Velociraptor for Endpoint Threat Hunting: A Practical Guide

What Is Velociraptor?

Velociraptor is an open-source endpoint monitoring, digital forensics, and incident response platform. Where commercial EDR tools give you pre-built telemetry with vendor-defined coverage, Velociraptor gives you a flexible framework to ask any question of your endpoints — at scale, in seconds.

It was built by Mike Cohen and the team at Rapid7, is now fully open-source (AGPL), and has a thriving community maintaining the artifact exchange at docs.velociraptor.app/exchange/.

Architecture in brief: A central Velociraptor server communicates with lightweight agents (clients) deployed on endpoints. Operators write queries in VQL (Velociraptor Query Language) — a SQL-like language with built-in functions for OS artifacts, memory, filesystem, registry, and more. Hunt results stream back to the server in real time.

Why Velociraptor vs Commercial EDR

Velociraptor fills a different role than a traditional EDR:

Dimension	Commercial EDR	Velociraptor
Telemetry model	Continuous streaming	On-demand query
Query flexibility	Pre-defined schema	Ad-hoc VQL on any artifact
Memory forensics	Limited	Full via `process` plugins
Cost	High per-endpoint	Free (infra cost only)
Raw artifact access	Rare	Files, registry, MFT, USN journal, etc.

Use Velociraptor alongside your EDR, not instead of it. EDR gives you continuous detection coverage; Velociraptor gives you the ability to ask questions your EDR vendor hasn’t anticipated.

VQL Basics

VQL syntax looks like SQL but operates on virtual tables backed by OS data sources:

-- List all running processes
SELECT Pid, Ppid, Name, CommandLine, Exe
FROM pslist()
ORDER BY Name

-- Find processes with no parent (orphaned processes — suspicious)
SELECT Pid, Name, CommandLine, CreateTime
FROM pslist()
WHERE Ppid = 0 AND Name != "System"

-- Check for persistence via common Run keys
SELECT Key, Name, Type, Data
FROM read_reg_key(
  globs="HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\**"
)

-- Find recently modified files in temp directories
SELECT FullPath, Mtime, Atime, Ctime, Size
FROM glob(globs=[
  "C:/Windows/Temp/**",
  "C:/Users/*/AppData/Local/Temp/**"
])
WHERE Mtime > now() - 86400  -- Last 24 hours
  AND NOT IsDir
  AND Size > 0
ORDER BY Mtime DESC

Core Artifact Types

Velociraptor uses “artifacts” — named, parameterized VQL bundles — organized by category:

Windows.System.Pslist

Built-in artifact for process listing with enrichment:

SELECT Pid, Ppid, Name, Username, CommandLine,
       Exe, Hash.SHA256 AS SHA256,
       Authenticode.Trusted AS Signed
FROM Artifact.Windows.System.Pslist()
WHERE NOT Signed  -- Unsigned processes only

Windows.Forensics.Prefetch

Prefetch files record execution history — invaluable for proving a binary ran even if it’s been deleted:

SELECT Name, PrefetchFileName, LastRunTimes[0] AS LastRun,
       RunCount, BinaryPath
FROM Artifact.Windows.Forensics.Prefetch()
WHERE LastRun > timestamp(epoch=now() - 7*86400)
  AND (Name =~ "PSEXEC" OR Name =~ "MIMIKATZ" OR Name =~ "COBALT")

Windows.Forensics.NTFS.MFT

The Master File Table is a goldmine — it tracks every file ever created, even deleted ones:

-- Find recently created executables outside Program Files
SELECT FullPath, Created0x10 AS Created, Size, InUse
FROM Artifact.Windows.Forensics.NTFS.MFT()
WHERE FullPath =~ "\.exe$"
  AND NOT FullPath =~ "Program Files"
  AND NOT FullPath =~ "Windows\\System32"
  AND Created0x10 > timestamp(epoch=now() - 86400)
  AND InUse  -- Still exists on disk
ORDER BY Created DESC

Building a Custom Threat Hunt Artifact

Artifacts are YAML files with embedded VQL. Here’s a custom artifact for hunting LOLBin abuse:

name: Custom.Hunt.LOLBinExecution
description: Hunt for execution of common living-off-the-land binaries with suspicious parameters
type: CLIENT
parameters:
  - name: LookbackHours
    default: "24"
    type: int
sources:
  - name: SuspiciousExecution
    query: |
      LET lolbins <= (
        "certutil.exe", "mshta.exe", "regsvr32.exe",
        "wscript.exe", "cscript.exe", "rundll32.exe",
        "msiexec.exe", "installutil.exe", "regasm.exe"
      )

      LET suspicious_args <= (
        "-urlcache", "-decode", "-encode",
        "javascript:", "vbscript:", "http://", "https://",
        ".url", "scrobj.dll", "regsvr32"
      )

      SELECT Pid, Ppid,
             basename(path=Exe) AS ProcessName,
             CommandLine,
             Username,
             CreateTime,
             hash(path=Exe).SHA256 AS SHA256
      FROM pslist()
      WHERE basename(path=Exe) IN lolbins
        AND CommandLine =~ join(array=suspicious_args, sep="|")
        AND CreateTime > now() - LookbackHours * 3600

  - name: RecentHistory
    query: |
      -- Check prefetch for historical evidence
      SELECT Name, LastRunTimes[0] AS LastRun, RunCount
      FROM Artifact.Windows.Forensics.Prefetch()
      WHERE Name IN (
        "CERTUTIL.EXE", "MSHTA.EXE", "REGSVR32.EXE",
        "WSCRIPT.EXE", "CSCRIPT.EXE"
      )
      ORDER BY LastRun DESC

Live Response Capabilities

Beyond hunting, Velociraptor excels at live response:

Collect volatile memory artifacts:

-- Enumerate loaded network connections with process context
SELECT Pid, Name, Laddr, Raddr, Status, Type
FROM netstat()
WHERE Status = "ESTABLISHED"
  AND NOT Raddr =~ "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"

Quarantine a host without rebooting:

The Windows.Remediation.Quarantine artifact can isolate a host by manipulating Windows Firewall rules, blocking all traffic except the Velociraptor server connection — allowing continued investigation while containing the threat.

Collect forensic artifacts for offline analysis:

# Via Velociraptor CLI — collect an artifact pack
velociraptor artifact collect Windows.KapeFiles.Targets \
  --args "Device=C:" \
  --output /evidence/collection.zip

Running Fleet-Wide Hunts

The GUI makes fleet-wide hunts straightforward: create a new Hunt, select your artifact, set scope (all clients, OS filter, label filter), and launch. Results stream in as clients respond — you can see partial results as the hunt progresses.

Practical hunt workflow:

Define your hypothesis (e.g., “LSASS dumpers may still be resident in memory”)
Choose or write an artifact
Scope to relevant clients (Windows servers first for high-value targets)
Review results — triage by outlier hostnames, unusual paths, or low-prevalence hashes
Click through to individual hosts for deeper investigation

Velociraptor’s “prevalence” analysis — counting how many endpoints have a given binary hash — is particularly powerful for identifying unique or rarely-seen executables, which are the most likely to be malicious.

Verdict

Velociraptor is one of the most powerful free tools available to a threat hunter. The VQL learning curve is real but shallow — within a day of use, you can write custom queries that answer questions no commercial tool’s pre-built dashboard was designed to answer. For teams that want flexibility and depth over polished UX, it’s a must-have.

Best use cases: incident response, threat hunting, compliance evidence collection, detection validation, and building custom artifact libraries tuned to your environment.