Velociraptor is a powerful new open source endpoint visibility tool. Learn how to leverage this tool to respond to advanced threats.

About this Event

The next generation in endpoint visibility. With a solid architecture, a library of customizable forensic artifacts and its own unique and flexible query language, Velociraptor provides the next generation in endpoint monitoring, digital forensic investigations and cyber incident response. You can read more about Velociraptor at

About this course

This training event is run by the company behind Velociraptor - you will learn from the developers and practitioners who use Velociraptor every day to respond to incidents and investigate breaches. The course is run in person over 2 days with hands-on, practical, instructor-led classes. Course material and detailed preparation instructions will be distributed to participants the week prior to the course.

Morning and afternoon coffee/tea will be provided and lunch is available at your own cost in numerous restaurants in the area.

Course Contents

Day 1

This day introduces Velociraptor and the incident response process. After this day you will be able to deploy Velociraptor on your network. You will then be able to hunt and investigate across thousands of machines at the press of a button.

Installing Velociraptor in the cloud

We begin by installing a typical secure Velociraptor server on a cloud VM. We then deploy Velociraptor clients on a typical Windows network using group policy, as well as a typical Ubuntu installation.

Introduction to the Velociraptor GUI

Velociraptor’s powerful GUI allows for interactively inspecting remote machines. We will learn our way around the interface. Applying these skills, delegates will spot check particular settings on endpoints.

What are forensic artifacts?

Velociraptor’s unique feature is the formulation and use of forensic artifacts. We learn what artifacts are, why they are useful and then apply our knowledge to identify lateral movement (WMI and PsExec). Delegates will collect artifacts interactively from machines to capture and triage the state of the machine.

Hunting at scale

While collecting and analyzing specific endpoints is a useful feature, hunting across the entire deployment is a powerful way to identify anomalies. We will export the results and use external tools to further analyze the results.

Monitoring and Event Artifacts

While hunting is useful for proactively searching for anomalies, it is sometimes useful to be alerted immediately. Velociraptor can implement monitoring queries on endpoints which alert when anomalous behavior is identified.

Day 2

The real power of Velociraptor is in the flexibility and customization available using VQL queries. This day will delve into Velociraptor internals. Using this flexibility you will be able to develop some new artifacts and implement custom detection rules. Examples we will cover include detecting and automatically responding to lateral movement, endpoint compromise and backdoor installations.

What is VQL?

Velociraptor’s Query Language (VQL) is the powerful and flexible dialect behind Velociraptor’s artifacts. This module introduces VQL and its basic grammar. We examine several built-in artifacts to understand how they work.

Customizing and creating Velociraptor artifacts

Velociraptor’s unique strength lies in the flexibility afforded by custom user artifacts. We will learn how to modify existing artifacts and write brand new ones by leveraging our new VQL knowledge. We apply the new artifacts to realistic scenarios from hunting for new threats to detecting and alerting on modifications to critical system files.

Extending VQL

VQL is a very simple language which allows us to express artifacts easily. It was never meant to be a complete language; instead, VQL provides for extensions using VQL plugins. In this module we learn how to extend VQL using PowerShell and external binaries. You will be writing some new artifacts leveraging various tools to create a coherent incident response plan.

Scripting Velociraptor

Modern incident response tools are typically used as part of a larger system incorporating many other products. In order to allow for easy integration, Velociraptor provides a powerful API. We will look at how to use this API from Python. You will write a Python script to take action when certain detection events occur.

About Velocidex

Velocidex Enterprises was founded by well-established industry professionals with many years of proven expertise in the development of digital forensic software and its use to support a wide range of digital forensic investigations and cyber breach response cases.

Velociraptor aims to provide the “last step” in the process of digital forensic investigations, security monitoring and threat hunting. We already know a great deal about how to investigate computer systems and monitor for malicious activities. Velociraptor aims to encapsulate this industry knowledge and empower both experts and novices to leverage it, to collect and analyse evidence of malicious activities with speed and precision.

The Venue

This training event will be held immediately after the annual Linux Conference. If you are going to Linux Conf, you might find it convenient to stay an extra couple of days and attend the Velociraptor training.

The training is held at the Southport Community Center (6 Lawson St), which is a short tram ride from Surfers Paradise.