Velociraptor

Velociraptor is a digital forensics and incident response platform, endpoint detection and response system, and visibility tool. It provides a query engine and remote forensic collector used to hunt for indicators of compromise and perform triage across a fleet of hosts.

The system is distinguished by its specialized query language for interrogating host state and parsing binary files. It features a notebook environment that combines markdown documentation with executable query cells to standardize investigative workflows and enable collaborative reporting.

The platform covers a wide range of capabilities including real-time kernel event streaming, remote filesystem browsing, and raw NTFS parsing for forensic evidence preservation. It includes an extensibility framework for importing community-defined artifacts and supports multi-tenant data isolation to separate evidence by organization.

The project provides a command-line interface for artifact validation and execution, and it supports deploying persistent agents or standalone offline collectors.

Features

Evidence Collection - Gathers critical digital evidence and forensic artifacts from multiple remote endpoints simultaneously for incident response.

Forensics and Incident Response - Provides a comprehensive platform for collecting and analyzing host-based artifacts to investigate security breaches.

Threat Hunting Tools - Velociraptor searches across multiple endpoints simultaneously for indicators of compromise or behavioral patterns.

Query Engines - A query language and execution engine for interrogating system state, parsing binary files, and automating data collection.

Host State Querying - Velociraptor uses a specialized query language to implement detections and collect host-based state.

Digital Forensics and Incident Response Platforms - A system for hunting indicators of compromise, analyzing disk images, and performing remote triage on compromised hosts.

Forensic Artifact Parsing - Decodes specialized system files such as EVTX logs and MFT entries to recover host state.

Forensic Artifact Collection - Gathers specific state information or forensic artifacts from endpoints using predefined queries for incident response.

Program Execution Analysis - Velociraptor parses Prefetch files and registry keys to identify which binaries were executed.

Forensic Capability Extensions - Extends system capabilities by importing community-defined templates for gathering specific forensic or system information.

Query Plugins - Integrates specialized plugins to monitor event logs, track processes, and parse file systems during collection.

File Collection Builders - Fetches individual files or entire directory trees from remote endpoints for centralized storage.

Interactive Notebooks - Features interactive notebooks that combine markdown documentation and executable query cells for organized forensic investigations.

Hierarchical Organization Isolation - Provides structural isolation by storing data for different organizations in separate directories.

Threat Hunting - Facilitates proactive threat hunting by executing complex queries across thousands of endpoints to find indicators of compromise.

Threat Hunting Operations - Proactively searches for indicators of compromise, such as unauthorized keys, across large networks.

Binary and Text File Parsing - Transforms raw binary data and unstructured text into structured records using profiles and regex.

Custom Query Execution - Allows the execution of arbitrary query language statements on endpoints to retrieve precise system data for investigation.

Data Transformation - Modifies and reshapes data returned from endpoints using transformation functions to convert raw values.

Query Filters - Applies queries to gathered results to isolate critical entries and perform aggregate counts across a fleet.

Host State Interrogation - Provides a specialized query language for interrogating host system state and retrieving structured forensic data.

Filesystem State Querying - Performs complex filesystem operations, including raw NTFS parsing, to retrieve structured information about files and directories.

Path Translation Accessors - Implements accessors that translate logical paths to read files and directories from diverse underlying storage.

Unified Data Access Interfaces - Provides a standard interface to access bulk data from filesystems, memory, archives, and remote stores.

Client Connections - Monitors the real-time connection status of agents to ensure endpoints are visible to the server.

Artifact Execution Control - Controls the execution of forensic artifacts on clients and assigns them to specific hunting tasks.

Execution Parameter Restrictions - Prevents the misuse of powerful artifacts by wrapping them with fixed, safe parameters.

Remote Command Execution - Runs shell commands directly on remote clients to perform manual administration or forensic triage.

Remote Management Agents - Manages the deployment, configuration, and health of persistent agents across diverse operating systems.

Endpoint-to-Server File Transfers - Moves files from remote clients to servers or cloud storage using deduplication and compression to optimize bandwidth.

Bulk File Acquisition - Acquires multiple files from endpoints based on glob patterns or target lists.

Kernel Event Stream Parsing - Captures real-time kernel and system events on endpoints and forwards them to server-side queues for analysis.

Offline Data Acquisition - Executes bulk collection tasks using a preconfigured standalone binary without requiring a server connection.

Offline Host Collection - Runs a standalone binary on target endpoints to gather forensic information without a network connection.

Raw Filesystem Parsing - Velociraptor accesses files by parsing the raw device to reveal hidden files and alternate data streams.

Specialized Data Accessors - Reads data from non-standard sources like raw disk clusters, locked files, and memory using specialized accessors.

File System Accessors - Implements virtual file system accessors to read live files, raw disks, or disk images through a unified interface.

Volatile State Captures - Velociraptor accesses live system memory and transient indicators that disappear after a reboot.

Registry Querying - Velociraptor searches registry keys and read values using filesystem-like plugins or registry functions.

Profile-Based Parsing - Maps raw binary data to structured records using JSON-defined field offsets and type definitions.

Agentless Data Collection - Supports performing one-time data collection by running the client binary from a network share without permanent installation.

Collection Data Encryption - Protects sensitive forensic evidence by encrypting collected data using passwords, certificates, or PGP keys.

Binary Pattern Searching - Scans process memory and unstructured binary files for specific keywords and patterns to identify malware.

Endpoint Agent Persistence - Installs persistent background services on endpoints to ensure real-time tasking and continuous connectivity.

Client Certificate Authentication - Secures API requests from external programs using mutual certificate authentication verified by an internal certificate authority.

Client Certificate Management - Generates and issues new identity certificates to clients to restore secure mutual TLS connectivity to the server.

Detection Artifact Distribution - Packages queries into shareable artifacts to deploy detection logic across hosts.

Data Hashing Utilities - Generates unique cryptographic fingerprints for files to verify content and identify known malicious binaries.

Runtime Threat Detection - Analyzes real-time system activity, configuration, and process memory to detect runtime behavioral threats.

Endpoint Detection and Response - Implements a full endpoint detection and response system for real-time threat monitoring across distributed hosts.

Artifact Access Controls - Enforces server-side permission requirements that users must meet before they can launch specific collection artifacts.

Mutual TLS Authentication - Secures endpoint-to-server communication using a built-in certificate authority and X.509 certificates for mutual identity verification.

Certificate Trust Validation - Prevents man-in-the-middle attacks by validating the server's TLS certificate against trusted root CAs.

Role-Based Access Controls - Assigns roles and permissions on a per-organization basis to isolate client data in a multi-tenant environment.

Mutual TLS Transports - Implements secure communication between endpoints and the server using a built-in PKI for mutual TLS authentication.

Network Communication Security - Protects data in transit between the server and endpoints using mutual TLS for secure communication.

Permission-Based Access Control - Implements a security model where the ability to schedule client artifacts is based on specific permissions assigned to the user.

YARA-Based Scanning - Searches unstructured binary data for malicious patterns using custom YARA rules.

Integrity Verifications - Uses SHA-256 hashing to verify that forensic collection containers have not been tampered with since acquisition.

Forensic Tools - A framework for collecting host-based state and forensic evidence across many endpoints using a specialized query language.

Container Transport Encryption - Encrypts collected forensic data using X.509 certificates to ensure the integrity and confidentiality of evidence during transport.

System Forensic Analysis - Provides a graphical notebook environment for analyzing a wide array of system forensic artifacts and structured data.

Extraction Plugins - Extends core capabilities via specialized plugins to parse system logs, registry hives, and binary formats.

Agent Configuration Generators - Generates unique configuration files for clients by extracting necessary cryptographic material and connection settings.

Security Alert Monitors - Generates security alert messages based on specific conditions and includes logic to suppress duplicate notifications.

Artifact Definition Management - Lists and filters available collection definitions and dependencies to identify tools for endpoint visibility.

Background Service Managers - Manages the installation, removal, and operational state of the background agent service on endpoints.

Endpoint Activity Monitoring - Velociraptor schedules specific artifacts to run continuously on client endpoints to track state changes.

Endpoint Collection Management - Provides tools to schedule data collections and launch hunts to gather host-based state across the fleet.

Endpoint Event Streaming - Collects system events in near-realtime and streams them to a central server for continuous monitoring.

Fleet-Wide State Collection - Queries host-based information across thousands of endpoints to identify indicators of compromise at scale.

Forensic Artifact Management - Enables the creation, update, and deletion of custom data collection definitions within a central repository.

Host State Event Streaming - Transmits host-based state and events in near-realtime to server-side queues for analysis.

Automated Incident Response Workflows - Triggers automatic escalation and response actions when suspicious events or query results are discovered.

Kernel Event Observability - Tracks real-time system events and network connections using kernel-level audit daemons.

Forensic Log Retrieval - Reads Windows evtx files and ETW providers to uncover evidence of malicious activity.

Event Monitoring Systems - Detects host-based events in real time and forwards them to a central server for analysis.

Telemetry Processing Engines - Intercepts, decodes, filters, and enriches event data from endpoints in real-time before storage.

Threat - Implements Sigma rule evaluation to identify potential security threats across the fleet of endpoints.

Network Connectivity Monitoring - Tracks the real-time online or offline status of endpoint agents to maintain visibility across the fleet.

Standalone Collector Binaries - Provides a standalone binary for gathering forensic data from endpoints without requiring a server connection.

Remote Artifact Execution - Runs predefined collection tasks on local machines, remote servers, or clients via a terminal interface.

Remote File Acquisition - Collects and retrieves specific files or directories from remote endpoints for forensic evidence preservation.

Remote Host State Collection - Retrieves structured system information and files from remote endpoints using a specialized query language for triage.

Remote Query Execution - Provides a command-line interface to execute VQL queries on remote servers and local systems for real-time state collection.

Remote Task Triggering - Schedules and executes collection tasks on remote clients with support for synchronous results or offline queuing.

System Event Monitors - Creates parallel requests that continuously track and report specific host events across the fleet.

Raw Registry Hive Parsing - Velociraptor reads registry data directly from hive files on disk to access non-logged-in user data.

Windows Endpoint Monitoring - Tracks real-time endpoint events, such as process execution chains, to detect suspicious behavior and threats.

Collection Flow Branching - Implements conditional branching and sequential chaining to determine which host data to collect based on logic.

Data Formats and Parsing - Extracts information from structured formats including JSON, XML, YAML, CSV, and plists.

Predefined Forensic Collection Scripts - Executes predefined collection scripts on endpoints to gather forensic evidence or configuration data.

Interactive Query Development - Provides an interactive notebook environment for iteratively writing and testing custom query logic.

Disk Image Management - Treats forensic disk images as live hosts by using remapping configurations for querying.

Forensic Evidence Preservation - Captures and secures critical system state and artifacts from a compromised endpoint.

Triage Image Captures - Velociraptor collects a condensed set of critical forensic artifacts and memory to create a portable image.

Kernel Object Enumerations - Velociraptor lists active mutexes or filter for specific names to identify indicators of compromise.

Collection Sequence Automation - Schedules host-based collections and monitors event queues to trigger subsequent response actions.

Investigation Notebooks - Provides collaborative reports that combine live query results with markdown documentation to track forensic investigations.

Device Metadata Collection - Gathers comprehensive system metadata including OS version, hostname, and hardware statistics from endpoints.

Binary Struct Mapping - Defines the layout of binary data using named fields and offsets to reconstruct C-style structs.

Bulk Data Ingestion - Supports high-performance ingestion of multiple collection containers simultaneously using notebook loops or server artifacts.

Standardized Data Interfaces - Provides a standardized file-like interface to read large datasets from filesystems, memory, and remote stores.

Storage Backend Configurations - Allows directing collected forensic evidence to remote storage backends such as SFTP servers or S3-compatible storage.

Collection Post-processing - Aggregates and filters data from collections and event sessions using custom queries to refine investigation findings.

Collection Result Retrieval - Allows downloading the output of previously executed collection tasks from a remote server.

Collection Exports - Packages uploaded files and metadata into structured ZIP archives for external forensic analysis.

Forensic Artifact Sharing - Allows publishing custom artifact YAML files to a central community exchange to share detection capabilities.

Password-Protected Archives - Packages multiple fetched files into a password-protected ZIP archive for local download.

Compressed Collection Importers - Ingests offline collection containers into the server using queries or specialized artifacts.

Data Manipulation Libraries - Transforms and decodes collected host state information using a specialized query language.

Query Result Transformations - Transforms query results using regex, conditional logic, and type conversion to refine investigative output.

Query Result Piping - Combines outputs of multiple queries into sequential pipes for processing and analysis.

Query Result Exporters - Enables exporting filtered tabular query results into portable formats like CSV and JSON for external analysis.

Query-Based Table Specifications - Defines query statements within collection artifacts to return specific, structured tables of forensic results.

Data Transformation Functions - Processes values into single results using built-in functions, custom local functions, or lambda expressions.

Dataset Joins - Combines rows from different data sources by matching them via a common identifier.

Edge Data Processing - Executes data analysis directly on the endpoint to reduce network traffic and avoid transferring raw data.

Embedded Database Extraction - Opens and extracts structured data from various embedded database files including SQLite and LevelDB.

Enum Label Mappings - Translates raw integer values into human-readable strings based on predefined bitmasks and enum mappings.

Event Data Forwarding - Sends real-time monitoring events and collected results to external data stores like cloud tables or search clusters.

External Storage Integrations - Routes collected files directly from endpoints to external destinations such as S3 or SFTP.

External Store Integrations - Sends query results to external destinations such as Azure Data Explorer or Elastic.

Label-Based Data Selection - Provides the ability to target specific subsets of hosts for data collection using assigned metadata labels.

Full Server State Backups - Generates and restores full copies of the server state, including database and configuration files.

Filesystem Type Identification - Enumerates mounted filesystems and identifies file types using magic rules for deep filesystem analysis.

Row Aggregations - Groups rows into bins using group-by clauses to calculate summary statistics like counts, sums, and rates.

Binary Array Interpretation - Processes repeated binary data by specifying the underlying type and determining array length.

Interrogation Artifact Overrides - Allows overriding the default information collection process with custom artifacts to tailor host interrogation.

SQLite Integration - Extracts structured data from SQLite databases by creating temporary cached copies.

Archive Content Access - Enables reading specific files from nested containers using a defined path and member identifier.

Timestamp Conversion - Transforms 64-bit binary integers into standardized time objects using specialized forensic parsers.

Query Package Management - Creates, edits, imports, or deletes query packages at runtime to extend system capabilities.

Server Configurations - Defines shared key-value pairs used by artifacts and queries to maintain consistent server configuration.

Forensic Artifact Integration - Loads external artifact packs or ZIP files to extend available collection types and capabilities.

Collaborative Analysis Environments - Provides an interactive environment for the joint analysis of collected endpoint data.

Configuration File Generators - Generates the necessary configuration files and cryptographic keys required to initialize servers and clients.

External Command Execution - Launches external system commands on the endpoint and captures standard error output for forensic analysis.

External Intelligence Integrators - Downloads and integrates curated collection rules and forensic modules from external repositories.

Glob Pattern Selectors - Finds files on a filesystem using wildcards and recursive glob patterns for flexible discovery.

File Search Utilities - Enumerates files across filesystems using optimized pattern matching to locate specific items.

Filesystem Search Utilities - Locates files and directories across various remote filesystems using optimized pattern matching.

Installer Packages - Builds platform-specific installation files with embedded configurations for scalable agent deployment.

Tenant-Specific Installers - Builds installation packages containing unique secrets that automatically associate endpoints with specific organizations.

Shareable Notebooks - Distributes analysis notebooks with other users to collaborate on forensic findings and investigative workflows.

External Artifact Repository Synchronization - Downloads and updates collection definitions from external projects to keep capabilities current.

Community Artifact Integrators - Downloads and integrates community-contributed collection definitions into the server to expand visibility.

Process Managers - Retrieves process IDs and terminates specific running processes on remote hosts.

Query Sequence Chaining - Runs a series of data collection tasks in a shared scope to allow the reuse of query results.

Investigation Layouts - Enables the creation of reusable notebook layouts and query sequences to standardize security investigation workflows.

Upload Automation - Automates the transfer of completed collection containers to cloud storage or network destinations.

Virtual Filesystem Navigation - Navigates the remote filesystem of an endpoint to inspect files without requiring full collection.

Air-Gapped Deployment Tools - Facilitates the movement of required binaries from connected systems into server inventories for use in isolated networks.

Artifact Deployment - Writes new or updated collection definitions to the server datastore via an API or query language.

Binary Distribution Tools - Controls whether endpoints fetch required binaries from the central server, external URLs, or cloud storage.

Binary Tool Bundling - Packages external executables into a collector for deployment and execution on target endpoints.

Cloud Native Infrastructure - Leverages cloud-native storage and serverless functions to provide visibility across millions of endpoints.

Capacity Scaling - Increases managed endpoint capacity by distributing client connections across multiple frontend server nodes.

Conditional File Uploads - Transfers specific files from remote hosts to a central server based on defined query criteria.

Configuration Artifact Packaging - Supports the import of collection definitions via zip archives or remote projects for operational configuration.

Deployment Configuration - Creates a YAML configuration file to define server and client operational parameters.

Collection Progress Monitors - Reports duration, data volume, and row counts of active collection flows originating from the endpoint.

Agent Troubleshooting - Allows administrators to identify and fix client-side problems remotely when local access to the host is unavailable.

Remote Server Fleet Management - Automates data retrieval by executing arbitrary queries and streaming results over remote connections to manage endpoint fleets.

Server State Synchronization - Coordinates operational state between master and minion servers using a replication service.

Detailed Result Retrieval - Downloads the complete raw data set of a completed collection as a ZIP file via an API.

Self-Hosted Deployments - Supports self-hosted deployment of the central management node with SSL certificate configuration.

Windows Service Deployments - Deploys the client as a native background system service to ensure automatic startup on boot.

Standardization Templates - Defines initial cells and required parameters to ensure consistent setup when creating analysis notebooks.

Client Metadata Management - Allows the storage and retrieval of user-defined key-value pairs to organize and categorize endpoints on the server.

Client Connection Distribution - Balances endpoint connections across a pool of frontend servers to optimize capacity and availability.

Network Connection Detectors - Retrieves current network connection information and socket state to monitor endpoint activity.

Offline Buffering - Queues event data in local writeback files during network outages and synchronizes them upon reconnection.

Remote Agent Updates - Updates the client version on remote endpoints using existing server connections or software management tools.

Client Configuration Settings - Modifies operational parameters and environment configurations for both the server and client agents.

Remote Procedure Call Interfaces - Provides a remote procedure call interface to programmatically control data collection and retrieve results via external scripts.

Cached File Inspection - Views cached file contents as hex or plaintext without requiring the endpoint to be online.

Filesystem Access Bypass - Reads locked files by automatically falling back from OS APIs to raw NTFS parsing.

Filesystem Path Remapping - Velociraptor maps paths from offline files or raw disks back to original logical structures.

Hidden System Data Access - Retrieves filesystem information using specialized parsers to access hidden files or registry keys that bypass standard APIs.

Linux System State Collection - Gathers host-level state and system metadata specifically from Linux clients for forensic analysis.

Master File Table Parsing - Extracts summaries and timestamps from MFT entries to inventory files or recover deleted data.

NTFS Index Carving - Carves residual file headers from NTFS I30 index streams to recover deleted directory entries.

Operating System State Analysis - Velociraptor queries the Windows Object Manager and execute WMI queries to monitor OS activity.

Process Memory Scanners - Dumps process memory and scans processes using YARA rules.

Process Tree Reconstruction - Visualizes parent-child relationships between processes to determine launch chains.

Entry Identifiers - Retrieves detailed attribute and stream information for files using their MFT ID.

System Artifact Extraction - Extracts host-based state information from system APIs, including certificates and network interface configurations.

System Resource Forensic Tracking - Extracts network statistics and resource metrics from the SRUM ESE database for forensic investigation.

Virtual Client Emulation - Velociraptor launches a client using a remapping configuration to collect artifacts from a disk image.

Virtual Client Simulation - Generates remapping configurations from disk images to simulate endpoints for artifact collection.

Volume Shadow Copy Enumerations - Velociraptor lists available VSS snapshots to allow filesystem analysis of previous system states.

Sandboxed JavaScript Execution - Compiles and executes JavaScript code to implement custom logic and data manipulation for investigations.

Artifact Distribution - Exports collection packages from a root organization to multiple tenants for centralized management.

Audit Logs - Records security-sensitive user actions in dedicated audit logs for monitoring, compliance, and forwarding.

Binary and Document Analysis - Inspects PE files and Office documents to extract metadata or embedded macros.

Browser-Based Data Extraction - Retrieves session storage entries and browser-specific data from installed web browsers for forensic analysis.

Collection Definition Packaging - Bundles one or more queries and related data into YAML files to simplify information gathering.

Cryptographic Operations - Provides cryptographic primitives to encrypt, decrypt, and reverse obfuscation using ciphers like RC4 and XOR.

Certificate Verification - Validates server identities using public CA lists or custom root certificates to ensure secure communication.

Endpoint Remediation - Modifies endpoint state to remove discovered threats or harden systems against future compromise.

Executable Integrity Auditing - Parses Authenticode information from PE files and scans strings to detect malicious content.

External Tool Orchestration - Pushes external binaries to endpoints, executes them remotely, and transfers the resulting data back to the server.

Malware Scanning - Submits text strings to the Windows Antimalware Scan Interface to determine if content is malicious.

Attack Simulations - Deploys attack simulation tests on endpoints to validate the effectiveness of detection rules and identify visibility gaps.

Query Permission Filters - Validates user tokens against the specific permissions required by plugins before allowing query execution.

Host Enumeration - Retrieves a comprehensive list of all connected hosts, including their IDs and assigned labels.

Host Network Isolation - Restricts endpoint communication exclusively to the management server to prevent unauthorized network connections.

Host Network Quarantine - Restricts a host's network stack to allow communication only with the management server during an incident.

Access Control List Management - Manages access control lists to regulate specific permissions for users and administrators.

Interface Access Security - Protects the management interface using basic authentication or single sign-on providers.

Memory Forensics - Identifies memory regions and linked DLLs within a process to determine binary functionality.

Forensic Artifact Extraction - Extracts critical forensic evidence from host memory and files into local files for further analysis.

Multi-Method API Authentication - Supports multiple identity verification methods including basic authentication, OIDC, OAuth2, SAML, and client certificates.

Multi-Tenant Isolation Layers - Ensures logical tenant boundaries by separating client metadata and collected evidence into organization-specific directories.

Query Parameterization - Provides the ability to define customizable variables in collection tasks to modify query behavior without altering the underlying logic.

Role-Based Access Control - Controls which users can execute specific collection tasks using role-based access controls.

Server Certificate Management - Manages secure communications using self-signed, Let's Encrypt, or custom PKI certificates.

Server Access Controls - Configures identity verification for server access using basic authentication or enterprise single sign-on.

Single Sign-On Integrations - Integrates with enterprise identity providers to enable centralized user authentication and access.

Offline Data Hunt Integration - Integrates imported offline collection data into active hunts for aggregated querying and analysis.

User Access Management - Includes centralized tools for managing user accounts and access policies within the server datastore.

User Permission Definitions - Assigns roles and granular permissions to users to control their ability to execute specific plugins.

Distributed Query Schedulers - Coordinates background query execution and batches results to schedule downstream tasks across a fleet of hosts.

Multi-tenancy Isolation - Implements architectural isolation to separate client metadata and evidence by organization.

Organization Management - Manages the runtime creation and destruction of organizations to facilitate tenant onboarding and offboarding.

Large Dataset Explorers - Executes complex post-processing queries on gathered information through notebook workers to analyze large datasets.

Query Logic Composition - Chains logic together by calling one artifact from within another and utilizing the results as input.

Task Progress Monitors - Tracks the progress, duration, and data volume of active forensic collection tasks on the endpoint.

Alert Routing - Routes high-value security notifications into dedicated alert queues for critical activity signaling.

Monitoring Overhead Optimization - Tracks the CPU, network, and storage impact of collection queries to ensure minimal performance degradation on hosts.

Artifact Pack Imports - Provides the ability to import multiple forensic collection definitions from compressed YAML archives into the server.

System Activity Auditors - Maintains historical records of user actions and security-relevant events to ensure accountability.

Audit Logs - Maintains auditable user event logs partitioned by organization for tenant administrator review.

Automated Collection Archiving - Triggers the creation of collection archives using queries or server monitoring to automate evidence preservation.

Binary Integrity Verifications - Verifies the integrity of downloaded binaries by comparing SHA256 hashes against known values.

Client Discovery and Search - Enables locating specific clients within the fleet to initiate targeted forensic investigations.

Client Management - Implements tools for creating, deleting, and updating records of registered endpoint clients within the server datastore.

Lifecycle Management - Manages the complete lifecycle of endpoint agents, including deployment, configuration updates, and version upgrades.

Collection Execution Filtering - Evaluates queries before running artifacts to skip execution if no results are returned, optimizing endpoint impact.

Collection Parameterization - Defines variables for data collection tasks to modify query behavior without editing the underlying query language.

CPU Utilization Monitoring - Tracks and limits processor usage to prevent performance degradation during remote data collection.

Dynamic Endpoint Labeling - Adds or removes host labels dynamically based on attributes, event results, or collection completion status.

Endpoint Discovery - Enables finding specific hosts using freeform text, wildcards, or structured operators like hostname and IP address.

External Binary Orchestration - Defines external executables required by artifacts, including hash verification and automated downloading.

External Script Execution - Executes system-native scripts on endpoints by shelling out to the interpreter and capturing output.

Host-Side Event Filtering - Applies detection logic directly on the endpoint to filter and forward only high-value events to the server.

Label-Based Grouping - Assigns tags to endpoints to organize them into logical groups for targeted collection or monitoring.

ETW Event Collectors - Subscribes to Windows Event Tracing for Windows (ETW) providers to capture real-time system information.

Windows Event - Implements periodic scanning and streaming of native Windows Event Log channels for forensic analysis.

Remote Profiling Interfaces - Captures internal state and resource data from remote agents to diagnose and troubleshoot performance bottlenecks.

Application Health Monitors - Visualizes server resource usage and client connection counts via telemetry dashboards to monitor deployment health.

MSI Installer Generation - Creates custom Windows MSI installers that embed deployment-specific configurations for scalable distribution.

Offline Collector Customization - Includes specific tools and custom artifact definitions from a server datastore into an offline collector build.

Performance Profiling Tools - Records CPU, memory statistics, and runtime traces to monitor the health and performance of endpoint agents.

Endpoint Resource Throttling - Limits CPU and I/O usage on clients to prevent performance degradation during forensic data collection.

Command Line Inspection - Collects process metadata and inspects command line arguments of active processes on remote hosts.

Process Lineage Visualizers - Monitors process creation and termination to reconstruct and analyze full process execution trees.

Property-Based Targeting - Groups hosts based on collected state information to narrow the scope of future forensic queries.

Query Frontend Horizontal Scaling - Increases managed client capacity by balancing endpoint connections across multiple frontend servers.

Query Performance Monitoring - Tracks active and completed queries to analyze execution time and behavioral patterns.

Remote File Managers - Allows inspection of directory structures and file metadata on remote endpoints by caching listings on the server.

Remote Filesystem Browsing - Provides a server-side cached view of an endpoint's filesystem or registry for remote inspection.

Resource Consumption Throttling - Velociraptor pauses query execution on an endpoint when CPU utilization exceeds a defined threshold to maintain system usability.

Resource Usage Limiters - Pauses query execution when CPU utilization exceeds defined limits to ensure host system stability.

Collection Resource Limits - Sets constraints on CPU, IOPS, and memory usage for specific forensic collections to protect endpoint performance.

Authenticated Access - Secures the administrative interface using basic authentication and centralized identity providers.

System Registry Managers - Provides utilities to read, set, and remove Windows registry keys for auditing and modifying system configuration.

Collection Task Scheduling - Schedules new data collection tasks on endpoints and monitors the status of their execution.

Third-Party Application Management - Adds, modifies, or removes third-party binaries and files within the server inventory via the command line.

Tool Binary Inventories - Stores binary tool specifications in one location to automate the downloading and updating of required utilities.

User Account Administration - Provides tools for administering user accounts and identity settings to control system access.

WMI Data Acquisition - Retrieves system configuration and state information by executing WQL queries against the Windows Management Instrumentation interface.

Artifact Validation - Validates reusable data collection packages against a subset of endpoints to ensure correctness before full deployment.

Timeline Navigators - Provides an interactive timeline interface for navigating and visualizing chronological forensic event data.

Databases - Forensic and security monitoring platform.

Incident Response Platforms - Tool for endpoint visibility and forensic data collection.

Acquisition and Imaging - Endpoint visibility and collection using query-based language.

Data Acquisition - Tool for host-based state collection using custom queries.

Digital Forensics - Endpoint visibility and digital forensic response platform.

Velocidexvelociraptor

Features

Star history