external/anthropic-cybersecurity-skills/skills/implementing-velociraptor-for-ir-collection/SKILL.md
Deploy and configure Velociraptor for scalable endpoint forensic artifact collection during incident response using VQL queries, hunts, and pre-built artifact packs across Windows, Linux, and macOS environments.
Velociraptor is an advanced open-source endpoint monitoring, digital forensics, and incident response platform developed by Rapid7. It uses the Velociraptor Query Language (VQL) to create custom artifacts that collect, query, and monitor almost any aspect of an endpoint. Velociraptor enables incident response teams to rapidly collect and examine forensic artifacts from across a network, supporting large-scale deployments with minimal performance impact. The client-server architecture with Fleetspeak communication enables real-time data collection from thousands of endpoints simultaneously, with offline endpoints picking up hunts when they reconnect.
```bash
# Download the latest release and make it executable
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64
chmod +x velociraptor-linux-amd64

# Generate server configuration (interactive wizard)
./velociraptor-linux-amd64 config generate -i

# Start the server in the foreground
./velociraptor-linux-amd64 --config server.config.yaml frontend

# Or install the binary and run as a systemd service
sudo cp velociraptor-linux-amd64 /usr/local/bin/velociraptor
sudo mkdir -p /etc/velociraptor
sudo cp server.config.yaml /etc/velociraptor/server.config.yaml
sudo velociraptor --config /etc/velociraptor/server.config.yaml service install

# Derive the client config from the server config, then repack the client MSI for Windows deployment
velociraptor --config server.config.yaml config client > client.config.yaml
velociraptor config repack --msi velociraptor-windows-amd64.msi client.config.yaml output.msi
# Deploy via Group Policy, SCCM, or Intune
# Client runs as a Windows service: "Velociraptor"

# Linux client deployment (verbose, foreground)
velociraptor --config client.config.yaml client -v

# macOS client deployment (same invocation with the macOS build)
velociraptor --config client.config.yaml client -v
```

```bash
# Run the server in Docker (8000 frontend, 8001 API, 8889 GUI)
docker run --name velociraptor \
  -v /opt/velociraptor:/velociraptor/data \
  -p 8000:8000 -p 8001:8001 -p 8889:8889 \
  velocidex/velociraptor
```
```vql
-- Collect Windows Event Logs (artifact parameter names are case-sensitive: IdRegex)
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
    EvtxGlob="C:/Windows/System32/winevt/Logs/*.evtx",
    IdRegex="4624|4625|4648|4672|4688|4698|4769|7045"
)

-- Collect Prefetch files for execution evidence
SELECT * FROM Artifact.Windows.Forensics.Prefetch()

-- Collect Shimcache entries
SELECT * FROM Artifact.Windows.Registry.AppCompatCache()

-- Collect Amcache entries
SELECT * FROM Artifact.Windows.Forensics.Amcache()

-- Collect UserAssist data
SELECT * FROM Artifact.Windows.Forensics.UserAssist()

-- Collect NTFS MFT timestamps (the dot is escaped so only real extensions match)
SELECT * FROM Artifact.Windows.NTFS.MFT(
    MFTFilename="C:/$MFT",
    FileRegex="\\.(exe|dll|ps1|bat|cmd)$"
)

-- Collect scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()

-- Collect running processes with hashes
SELECT * FROM Artifact.Windows.System.Pslist()

-- Collect network connections
SELECT * FROM Artifact.Windows.Network.Netstat()

-- Collect DNS cache
SELECT * FROM Artifact.Windows.Network.DNSCache()

-- Collect browser history
SELECT * FROM Artifact.Windows.Applications.Chrome.History()

-- Collect PowerShell history
SELECT * FROM Artifact.Windows.Forensics.PowerShellHistory()

-- Collect autoruns/persistence
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
SELECT * FROM Artifact.Windows.System.Services()
SELECT * FROM Artifact.Windows.System.StartupItems()
```
```vql
-- Collect auth logs
SELECT * FROM Artifact.Linux.Sys.AuthLogs()

-- Collect bash history
SELECT * FROM Artifact.Linux.Forensics.BashHistory()

-- Collect crontab entries
SELECT * FROM Artifact.Linux.Sys.Crontab()

-- Collect running processes
SELECT * FROM Artifact.Linux.Sys.Pslist()

-- Collect network connections
SELECT * FROM Artifact.Linux.Network.Netstat()

-- Collect SSH authorized keys
SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys()

-- Collect systemd services
SELECT * FROM Artifact.Linux.Services()
```
```vql
-- Windows Triage Collection artifact
-- Collects event logs, prefetch, registry, browser data, and more
SELECT * FROM Artifact.Windows.KapeFiles.Targets(
    Device="C:",
    _AllFiles=FALSE,
    _EventLogs=TRUE,
    _Prefetch=TRUE,
    _RegistryHives=TRUE,
    _WebBrowsers=TRUE,
    _WindowsTimeline=TRUE
)
```
1. Navigate to Hunt Manager in the Velociraptor Web UI
2. Click "New Hunt"
3. Configure:
   - Description: "IR Triage - Case 2025-001"
   - Include/Exclude labels for targeting
   - Artifact selection (e.g., Windows.Forensics.Prefetch)
   - Resource limits (CPU, IOPS, timeout)
4. Launch hunt
5. Monitor progress in real-time
```vql
-- Hunt for a specific file hash across all endpoints
SELECT * FROM Artifact.Generic.Detection.HashHunter(
    Hashes="e99a18c428cb38d5f260853678922e03"
)

-- Hunt for YARA signatures in memory
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
    YaraRule='rule malware { strings: $s1 = "malicious_string" condition: $s1 }'
)

-- Hunt for Sigma rule matches in event logs
SELECT * FROM Artifact.Server.Import.SigmaRules()

-- Hunt for suspicious scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()
WHERE Command =~ "powershell|cmd|wscript|mshta|rundll32"

-- Hunt for processes with network connections to suspicious IPs
SELECT * FROM Artifact.Windows.Network.Netstat()
WHERE RemoteAddr =~ "10\\.13\\.37\\."
```

```vql
-- Monitor for new process creation (Microsoft-Windows-Kernel-Process ETW provider)
SELECT * FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}")
WHERE EventData.ImageName =~ "powershell|cmd|wscript"

-- Monitor file system changes
SELECT * FROM watch_directory(path="C:/Windows/Temp/")

-- Monitor registry changes
SELECT * FROM watch_registry(key="HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**")
```
```text
Velociraptor Server --> Elastic/OpenSearch --> Splunk HEC
                    --> Direct syslog forwarding
                    --> Velociraptor API --> Custom scripts --> Splunk
```
```yaml
# Velociraptor server config for Elastic output
Monitoring:
  elastic:
    addresses:
      - https://elastic.local:9200
    username: velociraptor
    password: secure_password
    index: velociraptor
```
| Technique | VQL Artifact |
|-----------|--------------|
| T1059 - Command Scripting | Windows.EventLogs.EvtxHunter (4104, 4688) |
| T1053 - Scheduled Task | Windows.System.TaskScheduler |
| T1547 - Boot/Logon Autostart | Windows.Persistence.PermanentWMIEvents |
| T1003 - OS Credential Dumping | Windows.Detection.Yara.Process |
| T1021 - Remote Services | Windows.EventLogs.EvtxHunter (4624 Type 3/10) |
| T1070 - Indicator Removal | Windows.EventLogs.Cleared |
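The SIEM diagram above places custom scripts between the Velociraptor API and Splunk, and the table maps event IDs to techniques. As an added example (not Velociraptor's own code), this script tags rows of an exported EvtxHunter hunt with those techniques, extending the table with 7045 (new service installed) as T1543.003; the JSONL row shape (`Computer`, `EventID`, parsed `EventData`) is an assumption modelled on EvtxHunter output, and the sample rows are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample rows in the assumed shape of an EvtxHunter hunt export.
SAMPLE_JSONL = r"""
{"Computer":"WS01","EventID":4624,"EventData":{"LogonType":10,"TargetUserName":"admin","IpAddress":"10.13.37.5"}}
{"Computer":"WS01","EventID":4624,"EventData":{"LogonType":2,"TargetUserName":"alice","IpAddress":"-"}}
{"Computer":"WS02","EventID":4688,"EventData":{"NewProcessName":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe C:\\Temp\\x.hta"}}
{"Computer":"WS02","EventID":4698,"EventData":{"TaskName":"\\Updater"}}
{"Computer":"WS03","EventID":7045,"EventData":{"ServiceName":"svc","ImagePath":"C:\\Temp\\svc.exe"}}
{"Computer":"WS03","EventID":1102,"EventData":{}}
"""

# Script hosts from the scheduled-task hunt above, matched on the image basename.
LOLBIN = re.compile(r"\\(powershell|cmd|wscript|mshta|rundll32)\.exe$", re.I)

# Event IDs that map to a technique without further conditions.
# 7045 -> T1543.003 is an addition beyond the table above.
STATIC_MAP = {4698: "T1053", 1102: "T1070", 7045: "T1543.003"}


def classify(row):
    """Return the ATT&CK technique IDs one hunt row supports (possibly none)."""
    eid = row.get("EventID")
    data = row.get("EventData") or {}
    hits = []
    # T1021 only for network (3) or RemoteInteractive (10) logons, as in the table.
    if eid == 4624 and data.get("LogonType") in (3, 10):
        hits.append("T1021")
    # T1059 for 4688 where the new process is a scripting/LOLBin host.
    if eid == 4688 and LOLBIN.search(data.get("NewProcessName", "")):
        hits.append("T1059")
    if eid in STATIC_MAP:
        hits.append(STATIC_MAP[eid])
    return hits


def summarize(jsonl_text):
    """Parse a JSONL export; return ({computer: sorted techniques}, Counter)."""
    per_host, totals = {}, Counter()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        for tech in classify(row):
            per_host.setdefault(row["Computer"], set()).add(tech)
            totals[tech] += 1
    return {h: sorted(t) for h, t in per_host.items()}, totals


if __name__ == "__main__":
    hosts, totals = summarize(SAMPLE_JSONL)
    for host, techs in hosts.items():
        print(host, ", ".join(techs))
```

Point `summarize` at the JSONL file downloaded from the hunt's results to get a per-host technique list ready for a Splunk HEC post.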