Velociraptor? Dinosaur?

I am really new to using Velociraptor, so please excuse me if I made a mistake here.

This is a practical guide to DFIR, threat hunting and detection engineering with Velociraptor.


🧩 What is Velociraptor?

Velociraptor is a DFIR and threat hunting platform. Everything it does on an endpoint, from one-off collections to fleet-wide hunts and continuous monitoring, is expressed in VQL (Velociraptor Query Language), and reusable queries are packaged as artifacts.

Key features:


🚀 Basic Commands

Start/Stop Service (Linux)

systemctl start velociraptor
systemctl stop velociraptor
systemctl status velociraptor

The unit name depends on how Velociraptor was installed: the Debian packages built with "velociraptor debian server" and "velociraptor debian client" install units named velociraptor_server and velociraptor_client, so run systemctl list-units 'velociraptor*' if the name above is not found.

Run the Server (frontend and GUI)

velociraptor --config server.config.yaml frontend

Client Diagnostics

interrogate is not one of the velociraptor binary's documented subcommands. The interrogation the server performs when a client enrols is the Generic.Client.Info artifact, and the client-side equivalent is to collect that artifact locally with the client config:

velociraptor --config client.config.yaml artifacts collect Generic.Client.Info

🧪 VQL Basics

Query Template

SELECT field1, field2 FROM source()

Run VQL in GUI


📚 Common VQL Sources

Artifacts are invoked from VQL as Artifact.<Name>(); the artifact's own name (as shown in the GUI) carries no Artifact. prefix.

Source                                        Purpose
Artifact.Windows.Sysinternals.Autoruns()      Autoruns and persistence (runs Sysinternals autorunsc on the endpoint)
Artifact.Windows.EventLogs.*()                Windows event logs, e.g. Windows.EventLogs.Evtx, Windows.EventLogs.PowershellScriptblock
Artifact.Windows.Detection.*()                Built-in detections
pslist()                                      Processes (Pid, Ppid, Name, Exe, CommandLine, Username, ...)
glob(globs=...)                               Files on disk (there is no filelist() plugin in VQL)
glob(globs=..., accessor="registry")          Windows registry keys and values (there are no winreg_*() plugins; read_reg_key() reads one key's values as columns)
netstat()                                     Network connections (Pid, Laddr.IP, Laddr.Port, Raddr.IP, Raddr.Port, Status)
parse_evtx(filename=...)                      Parse a single .evtx file into System and EventData fields

๐Ÿ•ต๏ธโ€โ™‚๏ธ Threat Hunting Queries

List Running Processes

SELECT Name, Pid, Exe, Cmdline FROM pslist()

Suspicious Processes

SELECT * FROM pslist() WHERE Cmdline =~ "(powershell|nc|base64|wget)"

Network Connections

SELECT LocalAddr, RemoteAddr, Pid FROM netstat()

Look for Reverse Shell Indicators

SELECT * FROM pslist() WHERE Cmdline =~ "(tcp|udp|connect|bash -i)"

Search File System for IOCs

SELECT * FROM filelist(globs="**/suspect.exe")

Detect Persistence via Registry Run Keys

SELECT Name, Data FROM winreg_list_keys(path="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
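The process and connection queries above answer "what is running" and "what is connected" separately; the question a hunter actually asks is which process owns each outbound connection. The following query is an added example, not one of the page's queries, showing the LET/foreach join idiom that the built-in Windows.Network.NetstatEnriched artifact also relies on. The private-range regex is an assumption for a typical corporate network; adjust it to your own address plan.

```vql
-- Added example (not from the page): established outbound connections to
-- non-private addresses, joined to the owning process so the analyst sees
-- who opened the socket.

-- Address ranges treated as internal (assumption: RFC1918, loopback,
-- link-local, IPv6 loopback/link-local/ULA). Tune for your environment.
LET Private = "(?i)^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.|169\\.254\\.|::1$|fe80:|f[cd])"

-- Socket table. The connection's Pid is renamed to ConnPid so it does not
-- collide with the Pid column of pslist() inside the foreach below.
-- UDP rows carry no Status, so the ESTAB filter also drops them.
LET Conns = SELECT Pid AS ConnPid, Laddr.Port AS LocalPort,
                   Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
  FROM netstat()
  WHERE Status =~ "ESTAB" AND NOT (RemoteIP =~ Private)

-- For each connection look up its process. pslist(pid=...) fetches a single
-- process, which is far cheaper than scanning the full list once per socket.
-- Columns of the foreach row (ConnPid, RemoteIP, ...) are in scope inside
-- the inner query, so they can be selected alongside the pslist() columns.
SELECT * FROM foreach(row=Conns, query={
    SELECT ConnPid AS Pid, Name, Exe, Username, CommandLine, Ppid,
           RemoteIP, RemotePort, LocalPort
    FROM pslist(pid=ConnPid)
})
ORDER BY RemoteIP
```

Run it from a client collection or a hunt; in a notebook it is the starting point for the usual pivots (Ppid to find the parent, Exe into hash() or authenticode(), RemoteIP against your threat-intel list).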

🧰 Velociraptor Artifacts (Most Useful)

Windows

Linux

Endpoint Monitoring


📡 Live Hunt Examples

Find Mimikatz Execution

Mimikatz is a post-exploitation tool used to extract credentials from Windows systems. Operators usually rename the binary, so match its command-line modules as well as the image name.

SELECT Pid, Name, Exe, Username, CommandLine FROM pslist() WHERE Exe =~ "(?i)mimikatz" OR CommandLine =~ "(?i)(sekurlsa|privilege::debug|lsadump::)"

PowerShell Download Cradle

There is no Windows.EventLogs.PowerShell artifact. Script block logging (which must be enabled for these events to exist) writes event 4104 to the Microsoft-Windows-PowerShell/Operational log; parse that .evtx directly with parse_evtx() and filter on the ScriptBlockText field:

SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime, EventData.ScriptBlockText AS ScriptBlock
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Microsoft-Windows-PowerShell%4Operational.evtx")
WHERE System.EventID.Value = 4104 AND EventData.ScriptBlockText =~ "(?i)(DownloadString|DownloadFile|Invoke-WebRequest)"

Detect Web Shells

Small .aspx files under the web root are a cheap first pass (many shells are one-liners), but size alone gives both misses and noise; treat the output as a triage list, not a verdict.

SELECT OSPath, Size, Mtime FROM glob(globs="C:/inetpub/wwwroot/**/*.aspx") WHERE Size < 2000
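A size threshold says nothing about what a file does. The query below is an added example, not from the page, that reads each script-mapped file under the web root and flags the code shapes web shells share: eval of request input, process spawning, reflective assembly loading, or a China Chopper style one-line handler. The IIS paths, size cap and pattern list are assumptions; for another server swap the glob list (e.g. /var/www/**/*.php) and the patterns.

```vql
-- Added example (not from the page): content-based web shell triage under an
-- IIS web root. Paths and patterns are assumptions; tune them per server.

-- glob() accepts a list, so every handler extension is covered in one pass.
LET WebRoots = ["C:/inetpub/wwwroot/**/*.aspx", "C:/inetpub/wwwroot/**/*.ashx",
                "C:/inetpub/wwwroot/**/*.asmx", "C:/inetpub/wwwroot/**/*.asp"]

-- Strings typical of ASP/ASP.NET shells. Request\[.{1,10}\] catches the
-- Request["z"] style used by China Chopper without needing quotes in the regex.
LET ShellRegex = "(?i)(eval\\s*\\(\\s*Request|Request\\[.{1,10}\\]\\s*\\)?\\s*,\\s*\"unsafe\"|cmd\\.exe|Process\\.Start|Assembly\\.Load|XmlSerializer\\.Deserialize|ProcessStartInfo)"

SELECT OSPath, Size, Mtime, Btime,
       hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs=WebRoots)
-- Skip directories and anything large enough to be a real application file;
-- read_file() only runs on rows that pass the cheap checks before it.
WHERE NOT IsDir AND Size < 200000
  AND read_file(filename=OSPath) =~ ShellRegex
ORDER BY Mtime DESC
```

Btime (creation time) next to Mtime is deliberate: a shell dropped into an old application directory usually has a Btime far newer than its neighbours, which is a better signal than size. The SHA256 lets you pivot straight to a fleet-wide hash hunt once one shell is confirmed.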

🔎 DFIR Investigation

File System Timeline

SELECT * FROM Artifact.Windows.Forensics.Timeline()

Investigate Modified System Binaries

Mtime is a timestamp while now() returns epoch seconds, so convert the cutoff with timestamp() before comparing. A binary that changed recently and does not carry a trusted Authenticode signature is the one to look at first.

SELECT OSPath, Size, Mtime, authenticode(filename=OSPath).Trusted AS Trusted FROM glob(globs="C:/Windows/System32/*.exe") WHERE Mtime > timestamp(epoch=now() - 3600)

Saved Credentials (Windows Credential Manager)

SELECT * FROM Artifact.Windows.Forensics.CredentialManager()

๐Ÿ“ Writing Custom VQL

Basic VQL Artifact Template

name: Custom.Hunt.SuspiciousFiles
sources:
  - query: |
      SELECT * FROM filelist(globs="C:/Users/*/AppData/**/*.exe")

Add Parameters

params:
  - name: TargetGlob
    default: "**/*.exe"

sources:
  - query: |
      SELECT * FROM filelist(globs=TargetGlob)
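A template with one glob parameter is rarely what ends up in a hunt. The artifact below is an added, hypothetical example (not from the page and not a built-in Velociraptor artifact) showing the pieces a reusable hunt artifact usually carries: typed parameters with descriptions, a precondition so it only runs on Windows, a LET for the derived cutoff, and enrichment columns. The name, parameter names and the exclusion regex are assumptions.

```yaml
# Added example artifact (hypothetical; not part of the page or of Velociraptor).
name: Custom.Hunt.UserProfileExecutables
description: |
  Executables dropped under user profile paths, with the glob, an exclusion
  regex and a maximum age exposed as parameters so the same artifact can be
  reused across hunts without editing the VQL.
type: CLIENT

parameters:
  - name: TargetGlob
    description: Glob to search; forward slashes work on Windows.
    default: "C:/Users/*/AppData/**/*.exe"
  - name: ExcludeRegex
    description: Paths matching this regex are ignored (known-good vendor directories; assumption).
    type: regex
    default: '(?i)\\AppData\\Local\\(Microsoft|Google|Mozilla)\\'
  - name: MaxAgeDays
    description: Only report files modified within this many days.
    type: int
    default: "30"

# Artifacts only run on clients where the precondition returns a row.
precondition: SELECT OS FROM info() WHERE OS = 'windows'

sources:
  - query: |
      -- Derived once, not per row: epoch seconds converted to a timestamp
      -- so it compares correctly with Mtime.
      LET Cutoff = timestamp(epoch=now() - MaxAgeDays * 86400)

      SELECT OSPath, Size, Mtime, Btime,
             hash(path=OSPath).SHA256 AS SHA256,
             authenticode(filename=OSPath).Trusted AS Trusted
      FROM glob(globs=TargetGlob)
      WHERE NOT IsDir
        AND Mtime > Cutoff
        AND NOT (OSPath =~ ExcludeRegex)
```

Paste it into the GUI's artifact editor (View Artifacts, Add an Artifact), then launch it as a collection or a hunt; the parameters appear as form fields, which is the point of exposing them rather than hard-coding the glob.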

🎯 Detection Engineering with Velociraptor

1. Build High-Fidelity Detections

Use VQL to:

2. Example: Detection for Living-Off-The-Land (LOLBin)

Exe holds the full image path, so Exe IN ("certutil.exe", ...) never matches anything. Match on Name (the bare image name) instead, and keep the command line in the output, because a LOLBin with no arguments is rarely interesting.

SELECT Pid, Ppid, Name, Username, CommandLine FROM pslist()
WHERE Name =~ "(?i)^(certutil|bitsadmin|wmic)\\.exe$"

3. Example: Detect Encoded PowerShell Commands

4104 script block events contain the already-decoded script, so the string "EncodedCommand" will not appear in them. The -EncodedCommand switch (and its -e / -en / -enc abbreviations) lives on the process command line, followed by a base64 blob:

SELECT Pid, Ppid, Name, Username, CommandLine FROM pslist()
WHERE Name =~ "(?i)^(powershell|pwsh)\\.exe$" AND CommandLine =~ "(?i)\\s-(e|en|enc|encodedcommand)\\s+[A-Za-z0-9+/=]{20,}"
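A detection that only lists matching processes leaves the analyst to work out why each row fired and what the encoded blob said. The query below is an added example, not from the page, that turns the two detections above into one result set: each row is tagged with the rule that fired, -EncodedCommand payloads are decoded in place, and the parent process is attached for context. The rule names and the LOLBin argument patterns are assumptions to adapt to your environment.

```vql
-- Added example (not from the page): two rules over pslist(), unioned with
-- chain(), tagged by rule, with encoded PowerShell decoded and parent attached.

-- Named capture group Enc pulls the base64 blob out of the command line.
LET EncRegex = "(?i)\\s-(?:e|en|enc|encodedcommand)\\s+(?P<Enc>[A-Za-z0-9+/=]{20,})"

-- Rule 1: LOLBins whose arguments point at download, decode or remote
-- execution (pattern list is an assumption; extend it as you tune).
LET LolbinHits = SELECT "LOLBin.SuspiciousArgs" AS Rule,
                        Pid, Ppid, Name, Username, CommandLine,
                        NULL AS Decoded
  FROM pslist()
  WHERE Name =~ "(?i)^(certutil|bitsadmin|wmic|mshta|regsvr32|rundll32)\\.exe$"
    AND CommandLine =~ "(?i)(-urlcache|-decode|/transfer|process call create|https?://|/i:|javascript:)"

-- Rule 2: PowerShell launched with an encoded command. The blob is base64 of
-- UTF-16LE text, so base64decode() alone gives interleaved NULs; utf16()
-- converts it to readable UTF-8.
LET EncodedPs = SELECT "PowerShell.EncodedCommand" AS Rule,
                       Pid, Ppid, Name, Username, CommandLine,
                       utf16(string=base64decode(
                           string=parse_string_with_regex(string=CommandLine, regex=EncRegex).Enc)) AS Decoded
  FROM pslist()
  WHERE Name =~ "(?i)^(powershell|pwsh)\\.exe$" AND CommandLine =~ EncRegex

-- chain() runs each named query in turn and emits their rows one after the
-- other. The subquery in the column list looks up the parent by Ppid for
-- every row; it materialises as a one-row list such as [{"Name": "winword.exe"}].
SELECT *, { SELECT Name FROM pslist(pid=Ppid) } AS Parent
FROM chain(a=LolbinHits, b=EncodedPs)
```

The Rule column is what makes this usable at scale: in a hunt notebook you can GROUP BY Rule to see volume per detection, and an Office or browser process in Parent next to a decoded download cradle is about as high-fidelity as a process-list detection gets.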

🛡 Best Practices (by ChatGPT)


🚀 Hunting Workflow for DFIR

  1. Collect triage artifacts (pslist, netstat, autoruns)

  2. Build timeline

  3. Search for suspicious processes or connections

  4. Enumerate persistence

  5. Extract IOCs

  6. Hunt organization-wide

  7. Validate and respond
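Steps 6 and 7 are where most of the value and most of the noise live: a fleet-wide autoruns hunt returns thousands of rows, nearly all of them baseline. The server-side query below is an added example, not from the page, that stacks the results of a Windows.Sysinternals.Autoruns hunt in a notebook so that entries present on only a handful of hosts surface first. The hunt id H.1234ABCD is a placeholder for your own hunt.

```vql
-- Added example (not from the page): server-side stacking of a fleet-wide
-- Windows.Sysinternals.Autoruns hunt, run from a notebook on the server.
-- H.1234ABCD is a placeholder; substitute the id of your own hunt.
LET HuntId = "H.1234ABCD"

-- hunt_results() joins every client's collection for the artifact into one
-- table and adds ClientId and Fqdn. autorunsc column names contain spaces,
-- hence the backtick quoting.
LET Entries = SELECT ClientId, Fqdn,
                     `Entry Location` AS Location, Entry,
                     `Image Path` AS ImagePath, `Launch String` AS LaunchString, MD5
  FROM hunt_results(hunt_id=HuntId, artifact="Windows.Sysinternals.Autoruns")

-- Stack by launch string and hash. On a few hundred hosts a HostCount of 1-2
-- is the outlier list to validate; entries on every host are baseline and can
-- be filtered out (or the ORDER BY flipped) once the rare ones are reviewed.
SELECT Location, Entry, ImagePath, LaunchString, MD5,
       count() AS HostCount,
       enumerate(items=Fqdn) AS Hosts
FROM Entries
GROUP BY LaunchString, MD5
ORDER BY HostCount
LIMIT 50
```

Grouping on MD5 as well as LaunchString matters: the same launch string with two different hashes across the fleet is exactly the case (a replaced service binary, a trojanised updater) that a launch-string-only stack would hide.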