CyberCheatsheets

Velociraptor Cheat Sheet

Endpoint visibility and digital forensic platform with VQL for hunting, collections, and incident response at scale.

Category: Forensics & IR | Tags: artifact, hunting, ir | Updated 2026-06-02

Overview

Velociraptor runs a lightweight agent on each endpoint (or a stand-alone offline collector when no agent can be installed) and answers queries written in VQL: collect artifacts from one host, hunt the same artifact across the whole fleet, and pull the results back to a central server. Typical IR uses are process listings, registry keys, browser history and YARA scans.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

Server + client binary

# The filename pins v0.72.0; the latest/download/ redirect only resolves it while that is the newest release, so check the releases page first
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-v0.72.0-linux-amd64
chmod +x velociraptor-* && mv velociraptor-* /usr/local/bin/velociraptor
velociraptor version

Generate server config (first time). The interactive wizard writes server.config.yaml and client.config.yaml into the current directory; keep the server file off the endpoints, it holds the private keys.

velociraptor config generate -i
velociraptor --config server.config.yaml frontend -v

Essential commands

Interactive client (local debug)

velociraptor -c client.config.yaml query "SELECT * FROM info()"

Built-in artifact collection

velociraptor -c client.config.yaml artifacts collect Windows.System.Pslist

Common workflows

VQL notebook queries (UI) —

-- Running processes
SELECT Pid, Name, CommandLine, Username
FROM pslist()
-- Network connections
SELECT Pid, Laddr, Raddr, Status
FROM netstat()
-- Files in user Downloads modified last 7 days
SELECT FullPath, Mtime, Size
FROM glob(globs="C:/Users/*/Downloads/**")
WHERE Mtime > timestamp(epoch=now() - 7*86400)
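The three notebook queries above each look at one data source. An added example (not from the original page) shows the kind of correlation a hunt usually needs: processes whose binary lives in a user-writable location, joined to their established network connections and enriched with a SHA256. The regex for "user-writable" is an assumption to adapt per environment; column names are those of pslist() and netstat() on Windows.

```vql
-- Added example, not from the original page. Windows-specific.
-- Which paths count as "user-writable" is an assumption; extend the regex.
LET UserWritable = '''(?i)\\(Users|ProgramData|Windows\\Temp)\\'''

-- Stored query: candidate processes, hashed once per process rather than per socket
LET Procs = SELECT Pid AS ProcPid, Name, Exe, CommandLine, Username,
       hash(path=Exe).SHA256 AS SHA256
  FROM pslist()
  WHERE Exe =~ UserWritable

-- For each candidate, emit one row per established connection it owns.
-- Inside the inner query, Pid is netstat()'s column and ProcPid comes from the row.
SELECT * FROM foreach(
  row=Procs,
  query={
    SELECT ProcPid AS Pid, Name, Username, Exe, SHA256, CommandLine,
           Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
           Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
    FROM netstat()
    WHERE Pid = ProcPid AND Status =~ "ESTAB"
  })
```

Run it in a client notebook on one host first; a process with no connections produces no row, which is the intended behaviour for a "beaconing from a dropped binary" hunt. Drop the Status filter to also see listeners.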

Offline collector (no agent). Build it in the GUI with the Server.Utils.CreateCollector artifact: the result is a self-contained executable with the chosen artifacts embedded. Run it from an elevated shell on the target with no arguments; it writes a zip of results and uploads into its working directory. The plain binary can do the same ad hoc:

velociraptor artifacts collect Windows.KapeFiles.Targets --args KapeTriage=Y --output collection.zip

YARA hunt (files) —

-- yara() takes files, proc_yara() takes a pid; the original proc.yara(processes=...) form does not exist
LET Rules = 'rule test { strings: $a = "evil" condition: $a }'

SELECT FileName, Rule, Tags, String.Name AS Match, String.Offset AS Offset
FROM foreach(
  row={ SELECT OSPath FROM glob(globs="C:/Users/*/Downloads/*") },
  query={ SELECT FileName, Rule, Tags, String FROM yara(files=OSPath, rules=Rules) })
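The file scan above leaves process memory untouched. An added example (not from the original page) scans live processes with the same rule: proc_yara() scans one pid, so it is driven from pslist(), and the agent's own pid is skipped with getpid() because the rule text itself sits in its memory and would match.

```vql
-- Added example, not from the original page: process-memory YARA sweep.
-- proc_yara() scans a single pid, so iterate pslist() and feed each one in.
LET Rules = 'rule test { strings: $a = "evil" condition: $a }'

SELECT * FROM foreach(
  row={
    -- skip the Velociraptor process itself: the rule string lives in its memory
    SELECT Pid, Name, Exe FROM pslist()
    WHERE Pid != getpid()
  },
  query={
    SELECT Pid, Name, Exe, Rule, String.Name AS Match, String.Offset AS Offset
    FROM proc_yara(pid=Pid, rules=Rules)
  })
```

Expect one row per matching string per process; add GROUP BY Pid, Rule if you only want to know which processes hit. Scanning every process is expensive, so narrow pslist() with a WHERE on Name or Exe before running this fleet-wide.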

Upload / file fetch —

-- SAM is held open by the kernel; the default accessor gets a sharing violation,
-- so read it through the raw NTFS accessor. Uploads land under the flow's Uploaded Files tab.
SELECT upload(file="C:/Windows/System32/config/SAM", accessor="ntfs") AS Upload
FROM scope()

Linux agent —

sudo velociraptor -c client.config.yaml client -v

Flags reference

frontend                 Start the server: GUI, API and the client-facing frontend
client                   Run the agent
artifacts list           List available artifact definitions
artifacts collect NAME   Collect an artifact locally (add --output FILE for a zip)
query 'VQL'              Run an ad-hoc query with the given config
--config FILE, -c FILE   Path to the YAML config (server or client)
config generate -i       Interactively bootstrap server and client configs
Ports                    GUI defaults to 8889; the client frontend defaults to 8000

Tips

  • VQL is powerful and runs with the agent's privileges: test hunts on a single host before org-wide deployment.
  • Use labels (e.g. windows, critical) to scope hunts to the hosts that need them.
  • The offline collector binary runs without a permanent agent, which suits one-off IR on isolated hosts.
  • Translate Sigma rules into Velociraptor artifacts for detection engineering.
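The label tip above is usually applied from the GUI. An added example (not from the original page) does it from a server notebook, which needs server-side permissions: label every Windows client, then launch a hunt restricted to that label and leave it paused for review. Parameter names follow the documented label() and hunt() functions; include_labels and pause are assumed to match the current build.

```vql
-- Added example, not from the original page. Server notebook VQL; needs
-- permission to label clients and start hunts.

-- Windows clients, identified from the OS info reported on enrolment
LET Windows = SELECT client_id, os_info.system AS OS
  FROM clients()
  WHERE OS = "windows"

-- Apply the label (op="remove" undoes it)
SELECT client_id, label(client_id=client_id, labels=["windows"], op="set") AS Labeled
FROM Windows

-- Launch the hunt against that label only. pause=TRUE keeps it stopped until a
-- reviewer starts it in the GUI, so a typo in the label does not hit the fleet.
-- (include_labels and pause are assumed to be the current parameter names.)
SELECT hunt(
  description="Pslist baseline, Windows only",
  artifacts=["Windows.System.Pslist"],
  include_labels=["windows"],
  pause=TRUE) AS HuntId
FROM scope()
```

Run the three statements as one cell; the first two tables show what was labelled and the third returns the hunt id to open in the GUI.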
