endpoint-collection, vql, forensic-artifacts, rapid7, threat-hunting, incident-response
