Velociraptor Cheatsheet
Velociraptor is an advanced digital forensics and incident response (DFIR) tool that provides endpoint visibility at scale. It uses a powerful query language, VQL, to collect, query, and monitor endpoint data, which makes it well suited to threat hunting, incident response, and continuous monitoring across large enterprise environments.
## Installation and Setup
### Server Installation
**Ubuntu/Debian installation:**
```bash
# Download the release binary. Pin the version you have tested and verify the
# published hash before running it as root.
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-linux-amd64
chmod +x velociraptor-v0.7.0-linux-amd64
sudo mv velociraptor-v0.7.0-linux-amd64 /usr/local/bin/velociraptor

# Generate the server configuration. Add -i for the interactive wizard, which
# asks for the public hostname, datastore path, log directory and ports.
sudo mkdir -p /etc/velociraptor /var/lib/velociraptor
sudo velociraptor config generate > /etc/velociraptor/server.config.yaml

# Create the service account
sudo useradd -r -s /bin/false velociraptor

# Create the first GUI administrator; there is no default account
sudo velociraptor --config /etc/velociraptor/server.config.yaml user add admin --role administrator

# The service account must own the config and the datastore
sudo chown -R velociraptor:velociraptor /etc/velociraptor /var/lib/velociraptor

# Create the systemd service
sudo tee /etc/systemd/system/velociraptor.service << EOF
[Unit]
Description=Velociraptor Server
After=network.target

[Service]
Type=simple
User=velociraptor
Group=velociraptor
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend -v
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl enable --now velociraptor

# Alternative: build a Debian package that performs all of the above
# (service, user, directories) from the same config
# velociraptor --config /etc/velociraptor/server.config.yaml debian server
```
**Docker installation:**
```bash
# Create the configuration directory on the host
mkdir -p velociraptor-config

# Generate the configuration (config generate writes to stdout)
docker run --rm velocidex/velociraptor:latest config generate \
  > velociraptor-config/server.config.yaml

# Run the server. 8000 is the client frontend and 8889 the GUI in the
# generated config; the GUI binds to 127.0.0.1 by default, so set
# GUI.bind_address to 0.0.0.0 in the config before exposing it from a container.
docker run -d --name velociraptor-server \
  -p 8000:8000 -p 8889:8889 \
  -v $(pwd)/velociraptor-config:/config \
  velocidex/velociraptor:latest \
  --config /config/server.config.yaml frontend -v
```
### Client Installation
**Windows Client:**
```powershell
# Download the client binary (same release as the server)
Invoke-WebRequest -Uri "https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-windows-amd64.exe" -OutFile "velociraptor.exe"
# Install as a Windows service using the client config generated on the server
.\velociraptor.exe --config client.config.yaml service install
# The installer starts the service; confirm it is running
Get-Service Velociraptor
```
**Linux Client:**
```bash
# Download the client binary
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-linux-amd64
chmod +x velociraptor-v0.7.0-linux-amd64
# Install as a systemd service (unit name: velociraptor_client)
sudo ./velociraptor-v0.7.0-linux-amd64 --config client.config.yaml service install
# Confirm it is running
sudo systemctl status velociraptor_client
```
**macOS Client:**
```bash
# Download the client binary
curl -L -o velociraptor https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-darwin-amd64
chmod +x velociraptor
# Install as a launchd daemon (writes and loads
# /Library/LaunchDaemons/com.velocidex.velociraptor.plist)
sudo ./velociraptor --config client.config.yaml service install
# Confirm it is loaded
sudo launchctl list | grep velociraptor
```
## Configuration
### Server Configuration
**Basic Server Config:**
```yaml
# server.config.yaml (abridged; config generate writes the full file,
# including the CA and the Frontend/GUI key pairs)
version:
  name: velociraptor
  version: 0.7.0
Client:
  server_urls:
    - https://velociraptor.company.com:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    [CA certificate]
    -----END CERTIFICATE-----
  nonce: [random nonce]
API:
  # The gRPC API is only needed by local tooling; keep it on loopback unless
  # a remote API client is deliberately configured
  bind_address: 127.0.0.1
  bind_port: 8001
  bind_scheme: tcp
GUI:
  # Bind to 0.0.0.0 only if the GUI must be reached from other hosts
  bind_address: 127.0.0.1
  bind_port: 8889
  public_url: https://velociraptor.company.com:8889/
Frontend:
  # The client-facing endpoint; must match Client.server_urls above
  bind_address: 0.0.0.0
  bind_port: 8000
  certificate: |
    -----BEGIN CERTIFICATE-----
    [Server certificate]
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN PRIVATE KEY-----
    [Server private key]
    -----END PRIVATE KEY-----
Datastore:
  implementation: FileBaseDataStore
  location: /var/lib/velociraptor
  filestore_directory: /var/lib/velociraptor
```
### Client Configuration
**Client Config Generation:**
```bash
# Derive the client configuration from the server configuration
velociraptor --config server.config.yaml config client > client.config.yaml

# Windows: repack the official release MSI with this client config embedded
velociraptor config repack --msi velociraptor-v0.7.0-windows-amd64.msi client.config.yaml velociraptor-client.msi

# Linux: build a .deb (or .rpm) that installs the client as a service
velociraptor --config client.config.yaml debian client --output velociraptor-client.deb
velociraptor --config client.config.yaml rpm client --output velociraptor-client.rpm
```
## VQL (Velociraptor Query Language)
### Basic VQL Syntax
**Simple Queries:**
```vql
-- List running processes
SELECT Name, Pid, Ppid, CommandLine
FROM pslist()

-- Get file information. OSPath is the current column name; older
-- releases call it FullPath.
SELECT OSPath, Size, Mtime, Atime, Ctime
FROM glob(globs="/etc/passwd")

-- Search for large executables on user desktops
SELECT OSPath, Size, Mtime
FROM glob(globs="C:/Users/*/Desktop/*.exe")
WHERE Size > 1000000
```
**Advanced Queries:**
```vql
-- Process tree with parent information. pslist is a plugin, not a
-- function, so the parent lookup is a subquery (it yields a list holding
-- the parent row).
SELECT Name, Pid, Ppid, CommandLine,
       { SELECT Name FROM pslist(pid=Ppid) } AS Parent
FROM pslist()
WHERE Name =~ "(?i)powershell"

-- Network connections with process info. Laddr and Raddr are dicts with
-- IP and Port; Status is the TCP state string ("ESTAB", "LISTEN", ...).
SELECT Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status, Pid,
       { SELECT Name, CommandLine FROM pslist(pid=Pid) } AS Process
FROM netstat()
WHERE Status =~ "ESTAB"
```
### File System Operations
**File Discovery:**
```vql
-- Find executable files and hash them (hash() returns MD5, SHA1 and SHA256)
SELECT OSPath, Size, Mtime, hash(path=OSPath) AS Hash
FROM glob(globs="C:/Windows/System32/*.exe")

-- Search temp directories for scripts and executables
SELECT OSPath, Size, Mtime, Atime, Ctime
FROM glob(globs=["C:/Temp/**", "C:/Users/*/AppData/Local/Temp/**"])
WHERE OSPath =~ "(?i)\\.(exe|bat|cmd|ps1|vbs)$"
  AND Size > 0

-- Find documents modified in the last 24 hours
SELECT OSPath, Size, Mtime
FROM glob(globs="C:/Users/**")
WHERE Mtime > timestamp(epoch=now() - 86400)
  AND OSPath =~ "(?i)\\.(docx?|pdf|txt)$"
```
**File Content Analysis:**
```vql
-- Search file contents for keywords with the yara plugin. files= takes a
-- list of paths, not a glob, so glob() runs first inside foreach.
LET KeywordRule = '''
rule Keywords {
  strings:
    $a = "password" ascii wide nocase
    $b = "secret" ascii wide nocase
    $c = "confidential" ascii wide nocase
  condition:
    any of them
}'''

SELECT * FROM foreach(
  row={ SELECT OSPath FROM glob(globs="C:/Users/*/Documents/*.txt") },
  query={
    SELECT FileName, Rule, String.Name AS Match, String.Offset AS Offset
    FROM yara(files=OSPath, rules=KeywordRule, number=20)
  })

-- Extract URLs from binaries. There is no strings plugin; a regex string in
-- a YARA rule does the job. number= raises the per-file hit cap (default 1).
LET UrlRule = '''
rule Urls {
  strings:
    $u = /(https?|ftp):\/\/[A-Za-z0-9._\/?=&%-]{6,}/ ascii wide
  condition:
    $u
}'''

SELECT * FROM foreach(
  row={ SELECT OSPath FROM glob(globs="C:/Temp/*.exe") },
  query={
    SELECT FileName, String.Offset AS Offset, String.Data AS Url
    FROM yara(files=OSPath, rules=UrlRule, number=50)
  })

-- YARA scanning with a multi-string rule
SELECT * FROM foreach(
  row={ SELECT OSPath FROM glob(globs="C:/Temp/*.exe") },
  query={
    SELECT FileName, Rule, String.Name AS Match, String.Offset AS Offset
    FROM yara(files=OSPath, number=10, rules='''
rule SuspiciousStrings {
  strings:
    $s1 = "cmd.exe" ascii wide nocase
    $s2 = "powershell" ascii wide nocase
    $s3 = "CreateProcess" ascii
  condition:
    2 of them
}''')
  })
```
### Process Analysis
**Process Monitoring:**
```vql
-- Current processes with details (Username and TokenIsElevated are
-- Windows-only columns)
SELECT Name, Pid, Ppid, CommandLine, Username, Exe,
       CreateTime, hash(path=Exe) AS ExeHash
FROM pslist()
ORDER BY CreateTime DESC

-- Process tree. The parent lookup is a subquery because pslist is a plugin.
SELECT Name, Pid, Ppid, CommandLine, CreateTime,
       { SELECT Name FROM pslist(pid=Ppid) } AS Parent
FROM pslist()
WHERE Ppid != 0
ORDER BY Ppid, CreateTime

-- Suspicious process detection. Windows paths contain backslashes; each
-- regex backslash is written as \\\\ inside a double-quoted VQL string.
-- Quantifier braces such as {8,} are not escaped.
SELECT Name, Pid, CommandLine, Exe
FROM pslist()
WHERE CommandLine =~ "(?i)powershell.*-enc"
   OR CommandLine =~ "(?i)cmd.*echo.*>"
   OR Exe =~ "(?i)^C:\\\\Temp\\\\.*\\.exe$"
   OR Name =~ "(?i)^[a-f0-9]{8,}\\.(exe|tmp)$"
```
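Matching on the `-enc` flag alone misses what the encoded script does. The query below is an added example, not code from the original page or from the Velociraptor project: it extracts the Base64 argument, decodes it (PowerShell encodes the script as UTF-16LE), and filters on the decoded text. The three command lines in `Samples` are constructed test data; on a live host replace that LET with `SELECT Pid, CommandLine FROM pslist()`. The regex and the keyword list are assumptions chosen for the example.

```vql
-- Constructed samples: two encoded commands and one plain one.
-- "SQBFAFgAIACQAHgA" decodes to "IEX $x", "dwBoAG8AYQBtAGkA" to "whoami".
LET Samples = SELECT * FROM chain(
  a={ SELECT 1001 AS Pid,
             "powershell.exe -NoP -W Hidden -enc SQBFAFgAIACQAHgA" AS CommandLine
      FROM scope() },
  b={ SELECT 1002 AS Pid,
             "powershell.exe -ec dwBoAG8AYQBtAGkA" AS CommandLine
      FROM scope() },
  c={ SELECT 1003 AS Pid,
             "powershell.exe -Command Get-Service" AS CommandLine
      FROM scope() })

-- powershell.exe accepts -e, -ec, -en, -enc and -encodedcommand
-- (hypothetical pattern for this example)
LET EncRegex = '''(?i)\s-e(c|n|nc|ncodedcommand)?\s+(?P<B64>[A-Za-z0-9+/=]{8,})'''

SELECT Pid, CommandLine,
       -- Base64 -> raw bytes -> UTF-16LE text
       utf16(string=base64decode(
           string=parse_string_with_regex(string=CommandLine,
                                          regex=[EncRegex]).B64)) AS Decoded
FROM Samples
WHERE CommandLine =~ EncRegex
  AND Decoded =~ "(?i)(IEX|Invoke-Expression|DownloadString|FromBase64String|whoami)"
```

Run it locally with `velociraptor query` to check the decoding before turning it into an artifact; pids 1001 and 1002 are returned with their decoded scripts, pid 1003 is not.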
**Process Memory Analysis:**
```vql
-- Dump process memory. proc_dump writes a minidump to a temp file and
-- returns its path; upload() ships it to the server.
SELECT * FROM foreach(
  row={ SELECT Pid, Name FROM pslist() WHERE Name =~ "(?i)^suspicious\\.exe$" },
  query={
    SELECT Pid, Name,
           upload(file=FullPath, name=format(format="%d.dmp", args=Pid)) AS Dump
    FROM proc_dump(pid=Pid)
  })

-- Search process memory with YARA (proc_yara scans the live address space)
SELECT Pid, Rule, String.Name AS Match, String.Offset AS Address
FROM proc_yara(pid=1234, rules='''
rule Secrets {
  strings:
    $p = "password" ascii wide nocase
    $s = "secret" ascii wide nocase
  condition:
    any of them
}''')

-- Loaded modules
SELECT ModuleName, ModuleBase, ModuleSize, ModulePath
FROM modules(pid=1234)
```
### Network Analysis
**Network Connections:**
```vql
-- Active network connections with process info
SELECT Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status, Pid,
       { SELECT Name, CommandLine FROM pslist(pid=Pid) } AS Process
FROM netstat()
WHERE Status =~ "ESTAB"

-- Listening services
SELECT Laddr.IP AS LocalIP, Laddr.Port AS LocalPort, Status, Pid,
       { SELECT Name FROM pslist(pid=Pid) } AS Process
FROM netstat()
WHERE Status = "LISTEN"
ORDER BY LocalPort

-- DNS cache. There is no dns_cache plugin; read the resolver cache through
-- ipconfig and filter its output.
SELECT Stdout
FROM execve(argv=["ipconfig", "/displaydns"])
WHERE Stdout =~ "(?i)suspicious-domain\\.com"
```
### Registry Analysis (Windows)
**Registry Queries:**
```vql
-- The registry is exposed through the "registry" accessor of glob(); each
-- value row carries Data.type and Data.value. The client runs as SYSTEM,
-- so HKEY_CURRENT_USER is SYSTEM's hive: query HKEY_USERS/* to cover every
-- loaded user hive.

-- Startup programs
SELECT OSPath, Name AS ValueName, Data.value AS ValueData, Mtime
FROM glob(globs=["HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
                 "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*"],
          accessor="registry")

-- Recently accessed files (RecentDocs values are binary MRU blob)
SELECT OSPath, Name AS ValueName, Data.value AS ValueData, Mtime
FROM glob(globs="HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs/*",
          accessor="registry")

-- Installed software
SELECT OSPath, Data.value AS DisplayName
FROM glob(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName",
          accessor="registry")
WHERE Data.value
```
**Registry Monitoring:**
```vql
-- There is no registry event plugin. diff() re-runs the query every period
-- seconds and emits the rows whose key appeared ("added") or disappeared
-- ("removed") since the previous run.
SELECT timestamp(epoch=now()) AS Time, Diff, OSPath,
       Name AS ValueName, Data.value AS ValueData
FROM diff(
  query={
    SELECT OSPath, Name, Data, format(format="%v", args=OSPath) AS Key
    FROM glob(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
              accessor="registry")
  },
  key="Key",
  period=60)
```
## Artifacts and Hunts
### Built-in Artifacts
**System Information:**
```vql
-- Generic.Client.Info collects this; the underlying plugin is info()
SELECT Hostname, OS, Architecture, Platform, PlatformVersion,
       KernelVersion, Uptime, BootTime
FROM info()

-- Windows.Sys.Users: local accounts via the users() plugin
SELECT Name, Description, UUID, Directory
FROM users()

-- Windows.System.Services: services come from WMI
SELECT Name, DisplayName, State, StartMode, ServiceType, PathName
FROM wmi(query="SELECT * FROM Win32_Service", namespace="ROOT/CIMV2")
```
**Security Artifacts:**
```vql
-- Windows.EventLogs.* are built on parse_evtx(); fields live under
-- System (header) and EventData (event-specific values)
SELECT System.TimeCreated.SystemTime AS EventTime,
       System.EventID.Value AS EventID,
       System.Computer AS Computer,
       EventData.TargetUserName AS Username,
       EventData.LogonType AS LogonType,
       EventData.IpAddress AS IpAddress
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value IN (4624, 4625, 4648, 4672)

-- Windows.Forensics.Prefetch: a built-in artifact called from VQL
SELECT Executable, LastRunTimes, RunCount
FROM Artifact.Windows.Forensics.Prefetch()

-- Windows.Registry.Sysinternals.Eulaaccepted: a Sysinternals tool was run
-- under that account (HKEY_USERS/* covers every loaded hive)
SELECT OSPath, Name AS ValueName, Data.value AS ValueData, Mtime
FROM glob(globs="HKEY_USERS/*/SOFTWARE/Sysinternals/*/EulaAccepted",
          accessor="registry")
```
### Custom Artifacts
**Create Custom Artifact:**
```yaml
name: Custom.Windows.SuspiciousProcesses
description: Hunt for suspicious process execution patterns
type: CLIENT
sources:
  - precondition:
      SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      SELECT Name, Pid, Ppid, CommandLine, Exe, CreateTime,
             hash(path=Exe) AS ExeHash,
             { SELECT Name FROM pslist(pid=Ppid) } AS Parent
      FROM pslist()
      WHERE (
          -- Processes running from temp directories
          Exe =~ "(?i)^C:\\\\(Temp|Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp)\\\\" OR
          -- Suspicious command line patterns
          CommandLine =~ "(?i)(powershell.*-enc|cmd.*echo.*>|certutil.*-decode)" OR
          -- Processes with random hex names
          Name =~ "(?i)^[a-f0-9]{8,}\\.(exe|tmp)$" OR
          -- System process names running outside System32 (parenthesised so
          -- the AND does not bind to the OR chain above)
          (Name =~ "(?i)^(svchost|winlogon|csrss|lsass)\\.exe$" AND
           NOT Exe =~ "(?i)^C:\\\\Windows\\\\System32\\\\")
      )
      ORDER BY CreateTime DESC
```
**Deploy Custom Artifact:**
```bash
# Test the artifact locally first; --definitions loads extra YAML from a directory
velociraptor --definitions ./artifacts artifacts collect Custom.Windows.SuspiciousProcesses

# Load it into the server (equivalent to the GUI's "Add artifact")
velociraptor --config server.config.yaml query \
  "SELECT artifact_set(definition=read_file(filename='custom_artifact.yaml')) FROM scope()"

# Schedule it on one client; collect_client() returns the new flow id
velociraptor --config server.config.yaml query \
  "SELECT collect_client(client_id='C.1234567890abcdef', artifacts=['Custom.Windows.SuspiciousProcesses']) FROM scope()"
```
### Hunt Management
**Create Hunt:**
```vql
-- Create a hunt from server-side VQL (e.g. a notebook); hunt() returns the
-- new HuntId. Check its state afterwards: a PAUSED hunt is started with
-- hunt_update(hunt_id=..., state="RUNNING").
SELECT hunt(
    description="Hunt for suspicious processes",
    artifacts=["Custom.Windows.SuspiciousProcesses"]) AS HuntId
FROM scope()
```
**Monitor Hunt Progress:**
```vql
-- Check hunt status
SELECT HuntId, HuntDescription, State, Creator,
       Stats.TotalClientsScheduled AS Scheduled,
       Stats.TotalClientsWithResults AS WithResults
FROM hunts()
WHERE State = "RUNNING"

-- Get hunt results (ClientId and FlowId are added to the artifact's columns)
SELECT ClientId, FlowId, Name, Pid, CommandLine, ExeHash
FROM hunt_results(hunt_id="H.1234567890abcdef",
                  artifact="Custom.Windows.SuspiciousProcesses")
```
## Incident Response
### Live Response
**Remote Shell:**
```vql
-- Execute commands remotely (execve returns Stdout, Stderr, ReturnCode, Complete)
SELECT Stdout, Stderr, ReturnCode
FROM execve(argv=["cmd", "/c", "whoami"])

-- PowerShell execution
SELECT Stdout, Stderr, ReturnCode
FROM execve(argv=["powershell", "-NoProfile", "-Command",
                  "Get-Process | Where-Object {$_.CPU -gt 100}"])

-- Collect system information
SELECT Stdout FROM execve(argv=["systeminfo"])
```
**File Collection:**
```vql
-- Collect specific files; upload() streams the file into the server filestore
SELECT OSPath, upload(file=OSPath) AS Upload
FROM glob(globs="C:/Users/*/Desktop/suspicious.exe")

-- Collect the main event logs. The ntfs accessor reads files the OS keeps
-- locked; {a,b,c} alternation in the glob replaces a post-filter.
SELECT OSPath, upload(file=OSPath, accessor="ntfs") AS Upload
FROM glob(globs="C:/Windows/System32/winevt/Logs/{Security,System,Application}.evtx",
          accessor="ntfs")

-- Memory dump collection
SELECT upload(file=FullPath, name="pid_1234.dmp") AS MemoryDump
FROM proc_dump(pid=1234)
```
### Timeline Analysis
**File System Timeline:**
```vql
-- Filesystem timeline: one row per file with all four timestamps
-- (Btime is the NTFS creation time)
SELECT OSPath, Size, Mtime, Atime, Ctime, Btime
FROM glob(globs="C:/Users/*/Documents/**")
WHERE Mtime > timestamp(string="2023-01-01T00:00:00Z")
ORDER BY Mtime
```
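A one-row-per-file listing sorts only on a single timestamp. The query below is an added example, not code from the original page or from the Velociraptor project: it flattens every file into one row per MACB timestamp with `chain()` inside `foreach()`, so that modifications, accesses, metadata changes and creations of different files interleave in a single ordered timeline, the way a body-file timeline does. The path, the cut-off date and the query name `Files` are assumptions for the example.

```vql
-- Candidate files (hypothetical scope for the example)
LET Files = SELECT OSPath, Size, Mtime, Atime, Ctime, Btime
  FROM glob(globs="C:/Users/*/Documents/**")
  WHERE Mtime > timestamp(string="2023-01-01T00:00:00Z")
     OR Btime > timestamp(string="2023-01-01T00:00:00Z")

-- Emit four rows per file, one per timestamp type. Inside foreach the
-- current row's columns are in scope, so each chained subquery can read them.
SELECT * FROM foreach(
  row=Files,
  query={
    SELECT * FROM chain(
      m={ SELECT Mtime AS Time, "M" AS Type, OSPath, Size FROM scope() },
      a={ SELECT Atime AS Time, "A" AS Type, OSPath, Size FROM scope() },
      c={ SELECT Ctime AS Time, "C" AS Type, OSPath, Size FROM scope() },
      b={ SELECT Btime AS Time, "B" AS Type, OSPath, Size FROM scope() })
  })
-- Drop timestamps outside the window (a file may have an old Atime)
WHERE Time > timestamp(string="2023-01-01T00:00:00Z")
ORDER BY Time
```

`ORDER BY` buffers the whole result set, so keep the glob narrow; for a full volume, collect the rows without sorting and build the timeline in a notebook instead.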
```vql
-- Process creation timeline from the live process list (processes that have
-- already exited only appear in Security 4688 or Sysmon event 1)
SELECT Name, Pid, CommandLine, CreateTime, Exe
FROM pslist()
WHERE CreateTime > timestamp(epoch=now() - 86400)
ORDER BY CreateTime
```
**Event Log Timeline:**
```vql
-- Security event timeline
SELECT System.TimeCreated.SystemTime AS EventTime,
       System.EventID.Value AS EventID,
       System.Computer AS Computer,
       EventData.TargetUserName AS Username,
       EventData.LogonType AS LogonType,
       EventData.IpAddress AS IpAddress,
       EventData.WorkstationName AS WorkstationName
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.TimeCreated.SystemTime > timestamp(string="2023-01-01T00:00:00Z")
  AND System.EventID.Value IN (4624, 4625, 4648, 4672, 4720, 4726)
ORDER BY EventTime
```
### Threat Hunting
**Lateral Movement Detection:**
```vql
-- RDP logons (4624 with LogonType 10) from remote addresses
SELECT System.TimeCreated.SystemTime AS EventTime,
       System.Computer AS Computer,
       EventData.TargetUserName AS Username,
       EventData.IpAddress AS IpAddress,
       EventData.LogonType AS LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
  AND EventData.LogonType = 10
  AND NOT (EventData.IpAddress IN ("-", "127.0.0.1", "::1"))

-- PsExec usage: the tool itself, its service binary, or an ADMIN$ share on
-- the command line (each regex backslash is \\\\ in a VQL string)
SELECT Name, Pid, CommandLine, CreateTime
FROM pslist()
WHERE CommandLine =~ "(?i)psexec"
   OR Name =~ "(?i)^PSEXESVC\\.exe$"
   OR CommandLine =~ "(?i)\\\\\\\\[^\\\\]+\\\\admin\\$"

-- Suspicious PowerShell flags and download cradles
SELECT Name, Pid, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "(?i)^powershell(_ise)?\\.exe$"
  AND CommandLine =~ "(?i)(-e(nc|ncodedcommand)?\\s|-nop|-w(indowstyle)?\\s+hidden|DownloadString|IEX|Invoke-Expression)"
```
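Single 4624 events are noisy; lateral movement shows up as a pattern across them. The query below is an added example, not code from the original page or from the Velociraptor project: it aggregates network (type 3) and RDP (type 10) logons per source address, account and logon type with `GROUP BY`, so one host authenticating to many accounts, or a service account logging on interactively, stands out. Field names follow the Security.evtx schema; the thresholds and the machine-account filter are assumptions for the example.

```vql
-- Logon summary per (source IP, account, logon type) from the live Security log
SELECT EventData.IpAddress AS SourceIP,
       EventData.TargetUserName AS Username,
       EventData.LogonType AS LogonType,
       EventData.AuthenticationPackageName AS AuthPackage,
       count() AS Logons,
       min(item=System.TimeCreated.SystemTime) AS FirstSeen,
       max(item=System.TimeCreated.SystemTime) AS LastSeen
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4624
  AND EventData.LogonType IN (3, 10)
  -- Local and placeholder addresses carry no lateral-movement signal
  AND NOT (EventData.IpAddress IN ("-", "127.0.0.1", "::1"))
  -- Machine accounts end in "$" and log on constantly (assumed filter)
  AND NOT EventData.TargetUserName =~ "\\$$"
GROUP BY SourceIP, Username, LogonType
ORDER BY Logons DESC
```

Read the result in two passes: rows with many distinct `Username` values for one `SourceIP` point at credential spraying or admin tooling from a single box, and rows where `AuthPackage` is NTLM for an account that normally uses Kerberos point at pass-the-hash style access.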
**Persistence Detection:**
```vql
-- Startup folder persistence
SELECT OSPath, Size, Mtime, hash(path=OSPath) AS Hash
FROM glob(globs=[
  "C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
  "C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/*"
])

-- Scheduled task persistence. The built-in artifact parses the task XML
-- under C:\Windows\System32\Tasks.
SELECT OSPath AS Task, Command, Arguments, UserId
FROM Artifact.Windows.System.TaskScheduler()
WHERE Command =~ "(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)"
   OR Command =~ "(?i)\\\\(Temp|AppData)\\\\"
   OR Arguments =~ "(?i)\\\\(Temp|AppData)\\\\"

-- Service persistence (services come from WMI)
SELECT Name, DisplayName, PathName, StartMode, State
FROM wmi(query="SELECT * FROM Win32_Service", namespace="ROOT/CIMV2")
WHERE PathName =~ "(?i)(temp|appdata)"
   OR PathName =~ "(?i)\\.(bat|cmd|ps1|vbs)(\\s|\"|$)"
   OR (Name =~ "(?i)^[a-f0-9]{8,}$" AND StartMode = "Auto")
```
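Path-based rules for Run keys and services only catch the obvious cases. The query below is an added example, not code from the original page or from the Velociraptor project: it resolves each Run/RunOnce value and each service command line to the binary on disk, hashes it and checks its Authenticode signature, so unsigned or untrusted binaries outside the Windows directory surface regardless of where they sit. The `Binary()` helper that strips quotes and arguments is a heuristic written for this example (it does not expand `%SystemRoot%`-style variables), and the WHERE thresholds are assumptions.

```vql
-- Autostart entries from both sources, normalised to Source/Location/Command
LET Entries = SELECT * FROM chain(
  a={
    SELECT "RunKey" AS Source, OSPath AS Location, Data.value AS Command
    FROM glob(globs=["HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run*/*",
                     "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Run*/*"],
              accessor="registry")
  },
  b={
    SELECT "Service" AS Source, Name AS Location, PathName AS Command
    FROM wmi(query="SELECT Name, PathName FROM Win32_Service", namespace="ROOT/CIMV2")
  })

-- Hypothetical helper: first executable/script token, quoted or not,
-- with trailing arguments removed
LET Binary(cmd) = regex_replace(source=cmd,
    re='''(?i)^\s*"?([^"]+?\.(exe|dll|bat|cmd|ps1|vbs))"?.*$''',
    replace="$1")

SELECT * FROM foreach(
  row=Entries,
  query={
    SELECT Source, Location, Command,
           Binary(cmd=Command) AS Path,
           hash(path=Binary(cmd=Command)).SHA256 AS SHA256,
           -- authenticode() reports "trusted" only when the chain verifies
           authenticode(filename=Binary(cmd=Command)).Trusted AS Trusted
    FROM scope()
  })
-- Review anything unsigned/untrusted, or signed but living outside C:\Windows
WHERE Trusted != "trusted"
   OR NOT Path =~ "(?i)^C:\\\\Windows\\\\"
```

Run it in a hunt and stack the `SHA256` column across the fleet: a hash that appears on one or two hosts is worth more attention than one present on every machine, and a missing hash means the command did not resolve to an existing file, which is itself a finding (orphaned persistence) or a sign the helper regex needs adjusting.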
## Monitoring and Alerting
### Real-time Monitoring
**Process Monitoring:**
```vql
-- New process creation. Windows.Events.ProcessCreation is a built-in client
-- event artifact (WMI __InstanceCreationEvent underneath); called from VQL
-- it streams rows until the query is cancelled.
SELECT Timestamp, Name, PID, PPID, CommandLine
FROM Artifact.Windows.Events.ProcessCreation()
WHERE CommandLine =~ "(?i)(powershell.*-enc|cmd.*echo|certutil.*-decode)"
```
**File System Monitoring:**
```vql
-- New scripts and executables in temp directories. There is no generic file
-- event plugin; diff() polls the glob every period seconds and emits rows
-- with Diff = "added" or "removed".
SELECT timestamp(epoch=now()) AS Time, Diff, OSPath, Size, Mtime
FROM diff(
  query={
    SELECT OSPath, Size, Mtime, format(format="%v", args=OSPath) AS Key
    FROM glob(globs=[
      "C:/Temp/**",
      "C:/Users/*/AppData/Local/Temp/**",
      "C:/Windows/Temp/**"
    ])
    WHERE OSPath =~ "(?i)\\.(exe|bat|cmd|ps1|vbs)$"
  },
  key="Key",
  period=60)
WHERE Diff = "added"
```
**Registry Monitoring:**
```vql
-- Run keys in HKLM and every loaded user hive. Keying on path plus value
-- makes a changed value show up as one "removed" and one "added" row.
SELECT timestamp(epoch=now()) AS Time, Diff, OSPath,
       Name AS ValueName, Data.value AS ValueData
FROM diff(
  query={
    SELECT OSPath, Name, Data,
           format(format="%v=%v", args=[OSPath, Data.value]) AS Key
    FROM glob(globs=[
      "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
      "HKEY_USERS/*/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*"
    ], accessor="registry")
  },
  key="Key",
  period=60)
```
### Alerting Integration
**SIEM Integration:**
```vql
-- Shape matching rows as alert records. A server event artifact can forward
-- rows like these with the elastic_upload() or splunk_upload() plugins.
SELECT timestamp(epoch=now()) AS AlertTime,
       "Velociraptor" AS Source,
       "Suspicious process" AS AlertType,
       Name, Pid, CommandLine, Exe
FROM pslist()
WHERE CommandLine =~ "(?i)powershell.*-enc"
```
**Webhook Alerts:**
```vql
-- POST each hit to a webhook. http_client and info are plugins, not
-- functions: fetch the hostname once, then run the POST inside foreach.
LET Host <= SELECT Hostname FROM info()

SELECT * FROM foreach(
  row={
    SELECT Name, Pid, CommandLine FROM pslist()
    WHERE CommandLine =~ "(?i)powershell.*-enc"
  },
  query={
    SELECT Url, Response, Content
    FROM http_client(
      url="https://webhook.site/your-webhook-url",
      method="POST",
      headers=dict(`Content-Type`="application/json"),
      data=serialize(format="json", item=dict(
        alert_type="Suspicious process",
        hostname=Host[0].Hostname,
        process_name=Name,
        command_line=CommandLine,
        timestamp=timestamp(epoch=now())
      )))
  })
```
## Performance and Scaling
### Query Optimization
**Efficient Queries:**
```vql
-- Use specific globs instead of walking the volume and filtering afterwards
-- Good
SELECT * FROM glob(globs="C:/Users/*/Desktop/*.exe")
-- Avoid
SELECT * FROM glob(globs="C:/**")
WHERE OSPath =~ "\\.exe$"

-- Use LIMIT for large datasets; the source plugin is cancelled once the
-- limit is reached
SELECT * FROM pslist() LIMIT 100

-- Select only the columns you need and filter as early as possible
SELECT Name, Pid FROM pslist()
WHERE Name =~ "(?i)^powershell\\.exe$"
```
**Resource Management:**
```vql
-- Narrow the row set before doing expensive per-row work such as hashing
SELECT Name, Pid, hash(path=Exe) AS ExeHash
FROM pslist()
WHERE Exe =~ "(?i)^C:\\\\Users\\\\"

-- foreach streams the inner query's rows; nothing is buffered unless you
-- ORDER BY or GROUP BY. workers=N evaluates the inner query in parallel.
SELECT * FROM foreach(
  row={ SELECT Pid FROM pslist() WHERE Name =~ "(?i)^chrome\\.exe$" },
  query={ SELECT Pid, ModuleName, ModulePath FROM modules(pid=Pid) },
  workers=4)
```
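The difference between a lazy `LET x = SELECT ...` and a materialised `LET x <= SELECT ...` matters as soon as a query is referenced per row. The query below is an added example, not code from the original page or from the Velociraptor project: it enriches every `netstat()` row with process details while running `pslist()` exactly once, by materialising the process list and turning it into a dictionary keyed by pid with `to_dict()`. The column names `Procs` and `ByPid` are assumptions for the example.

```vql
-- `<=` runs pslist() once and stores the rows; a plain `=` would re-run
-- the query each time Procs is referenced (once per connection here).
LET Procs <= SELECT Pid, Name, Exe, CommandLine FROM pslist()

-- to_dict() wants _key/_value columns; keys are strings, so pids are formatted
LET ByPid <= to_dict(item={
  SELECT format(format="%d", args=Pid) AS _key,
         dict(Name=Name, Exe=Exe, CommandLine=CommandLine) AS _value
  FROM Procs
})

-- Each lookup is now a dictionary hit instead of a pslist() scan
SELECT Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
       Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status, Pid,
       get(item=ByPid, member=format(format="%d", args=Pid)).Name AS Process,
       get(item=ByPid, member=format(format="%d", args=Pid)).Exe AS Exe
FROM netstat()
WHERE Status =~ "ESTAB"
```

The same pattern applies to any per-row lookup against a slow plugin (WMI, registry, event logs): materialise the reference data once at the top of the artifact, then join against it.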
### Distributed Deployment
**Multi-Frontend Setup:**
```yaml
# Velociraptor has no MySQL or S3 backend. Scale-out uses additional
# frontends ("minions") that share the master's datastore directory over a
# network filesystem; the master holds the GUI, the API and the datastore.
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
  # Sizes connection throttling and resource limits for the expected fleet
  expected_clients: 10000
Datastore:
  # In-memory cache in front of the file datastore, intended for large deployments
  implementation: MemcacheFileDataStore
  location: /var/lib/velociraptor
  filestore_directory: /var/lib/velociraptor
```
```bash
# Add a minion frontend to an existing server configuration (interactive);
# the generated minion config is started with the normal frontend command.
# Check the multi-frontend deployment documentation for the shared-storage
# requirements before relying on this.
velociraptor --config server.config.yaml config frontend
```
## Troubleshooting
### Common Issues
**Client Connection Problems:**
```bash
# Run the client in the foreground with verbose logging; enrollment and
# TLS/CA errors are printed immediately
sudo velociraptor --config client.config.yaml client -v

# Is the service running?
systemctl status velociraptor_client        # Linux
# Get-Service Velociraptor                  # Windows (PowerShell)

# Confirm the client config points at the expected server
grep -A2 server_urls client.config.yaml

# Run VQL locally with the client binary (no server needed) to rule out the binary
velociraptor --config client.config.yaml query "SELECT * FROM info()"

# On the server, check whether the host has ever enrolled
velociraptor --config server.config.yaml query \
  "SELECT client_id, os_info.hostname AS Hostname, last_seen_at FROM clients() WHERE os_info.hostname =~ 'WORKSTATION1'"
```
**Performance Issues:**
```vql
-- Server health: Server.Monitor.Health is a built-in server event artifact
-- that records CPU, memory and client-connection counters
SELECT * FROM source(artifact="Server.Monitor.Health/Prometheus",
                     start_time=now() - 3600)

-- Collections on one client: failed flows and the slowest ones
SELECT session_id, state, status, artifacts_with_results, execution_duration
FROM flows(client_id="C.1234567890abcdef")
ORDER BY execution_duration DESC
LIMIT 20

-- Client resource usage on the endpoint
SELECT Pid, Name, Memory.WorkingSetSize AS WorkingSet, IoCounters
FROM pslist()
WHERE Name =~ "(?i)velociraptor"
```
**Query Debugging:**
```vql
-- log() writes to the collection's query log; format() builds the message
SELECT Pid, Name,
       log(message=format(format="Processing pid %d (%s)", args=[Pid, Name])) AS Logged
FROM pslist()

-- There is no EXPLAIN. Develop queries locally with the CLI, which prints
-- the query log to the terminal (velociraptor -v query "SELECT ..."), or in
-- a GUI notebook, which shows the same log under the cell.

-- Validate an artifact by loading it; artifact_set() fails on bad YAML/VQL
SELECT artifact_set(definition=read_file(filename="artifact.yaml")) AS Loaded
FROM scope()
```
### Log Analysis
**Server Logs:**
```bash
# Logs are written under Logging.output_directory from server.config.yaml,
# split by level (velociraptor_info.log, velociraptor_error.log,
# velociraptor_debug.log) plus velociraptor_audit.log for GUI/API actions
LOGDIR=$(awk '/^Logging:/{f=1} f && /output_directory:/{print $2; exit}' server.config.yaml)
tail -f "$LOGDIR"/velociraptor_info.log
# Errors
grep -i error "$LOGDIR"/velociraptor_error.log
# Who did what in the GUI (logins, collections, hunts)
tail -f "$LOGDIR"/velociraptor_audit.log
```
**Client Logs:**
```bash
# Client logs use the same layout under the Logging.output_directory set in
# client.config.yaml. If none is configured, run the client in the
# foreground to see its output instead.
sudo velociraptor --config client.config.yaml client -v
# Enrollment and connection problems
LOGDIR=$(awk '/^Logging:/{f=1} f && /output_directory:/{print $2; exit}' client.config.yaml)
grep -iE 'enrol|certificate|connect' "$LOGDIR"/velociraptor_error.log
```
This cheatsheet covers installation, VQL queries, artifact development, incident response, monitoring and scaling for endpoint monitoring and threat hunting with Velociraptor.