fleet-hunting-with-velociraptor
Fleet Hunting with Velociraptor
Authorized Use Only: Velociraptor agents provide deep endpoint visibility and remote collection. Deploy only on assets you own or are authorized to monitor, in accordance with your monitoring policy and applicable law.
Overview
Velociraptor is an open-source endpoint visibility and digital-forensics platform from Rapid7/Velocidex. A single Go binary acts as server, client (agent), and CLI depending on how it is invoked and configured. Its power comes from VQL (Velociraptor Query Language) — an SQL-like language whose plugins query the live state of an endpoint (processes, files, registry, event logs, WMI, network connections, prefetch, etc.). VQL queries are packaged into reusable Artifacts, and Artifacts are run at scale as Hunts that fan out across every connected client and stream results back to the server as structured rows.
This makes Velociraptor ideal for fleet-wide threat hunting: a hypothesis ("are any hosts running suspicious PowerShell?") becomes a VQL artifact, deployed as a hunt, with results aggregated centrally in minutes. It also supports offline collectors (standalone executables that collect and bundle artifacts on air-gapped or unmanaged hosts) and live forensic notebooks.
When to Use
- Hunting for a TTP across hundreds or thousands of endpoints from a single console.
- Collecting forensic artifacts on demand during incident response without re-imaging.
- Continuously monitoring for an indicator using client-side event artifacts.
- Generating standalone offline collectors for hosts you cannot enroll.