Velociraptor Features

To give you a taste of what Velociraptor can do, here are some of the more interesting features:

Easy setup and deployment

  • Velociraptor ships as a singe executable which has no dependencies and requires no installation routine
  • Settings are defined by a pair of config files - one for the server and one for each endpoint
  • All comms between endpoints and the server are encrypted
  • The GUI supports SSL and SSO via Google Auth for strong identity management
  • Once an endpoint is started, it’s instantly available on the server dashboard (after a browser refresh).

Endpoint operations

  • Quickly search for endpoints and connect to them for fast browsing and evidence collection
  • Easily browse the contents of endpoint file systems, even bypass locked files using raw NTFS access
  • Remotely inspect and download files of interest all through the GUI
  • Search for files across all endpoints using glob expressions, file metadata and even Yara signatures
  • Collect files from endpoints automatically and on demand
  • Search and parse the Windows Registry for keys and values of interest
  • Perform triage collection of the most common digital forensic artefacts using build-in collection templates
  • Use the built-in library of artefacts to easily hunt for a wide range of forensic artefacts simultaneously across a whole network
  • Acquire process memory based on various conditions for further examination by Windbg
  • Apply Yara signatures to process memory
  • Extend VQL with WMI to build powerful queries for interrogation and data collection
  • An interactive shell is even available, for those unexpected times when you need to get hands-on.

Event streaming to monitor endpoint activity

  • Velociraptor also supports streaming event queries on endpoints themselves, meaning that data can be collected automatically from endpoints and stored on the server, for continual monitoring and real-time alerting, or for archival and investigation after the fact. Examples include:

    • Operating system logging events such as privileged account activities and process execution
    • Extended logging, for example through Sysmon integration
    • DNS queries and responses.
  • Escalations can be automatically actioned on the server, upon collection of client events

User interface and automation

  • An advanced GUI which makes many simple tasks easy
  • Server-side VQL allows for automating the server using VQL queries too, for example to launch further collection automatically when certain conditions are detected
  • A Python API also allows for full control of the server using Python, including post processing acquired data.

Endpoint resource management

  • Endpoint activities can be carefully managed, for example client-side throttling allows you to run intensive operations on the endpoints at a controlled rate to minimise impact on endpoint performance.