# Velociraptor Cheatsheet

Velociraptor is an advanced digital forensics and incident response (DFIR) tool that provides endpoint visibility at scale. It uses a powerful query language (VQL) to collect, query, and monitor endpoint data, making it well suited for threat hunting, incident response, and continuous monitoring across large enterprise environments.
## Installation and Setup

### Server Installation

**Ubuntu/Debian Installation:**

```bash
# Download latest release
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-linux-amd64

# Make executable and install
chmod +x velociraptor-v0.7.0-linux-amd64
sudo mv velociraptor-v0.7.0-linux-amd64 /usr/local/bin/velociraptor

# Generate server configuration. The write goes through "sudo tee" because a
# plain "sudo cmd > file" redirect is performed by the invoking user's shell,
# not by root, and fails on a root-owned directory.
sudo mkdir -p /etc/velociraptor
sudo velociraptor config generate | sudo tee /etc/velociraptor/server.config.yaml > /dev/null

# Create systemd service
sudo tee /etc/systemd/system/velociraptor.service << EOF
[Unit]
Description=Velociraptor Server
After=network.target

[Service]
Type=simple
User=velociraptor
Group=velociraptor
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor/server.config.yaml frontend -v
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

# Create the service user, give it the datastore and config directories
# (the unit runs as this user, so it must be able to write the datastore
# and read the server config), then enable and start the service
sudo useradd -r -s /bin/false velociraptor
sudo mkdir -p /var/lib/velociraptor
sudo chown -R velociraptor:velociraptor /var/lib/velociraptor /etc/velociraptor
sudo systemctl enable velociraptor
sudo systemctl start velociraptor
```
**Docker Installation:**

```bash
# Create configuration directory
mkdir -p velociraptor-config

# Generate configuration
docker run --rm -v "$(pwd)/velociraptor-config:/config" \
  velocidex/velociraptor:latest \
  config generate --config /config/server.config.yaml

# Run server
docker run -d --name velociraptor-server \
  -p 8000:8000 -p 8080:8080 \
  -v "$(pwd)/velociraptor-config:/config" \
  velocidex/velociraptor:latest \
  --config /config/server.config.yaml frontend -v
```
### Client Installation

**Windows Client:**

```powershell
# Download client
Invoke-WebRequest -Uri "https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-windows-amd64.exe" -OutFile "velociraptor.exe"

# Install as service (run from an elevated PowerShell session)
.\velociraptor.exe --config client.config.yaml service install

# Start service
Start-Service Velociraptor
```

**Linux Client:**

```bash
# Download client
wget https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-linux-amd64
chmod +x velociraptor-v0.7.0-linux-amd64

# Install as service
sudo ./velociraptor-v0.7.0-linux-amd64 --config client.config.yaml service install

# Start service
sudo systemctl start velociraptor_client
```

**macOS Client:**

```bash
# Download client
curl -L -o velociraptor https://github.com/Velocidex/velociraptor/releases/download/v0.7.0/velociraptor-v0.7.0-darwin-amd64
chmod +x velociraptor

# Install as service
sudo ./velociraptor --config client.config.yaml service install

# Start service
sudo launchctl load /Library/LaunchDaemons/com.velocidex.velociraptor.plist
```
## Configuration

### Server Configuration

**Basic Server Config:**

```yaml
# server.config.yaml
version:
  name: velociraptor
  version: 0.7.0
Client:
  server_urls:
    - https://velociraptor.company.com:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    [CA certificate]
    -----END CERTIFICATE-----
  nonce: [Random nonce]
API:
  bind_address: 0.0.0.0
  bind_port: 8001
  bind_scheme: https
GUI:
  bind_address: 0.0.0.0
  bind_port: 8889
  bind_scheme: https
  public_url: https://velociraptor.company.com:8889/
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
  certificate: |
    -----BEGIN CERTIFICATE-----
    [Server certificate]
    -----END CERTIFICATE-----
  private_key: |
    -----BEGIN PRIVATE KEY-----
    [Server private key]
    -----END PRIVATE KEY-----
Datastore:
  implementation: FileBaseDataStore
  location: /var/lib/velociraptor
  filestore_directory: /var/lib/velociraptor
```

The `Client` section is embedded verbatim into every generated client config: clients trust only the CA certificate listed there and connect only to the listed `server_urls`, so keep the server private key readable by the service user alone.
### Client Configuration

**Client Config Generation:**

```bash
# Generate client configuration
velociraptor --config server.config.yaml config client > client.config.yaml

# Generate MSI installer for Windows
velociraptor --config server.config.yaml config client --deployment windows_msi > client.msi

# Generate DEB package for Linux
velociraptor --config server.config.yaml config client --deployment linux_deb > client.deb
```
## VQL (Velociraptor Query Language)

### Basic VQL Syntax

**Simple Queries:**

```vql
-- List running processes
SELECT Name, Pid, Ppid, CommandLine
FROM pslist()

-- Get file information
SELECT FullPath, Size, Mtime, Atime, Ctime
FROM glob(globs="/etc/passwd")

-- Search for files
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/Users/*/Desktop/*.exe")
WHERE Size > 1000000
```

**Advanced Queries:**

```vql
-- Process tree with parent information
SELECT Name, Pid, Ppid, CommandLine,
       get(item=pslist(pid=Ppid), member="0.Name") AS ParentName
FROM pslist()
WHERE Name =~ "powershell"

-- Network connections with process info
SELECT Laddr, Raddr, Status, Pid,
       get(item=pslist(pid=Pid), member="0.Name") AS ProcessName,
       get(item=pslist(pid=Pid), member="0.CommandLine") AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"
```
### File System Operations

**File Discovery:**

```vql
-- Find executable files
SELECT FullPath, Size, Mtime, hash(path=FullPath) AS Hash
FROM glob(globs="C:/Windows/System32/*.exe")

-- Search for suspicious files
SELECT FullPath, Size, Mtime, Atime, Ctime
FROM glob(globs=["C:/Temp/**", "C:/Users/*/AppData/Local/Temp/**"])
WHERE FullPath =~ "\\.(exe|bat|cmd|ps1|vbs)$"
  AND Size > 0

-- Find recently modified files
SELECT FullPath, Size, Mtime
FROM glob(globs="C:/Users/**")
WHERE Mtime > now() - 86400 -- Last 24 hours
  AND FullPath =~ "\\.(doc|docx|pdf|txt)$"
```

**File Content Analysis:**

```vql
-- Search file contents
SELECT FullPath, Line, HitContext
FROM grep(globs="C:/Users/*/Documents/*.txt",
          keywords=["password", "secret", "confidential"])

-- Extract strings from binaries
SELECT FullPath, String
FROM strings(globs="C:/Temp/*.exe", length=8)
WHERE String =~ "(http|ftp)://"

-- YARA scanning
SELECT FullPath, Rule, Meta, Strings
FROM yara(files="C:/Temp/*.exe",
          rules='''
rule SuspiciousStrings {
  strings:
    $s1 = "cmd.exe" ascii
    $s2 = "powershell" ascii
    $s3 = "CreateProcess" ascii
  condition:
    2 of them
}''')
```
### Process Analysis

**Process Monitoring:**

```vql
-- Current processes with details
SELECT Name, Pid, Ppid, CommandLine, Username, Exe,
       CreateTime, hash(path=Exe) AS ExeHash
FROM pslist()
ORDER BY CreateTime DESC

-- Process tree visualization
SELECT Name, Pid, Ppid, CommandLine,
       get(item=pslist(pid=Ppid), member="0.Name") AS ParentName,
       CreateTime
FROM pslist()
WHERE Ppid != 0
ORDER BY Ppid, CreateTime

-- Suspicious process detection
SELECT Name, Pid, CommandLine, Exe
FROM pslist()
WHERE (CommandLine =~ "powershell.*-enc" OR
       CommandLine =~ "cmd.*echo.*>" OR
       Exe =~ "C:\\\\Temp\\\\.*\\.exe" OR
       Name =~ "^[a-f0-9]{8,}\\.(exe|tmp)$")
```

**Process Memory Analysis:**

```vql
-- Dump process memory
SELECT Pid, Name, dump(pid=Pid, length=1000000) AS MemoryDump
FROM pslist()
WHERE Name = "suspicious.exe"

-- Search process memory
SELECT Pid, Name, Address, HitContext
FROM proc_memory_grep(pid=1234, keywords=["password", "secret"])

-- Extract loaded modules
SELECT Pid, Name, ModuleName, ModuleBase, ModuleSize
FROM modules(pid=1234)
```
### Network Analysis

**Network Connections:**

```vql
-- Active network connections
SELECT Laddr, Raddr, Status, Pid,
       get(item=pslist(pid=Pid), member="0.Name") AS ProcessName,
       get(item=pslist(pid=Pid), member="0.CommandLine") AS CommandLine
FROM netstat()
WHERE Status = "ESTABLISHED"

-- Listening services
SELECT Laddr, Status, Pid,
       get(item=pslist(pid=Pid), member="0.Name") AS ProcessName
FROM netstat()
WHERE Status = "LISTEN"
ORDER BY Laddr

-- DNS cache analysis
SELECT Name, Type, Data, TTL
FROM dns_cache()
WHERE Name =~ "suspicious-domain\\.com"
```
### Registry Analysis (Windows)

**Registry Queries:**

```vql
-- Startup programs
SELECT Key, ValueName, ValueData
FROM registry(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")

-- Recently accessed files
SELECT Key, ValueName, ValueData
FROM registry(globs="HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs/*")

-- Installed software
SELECT Key, ValueName, ValueData
FROM registry(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName")
WHERE ValueData
```

**Registry Monitoring:**

```vql
-- Monitor registry changes
SELECT timestamp(epoch=Timestamp) AS Time,
       Key, ValueName, ValueData, EventType
FROM watch_registry(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*")
```
## Artifacts and Hunts

### Built-in Artifacts

**System Information:**

```vql
-- Windows.System.Info
SELECT Hostname, OS, Architecture, Platform, PlatformVersion,
       KernelVersion, Uptime, BootTime
FROM info()

-- Windows.System.Users
SELECT Name, Description, Disabled, PasswordLastSet, LastLogon
FROM users()

-- Windows.System.Services
SELECT Name, DisplayName, Status, StartType, ServiceType, BinaryPath
FROM services()
```

**Security Artifacts:**

```vql
-- Windows.EventLogs.Security
SELECT EventTime, EventID, Computer, Username, LogonType, IpAddress
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE EventID IN (4624, 4625, 4648, 4672)

-- Windows.Forensics.Prefetch
SELECT FullPath, LastRunTime, RunCount, Hash
FROM prefetch()

-- Windows.Registry.Sysinternals.EulaAccepted
SELECT Key, ValueName, ValueData, Mtime
FROM registry(globs="HKEY_CURRENT_USER/SOFTWARE/Sysinternals/*/EulaAccepted")
```
### Custom Artifacts

**Create Custom Artifact:**

```yaml
name: Custom.Windows.SuspiciousProcesses
description: Hunt for suspicious process execution patterns
type: CLIENT
sources:
  - precondition:
      SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      SELECT Name, Pid, Ppid, CommandLine, Exe, CreateTime,
             hash(path=Exe) AS ExeHash,
             get(item=pslist(pid=Ppid), member="0.Name") AS ParentName
      FROM pslist()
      WHERE (
        -- Processes running from temp directories
        Exe =~ "(?i)C:\\\\(Temp|Users\\\\[^\\\\]+\\\\AppData\\\\Local\\\\Temp)\\\\" OR
        -- Suspicious command line patterns
        CommandLine =~ "(?i)(powershell.*-enc|cmd.*echo.*>|certutil.*-decode)" OR
        -- Processes with random names
        Name =~ "^[a-f0-9]{8,}\\.(exe|tmp)$" OR
        -- Common malware process names running outside System32
        -- (AND binds tighter than OR, so the exclusion applies to this branch only)
        (Name =~ "(?i)(svchost|winlogon|csrss|lsass)\\.(tmp|exe)$" AND
         NOT Exe =~ "(?i)C:\\\\Windows\\\\System32\\\\")
      )
      ORDER BY CreateTime DESC
```
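The four rules in this artifact (and the shorter "Suspicious process detection" query in the Process Analysis section) are worth reading as plain predicates, because the operator precedence decides what the System32 exclusion actually protects. The following is an added example, not code from the cheatsheet or from the Velociraptor project: it re-implements the same regexes in Python over a handful of constructed process rows shaped like the `pslist()` columns the artifact selects (`Name`, `Exe`, `CommandLine`), so each row can be checked against each rule in isolation. The sample rows are made up for illustration.

```python
import re

# Constructed sample rows shaped like the pslist() columns the artifact selects
# (Name, Exe, CommandLine). Made-up test data, not output from a real host.
SAMPLE_PROCESSES = [
    {"Name": "svchost.exe",
     "Exe": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Name": "svchost.exe",
     "Exe": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "CommandLine": "svchost.exe"},
    {"Name": "powershell.exe",
     "Exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Name": "3f9a1c7e2b.exe",
     "Exe": r"C:\ProgramData\3f9a1c7e2b.exe",
     "CommandLine": "3f9a1c7e2b.exe"},
    {"Name": "notepad.exe",
     "Exe": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

# One compiled pattern per OR-branch of the artifact's WHERE clause. Python's re
# and VQL both accept the (?i) flag and the same backslash escaping, so the
# patterns below are the artifact's patterns with one level of string escaping
# removed (raw strings instead of VQL double-quoted strings).
TEMP_DIR = re.compile(r"(?i)C:\\(Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\")
SUSPICIOUS_CMD = re.compile(r"(?i)(powershell.*-enc|cmd.*echo.*>|certutil.*-decode)")
RANDOM_NAME = re.compile(r"^[a-f0-9]{8,}\.(exe|tmp)$")
MASQUERADE = re.compile(r"(?i)(svchost|winlogon|csrss|lsass)\.(tmp|exe)$")
SYSTEM32 = re.compile(r"(?i)C:\\Windows\\System32\\")


def classify(proc):
    """Return the names of the rules that fire for one process row ([] if none)."""
    reasons = []
    if TEMP_DIR.search(proc["Exe"]):
        reasons.append("temp_directory")
    if SUSPICIOUS_CMD.search(proc["CommandLine"]):
        reasons.append("suspicious_cmdline")
    if RANDOM_NAME.search(proc["Name"]):
        reasons.append("random_name")
    # AND binds tighter than OR in VQL, so the System32 exclusion narrows only
    # the masquerading-name rule: a genuine svchost.exe under System32 is never
    # flagged by it, while the other three rules ignore where the binary lives.
    if MASQUERADE.search(proc["Name"]) and not SYSTEM32.search(proc["Exe"]):
        reasons.append("masquerading_name")
    return reasons


def find_suspicious(processes):
    """Map Exe path -> firing rules for every row that at least one rule matches."""
    hits = {}
    for proc in processes:
        reasons = classify(proc)
        if reasons:
            hits[proc["Exe"]] = reasons
    return hits


if __name__ == "__main__":
    for exe, reasons in find_suspicious(SAMPLE_PROCESSES).items():
        print(f"{exe}: {', '.join(reasons)}")
```

Running it flags three of the five rows: the `svchost.exe` copy in a user's Temp directory (two rules fire), the encoded PowerShell invocation, and the hex-named binary; the legitimate `svchost.exe` in System32 and `notepad.exe` pass. Keying the result on `Exe` rather than `Name` matters here because two rows share the name `svchost.exe`.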
**Deploy Custom Artifact:**

```bash
# Upload artifact to server
velociraptor --config server.config.yaml artifacts upload custom_artifact.yaml

# Run artifact on specific client
velociraptor --config server.config.yaml query "SELECT * FROM Artifact.Custom.Windows.SuspiciousProcesses()" --client_id C.1234567890abcdef
```
### Hunt Management

**Create Hunt:**

```vql
-- Create hunt for suspicious processes
SELECT hunt_id FROM hunt(
  description="Hunt for suspicious processes",
  artifacts=["Custom.Windows.SuspiciousProcesses"],
  spec=dict(
    artifacts=["Custom.Windows.SuspiciousProcesses"],
    parameters=dict()
  )
)
```

**Monitor Hunt Progress:**

```vql
-- Check hunt status
SELECT hunt_id, state, create_time, creator,
       total_clients_scheduled, completed_clients
FROM hunts()
WHERE state = "RUNNING"

-- Get hunt results
SELECT ClientId, Timestamp, Name, Pid, CommandLine, ExeHash
FROM hunt_results(hunt_id="H.1234567890abcdef",
                  artifact="Custom.Windows.SuspiciousProcesses")
```
## Incident Response

### Live Response

**Remote Shell:**

```vql
-- Execute commands remotely
SELECT Stdout, Stderr, ReturnCode
FROM execve(argv=["cmd", "/c", "whoami"])

-- PowerShell execution
SELECT Stdout, Stderr, ReturnCode
FROM execve(argv=["powershell", "-Command", "Get-Process | Where-Object {$_.CPU -gt 100}"])

-- Collect system information
SELECT Stdout FROM execve(argv=["systeminfo"])
```

**File Collection:**

```vql
-- Collect specific files
SELECT upload(file=FullPath) AS Upload
FROM glob(globs="C:/Users/*/Desktop/suspicious.exe")

-- Collect log files (anchored so only the three named logs match)
SELECT FullPath, upload(file=FullPath) AS Upload
FROM glob(globs="C:/Windows/System32/winevt/Logs/*.evtx")
WHERE Name =~ "^(Security|System|Application)\\.evtx$"

-- Memory dump collection
SELECT upload(file=dump_process(pid=1234)) AS MemoryDump
FROM scope()
```
### Timeline Analysis

**File System Timeline:**

```vql
-- Create filesystem timeline
SELECT FullPath, Size, Mtime, Atime, Ctime, Btime,
       "M" AS MtimeType, "A" AS AtimeType, "C" AS CtimeType, "B" AS BtimeType
FROM glob(globs="C:/Users/*/Documents/**")
WHERE Mtime > timestamp(string="2023-01-01T00:00:00Z")
ORDER BY Mtime

-- Process creation timeline
SELECT Name, Pid, CommandLine, CreateTime, Exe
FROM pslist()
WHERE CreateTime > now() - 86400 -- Last 24 hours
ORDER BY CreateTime
```

**Event Log Timeline:**

```vql
-- Security event timeline
SELECT EventTime, EventID, Computer, Username, LogonType,
       IpAddress, WorkstationName
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE EventTime > timestamp(string="2023-01-01T00:00:00Z")
  AND EventID IN (4624, 4625, 4648, 4672, 4720, 4726)
ORDER BY EventTime
```
### Threat Hunting

**Lateral Movement Detection:**

```vql
-- Detect lateral movement via RDP
SELECT EventTime, Computer, Username, IpAddress, LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE EventID = 4624 AND LogonType = 10 -- RDP logons
  AND IpAddress != "127.0.0.1"
  AND IpAddress != "-"

-- Detect PSExec usage
SELECT Name, Pid, CommandLine, CreateTime
FROM pslist()
WHERE (CommandLine =~ "psexec" OR
       Name =~ "PSEXESVC\\.exe" OR
       CommandLine =~ "\\\\\\\\.*\\\\admin\\$")

-- Detect suspicious PowerShell
SELECT Name, Pid, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ "powershell\\.exe" AND
      (CommandLine =~ "-enc" OR
       CommandLine =~ "-nop" OR
       CommandLine =~ "-w hidden" OR
       CommandLine =~ "DownloadString" OR
       CommandLine =~ "IEX")
```

**Persistence Detection:**

```vql
-- Startup folder persistence
SELECT FullPath, Size, Mtime, hash(path=FullPath) AS Hash
FROM glob(globs=[
  "C:/Users/*/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/*",
  "C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/*"
])

-- Scheduled task persistence
SELECT Name, State, LastRunTime, NextRunTime, TaskPath, Actions
FROM scheduled_tasks()
WHERE State = "Ready" AND
      (Actions =~ "powershell" OR
       Actions =~ "cmd" OR
       Actions =~ "C:\\\\Temp\\\\" OR
       Actions =~ "C:\\\\Users\\\\.*\\\\AppData\\\\")

-- Service persistence
SELECT Name, DisplayName, BinaryPath, StartType, Status
FROM services()
WHERE BinaryPath =~ "(?i)(temp|appdata)" OR
      BinaryPath =~ "(?i)\\.(bat|cmd|ps1|vbs)$" OR
      (Name =~ "^[a-f0-9]{8,}$" AND StartType = "Auto")
```
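The Event Log Timeline query and the RDP lateral-movement query above both operate on the same `Security.evtx` columns; the value of running them together is that the timeline shows what happened around a remote logon, for example a run of failed logons (4625) from the same address shortly before a successful RDP logon (4624, LogonType 10). The following is an added example, not code from the cheatsheet or from the Velociraptor project: it applies the same filters in Python to a constructed set of records shaped like the `parse_evtx()` columns the queries select, and adds the sequence check the two VQL queries only imply. The event records and hostnames are made up.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records shaped like the Security.evtx columns the queries
# select (EventTime, EventID, Computer, Username, LogonType, IpAddress).
# Made-up data for illustration; deliberately not in time order.
SAMPLE_EVENTS = [
    {"EventTime": "2023-03-01T07:30:00Z", "EventID": 4672, "Computer": "DC01",
     "Username": "SYSTEM", "LogonType": None, "IpAddress": "-"},
    {"EventTime": "2023-03-01T08:00:00Z", "EventID": 4624, "Computer": "WS01",
     "Username": "alice", "LogonType": 2, "IpAddress": "-"},
    {"EventTime": "2023-03-01T08:05:00Z", "EventID": 4624, "Computer": "WS01",
     "Username": "alice", "LogonType": 10, "IpAddress": "127.0.0.1"},
    {"EventTime": "2023-03-01T09:12:00Z", "EventID": 4625, "Computer": "SRV02",
     "Username": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventTime": "2023-03-01T09:10:00Z", "EventID": 4625, "Computer": "SRV02",
     "Username": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventTime": "2023-03-01T09:11:00Z", "EventID": 4625, "Computer": "SRV02",
     "Username": "svc_backup", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventTime": "2023-03-01T09:15:00Z", "EventID": 4624, "Computer": "SRV02",
     "Username": "svc_backup", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"EventTime": "2022-12-15T10:00:00Z", "EventID": 4624, "Computer": "SRV02",
     "Username": "bob", "LogonType": 10, "IpAddress": "10.0.9.9"},
]

# The event IDs the VQL timeline query keeps: logon success/failure, explicit
# credentials, special privileges, account created, account deleted.
LOGON_EVENT_IDS = (4624, 4625, 4648, 4672, 4720, 4726)


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the EventTime column."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timeline(events, since, event_ids=LOGON_EVENT_IDS):
    """Keep the logon-related event IDs newer than `since`, ordered by time.
    This is the Python form of the Event Log Timeline query."""
    cutoff = parse_time(since)
    selected = [e for e in events
                if e["EventID"] in event_ids and parse_time(e["EventTime"]) > cutoff]
    return sorted(selected, key=lambda e: parse_time(e["EventTime"]))


def rdp_logons(events):
    """Successful RDP logons: 4624 with LogonType 10 from a real remote address.
    Loopback and "-" are excluded because console and service logons also produce
    4624 records without a meaningful source address."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10
            and e["IpAddress"] not in ("127.0.0.1", "-")]


def rdp_after_failures(events, threshold=3):
    """RDP successes preceded by at least `threshold` failed logons (4625) from
    the same address. Order matters, so the events are walked in time order and
    the failure count is accumulated per source address as we go."""
    ordered = sorted(events, key=lambda e: parse_time(e["EventTime"]))
    failures = Counter()
    flagged = []
    for e in ordered:
        if e["EventID"] == 4625 and e["IpAddress"] != "-":
            failures[e["IpAddress"]] += 1
        elif (e["EventID"] == 4624 and e["LogonType"] == 10
              and failures[e["IpAddress"]] >= threshold):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in timeline(SAMPLE_EVENTS, "2023-01-01T00:00:00Z"):
        print(e["EventTime"], e["EventID"], e["Computer"], e["Username"], e["IpAddress"])
    for e in rdp_after_failures(SAMPLE_EVENTS):
        print("RDP success after repeated failures:", e["Username"], "from", e["IpAddress"])
```

On the sample data `rdp_logons()` returns two records (`svc_backup` and `bob`), but only the `svc_backup` logon follows three failures from its source address, so it is the one `rdp_after_failures()` surfaces; the `alice` logon with LogonType 10 is dropped because its source is loopback. The 2022 record falls outside the timeline window and is excluded there, while the RDP checks intentionally look at every event they are given.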
## Monitoring and Alerting

### Real-time Monitoring

**Process Monitoring:**

```vql
-- Monitor new process creation
SELECT timestamp(epoch=Timestamp) AS Time,
       Name, Pid, Ppid, CommandLine, Exe
FROM watch_process()
WHERE CommandLine =~ "(powershell.*-enc|cmd.*echo|certutil.*-decode)"
```

**File System Monitoring:**

```vql
-- Monitor file creation in suspicious locations
SELECT timestamp(epoch=Timestamp) AS Time,
       FullPath, Action
FROM watch_file(globs=[
  "C:/Temp/**",
  "C:/Users/*/AppData/Local/Temp/**",
  "C:/Windows/Temp/**"
])
WHERE Action = "CREATED" AND
      FullPath =~ "\\.(exe|bat|cmd|ps1|vbs)$"
```

**Registry Monitoring:**

```vql
-- Monitor registry changes for persistence
SELECT timestamp(epoch=Timestamp) AS Time,
       Key, ValueName, ValueData, EventType
FROM watch_registry(globs=[
  "HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*",
  "HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/*"
])
```
### Alerting Integration

**SIEM Integration:**

```vql
-- Export alerts to SIEM
SELECT timestamp(epoch=now()) AS AlertTime,
       "Velociraptor" AS Source,
       "Suspicious process" AS AlertType,
       Name, Pid, CommandLine, Exe
FROM pslist()
WHERE CommandLine =~ "powershell.*-enc"
```

**Webhook Alerts:**

```vql
-- Send webhook alerts
SELECT http_client(
         url="https://webhook.site/your-webhook-url",
         method="POST",
         data=serialize(item=dict(
           alert_type="Suspicious process",
           hostname=info().Hostname,
           process_name=Name,
           command_line=CommandLine,
           timestamp=now()
         ), format="json")
       ) AS Response
FROM pslist()
WHERE CommandLine =~ "powershell.*-enc"
```
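The SIEM and webhook queries above emit one alert per matching process with the raw command line. When results are instead pulled from the server as hunt output (the JSON-lines form the GUI and API export), the same alert records can be built off-box, and an analyst usually wants the `-enc` argument decoded alongside the raw line to judge the alert. The following is an added example, not code from the cheatsheet or from the Velociraptor project: it reads constructed hunt rows (the `ClientId` and `Fqdn` column names are assumed to match the hunt export, the rest are the `pslist()` columns the queries select), applies the same `powershell.*-enc` filter, and produces SIEM-ready alert dictionaries with the decoded script attached. The encoded command in the sample is generated at runtime from a harmless `Write-Host` line purely so the round trip can be checked.

```python
import base64
import json
import re
from datetime import datetime, timezone

# The same test the VQL uses to pick out encoded PowerShell, plus a capture group
# for the base64 argument that follows -enc / -EncodedCommand.
ENCODED_PS = re.compile(r"(?i)powershell.*-enc\S*\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script):
    """PowerShell's -EncodedCommand representation (UTF-16LE, then base64).
    Used here only to build the constructed sample row below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Recover the script behind an encoded command line for triage, or None
    when the line carries no decodable -enc argument."""
    match = ENCODED_PS.search(cmdline or "")
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_alerts(jsonl_text, source="Velociraptor"):
    """Turn hunt result rows (one JSON object per line) into SIEM-ready alert
    records carrying the fields the SIEM/webhook VQL selects, plus the decoded
    script. Rows that do not match the encoded-PowerShell filter are skipped."""
    alerts = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        cmdline = row.get("CommandLine", "")
        if not re.search(r"(?i)powershell.*-enc", cmdline):
            continue
        alerts.append({
            "alert_time": datetime.now(timezone.utc).isoformat(),
            "source": source,
            "alert_type": "Suspicious process",
            "client_id": row.get("ClientId"),   # assumed hunt export column
            "hostname": row.get("Fqdn"),        # assumed hunt export column
            "process_name": row.get("Name"),
            "pid": row.get("Pid"),
            "command_line": cmdline,
            "decoded_command": decode_encoded_command(cmdline),
        })
    return alerts


# Constructed sample hunt output: three rows, one of which carries an encoded
# command built from a harmless script so the decoding can be verified.
SAMPLE_SCRIPT = "Write-Host 'scheduled maintenance'"
SAMPLE_RESULTS = "\n".join(json.dumps(row) for row in [
    {"ClientId": "C.0000000000000001", "Fqdn": "ws01.example.internal",
     "Name": "powershell.exe", "Pid": 4312,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(SAMPLE_SCRIPT),
     "Exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ClientId": "C.0000000000000002", "Fqdn": "ws02.example.internal",
     "Name": "powershell.exe", "Pid": 1180,
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "Exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ClientId": "C.0000000000000001", "Fqdn": "ws01.example.internal",
     "Name": "notepad.exe", "Pid": 2208,
     "CommandLine": "notepad.exe notes.txt",
     "Exe": r"C:\Windows\System32\notepad.exe"},
])

if __name__ == "__main__":
    print(json.dumps(build_alerts(SAMPLE_RESULTS), indent=2))
```

Only the first sample row becomes an alert; the `-File` invocation and `notepad.exe` are passed over, and the alert carries both the raw command line and the decoded `Write-Host` script. Decoding failures (a truncated or non-base64 argument) yield `None` rather than an exception, so a malformed row never stops the rest of the batch from being processed.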
## Performance and Scaling

### Query Optimization

**Efficient Queries:**

```vql
-- Use specific globs instead of broad recursive wildcards
-- Good
SELECT * FROM glob(globs="C:/Users/*/Desktop/*.exe")

-- Avoid
SELECT * FROM glob(globs="C:/**")
WHERE FullPath =~ "\\.exe$"

-- Use LIMIT for large datasets
SELECT * FROM pslist() LIMIT 100

-- Use WHERE clauses early
SELECT Name, Pid FROM pslist()
WHERE Name = "powershell.exe"
```

**Resource Management:**

```vql
-- Control memory usage
SELECT * FROM pslist()
WHERE Pid < 10000 -- Limit scope

-- Use streaming for large results
SELECT * FROM foreach(
  row={SELECT Pid FROM pslist() WHERE Name = "chrome.exe"},
  query={SELECT * FROM modules(pid=Pid)}
)
```
### Distributed Deployment

**Multi-Server Setup:**

```yaml
# Load balancer configuration
Frontend:
  bind_address: 0.0.0.0
  bind_port: 8000
  expected_clients: 10000

# Database clustering
Datastore:
  implementation: MySQL
  mysql_connection_string: "user:pass@tcp(mysql-cluster:3306)/velociraptor"

# File storage
Filestore:
  implementation: S3
  s3_bucket: "velociraptor-files"
  s3_region: "us-east-1"
```
## Troubleshooting

### Common Issues

**Client Connection Problems:**

```bash
# Check client status
velociraptor --config client.config.yaml status

# Test server connectivity
velociraptor --config client.config.yaml query "SELECT * FROM info()"

# Debug client logs
tail -f /var/log/velociraptor_client.log

# Force client enrollment
velociraptor --config client.config.yaml enroll
```

**Performance Issues:**

```vql
-- Check server performance
SELECT * FROM server_metadata()

-- Monitor query performance
SELECT query, duration, rows_returned
FROM query_log()
WHERE duration > 10000 -- Queries taking longer than 10 seconds

-- Check client resource usage
SELECT Pid, Name, CPU, Memory
FROM pslist()
WHERE Name =~ "velociraptor"
```

**Query Debugging:**

```vql
-- Debug VQL queries
SELECT log(message="Debug: processing " + str(str=Pid))
FROM pslist()

-- Check query syntax
EXPLAIN SELECT * FROM pslist()

-- Validate artifact syntax
SELECT validate_artifact(definition=read_file(filename="artifact.yaml"))
```

### Log Analysis

**Server Logs:**

```bash
# Monitor server logs
tail -f /var/log/velociraptor.log

# Search for errors
grep -i error /var/log/velociraptor.log

# Check client connections
grep "client connected" /var/log/velociraptor.log
```

**Client Logs:**

```bash
# Monitor client logs
tail -f /var/log/velociraptor_client.log

# Check enrollment status
grep "enrollment" /var/log/velociraptor_client.log

# Monitor query execution
grep "query" /var/log/velociraptor_client.log
```
This cheatsheet covers Velociraptor installation, VQL queries, artifact development, incident response, and advanced features for effective endpoint monitoring and threat hunting.