top of page

Navigating Velociraptor: A Step-by-Step Guide


Velociraptor is an incredibly powerful tool for endpoint visibility and digital forensics. In this guide, we’ll dive deep into the Velociraptor interface to help you navigate the platform effectively. Let’s start by understanding the Search Bar, working through various sections like VFS (Virtual File System), and explore advanced features such as Shell for live interactive sessions.


Navigation:


1. Search Bar: Finding Clients Efficiently

The search bar is the quickest way to locate connected clients. You can search for clients by typing:

  • All to see all connected endpoints

  • label:<label_name> to filter endpoints by label


For example: If you have 10 endpoints and you label 5 of them as Windows and the other 5 as Linux, you can simply type label:Windows to display the Windows clients, or label:Linux to find the Linux ones. Labels are critical for grouping endpoints, making it easier to manage large environments.


To create a label:

  • Select the client you want to label.

  • Click on Label and assign a name to the client for easier identification later.


2. Client Status Indicators

Next to each client, you’ll see a green light if the client is active. This indicates that the endpoint is connected to the Velociraptor server and ready for interaction.

  • Green light: Client is active.

  • No light: Client is offline or disconnected.

To view detailed information about any particular client, just click on the client’s ID. You’ll see specific details such as the IP address, system name, operating system, and more.


3. Navigating the Left Panel: Interrogate, VFS, Collected

In the top-left corner, you’ll find three key filters:

  • Interrogate: This function allows you to update client details (e.g., IP address or system name changes). Clicking Interrogate will refresh the information on that endpoint.


  • VFS (Virtual File System): This is the forensic expert’s dream! It allows you to explore the entire file system of an endpoint, giving you access to NTFS partitions, registries, C drives, D drives, and more. You can focus on collecting specific pieces of information instead of acquiring full disk images.

Example:

If you want to investigate installed software on an endpoint, you can navigate to the relevant registry path, and collect only that specific data, making the process faster and less resource-intensive.

  • Collected: This filter shows all the data collected from the clients during previous hunts or investigations.


4. Exploring the VFS: A Forensic Goldmine

When you click on VFS, you can explore the entire endpoint in great detail. For instance, you can:


  • Navigate through directories like C:\ or D:\.


Refresh the directory, recursive refresh, 3rd one is downloading the entire directory from client into your server


  • Access registry keys, installed software, and even get MACB timestamps for files (created, modified, accessed, birth timestamps).


Example: Let’s say you find an unknown executable file. Velociraptor allows you to collect that file directly from the endpoint by clicking Collect from Client. Once collected, it will be downloaded to the server for further analysis (e.g., malware sandbox testing or manual review).


Important Features:

  • Folder Navigation: You can browse through directories and files with ease.

  • File Download: You can download individual files like MFTs, Prefetch, or any other artifacts from the endpoint to your server for further analysis.

  • Hash Verification: When you collect a file, Velociraptor automatically generates the file’s hash, which can be used to verify its integrity during analysis.


We will talk about where u can find these download or collected artifacts at end


5. Client Performance Considerations

Keep in mind that if you’re managing a large number of endpoints and you start downloading large files (e.g., 1GB or more) from multiple clients simultaneously, you could impact network performance. Be mindful of the size of artifacts you collect and prioritize gathering only critical data to avoid crashing the network or server.


6. Host Quarantine

At the top near VFS, you’ll see the option to quarantine a host. When a host is quarantined, it gets isolated from the network to prevent any further suspicious activity. However, this feature requires prior configuration on how you want to quarantine the host.


7. Top-Right Navigation: Overview, VQL Drilldown, and Shell

At the top-right corner of the client page, you’ll find additional navigation options:


  • Overview: Displays a general summary of the endpoint, including key details such as hostname, operating system, and general system health.

  • VQL Drilldown: Provides a more detailed overview of the client, including memory and CPU usage, network connections, and other system metrics. This section is useful for more in-depth endpoint monitoring.

  • Shell: Offers an interactive command-line interface where you can execute commands on the endpoint, much like using the Windows Command Prompt or Linux Terminal. You can perform searches, check running processes, or even execute scripts.


Example:

If you’re investigating suspicious activity, you could use the shell to search for specific processes or services running on the endpoint


Next Comes the Hunt Manager:- What is a Hunt?

A Hunt in Velociraptor is a logical collection of one or more artifacts from a set of systems. The Hunt Manager schedules these collections based on the criteria you define (such as labels or client groups), tracks the progress of these hunts, and stores the collected data.


Example 1: Collecting Windows Event Logs

In this scenario, let's collect Windows Event Logs for preservation from specific endpoints labeled as domain systems. Here's how to go about it:


  • Labeling Clients: Labels make targeting specific groups of endpoints much easier. For instance, if you have labeled domain systems as "Domain", you can target only these systems in your hunt.

    • For this example, I labeled one client as Domain to ensure the hunt runs only on that particular system.

  • Artifact Selection: In the Select Artifact section of the Hunt Manager, I’ll choose a KAPE script from the artifacts, which is built into Velociraptor. This integration makes it simple to collect various system artifacts like Event Logs, MFTs, or Prefetch files.

  • Configure the Hunt: On the next page, I will configure the hunt to target Windows Event Logs from the KAPE Targets artifact list.

  • Resource Configuration: In the resource configuration step, you need to specify certain parameters such as CPU usage. Be cautious with your configuration, as this directly impacts the client's performance during the hunt. For instance, I set the CPU limit to 50% to ensure the client is not overloaded while collecting data.

  • Launch the Hunt: After finalizing the configuration, I launch the hunt. Note that once launched, the hunt initially enters a Paused state.

  • Run the Hunt: To begin data collection, you must select the hunt from the list and click Run. The hunt will execute on the targeted clients (based on the label).

  • Stopping the Hunt: Once the hunt completes, you can stop it to avoid further resource usage.


  • Reviewing Collected Data: After the hunt is finished, navigate to the designated directory in Velociraptor to find the collected event logs. You’ll have everything preserved for analysis.


Example 2: Running a Hunt for Scheduled Tasks on All Windows Clients

Let’s take another example where we want to gather data on Scheduled Tasks across all Windows clients:


  • Artifact Selection: In this case, I create a query targeting all Windows clients and select the appropriate artifact for gathering scheduled task information.


  • Configure the Query: Once the query is set, I configure the hunt, ensuring it targets all Windows clients in my environment.

  • Running the Hunt: Similar to the first example, I launch the hunt, which enters a paused state. I then select the hunt and run it across all Windows clients.


  • Check the Results: Once the hunt finishes, you can navigate to the Notebook section under the hunt. This shows all the output data generated during the hunt:

    • Who ran the hunt

    • Client IDs involved

    • Search through the output directly from this interface or explore the directory for more details.


  • The collected data is available in JSON format under the designated directory, making it easy to analyze or integrate into further forensic workflows.


Key Points to Remember

  1. CPU Limit: Be careful when configuring resource usage. The CPU limit you set will be used on the client machines, so ensure it's not set too high to avoid system slowdowns.

  2. Labeling: Using labels to organize clients (e.g., by OS, department, or role) will make it easier to manage hunts across large environments. This is especially useful in large-scale investigations.

  3. Directory Navigation: After the hunt is complete, navigate to the appropriate directories to find the collected artifacts.

  4. Hunt Scheduling: The Hunt Manager allows you to schedule hunts at specific times or run them on-demand, giving you flexibility in managing system resources.



Viewing and Managing Artifacts

Velociraptor comes pre-loaded with over 250 artifacts. You can view all available artifacts, customize them, or even create your own. Here’s how you can access and manage these artifacts:

  • Accessing Artifacts:

    • Click on the Wrench icon in the Navigator menu along the left-hand side of the WebUI. This opens the list of artifacts available on Velociraptor.

    • Artifacts are categorized by system components, forensic artifacts, memory analysis, and more.

    • Use the Filter field to search for specific artifacts. You can filter by name, description, or both. This helps narrow down relevant artifacts from the large list.

  • Custom Artifacts:

    • Velociraptor also allows you to write your own artifacts or upload customized ones. This flexibility enables you to adapt Velociraptor to the specific forensic and incident response needs of your organization.


Server Events and Collected Artifacts

Next, let's talk about Server Events. These represent activity logs from the Velociraptor server, where you can find details like:

  • Audit Logs: Information about who initiated which hunts, including timestamps.

  • Artifact Logs: Details about what was collected during each hunt or manual query, and which endpoint provided the data.


Collected Artifacts

 shows what data was gathered from an endpoint. Here’s what you can do:

  • Selecting an Artifact: When you select a specific artifact, you’ll get information such as file uploads, request logs, results, and query outputs.

  • This helps with post-collection analysis, allowing you to drill down into each artifact to understand what data was collected and how it was retrieved.


Client Monitoring with Event Queries

Velociraptor allows for real-time monitoring of events happening on the client systems using client events or client monitoring artifacts. These are incredibly useful when tracking system activity as it happens. Let’s walk through an example:

  • Monitoring Example:

    • Let’s create a monitoring query for Edge URLs, process creation, and service creation.

    • Once the monitoring begins, Velociraptor keeps an eye on these specific events.

  • Real-Time Alerts:

    • As soon as a new process or service is created, an alert will be generated in the output.

    • You’ll get a continuous stream of results showing URLs visited, services launched, and processes created in real-time.


VQL (Velociraptor Query Language) Overview

Velociraptor’s power lies in its VQL Engine, which allows for complex queries to be run across systems. It offers two main types of queries:

1. Collection Queries:

  • Purpose: Snapshots of data at a specific point in time.

  • Execution: These queries run once and return all results (e.g., querying for running processes).

  • Example Use: Retrieving a list of running processes or collecting event logs at a specific moment. collecting prefetch, MFT, Usserassist.


2. Event Queries:

  • Purpose: Continuous background monitoring.

  • Execution: These queries continue running in a separate thread, adding rows of data as new events occur.

  • Example Use: Monitoring DNS queries, process creation, or new services being installed (e.g., tracking Windows event ID 7045 for service creation).


Use Cases for VQL Queries

  • Collection Queries: Best used for forensic investigations requiring one-time data retrieval. For example, listing processes, file listings, or memory analysis.

  • Event Queries: Ideal for real-time monitoring. This can include:

    • DNS Query Monitor: Tracks DNS queries made by the client.

    • Process Creation Monitor: Watches for any newly created processes.

    • Service Creation Monitor: Monitors system event ID 7045 for newly installed services.


Summary:

  • Collection Queries: Snapshot-style queries; ideal for point-in-time data gathering.

  • Event Queries: Continuous, real-time monitoring queries for live activity tracking.


Offline Triage with Velociraptor

One more exciting feature: Velociraptor supports offline triage, allowing you to collect artifacts even when a system is not actively connected to the server. This can be helpful for forensic collection when endpoints are temporarily offline. To learn more about offline triage, you can check the official Velociraptor documentation here: Offline Triage.


At Last:- Exploring Directories on the Server

Finally, let's take a quick look at the directory structure on the Velociraptor server.

Each client in Velociraptor has a unique client ID.


When you manually collect data or run hunts on an endpoint, the collected artifacts are stored in a folder associated with that client ID.


  • Clients Folder: Inside the clients directory, you’ll find subfolders named after each client ID. By diving into these folders, you can access the artifacts collected from each respective client.

  • Manual vs Hunt Collection:


    Artifacts collected manually go under the Collections folder.


Artifacts collected via hunts are usually stored under the Artifact folder. You can check this by running tests yourself.


Conclusion

Velociraptor is a flexible, powerful tool for endpoint monitoring, artifact collection, and real-time forensics. The VQL engine provides powerful querying capabilities, both for one-time collections and continuous event monitoring. Using hunts, custom artifacts, and real-time alerts, you can monitor and collect essential forensic data seamlessly.


Before signing off, I highly recommend you install Velociraptor, try running some hunts, and explore the available features firsthand. Dive into both manual collections and hunt-driven collections, and test the offline triage capability to see how versatile Velociraptor can be in real-world forensic investigations!


Akash Patel

107 views0 comments

Комментарии


bottom of page