Velociraptor is a tool for collecting host-based state information using Velocidex Query Language (VQL) queries.
To learn more about Velociraptor, read the documentation on:
https://www.velocidex.com/docs/
- Download the binary from the release page.
- Generate a server config file. This creates new key material (including the server's private keys), so restrict read access to the file as you would any other credential. Simply follow the prompts:
  $ velociraptor config generate -i
- Start the server:
  $ velociraptor --config /etc/velociraptor.config.yaml frontend -v
- Point a browser at the GUI port that you set in the config file. You should be able to log in with the password set earlier.
- Launch the client on any system with the generated client config file:
  $ velociraptor --config client.conf.yaml client -v
- You should be able to search for the client in the GUI, browse the VFS, download files etc.
To deploy the Windows executable:
- Install the released MSI installer.
- Drop the client configuration into
  C:\Program Files\Velociraptor\Velociraptor.config.yaml
  using any system administration method (e.g. Group Policy, SCCM etc).
See more information for deployment options at https://www.velocidex.com/docs/getting-started
Velociraptor is also useful as a local triage tool. In particular you might find Velociraptor's artifacts especially useful for quickly capturing important information about a running system. You can collect artifacts by using the "artifacts collect" command:
$ velociraptor artifacts list
INFO:2018/08/20 22:28:56 Loaded 18 built in artifacts
INFO:2018/08/20 22:28:56 Loaded 18 artifacts from artifacts/definitions/
Linux.Applications.Chrome.Extensions
Linux.Applications.Chrome.Extensions.Upload
Linux.Applications.Docker.Info
Linux.Applications.Docker.Version
Linux.Debian.AptSources
$ velociraptor artifacts list -v Linux.Debian.AptSources
... displays the full definition of the named artifact
$ velociraptor artifacts collect -v Linux.Debian.AptSources --output myfile.zip
... collects the named artifacts into myfile.zip
Explore more of Velociraptor's options using the -h flag.
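As an added example (not part of the Velociraptor project or this README), the following shell wrapper turns the "artifacts collect" invocation above into a repeatable triage run: it refuses to run unprivileged unless told otherwise (most artifacts read files only root can open, and an unprivileged run comes back silently incomplete), writes the collection to a host- and time-stamped zip, and records a SHA-256 manifest beside it so the zip can be verified after it has been copied off the host. It assumes only what the README shows, namely that "velociraptor artifacts collect NAME... --output FILE" writes a zip to FILE; the variables VELOCIRAPTOR_BIN and ALLOW_UNPRIVILEGED and the function names are the example's own.

```bash
#!/bin/sh
# Added example, not part of the Velociraptor project: a wrapper around
# "velociraptor artifacts collect" for local triage. Assumes only that
# "artifacts collect NAME... --output FILE" writes a zip to FILE, as the
# README shows. VELOCIRAPTOR_BIN and ALLOW_UNPRIVILEGED are this
# example's own variables.
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# collect_triage OUTDIR ARTIFACT...
# Runs the collection and prints the path of the zip it wrote.
collect_triage() {
    outdir="$1"
    shift
    bin="${VELOCIRAPTOR_BIN:-velociraptor}"

    # Most artifacts read files only root can open; a collection run as an
    # ordinary user silently comes back incomplete, so refuse by default.
    if [ "$(id -u)" -ne 0 ] && [ -z "${ALLOW_UNPRIVILEGED:-}" ]; then
        echo "collect_triage: run as root (or set ALLOW_UNPRIVILEGED=1)" >&2
        return 1
    fi

    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    host="$(uname -n)"
    zip="$outdir/${host}_${stamp}.zip"
    mkdir -p "$outdir"

    # Keep stdout clean so the caller can capture the zip path below.
    "$bin" artifacts collect --output "$zip" "$@" >/dev/null

    # Hash the zip and keep the manifest beside it (basename only, so the
    # pair can be moved to another directory or host and still verify).
    ( cd "$outdir" && $(sha256_tool) "$(basename "$zip")" > "$(basename "$zip").sha256" )
    printf '%s\n' "$zip"
}

# verify_triage ZIP
# Returns 0 if ZIP still matches the manifest written by collect_triage.
verify_triage() {
    zip="$1"
    ( cd "$(dirname "$zip")" && $(sha256_tool) -c "$(basename "$zip").sha256" >/dev/null )
}
```

Typical use is "sudo sh triage.sh" with a line such as "collect_triage /mnt/usb/triage Linux.Debian.AptSources Linux.Applications.Docker.Info" appended, then "verify_triage /path/to/host_stamp.zip" on the analysis machine before opening the archive.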
To build from source, make sure you have a recent Go toolchain installed from https://golang.org/dl/ (currently at least Go 1.11; Go 1.13 is recommended):
$ git clone https://github.com/Velocidex/velociraptor.git
$ cd velociraptor
# This will build the GUI elements. You will need to have node
# installed first. For example on Windows get it from
# https://nodejs.org/en/download/ . You also need to have JAVA
# installed from https://www.java.com because the js compiler
# needs it.
$ cd gui/static/
$ npm install
# If gulp is not on your path you need to run it using node:
# node node_modules\gulp\bin\gulp.js compile
$ gulp compile
$ cd -
# This builds a release (i.e. it will embed the GUI files in the
# binary). If you don't care about the GUI a simple "make" will
# build a bare debug binary.
$ go run make.go -v release
$ go run make.go -v windows
If you want to rebuild the protobuf code you will need to install the protobuf compiler (this is only necessary when editing a *.proto file):
$ wget https://github.com/protocolbuffers/protobuf/releases/download/v3.8.0/protoc-3.8.0-linux-x86_64.zip
$ unzip protoc-3.8.0-linux-x86_64.zip
$ sudo mv include/google/ /usr/local/include/
$ sudo mv bin/protoc /usr/local/bin/
$ go get -u github.com/golang/protobuf/protoc-gen-go/
$ go install github.com/golang/protobuf/protoc-gen-go/
$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
$ go install github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
$ ./make_proto.sh
We have a pretty frequent release schedule, but if you see a new feature submitted that you are really interested in, we would love to have more testing prior to the official release.
We have a CI pipeline at https://www.velocidex.com/ci managed by AppVeyor. The pipeline produces complete Windows and Linux binaries built at each commit point: simply click on the artifacts tab, scroll down and download velociraptor.exe or velociraptor_linux.elf.
Questions and feedback are welcome at velociraptor-discuss@googlegroups.com
You can also chat with us directly on discord https://www.velocidex.com/discord
File issues on https://github.com/Velocidex/velociraptor
Read more about Velociraptor on our blog: