Velociraptor Deployment

Why a query language?

Able to dynamically adapt to changing requirements - without needing to rebuild clients or servers.
For example, a new IOC is released for detection of a specific threat
- Immediately write a VQL artifact for the threat, upload the artifact and hunt everywhere for it.
- Turn around from IOC to full hunt: A few minutes.
- Share artifacts with the community
VQL Artifacts are simply YAML files with VQL queries.
- Can be easily shared and cross pollinate other Artifacts
- Can be customized by callers.
- Public Artifact Reference

What is VQL?

SELECT X, Y, Z FROM plugin(arg=1) WHERE X = 1

X, Y, Z are called Column Selectors
plugin(arg=1) is termed a VQL Plugin with Args
X = 1 is the Filter Condition

Velociraptor artifacts

Velociraptor is just a VQL engine!

We package VQL queries in Artifacts:
- YAML files
- Include human description
- Package related VQL queries into “Sources”
- Take parameters for customization
- Can in turn be used in VQL as well...

What does the VFS view do under the cover?

Refreshing the VFS simply schedules new artifacts to be collected - it is just a GUI convenience.

Velociraptor uses expert knowledge

A key objective of Velociraptor is encapsulating DFIR knowledge into the platform, so you don’t need to be a DFIR expert. We have high level questions to answer We know where to look for evidence of user / system activities

We build artifacts to collect and analyze the evidence in order to answer our investigative questions.

Anatomy of an artifact

Collecting new artifacts

To collect a new artifact, from the Collected Artifacts screen, click Collect new artifact and search for it. Select Add to add it to this collection. When finished, click Next.

Configuring the artifact collection

Many artifacts take parameters that can control the way they work.

Configuring collection resource limits

There are many safety limits implemented into the client to control endpoint impact.

What do artifacts return?

All artifacts produce rows since they are just queries.
Some artifacts also upload files. You can create a download zip to export all the uploaded files.

Uploaded files

The uploads tab shows the file's location on the server.
You can download or preview each one individually.

Artifact query logs

As the query is running on the endpoint any log messages are sent to the server.
Click the log tab to see if there were any errors and how many rows are expected.

Artifacts return multiple tables (sources)

Source Selector: Viewing the result tab shows the rows sent from every artifact and source.

Exporting artifact collections

Use the GUI to create a zip export of the collection
Set a password in user preferences to export an encrypted Zip File

Velociraptor Artifacts

Fast, Efficient, Surgical