Velociraptor : Endpoint Visibility and Collection Tool

Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries. To learn more about Velociraptor, read the documentation on:

https://www.velocidex.com/docs/

Quick Start

If you want to see what Velociraptor is all about simply:

  • Download the binary from the release page for your favorite platform (Windows/Linux/MacOS).
  • Start the GUI

$ velociraptor gui

This will bring up the GUI, Frontend and a local client. You can collect artifacts from the client (which is just running on your own machine) as normal.

Once you are ready for a full deployment, check out the various deployment options at https://www.velocidex.com/docs/getting-started

Running Velociraptor via Docker

To run a Velociraptor server via Docker, follow the instructions here: https://github.com/weslambert/velociraptor-docker

Running Velociraptor Locally

Velociraptor is also useful as a local triage tool. You can create a self contained local collector using the GUI:

  • Start the GUI as above (velociraptor gui).
  • Select the Server Artifacts sidebar menu, then Build Collector.
  • Select and configure the artifacts you want to collect then select the Uploaded Files tab and download your customized collector.

Building From Source

To build from source, make sure you have a recent Golang installed from https://golang.org/dl/ (Currently at least Go 1.14):

$ git clone https://github.com/Velocidex/velociraptor.git
$ cd velociraptor
#This will build the GUI elements. You will need to have node installed first. For example on Windows get it from https://nodejs.org/en/download/. You also need to have JAVA installed from https://www.java.com because the js compiler needs it.
$ cd gui/static/
$ npm install
#If gulp is not on your path you need to run it using node: node node_modules\gulp\bin\gulp.js compile
$ gulp compile
$ cd –
#This builds a release (i.e. it will embed the GUI files in the binary). If you dont care about the GUI a simple “make” will build a bare debug binary.
$ go run make.go -v release
$ go run make.go -v windows

If you want to rebuild the protobuf you will need to install protobuf compiler (This is only necessary when editing any *.proto file):

$ wget https://github.com/protocolbuffers/protobuf/releases/download/v3.13.0/protoc-3.13.0-linux-x86_64.zip
$ unzip protoc-3.13.0-linux-x86_64.zip
$ sudo mv include/google/ /usr/local/include/
$ sudo mv bin/protoc /usr/local/bin/
$ go get -u github.com/golang/protobuf/protoc-gen-go/
$ go install github.com/golang/protobuf/protoc-gen-go/
$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
$ go install github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
$ ./make_proto.sh

Getting The Latest Version

We have a pretty frequent release schedule but if you see a new feature submitted that you are really interested in, we would love to have more testing prior to the official release.

We have a CI pipeline managed by GitHub actions. You can see the pipeline by clicking the actions tab on our GitHub project. There are two workflows:

  • Windows Test: this workflow build a minimal version of the Velociraptor binary (without the GUI) and runs all the tests on it. We also test various windows support functions in this pipeline. This pipeline builds on every push in each PR.
  • Linux Build All Arches: This pipeline builds complete binaries for many supported architectures. It only runs when the PR is merged into the master branch.

If you fork the project on GitHub, the pipelines will run on your own fork as well as long as you enable GitHub Actions on your fork. If you need to prepare a PR for a new feature or modify an existing feature you can use this to build your own binaries for testing on all architectures before send us the PR.

R K

Recent Posts

Pingora : Cloudflare’s Rust-Powered Framework For Next-Gen Proxies

Pingora is a cutting-edge Rust framework designed to build fast, reliable, and programmable networked systems.…

11 hours ago

DockerSpy : Hidden Secrets In Docker Images For Enhanced Security

DockerSpy is a powerful tool designed to perform Open Source Intelligence (OSINT) on Docker Hub,…

11 hours ago

Anki : The Smart Way To Memorize And Master New Information

Anki is a powerful, open-source flashcard software designed to enhance learning and memory retention through…

11 hours ago

Rolldown : A Next-Generation JavaScript Bundler

Rolldown is an innovative JavaScript/TypeScript bundler written in Rust, designed to revolutionize the development workflow…

11 hours ago

Invoke-ArgFuscator : A Tool For Command-Line Obfuscation

Invoke-ArgFuscator is an open-source, cross-platform PowerShell module designed to obfuscate command-line arguments for system-native executables.…

11 hours ago

Morgan : Advanced JavaScript Security Analyzer

Morgan is an advanced JavaScript security analyzer designed to detect and mitigate sensitive data exposure…

12 hours ago