VQL
Velociraptor Query Language: SQL-like syntax that queries live endpoint artifacts (file system, registry, process memory, Windows event logs) from the server console
10,000+
Endpoints a single Velociraptor server can handle: the agent is extremely lightweight (< 10 MB RAM), making large-fleet deployment practical for IR teams
Artifact Exchange
Velociraptor's community-maintained library of pre-built forensic artifact collectors: covers Prefetch, SRUM, Amcache, LNK files, browser history, and more
Hunt
Velociraptor's mechanism for running artifact collection across all endpoints simultaneously: "Start Hunt" sends a query to every agent and streams results back

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Traditional digital forensics requires imaging a compromised disk (hours per machine), shipping it to a lab (days), and analyzing it offline (days more). When an organization has 500 potentially affected endpoints after a breach, this model does not scale.

Velociraptor inverts this approach: instead of bringing the evidence to the analyst, it brings the analyst's queries to the evidence. A forensic analyst writes a VQL query specifying what artifacts to collect, starts a Hunt, and Velociraptor's agents on every enrolled endpoint execute the query and stream results back: all within minutes. During active IR, this enables answering scope questions across the entire fleet before the attacker moves laterally to additional hosts.

Deployment Architecture

Velociraptor uses a client-server model: a central server handles the web UI, query dispatch, and result storage, while lightweight agents run on every endpoint and execute VQL queries when instructed.

Server installation (Linux recommended):

# Download the latest release binary
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-v0.72-linux-amd64
chmod +x velociraptor-v0.72-linux-amd64
mv velociraptor-v0.72-linux-amd64 /usr/local/bin/velociraptor

# Generate server configuration
velociraptor config generate --interactive
# Follow prompts: set server URL, TLS cert path, datastore path
# Config saved to server.config.yaml and client.config.yaml

# Install as service and start
velociraptor --config server.config.yaml debian server
dpkg -i velociraptor_server.deb
systemctl enable velociraptor_server && systemctl start velociraptor_server

# Access the web UI:
# https://your-server:8889 (admin credentials set during config generation)

Deploy agents to Windows endpoints:

# Generate the Windows MSI installer from server
velociraptor --config client.config.yaml config repack --exe velociraptor-v0.72-windows.exe output_installer.exe

# Deploy via Group Policy, SCCM, or Intune:
# Create a Software Distribution package or Win32 app
# Command: output_installer.exe service install
# The agent registers with the server and appears in the Web UI

# Verify agent is online in UI: Clients > Connected Clients
# Or from command line:
velociraptor --config server.config.yaml query "SELECT * FROM clients()" --format json

Essential IR Artifact Collections

Collect Prefetch files from all endpoints (prove execution history):

// In the Velociraptor UI: Hunting > New Hunt > "Artifact Collection"
// Or use the built-in artifact: Windows.Forensics.Prefetch

-- VQL query equivalent:
SELECT Executable, LastRunTime, RunCount, PrefetchSize, Binary
FROM Artifact.Windows.Forensics.Prefetch()
WHERE Executable =~ '(?i)(mimikatz|psexec|cobalt|cobaltstrike|meterpreter|ncat|netcat)'
LIMIT 1000

// This returns Prefetch entries matching attacker tools from EVERY enrolled endpoint
// Results show: which machines have evidence, when the tool ran, how many times

Collect Windows Event Log entries (specific event IDs):

-- Hunt for failed logon attempts (Event 4625) across all machines
SELECT System.Computer, System.TimeCreated.SystemTime,
    EventData.TargetUserName, EventData.IpAddress, EventData.FailureReason
FROM Artifact.Windows.EventLogs.EvtxHunter(
    EvtxGlob="%SystemRoot%/system32/winevt/logs/Security.evtx",
    IdRegex="4625",
    SearchVSS=TRUE
)
WHERE System.TimeCreated.SystemTime > "2026-05-01T00:00:00Z"
LIMIT 10000

-- Hunt for lateral movement via remote service creation (Event 7045)
SELECT System.Computer, System.TimeCreated.SystemTime,
    EventData.ServiceName, EventData.ImagePath, EventData.AccountName
FROM Artifact.Windows.EventLogs.EvtxHunter(
    EvtxGlob="%SystemRoot%/system32/winevt/logs/System.evtx",
    IdRegex="7045"
)
LIMIT 5000

Collect running processes and network connections:

-- Snapshot of all running processes with network connections
SELECT Pid, Ppid, Name, Exe, CommandLine,
    Username, CreateTime, Laddr, Raddr, Status
FROM Artifact.Windows.Network.Netstat()
WHERE Raddr.IP !~ "^(127\.|::1|0\.0\.0\.0)"
  AND Status = "ESTABLISHED"

-- Same from process list:
SELECT Pid, Ppid, Name, Exe, CommandLine,
    Username, CreateTime, Hash.SHA256
FROM Artifact.Windows.System.Pslist()
WHERE Name =~ '(?i)(cmd|powershell|wscript|cscript|rundll32)'
  AND Username !~ 'SYSTEM|LOCAL SERVICE|NETWORK SERVICE'
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Timeline Reconstruction with NTFS $MFT

The NTFS Master File Table ($MFT) records creation, modification, and access timestamps for every file on the volume. Velociraptor can parse the $MFT directly from a live system: giving you a complete file activity timeline without imaging the disk.

-- Collect $MFT entries for files created during a specific timeframe
SELECT FullPath, FileSize, Created0x10, Modified0x10, MFTId
FROM Artifact.Windows.NTFS.MFT(
    MFTFilename="%SystemDrive%",
    AllDrives=FALSE
)
WHERE Created0x10 > "2026-05-13T00:00:00Z"
  AND Created0x10 < "2026-05-15T00:00:00Z"
  AND FullPath =~ '(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\public\\)'
ORDER BY Created0x10
LIMIT 10000

-- Find executable files created in unusual locations
SELECT FullPath, FileSize, Created0x10, Modified0x10
FROM Artifact.Windows.NTFS.MFT()
WHERE FullPath =~ '(?i)\.exe$'
  AND FullPath !~ '(?i)(\\Windows\\|\\Program Files)'
  AND Created0x10 > "2026-05-01T00:00:00Z"
ORDER BY Created0x10 DESC
LIMIT 5000

Collect registry run key persistence:

-- Check common persistence locations across all machines
SELECT Key.FullPath, Name, Data.value AS RegistryValue
FROM Artifact.Windows.Registry.RunKeys()
-- Built-in artifact checks all standard Run/RunOnce locations
-- Returns any entries that don't match a whitelist of known-good software

-- Also collect scheduled tasks:
SELECT Name, Path, Status, LastRunTime, NextRunTime, Actions
FROM Artifact.Windows.System.ScheduledTasks()
WHERE Path !~ '(?i)(\\microsoft\\|\\windows\\)'

Running Fleet-Wide Hunts

A Hunt in Velociraptor runs a query across all enrolled clients simultaneously: each agent executes the VQL locally and streams results back. This is the primary mechanism for answering scope questions during IR.

Create a Hunt via the UI:

1. Velociraptor UI > Hunts > New Hunt
2. Select artifacts: Windows.Forensics.Prefetch, Windows.Network.Netstat,
   Windows.EventLogs.EvtxHunter
3. Set parameters: date range, specific process names, IoC patterns
4. Set conditions: All clients, or specific client labels/OS
5. Click "Start Hunt"
6. Monitor progress: Hunts > [hunt ID] > Status
7. Download results: Hunts > [hunt ID] > Results > Download CSV

Or via the Velociraptor CLI (for scripting):

# Start a hunt from the command line
velociraptor --config server.config.yaml hunt start \
  --artifact "Windows.Forensics.Prefetch" \
  --args '{"NameRegex": "MIMIKATZ|PSEXEC"}' \
  --description "IR Hunt - Credential Tool Execution Evidence" \
  --output hunt_id.txt

# Wait for hunt to complete and export results
HUNT_ID=$(cat hunt_id.txt)
velociraptor --config server.config.yaml hunt export \
  --hunt_id $HUNT_ID \
  --output /tmp/hunt_results/

Custom artifact for a specific IoC sweep:

# Create a custom artifact to check for a specific file hash or IP
name: Custom.IR.IOCSweep
description: Check endpoints for specific IoC artifacts from incident
parameters:
  - name: SuspiciousIPs
    default: "1.2.3.4,5.6.7.8"
  - name: SuspiciousHashes
    default: "abc123...,def456..."
sources:
  - query: |
      -- Check for suspicious network connections to IoC IPs
      LET ips <= split(string=SuspiciousIPs, sep=',')
      SELECT Pid, Name, Exe, Raddr.IP
      FROM Artifact.Windows.Network.Netstat()
      WHERE Raddr.IP IN ips

The bottom line

Velociraptor enables fleet-wide forensic artifact collection during IR without disk imaging: run VQL queries across all enrolled endpoints simultaneously using Hunts. Key capabilities: parse Prefetch files to prove attacker tool execution, collect specific Event Log event IDs (4625, 7045, 4688), enumerate running processes with network connections, and parse the $MFT for file activity timelines. Deploy the server on Linux, agents via GPO/SCCM/Intune, and use the Artifact Exchange library for pre-built collectors. The typical IR workflow: start scope-assessment Hunts during initial triage to identify affected machines before proceeding to deep forensics on confirmed compromised hosts.

Frequently asked questions

What is Velociraptor used for in incident response?

Velociraptor is used for remote endpoint forensics and threat hunting without requiring disk image acquisition. During IR, it runs VQL queries across all enrolled endpoints simultaneously (Hunts) to collect Prefetch files (execution evidence), Windows event log entries, running processes with network connections, registry persistence keys, and NTFS $MFT file activity timelines. This enables scope assessment: identifying which machines are affected: in minutes across a fleet of thousands of endpoints.

How does Velociraptor compare to traditional disk imaging for forensics?

Traditional disk imaging takes hours per machine and requires physical or network access; analyzing a fleet of 500 endpoints takes weeks. Velociraptor collects targeted forensic artifacts from all enrolled endpoints simultaneously in minutes by running VQL queries on-device and streaming results back to a central server. The tradeoff: Velociraptor provides targeted artifact collection from live systems (not the complete disk for offline analysis), so it complements rather than fully replaces disk imaging for machines requiring deep analysis.

What is VQL and how does it work in Velociraptor?

VQL (Velociraptor Query Language) is a SQL-like query language for collecting and analyzing forensic data on Windows, macOS, and Linux endpoints. VQL queries run on the endpoint using built-in artifact definitions that collect specific data types: running processes, network connections, registry keys, file metadata, event logs, and parsed forensic artifacts (Prefetch, Shimcache, browser history). Example: SELECT * FROM glob(globs='C:/Windows/Prefetch/*.pf') returns all Prefetch file metadata. Velociraptor ships with hundreds of pre-built artifact definitions (Windows.System.Prefetch, Windows.EventLogs.Hayabusa, Windows.Timeline.MFT) that wrap common forensic collection tasks in parameterized VQL queries.

How do I deploy Velociraptor for incident response readiness?

Deploy Velociraptor in server-client mode: run a Velociraptor server (small Linux VM or cloud instance), generate a deployment package via 'velociraptor config generate -i', and distribute the agent to all endpoints via GPO, Intune, or Ansible. The agent is a single binary (under 20MB) with low performance overhead when idle. In a steady-state (no active investigation), agents check in periodically but collect no data. During incident response, push collection hunts to all or selected endpoints from the server GUI. Velociraptor is free and open source. For large environments, deploy multiple Velociraptor servers fronted by a load balancer, or use Velociraptor Cloud (managed hosting).

What Velociraptor artifacts should I collect during a ransomware investigation?

Core collection pack for ransomware investigation: Windows.EventLogs.Evtx (system, security, and application event logs for the infection timeline), Windows.System.Prefetch (identify executed malware binaries), Windows.System.Services (new or modified services — common ransomware persistence mechanism), Windows.Network.NetstatEnriched (current network connections with process context), Windows.Forensics.Shellbags (accessed folder paths revealing attacker browsing of the filesystem), Windows.Forensics.SRUM (System Resource Usage Monitor — tracks process execution and network usage over rolling 30 days), and Generic.Detection.Yara.Process (run YARA rules against running process memory to find in-memory ransomware or C2 implants).

How do you create and deploy a custom Velociraptor artifact for IoC sweeps during an active incident?

Define the artifact in YAML using the 'name', 'description', 'parameters', and 'sources' keys: the sources block contains the VQL query that references the parameter values. Store the artifact definition file locally, then import it into your Velociraptor server via the Artifacts > Import Artifact button in the UI or via the CLI with 'velociraptor artifacts import --config server.config.yaml custom_artifact.yaml'. Once imported, the artifact appears in the artifact browser and can be selected when creating a new Hunt. For IoC sweeps, parameterize the artifact to accept a comma-separated list of hashes, IPs, or file paths so analysts can update the IoC list without editing the artifact body. Test the artifact on a single client first by navigating to the client's page, selecting New Collection, and running the artifact against that one endpoint before launching the fleet-wide Hunt.

Sources & references

  1. Velociraptor Project Documentation
  2. Velociraptor Artifact Exchange
  3. Mike Cohen: Velociraptor Architecture

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.