Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.
To learn more about Velociraptor, read the documentation on:
https://www.velocidex.com/docs/
-
Download the binary from the release page.
-
You need to generate a server config file. This will generate new key material. Simply follow the prompts:
$ velociraptor config generate -i- Start the server:
$ velociraptor --config server.config.yaml frontend -v-
Point a browser at the GUI port that you set in the config file. You should be able to log in with the password set earlier.
-
Launch the client on any system with the generated client config file.
$ velociraptor --config client.conf.yaml client -v- You should be able to search for the client in the GUI, browse VFS, download files etc.
To deploy the windows executable:
-
Install the released MSI installer.
-
Drop the client configuration into
C:\Program Files\Velociraptor\Velociraptor.config.yamlusing any system administration method (e.g. group policy, SCCM etc).
See more information for deployment options at https://www.velocidex.com/docs/getting-started
Velociraptor is also useful as a local triage tool. In particular you might find Velociraptor's artifacts especially useful for quickly capturing important information about a running system. You can collect artifacts by using the "artifacts collect" command:
$ velociraptor artifacts list
INFO:2018/08/20 22:28:56 Loaded 18 built in artifacts
INFO:2018/08/20 22:28:56 Loaded 18 artifacts from artifacts/definitions/
Linux.Applications.Chrome.Extensions
Linux.Applications.Chrome.Extensions.Upload
Linux.Applications.Docker.Info
Linux.Applications.Docker.Version
Linux.Debian.AptSources
$ velociraptor artifacts list -v Linux.Debian.AptSources
.... displays the artifacts
$ velociraptor artifacts collect -v Linux.Debian.AptSources --output myfile.zip
... Collects all the named artifacts into myfile.zipExplore more of Velociraptor's options using the -h flag.
To build from source, make sure you have a recent Golang installed from https://golang.org/dl/ (Currently at least Go 1.13):
$ git clone https://github.com/Velocidex/velociraptor.git
$ cd velociraptor
# This will build the GUI elements. You will need to have node
# installed first. For example on Windows get it from
# https://nodejs.org/en/download/ . You also need to have JAVA
# installed from https://www.java.com because the js compiler
# needs it.
$ cd gui/static/
$ npm install
# If gulp is not on your path you need to run it using node:
# node node_modules\gulp\bin\gulp.js compile
$ gulp compile
$ cd -
# This builds a release (i.e. it will embed the GUI files in the
# binary). If you dont care about the GUI a simple "make" will
# build a bare debug binary.
$ go run make.go -v release
$ go run make.go -v windowsIf you want to rebuild the protobuf you will need to install protobuf
compiler (This is only necessary when editing any *.proto file):
$ wget https://github.com/protocolbuffers/protobuf/releases/download/v3.8.0/protoc-3.8.0-linux-x86_64.zip
$ unzip protoc-3.8.0-linux-x86_64.zip
$ sudo mv include/google/ /usr/local/include/
$ sudo mv bin/protoc /usr/local/bin/
$ go get -u github.com/golang/protobuf/protoc-gen-go/
$ go install github.com/golang/protobuf/protoc-gen-go/
$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
$ go install github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
$ ./make_proto.sh
We have a pretty frequent release schedule but if you see a new feature submitted that you are really interested in, we would love to have more testing prior to the official release.
We have a CI pipeline at https://www.velocidex.com/ci managed by
AppVeyor. The pipeline produces a complete windows binary
built at each commit poiint - simply click on the artifacts tab,
scroll down and download velociraptor.exe
Additionally we build all binaries using Github actions. Simply click
the actions tab
on Github and download the Binaries.zip file. This will contain
binaries for Windows, MacOS and Linux.
Questions and feedback are welcome at velociraptor-discuss@googlegroups.com
You can also chat with us directly on discord https://www.velocidex.com/discord
File issues on https://github.com/Velocidex/velociraptor
Read more about Velociraptor on our blog:
https://www.velocidex.com/blog/
Hang out on Medium https://medium.com/velociraptor-ir