ReddRadar
Agent skill
implementing-velociraptor-for-ir-collection
Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/implementing-velociraptor-for-ir-collection
SKILL.md
Implementing Velociraptor for IR Collection
Overview
Velociraptor is an advanced open-source endpoint monitoring, digital forensics, and incident response platform developed by Rapid7. It uses the Velociraptor Query Language (VQL) to create custom artifacts that collect, query, and monitor almost any aspect of an endpoint. Velociraptor enables incident response teams to rapidly collect and examine forensic artifacts from across a network, supporting large-scale deployments with minimal performance impact. The client-server architecture with Fleetspeak communication enables real-time data collection from thousands of endpoints simultaneously, with offline endpoints picking up hunts when they reconnect.
When to Use
- When deploying or configuring implementing velociraptor for ir collection capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with incident response concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Architecture
Components
- Velociraptor Server: Central management console with web UI and API
- Velociraptor Client (Agent): Lightweight agent deployed to endpoints
- Fleetspeak: Communication framework between client and server
- VQL Engine: Query language engine for artifact collection
- Filestore: Server-side storage for collected artifacts
- Datastore: Metadata storage for hunts, flows, and client information
Supported Platforms
- Windows (7+, Server 2008R2+)
- Linux (Debian, Ubuntu, CentOS, RHEL)
- macOS (10.13+)
Deployment
Server Installation
# Download latest release
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64
# Generate server configuration
./velociraptor-linux-amd64 config generate -i
# Start the server
./velociraptor-linux-amd64 --config server.config.yaml frontend
# Or run as systemd service
sudo cp velociraptor-linux-amd64 /usr/local/bin/velociraptor
sudo velociraptor --config /etc/velociraptor/server.config.yaml service install
Client Deployment
# Repack client MSI for Windows deployment
velociraptor --config server.config.yaml config client > client.config.yaml
velociraptor config repack --msi velociraptor-windows-amd64.msi client.config.yaml output.msi
# Deploy via Group Policy, SCCM, or Intune
# Client runs as a Windows service: "Velociraptor"
# Linux client deployment
velociraptor --config client.config.yaml client -v
# macOS client deployment
velociraptor --config client.config.yaml client -v
Docker Deployment
docker run --name velociraptor \
-v /opt/velociraptor:/velociraptor/data \
-p 8000:8000 -p 8001:8001 -p 8889:8889 \
velocidex/velociraptor
Core IR Artifact Collection
Windows Forensic Artifacts
-- Collect Windows Event Logs
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
EvtxGlob="C:/Windows/System32/winevt/Logs/*.evtx",
IDRegex="4624|4625|4648|4672|4688|4698|4769|7045"
)
-- Collect Prefetch files for execution evidence
SELECT * FROM Artifact.Windows.Forensics.Prefetch()
-- Collect Shimcache entries
SELECT * FROM Artifact.Windows.Registry.AppCompatCache()
-- Collect Amcache entries
SELECT * FROM Artifact.Windows.Forensics.Amcache()
-- Collect UserAssist data
SELECT * FROM Artifact.Windows.Forensics.UserAssist()
-- Collect NTFS MFT timestamps
SELECT * FROM Artifact.Windows.NTFS.MFT(
MFTFilename="C:/$MFT",
FileRegex=".(exe|dll|ps1|bat|cmd)$"
)
-- Collect scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()
-- Collect running processes with hashes
SELECT * FROM Artifact.Windows.System.Pslist()
-- Collect network connections
SELECT * FROM Artifact.Windows.Network.Netstat()
-- Collect DNS cache
SELECT * FROM Artifact.Windows.Network.DNSCache()
-- Collect browser history
SELECT * FROM Artifact.Windows.Applications.Chrome.History()
-- Collect PowerShell history
SELECT * FROM Artifact.Windows.Forensics.PowerShellHistory()
-- Collect autoruns/persistence
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
SELECT * FROM Artifact.Windows.System.Services()
SELECT * FROM Artifact.Windows.System.StartupItems()
Linux Forensic Artifacts
-- Collect auth logs
SELECT * FROM Artifact.Linux.Sys.AuthLogs()
-- Collect bash history
SELECT * FROM Artifact.Linux.Forensics.BashHistory()
-- Collect crontab entries
SELECT * FROM Artifact.Linux.Sys.Crontab()
-- Collect running processes
SELECT * FROM Artifact.Linux.Sys.Pslist()
-- Collect network connections
SELECT * FROM Artifact.Linux.Network.Netstat()
-- Collect SSH authorized keys
SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys()
-- Collect systemd services
SELECT * FROM Artifact.Linux.Services()
Triage Collection (All-in-One)
-- Windows Triage Collection artifact
-- Collects event logs, prefetch, registry, browser data, and more
SELECT * FROM Artifact.Windows.KapeFiles.Targets(
Device="C:",
_AllFiles=FALSE,
_EventLogs=TRUE,
_Prefetch=TRUE,
_RegistryHives=TRUE,
_WebBrowsers=TRUE,
_WindowsTimeline=TRUE
)
Hunt Operations
Creating a Hunt
1. Navigate to Hunt Manager in Velociraptor Web UI
2. Click "New Hunt"
3. Configure:
- Description: "IR Triage - Case 2025-001"
- Include/Exclude labels for targeting
- Artifact selection (e.g., Windows.Forensics.Prefetch)
- Resource limits (CPU, IOPS, timeout)
4. Launch hunt
5. Monitor progress in real-time
VQL Hunt Examples
-- Hunt for specific file hash across all endpoints
SELECT * FROM Artifact.Generic.Detection.HashHunter(
Hashes="e99a18c428cb38d5f260853678922e03"
)
-- Hunt for YARA signatures in memory
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
YaraRule='rule malware { strings: $s1 = "malicious_string" condition: $s1 }'
)
-- Hunt for Sigma rule matches in event logs
SELECT * FROM Artifact.Server.Import.SigmaRules()
-- Hunt for suspicious scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()
WHERE Command =~ "powershell|cmd|wscript|mshta|rundll32"
-- Hunt for processes with network connections to suspicious IPs
SELECT * FROM Artifact.Windows.Network.Netstat()
WHERE RemoteAddr =~ "10\\.13\\.37\\."
Real-Time Monitoring
-- Monitor for new process creation
SELECT * FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}")
WHERE EventData.ImageName =~ "powershell|cmd|wscript"
-- Monitor file system changes
SELECT * FROM watch_directory(path="C:/Windows/Temp/")
-- Monitor registry changes
SELECT * FROM watch_registry(key="HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**")
Integration with SIEM/SOAR
Splunk Integration
Velociraptor Server --> Elastic/OpenSearch --> Splunk HEC
--> Direct syslog forwarding
--> Velociraptor API --> Custom scripts --> Splunk
Elastic Stack Integration
# Velociraptor server config for Elastic output
Monitoring:
elastic:
addresses:
- https://elastic.local:9200
username: velociraptor
password: secure_password
index: velociraptor
MITRE ATT&CK Mapping
| Technique | VQL Artifact |
|---|---|
| T1059 - Command Scripting | Windows.EventLogs.EvtxHunter (4104, 4688) |
| T1053 - Scheduled Task | Windows.System.TaskScheduler |
| T1547 - Boot/Logon Autostart | Windows.Persistence.PermanentWMIEvents |
| T1003 - OS Credential Dumping | Windows.Detection.Yara.Process |
| T1021 - Remote Services | Windows.EventLogs.EvtxHunter (4624 Type 3/10) |
| T1070 - Indicator Removal | Windows.EventLogs.Cleared |
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?