# Velociraptor Quick Guide

## Installation

### Server Installation

**Linux (release binary):**

```bash
# Download latest release
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-linux-amd64
# Make executable and install
chmod +x velociraptor-v0.7.0-linux-amd64
sudo mv velociraptor-v0.7.0-linux-amd64 /usr/local/bin/velociraptor
# Create the configuration and datastore directories
sudo mkdir -p /etc/velociraptor /var/lib/velociraptor
# Generate server configuration (write through tee so the file is created as root)
velociraptor config generate | sudo tee /etc/velociraptor/server.config.yaml > /dev/null
# Create systemd service
sudo tee /etc/systemd/system/velociraptor.service << EOF
[Unit]
Description=Velociraptor Server
After=network.target
[Service]
Type=simple
User=velociraptor
Group=velociraptor
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend -v
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
# Create the service user, give it the config (which holds private keys) and datastore, and start the service
sudo useradd -r -s /bin/false velociraptor
sudo chown -R velociraptor:velociraptor /etc/velociraptor /var/lib/velociraptor
sudo chmod 600 /etc/velociraptor/server.config.yaml
sudo systemctl daemon-reload
sudo systemctl enable velociraptor
sudo systemctl start velociraptor
```

**Linux (apt repository, alternative):**

```bash
# Install required dependencies
sudo apt update
sudo apt install -y software-properties-common
# Add Velociraptor repository
sudo add-apt-repository ppa:velociraptor/release
sudo apt update
# Install Velociraptor
sudo apt install velociraptor
```

**Docker:**

```bash
# Create configuration directory
mkdir -p velociraptor-config
# Generate configuration
docker run --rm -v $(pwd)/velociraptor-config:/config \
    velocidex/velociraptor:latest \
    config generate --config /config/server.config.yaml
# Run server
docker run -d --name velociraptor-server \
    -p 8000:8000 -p 8080:8080 \
    -v $(pwd)/velociraptor-config:/config \
    velocidex/velociraptor:latest \
    --config /config/server.config.yaml frontend -v
```

**Docker (alternative image):**

```bash
# Pull Velociraptor Docker image
docker pull velociraptor/velociraptor
# Run Velociraptor server
docker run -p 8889:8889 velociraptor/velociraptor server
```

### Client Installation

**Windows:**

```powershell
# Download client
Invoke-WebRequest -Uri "https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-windows-amd64.exe" -OutFile "velociraptor.exe"
# Install as service
.\velociraptor.exe --config client.config.yaml service install
# Start service
Start-Service Velociraptor
```

**Windows (installer, alternative):**

```powershell
# Download Velociraptor Windows installer
Invoke-WebRequest -Uri https://github.com/velociraptor/releases/download/latest/velociraptor-windows-installer.exe -OutFile velociraptor-installer.exe
# Install client
.\velociraptor-installer.exe install
```

**Linux:**

```bash
# Download client
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-linux-amd64
# Make executable
chmod +x velociraptor-v0.7.0-linux-amd64
# Install as service
sudo ./velociraptor-v0.7.0-linux-amd64 --config client.config.yaml service install
# Start service
sudo systemctl start velociraptor_client
```

**Linux (alternative):**

```bash
# Download Velociraptor Linux client
wget https://github.com/velociraptor/releases/download/latest/velociraptor-linux-client
# Make executable
chmod +x velociraptor-linux-client
# Install client
sudo ./velociraptor-linux-client install
```

**macOS:**

```bash
# Download client
curl -L -o velociraptor https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-darwin-amd64
# Make executable
chmod +x velociraptor
# Install as service
sudo ./velociraptor --config client.config.yaml service install
# Start service
sudo launchctl load /Library/LaunchDaemons/com.velocidx.velociraptor.plist
```

**macOS (alternative):**

```bash
# Download Velociraptor macOS client
curl -L https://github.com/velociraptor/releases/download/latest/velociraptor-macos-client -o velociraptor-client
# Make executable
chmod +x velociraptor-client
# Install client
sudo ./velociraptor-client install
```

### Server Configuration

```yaml
# server.config.yaml
version:
  name: velociraptor
  version: 0.7.0
Client:
  server_urls:
    - https://velociraptor.company.com:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    [CA Certificate]
    -----END CERTIFICATE-----
  nonce: "[Random nonce]"
API:
  bind_address: 0.0.0.0
  bind_port: 8001
  bind_scheme: https
GUI:
  bind_address: 0.0.0.0
  bind_port: 8889
  bind_scheme: https
  public_url: https://velociraptor.company.com:8889/
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
  certificate: |
    -----BEGIN CERTIFICATE-----
    [Server Certificate]
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN PRIVATE KEY-----
    [Server Private Key]
    -----END PRIVATE KEY-----
Datastore:
  implementation: FileBaseDataStore
  location: /var/lib/velociraptor
  filestore_directory: /var/lib/velociraptor
```
### Client Configuration

**Client Config Generation:**

```bash
# Generate client configuration
velociraptor --config server.config.yaml config client > client.config.yaml
# Build a Windows MSI: repack the release MSI with the client config embedded
velociraptor config repack --exe velociraptor-v0.7.0-windows-amd64.msi client.config.yaml velociraptor_client.msi
# Build a DEB package for Linux from the client config
velociraptor debian client --config client.config.yaml --output velociraptor_client.deb
```

## VQL (Velociraptor Query Language)

### Basic VQL Syntax

**Simple Queries:**

```sql
-- List running processes
SELECT Name, Pid, Ppid, CommandLine
FROM pslist()
-- Get file information
SELECT FullPath, Size, Mtime, Atime, Ctime
FROM glob(globs="/etc/passwd")
-- Search for files
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/Users/*/Desktop/*.exe")
WHERE Size > 1000000
```

**Advanced Queries:**

```sql
-- Process tree with parent information
SELECT Name, Pid, Ppid, CommandLine,
get(item=pslist(pid=Ppid), member="0.Name") AS ParentName
FROM pslist()
WHERE Name =~ "powershell"
-- Network connections with process info
SELECT Laddr, Raddr, Status, Pid,
get(item=pslist(pid=Pid), member="0.Name") AS ProcessName,
get(item=pslist(pid=Pid), member="0.CommandLine") AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
```

### File System Operations

**File Discovery:**

```sql
-- Find executable files
SELECT FullPath, Size, Mtime, hash(path=FullPath) AS Hash
FROM glob(globs="C:/Windows/System32/*.exe")
-- Search for suspicious files
SELECT FullPath, Size, Mtime, Atime, Ctime
FROM glob(globs=["C:/Temp/**", "C:/Users/*/AppData/Local/Temp/**"])
WHERE FullPath =~ "\\.(exe|bat|cmd|ps1|vbs)$"
AND Size > 0
-- Find recently modified files
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/Users/**")
WHERE Mtime > now() - 86400 -- Last 24 hours
AND FullPath =~ "\\.(doc|docx|pdf|txt)$"
```

**File Content Analysis:**

```sql
-- Search file contents
SELECT FullPath, Line, HitContext
FROM grep(globs="C:/Users/*/Documents/*.txt",
keywords=["password", "secret", "confidential"])
-- Extract strings from binaries
SELECT FullPath, String
FROM strings(globs="C:/Temp/*.exe", length=8)
WHERE String =~ "(http|ftp)://"
-- YARA scanning
SELECT FullPath, Rule, Meta, Strings
FROM yara(files="C:/Temp/*.exe",
          rules='''
rule SuspiciousStrings {
    strings:
        $s1 = "cmd.exe" ascii
        $s2 = "powershell" ascii
        $s3 = "CreateProcess" ascii
    condition:
        2 of them
}''')
```

### Process Analysis

**Process Monitoring:**

```sql
-- Current processes with details
SELECT Name, Pid, Ppid, CommandLine, Username, Exe,
CreateTime, hash(path=Exe) AS ExeHash
FROM pslist()
ORDER BY CreateTime DESC
-- Process tree visualization
SELECT Name, Pid, Ppid, CommandLine,
get(item=pslist(pid=Ppid), member="0.Name") AS ParentName,
CreateTime
FROM pslist()
WHERE Ppid != 0
ORDER BY Ppid, CreateTime
-- Suspicious process detection
SELECT Name, Pid, CommandLine, Exe
FROM pslist()
WHERE (CommandLine =~ "powershell.*-enc" OR
CommandLine =~ "cmd.*echo.*>" OR
Exe =~ "C:\\Temp\\.*\\.exe" OR
Name =~ "^[a-f0-9]{8,}\\.(exe|tmp)$")
```

**Process Memory Analysis:**

```sql
-- Dump process memory
SELECT Pid, Name, dump(pid=Pid, length=1000000) AS MemoryDump
FROM pslist()
WHERE Name = "suspicious.exe"
-- Search process memory
SELECT Pid, Name, Address, HitContext
FROM proc_memory_grep(pid=1234, keywords=["password", "secret"])
-- Extract loaded modules
SELECT Pid, Name, ModuleName, ModuleBase, ModuleSize
FROM modules(pid=1234)
```

### Network Analysis

**Network Connections:**

```sql
-- Active network connections
SELECT Laddr, Raddr, Status, Pid,
get(item=pslist(pid=Pid), member="0.Name") AS ProcessName,
get(item=pslist(pid=Pid), member="0.CommandLine") AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
-- Listening services
SELECT Laddr, Status, Pid,
get(item=pslist(pid=Pid), member="0.Name") AS ProcessName
FROM netstat()
WHERE Status = "LISTEN"
ORDER BY Laddr
-- DNS cache analysis
SELECT Name, Type, Data, TTL
FROM dns_cache()
WHERE Name =~ "suspicious-domain\\.com"
```

### Registry Analysis (Windows)

**Registry Queries:**

```sql
-- Startup programs
SELECT Key, ValueName, ValueData
FROM registry(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")
-- Recently accessed files
SELECT Key, ValueName, ValueData
FROM registry(globs="HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs/*")
-- Installed software
SELECT Key, ValueName, ValueData
FROM registry(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName")
WHERE ValueData
```

**Registry Monitoring:**

```sql
-- Monitor registry changes
SELECT timestamp(epoch=Timestamp) AS Time,
Key, ValueName, ValueData, EventType
FROM watch_registry(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")
```

## Artifacts and Hunts

### Built-in Artifacts

**System Information:**

```sql
-- Windows.System.Info
SELECT Hostname, OS, Architecture, Platform, PlatformVersion,
KernelVersion, Uptime, BootTime
FROM info()
-- Windows.System.Users
SELECT Name, Description, Disabled, PasswordLastSet, LastLogon
FROM users()
-- Windows.System.Services
SELECT Name, DisplayName, Status, StartType, ServiceType, BinaryPath
FROM services()
```

**Security Artifacts:**

```sql
-- Windows.EventLogs.Security
SELECT EventTime, EventID, Computer, UserName, LogonType, IpAddress
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE EventID IN (4624, 4625, 4648, 4672)
-- Windows.Forensics.Prefetch
SELECT FullPath, LastRunTime, RunCount, Hash
FROM prefetch()
-- Windows.Registry.Sysinternals.Eulaaccepted
SELECT Key, ValueName, ValueData, Mtime
FROM registry(globs="HKEY_CURRENT_USER/SOFTWARE/Sysinternals/*/EulaAccepted")
```

### Custom Artifacts
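The artifact in this section combines four regex conditions in one `WHERE` clause, and both the backslash escaping and the precedence of the final `AND` are easy to get wrong. The following is an added example, not from the guide and not Velociraptor's own code: the same rules expressed in Python and applied to constructed `pslist()`-shaped rows, with the parent name resolved the way the artifact's `get()` does, so every pattern can be unit-tested before it is committed to VQL. Column names follow the artifact; the rule labels and the sample processes are invented for the example.

```python
"""Testable version of the Custom.Windows.SuspiciousProcesses rules.

Added example for this guide, not Velociraptor's own code. The regexes are the
artifact's, written as Python raw strings so the escaping is explicit (a VQL
double-quoted string needs "\\" for one literal backslash, which is why the
artifact shows doubled backslashes).
"""
import re

TEMP_PATH = re.compile(r"(?i)C:\\(Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\")
SUSPICIOUS_CMDLINE = re.compile(r"(?i)(powershell.*-enc|cmd.*echo.*>|certutil.*-decode)")
RANDOM_NAME = re.compile(r"^[a-f0-9]{8,}\.(exe|tmp)$")
MASQUERADE_NAME = re.compile(r"(?i)(svchost|winlogon|csrss|lsass)\.(tmp|exe)$")
SYSTEM32 = re.compile(r"(?i)C:\\Windows\\System32\\")

# Constructed sample rows mimicking pslist() output (hypothetical hosts/users).
SAMPLE_PROCESSES = [
    {"Name": "explorer.exe", "Pid": 1000, "Ppid": 900,
     "CommandLine": "C:\\Windows\\explorer.exe", "Exe": "C:\\Windows\\explorer.exe"},
    {"Name": "svchost.exe", "Pid": 1100, "Ppid": 700,
     "CommandLine": "svchost.exe -k netsvcs", "Exe": "C:\\Windows\\System32\\svchost.exe"},
    {"Name": "svchost.exe", "Pid": 1200, "Ppid": 1000,
     "CommandLine": "svchost.exe", "Exe": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"},
    {"Name": "powershell.exe", "Pid": 1300, "Ppid": 1000,
     "CommandLine": "powershell -nop -enc SQBFAFgA",
     "Exe": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Name": "update.exe", "Pid": 1400, "Ppid": 1000,
     "CommandLine": "update.exe", "Exe": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
    {"Name": "deadbeef01.tmp", "Pid": 1500, "Ppid": 1400,
     "CommandLine": "deadbeef01.tmp", "Exe": "C:\\ProgramData\\deadbeef01.tmp"},
]


def match_reasons(proc):
    """Return the rule labels a process matches (empty list if it is clean)."""
    reasons = []
    if TEMP_PATH.search(proc["Exe"]):
        reasons.append("temp_directory")
    if SUSPICIOUS_CMDLINE.search(proc["CommandLine"]):
        reasons.append("suspicious_cmdline")
    if RANDOM_NAME.search(proc["Name"]):
        reasons.append("random_name")
    # The artifact's last alternative: AND binds tighter than OR, so the
    # System32 exclusion applies only to the well-known-name check.
    if MASQUERADE_NAME.search(proc["Name"]) and not SYSTEM32.search(proc["Exe"]):
        reasons.append("masquerade_outside_system32")
    return reasons


def find_suspicious(processes):
    """Apply the rules and resolve the parent name from the same process list."""
    by_pid = {p["Pid"]: p for p in processes}
    hits = []
    for proc in processes:
        reasons = match_reasons(proc)
        if not reasons:
            continue
        parent = by_pid.get(proc["Ppid"])
        hits.append({
            "Pid": proc["Pid"],
            "Name": proc["Name"],
            "ParentName": parent["Name"] if parent else None,
            "Reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PROCESSES):
        print(hit)
```

The System32 `svchost.exe` row is the control case: it must not match, or the artifact would flag every host in the hunt.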
**Create Custom Artifact:**

```yaml
name: Custom.Windows.SuspiciousProcesses
description: Hunt for suspicious process execution patterns
type: CLIENT
sources:
  - precondition: |
      SELECT OS From info() where OS = 'windows'
    query: |
      SELECT Name, Pid, Ppid, CommandLine, Exe, CreateTime,
             hash(path=Exe) AS ExeHash,
             get(item=pslist(pid=Ppid), member="0.Name") AS ParentName
      FROM pslist()
      WHERE (
        -- Processes running from temp directories
        Exe =~ "(?i)C:\\(Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\" OR
        -- Suspicious command line patterns
        CommandLine =~ "(?i)(powershell.*-enc|cmd.*echo.*>|certutil.*-decode)" OR
        -- Processes with random names
        Name =~ "^[a-f0-9]{8,}\\.(exe|tmp)$" OR
        -- Common malware process names (outside System32; AND binds tighter than OR)
        (Name =~ "(?i)(svchost|winlogon|csrss|lsass)\\.(tmp|exe)$" AND
         NOT Exe =~ "(?i)C:\\Windows\\System32\\")
      )
      ORDER BY CreateTime DESC
```

**Deploy the Custom Artifact:**
```bash
# Upload artifact to server
velociraptor --config server.config.yaml artifacts upload custom_artifact.yaml
# Run artifact on specific client
velociraptor --config server.config.yaml query "SELECT * FROM Artifact.Custom.Windows.SuspiciousProcesses()" --client_id C.1234567890abcdef
```

### Hunt Management

**Creating a Hunt:**
```sql
-- Create hunt for suspicious processes
SELECT hunt_id FROM hunt(
description="Hunt for suspicious processes",
artifacts=["Custom.Windows.SuspiciousProcesses"],
spec=dict(
artifacts=["Custom.Windows.SuspiciousProcesses"],
parameters=dict()
)
)
```

**Monitoring Hunt Progress:**
```sql
-- Check hunt status
SELECT hunt_id, state, create_time, creator,
total_clients_scheduled, completed_clients
FROM hunts()
WHERE state = "RUNNING"
-- Get hunt results
SELECT ClientId, Timestamp, Name, Pid, CommandLine, ExeHash
FROM hunt_results(hunt_id="H.1234567890abcdef",
artifact="Custom.Windows.SuspiciousProcesses")
```

## Incident Response

### Live Response

**Remote Shell:**
```sql
-- Execute commands remotely
SELECT Stdout, Stderr, ReturnCode
FROM execve(argv=["cmd", "/c", "whoami"])
-- PowerShell execution
SELECT Stdout, Stderr, ReturnCode
FROM execve(argv=["powershell", "-Command", "Get-Process|Where-Object {$_.CPU -gt 100}"])
-- Collect system information
SELECT Stdout FROM execve(argv=["systeminfo"])
```

**File Collection:**
```sql
-- Collect specific files
SELECT upload(file=FullPath) AS Upload
FROM glob(globs="C:/Users/*/Desktop/suspicious.exe")
-- Collect log files
SELECT FullPath, upload(file=FullPath) AS Upload
FROM glob(globs="C:/Windows/System32/winevt/Logs/*.evtx")
WHERE Name =~ "(Security|System|Application)\\.evtx"
-- Memory dump collection
SELECT upload(file=dump_process(pid=1234)) AS MemoryDump
FROM scope()
```

### Timeline Analysis
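The timeline queries in this section pull M/A/C/B timestamps and process creation times out as flat rows; turning those rows into one ordered timeline is normally done after export. The following is an added example, not part of the original guide and not Velociraptor's own code: it explodes `glob()`- and `pslist()`-shaped rows into one event per timestamp, collapses coincident timestamps on the same file into a MACB label, and sorts within a time window. The JSONL rows are constructed for the example, and the ISO-8601 `...Z` timestamp format is an assumption about how the rows were exported.

```python
"""Build a MACB timeline from rows shaped like Velociraptor glob() and pslist() output.

Added example for this guide, not Velociraptor's own code. Input rows are
constructed inline with the columns the guide's timeline queries select
(FullPath, Mtime, Atime, Ctime, Btime; Name, Pid, CommandLine, CreateTime);
JSONL with ISO-8601 UTC timestamps is assumed as the export format.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: two glob() rows and one pslist() row.
SAMPLE_JSONL = "\n".join([
    json.dumps({"FullPath": "C:/Users/alice/Documents/report.docx", "Size": 20480,
                "Mtime": "2023-03-10T09:15:00Z", "Atime": "2023-03-12T08:00:00Z",
                "Ctime": "2023-03-10T09:15:00Z", "Btime": "2023-02-01T12:00:00Z"}),
    json.dumps({"FullPath": "C:/Users/alice/Documents/invoice.pdf", "Size": 5120,
                "Mtime": "2023-03-11T17:45:00Z", "Atime": "2023-03-11T17:45:00Z",
                "Ctime": "2023-03-11T17:46:00Z", "Btime": "2023-03-11T17:45:00Z"}),
    json.dumps({"Name": "powershell.exe", "Pid": 4242,
                "CommandLine": "powershell -nop -w hidden",
                "CreateTime": "2023-03-11T17:44:30Z"}),
])

MACB_COLUMNS = {"Mtime": "M", "Atime": "A", "Ctime": "C", "Btime": "B"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def explode_rows(jsonl):
    """Turn each exported row into one (time, type, source, description) event per timestamp.

    A file row yields up to four events (one per MACB column that is present);
    a process row yields a single 'P' event for its creation time.
    """
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if "FullPath" in row:
            for col, letter in MACB_COLUMNS.items():
                if row.get(col):
                    events.append((parse_ts(row[col]), letter, "file", row["FullPath"]))
        elif "CreateTime" in row:
            desc = f"{row['Name']} (pid {row['Pid']}): {row.get('CommandLine', '')}"
            events.append((parse_ts(row["CreateTime"]), "P", "process", desc))
    return events


def build_timeline(jsonl, since=None, until=None):
    """Return events sorted by (time, type), optionally restricted to a window.

    The secondary sort key keeps output deterministic when timestamps coincide,
    which is the normal case for a freshly created file's M/A/B times.
    """
    events = explode_rows(jsonl)
    if since is not None:
        events = [e for e in events if e[0] >= since]
    if until is not None:
        events = [e for e in events if e[0] <= until]
    return sorted(events, key=lambda e: (e[0], e[1]))


def collapse_same_time(events):
    """Merge events sharing time, source and description into one MACB-style label."""
    merged = {}
    for time, letter, source, desc in events:
        merged.setdefault((time, source, desc), set()).add(letter)
    return [(t, "".join(sorted(letters, key="MACBP".index)), s, d)
            for (t, s, d), letters in sorted(merged.items())]


def render(events):
    """One line per event, body-file style: time, type letters, source, description."""
    return "\n".join(f"{t.isoformat()}  {types:<4} {s:<7} {d}" for t, types, s, d in events)


if __name__ == "__main__":
    window_start = parse_ts("2023-03-11T00:00:00Z")
    print(render(collapse_same_time(build_timeline(SAMPLE_JSONL, since=window_start))))
```

Run against a real export, the interesting pattern is the one the sample shows: a process creation followed seconds later by a file whose M, A and B times coincide, which is what a dropped file looks like in a timeline.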
**Filesystem Timeline:**
```sql
-- Create filesystem timeline
SELECT FullPath, Size, Mtime, Atime, Ctime, Btime,
"M" AS MtimeType, "A" AS AtimeType, "C" AS CtimeType, "B" AS BtimeType
FROM glob(globs="C:/Users/*/Documents/**")
WHERE Mtime > timestamp(string="2023-01-01T00:00:00Z")
ORDER BY Mtime
-- Process creation timeline
SELECT Name, Pid, CommandLine, CreateTime, Exe
FROM pslist()
WHERE CreateTime > now() - 86400 -- Last 24 hours
ORDER BY CreateTime
```

**Event Log Timeline:**
```sql
-- Security event timeline
SELECT EventTime, EventID, Computer, UserName, LogonType,
IpAddress, WorkstationName
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE EventTime > timestamp(string="2023-01-01T00:00:00Z")
AND EventID IN (4624, 4625, 4648, 4672, 4720, 4726)
ORDER BY EventTime
```

### Threat Hunting
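The lateral-movement query in this section filters single 4624 events with LogonType 10 from a non-loopback source. As an added example that is not part of the guide or of Velociraptor, the Python below goes one step beyond that filter: it groups the same `parse_evtx()`-shaped rows by source `IpAddress` across the `Computer` column, so one source that reaches several hosts inside a short window stands out from ordinary single RDP sessions. The rows, host names and addresses are constructed for the example; the `...Z` ISO-8601 timestamp format is an assumption about the export.

```python
"""Fan-out analysis of remote interactive logons from parse_evtx()-shaped rows.

Added example for this guide, not Velociraptor's own code. Columns follow the
guide's query (EventTime, EventID, Computer, UserName, IpAddress, LogonType);
the sample rows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of Security.evtx rows collected from several hosts.
SAMPLE_EVENTS = [
    {"EventTime": "2023-03-11T17:40:00Z", "EventID": 4624, "Computer": "WS01",
     "UserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"EventTime": "2023-03-11T17:41:00Z", "EventID": 4624, "Computer": "WS02",
     "UserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"EventTime": "2023-03-11T17:43:00Z", "EventID": 4624, "Computer": "SRV01",
     "UserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 10},
    {"EventTime": "2023-03-11T17:50:00Z", "EventID": 4624, "Computer": "WS03",
     "UserName": "bob", "IpAddress": "10.0.0.9", "LogonType": 10},
    {"EventTime": "2023-03-11T18:00:00Z", "EventID": 4624, "Computer": "WS03",
     "UserName": "bob", "IpAddress": "127.0.0.1", "LogonType": 10},
    {"EventTime": "2023-03-11T18:05:00Z", "EventID": 4624, "Computer": "WS04",
     "UserName": "svc", "IpAddress": "-", "LogonType": 5},
    {"EventTime": "2023-03-11T18:10:00Z", "EventID": 4625, "Computer": "WS04",
     "UserName": "alice", "IpAddress": "10.0.0.5", "LogonType": 10},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rdp_logons(events):
    """The guide's filter: successful (4624) RDP (LogonType 10) logons from a real remote source."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10
            and e["IpAddress"] not in ("127.0.0.1", "-")]


def fan_out(events, window_minutes=15, min_hosts=3):
    """Per source address, count distinct target hosts inside any sliding window.

    Returns only sources whose best window reaches min_hosts, with the hosts and
    accounts involved and the first/last logon times for the analyst.
    """
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in rdp_logons(events):
        by_source[e["IpAddress"]].append(e)
    findings = {}
    for source, logons in by_source.items():
        logons.sort(key=lambda e: parse_ts(e["EventTime"]))
        times = [parse_ts(e["EventTime"]) for e in logons]
        best = 0
        for i in range(len(logons)):
            hosts = set()
            for j in range(i, len(logons)):
                if times[j] - times[i] > window:
                    break
                hosts.add(logons[j]["Computer"])
            best = max(best, len(hosts))
        if best >= min_hosts:
            findings[source] = {
                "max_hosts_in_window": best,
                "hosts": sorted({e["Computer"] for e in logons}),
                "users": sorted({e["UserName"] for e in logons}),
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for source, detail in fan_out(SAMPLE_EVENTS).items():
        print(source, detail)
```

The threshold and window are starting points; jump hosts and vulnerability scanners legitimately fan out, so tune `min_hosts` per environment and exclude known sources before alerting on the result.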
**Lateral Movement Detection:**
```sql
-- Detect lateral movement via RDP
SELECT EventTime, Computer, UserName, IpAddress, LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE EventID = 4624 AND LogonType = 10 -- RDP logons
AND IpAddress != "127.0.0.1"
AND IpAddress != "-"
-- Detect PSExec usage
SELECT Name, Pid, CommandLine, CreateTime
FROM pslist()
WHERE (CommandLine =~ "psexec" OR
Name =~ "PSEXESVC\\.exe" OR
CommandLine =~ "\\\\.*\\admin\\$")
-- Detect suspicious PowerShell
SELECT Name, Pid, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "powershell\\.exe" AND
(CommandLine =~ "-enc" OR
CommandLine =~ "-nop" OR
CommandLine =~ "-w hidden" OR
CommandLine =~ "DownloadString" OR
CommandLine =~ "IEX")
```

**Persistence Detection:**
```sql
-- Startup folder persistence
SELECT FullPath, Size, Mtime, hash(path=FullPath) AS Hash
FROM glob(globs=[
"C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
"C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/*"
])
-- Scheduled task persistence
SELECT Name, State, LastRunTime, NextRunTime, TaskPath, Actions
FROM scheduled_tasks()
WHERE State = "Ready" AND
(Actions =~ "powershell" OR
Actions =~ "cmd" OR
Actions =~ "C:\\Temp\\" OR
Actions =~ "C:\\Users\\.*\\AppData\\")
-- Service persistence
SELECT Name, DisplayName, BinaryPath, StartType, Status
FROM services()
WHERE BinaryPath =~ "(?i)(temp|appdata)" OR
BinaryPath =~ "(?i)\\.(bat|cmd|ps1|vbs)$" OR
(Name =~ "^[a-f0-9]{8,}$" AND StartType = "Auto")
```

## Monitoring and Alerting

### Real-time Monitoring

**Process Monitoring:**
```sql
-- Monitor new process creation
SELECT timestamp(epoch=Timestamp) AS Time,
Name, Pid, Ppid, CommandLine, Exe
FROM watch_process()
WHERE CommandLine =~ "(powershell.*-enc|cmd.*echo|certutil.*-decode)"
```

**Filesystem Monitoring:**
```sql
-- Monitor file creation in suspicious locations
SELECT timestamp(epoch=Timestamp) AS Time,
FullPath, Action
FROM watch_file(globs=[
"C:/Temp/**",
"C:/Users/*/AppData/Local/Temp/**",
"C:/Windows/Temp/**"
])
WHERE Action = "CREATED" AND
FullPath =~ "\\.(exe|bat|cmd|ps1|vbs)$"
```

**Registry Monitoring:**
```sql
-- Monitor registry changes for persistence
SELECT timestamp(epoch=Timestamp) AS Time,
Key, ValueName, ValueData, EventType
FROM watch_registry(globs=[
"HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
"HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*"
])
```

### Alert Integration

**SIEM Integration:**
```sql
-- Export alerts to SIEM
SELECT timestamp(epoch=now()) AS AlertTime,
"Velociraptor" AS Source,
"Suspicious Process" AS AlertType,
Name, Pid, CommandLine, Exe
FROM pslist()
WHERE CommandLine =~ "powershell.*-enc"
```

**Webhook Alerts:**
```sql
-- Send webhook alerts
SELECT http_client(
url="https://webhook.site/your-webhook-url",
method="POST",
data=serialize(item=dict(
alert_type="Suspicious Process",
hostname=info().Hostname,
process_name=Name,
command_line=CommandLine,
timestamp=now()
), format="json")
) AS Response
FROM pslist()
WHERE CommandLine =~ "powershell.*-enc"
```

## Performance and Scaling

### Query Optimization

**Efficient Queries:**
```sql
-- Use specific globs instead of wildcards
-- Good
SELECT * FROM glob(globs="C:/Users/*/Desktop/*.exe")
-- Avoid
SELECT * FROM glob(globs="C:/**")
WHERE FullPath =~ "\\.exe$"
-- Use LIMIT for large datasets
SELECT * FROM pslist() LIMIT 100
-- Use WHERE clauses early
SELECT Name, Pid FROM pslist()
WHERE Name = "powershell.exe"
```

**Resource Management:**

```sql
-- Control memory usage
SELECT * FROM pslist()
WHERE Pid < 10000 -- Limit scope
-- Use streaming for large results
SELECT * FROM foreach(
    row={SELECT Pid FROM pslist() WHERE Name = "chrome.exe"},
    query={SELECT * FROM modules(pid=Pid)}
)
```

### Distributed Deployment

**Multi-server Setup:**
```yaml
# Load balancer configuration
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
  expected_clients: 10000
# Database clustering
Datastore:
  implementation: MySQL
  mysql_connection_string: "user:pass@tcp(mysql-cluster:3306)/velociraptor"
# File storage
Filestore:
  implementation: S3
  s3_bucket: "velociraptor-files"
  s3_region: "us-east-1"
```

## Troubleshooting

### Common Issues

**Client Connection Issues:**
```bash
# Check client status
velociraptor --config client.config.yaml status
# Test server connectivity
velociraptor --config client.config.yaml query "SELECT * FROM info()"
# Debug client logs
tail -f /var/log/velociraptor_client.log
# Force client enrollment
velociraptor --config client.config.yaml enroll
```

**Performance Issues:**
```sql
-- Check server performance
SELECT * FROM server_metadata()
-- Monitor query performance
SELECT query, duration, rows_returned
FROM query_log()
WHERE duration > 10000 -- Queries taking > 10 seconds
-- Check client resource usage
SELECT Pid, Name, CPU, Memory
FROM pslist()
WHERE Name =~ "velociraptor"
```

**Query Debugging:**

```sql
-- Debug VQL queries
SELECT log(message="Debug: Processing " + str(str=Pid))
FROM pslist()
-- Check query syntax
EXPLAIN SELECT * FROM pslist()
-- Validate artifact syntax
SELECT validate_artifact(definition=read_file(filename="artifact.yaml"))
```

### Log Analysis

**Server Logs:**

```bash
# Monitor server logs
tail -f /var/log/velociraptor.log
# Search for errors
grep -i error /var/log/velociraptor.log
# Check client connections
grep "client connected" /var/log/velociraptor.log
```

**Client Logs:**

```bash
# Monitor client logs
tail -f /var/log/velociraptor_client.log
# Check enrollment status
grep "enrollment" /var/log/velociraptor_client.log
# Monitor query execution
grep "query" /var/log/velociraptor_client.log
```