
Threat Hunting with Velociraptor: A Beginner's Guide

December 28, 2024 | ThinSky Team

Velociraptor is a powerful open-source tool for endpoint visibility and digital forensics. Named after the clever dinosaur, it's designed to help security teams hunt for threats across thousands of endpoints simultaneously. In this guide, we'll get you started with the basics.

What is Velociraptor?

Velociraptor is an advanced digital forensics and incident response (DFIR) platform that allows you to:

  • Collect forensic artifacts from endpoints at scale
  • Hunt for indicators of compromise (IOCs) across your network
  • Monitor endpoints in real-time
  • Perform live forensics during active incidents
  • Create custom detection rules using VQL (Velociraptor Query Language)

Understanding VQL: The Velociraptor Query Language

VQL is what makes Velociraptor incredibly powerful. It's a SQL-like language designed specifically for querying endpoint data. Let's start with some basic examples.

Your First VQL Query

Here's a simple query to list running processes:

SELECT Name, Pid, Username, CommandLine
FROM pslist()
WHERE Name =~ "chrome"

This query retrieves all Chrome processes, showing their name, process ID, username, and command line arguments.

Searching for Suspicious Files

Looking for recently modified executable files in temp directories:

-- glob() has no Hash column; hash() computes one per file (MD5/SHA1/SHA256).
-- Mtime is a timestamp, so compare it with a timestamp, not a bare integer.
SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs="C:/Users/*/AppData/Local/Temp/*.exe")
WHERE Mtime > timestamp(epoch=now() - 86400)

This finds all .exe files modified in the last 24 hours within user temp folders - a common location for malware.

Essential Threat Hunting Queries

1. Find Persistent Mechanisms

Attackers often establish persistence through registry run keys:

SELECT Name, FullPath, Data
FROM Artifact.Windows.Sys.StartupItems()
WHERE Data =~ "(?i)(powershell|cmd|wscript|cscript)"

2. Detect Suspicious Network Connections

Find processes with external network connections:

-- netstat() exposes addresses as Laddr/Raddr structs and carries no process
-- name, so the name is looked up from pslist() for each connection.
-- State strings differ by platform ("ESTAB" on Windows), hence the regex.
LET conns <= SELECT Pid, Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
                    Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
  FROM netstat()
  WHERE Status =~ "ESTAB"
    AND NOT RemoteIP =~ "^(127[.]|0[.]0[.]0[.]0$|::1$)"

SELECT * FROM foreach(
  row=conns,
  query={
    SELECT Pid, Name, LocalIP, LocalPort, RemoteIP, RemotePort, Status
    FROM pslist(pid=Pid)
  })

3. Hunt for PowerShell Execution

PowerShell is frequently abused by attackers:

SELECT EventTime, Computer, Message
FROM Artifact.Windows.EventLogs.PowerShell()
WHERE Message =~ "(?i)(downloadstring|invoke-expression|encodedcommand)"
LIMIT 100

4. Check for Unsigned Drivers

Unsigned drivers can indicate rootkits:

SELECT Name, Path, Signed, SignerSubject
FROM Artifact.Windows.Sys.Drivers()
WHERE NOT Signed

Building a Hunt

A hunt in Velociraptor is a query that runs across multiple endpoints. Here's how to structure an effective hunt:

  1. Define your hypothesis - What are you looking for?
  2. Write the VQL query - Test it on a single endpoint first
  3. Set parameters - Define scope, timeouts, and resource limits
  4. Launch the hunt - Run across your target endpoints
  5. Analyze results - Look for anomalies and patterns
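Steps 2 and 5 in VQL, as an added example that is not part of the original guide. The first statement is the endpoint-side query you would test on one machine and then wrap in a custom artifact for the hunt (step 3's scope, expiry and resource limits are set in the hunt launcher, not in the query). The second runs server-side in a notebook after the hunt finishes and stacks the results across endpoints. The artifact name Custom.Windows.TempExecutables and the hunt ID H.PLACEHOLDER are placeholders, and the notebook query assumes hunt_results() adds a ClientId column to each row.

```vql
-- Step 2: endpoint-side query. Tunables live in LET variables so the query
-- can be tested on a single endpoint first and later exposed as artifact
-- parameters without touching the SELECT itself.
LET LookbackSeconds <= 86400
LET TargetGlob <= "C:/Users/*/AppData/Local/Temp/*.exe"

SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs=TargetGlob)
WHERE Mtime > timestamp(epoch=now() - LookbackSeconds)

-- Step 5: server-side analysis in a notebook once the hunt has completed.
-- Stacking by hash shows which binaries are rare across the fleet: a file
-- seen on three endpoints out of three thousand deserves a look, one present
-- on all of them is more likely a legitimate installer.
-- (Custom.Windows.TempExecutables and H.PLACEHOLDER stand in for the artifact
-- built from the query above and the hunt that ran it.)
SELECT SHA256,
       basename(path=OSPath) AS FileName,
       count() AS Hits,
       enumerate(items=ClientId) AS Clients
FROM hunt_results(hunt_id="H.PLACEHOLDER",
                  artifact="Custom.Windows.TempExecutables")
GROUP BY SHA256
ORDER BY Hits
```

Rows at the top of the stacked output (lowest Hits) are the rare binaries; the Clients list tells you which endpoints to collect from next.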

Real-World Hunt Example: Detecting Cobalt Strike

Cobalt Strike is a popular commercial penetration testing tool often abused by attackers. Here's a hunt to detect potential Cobalt Strike beacons:

-- "<=" materializes the process list once, so its Pids can be used with IN
-- below instead of re-running pslist() for every connection.
LET suspicious_processes <= SELECT Pid, Name, CommandLine FROM pslist()
WHERE CommandLine =~ "(?i)(rundll32.*,.*Start|regsvr32.*/s|mshta.*javascript)"

LET beacon_network = SELECT Pid, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
FROM netstat()
WHERE Pid IN suspicious_processes.Pid
  AND Status =~ "ESTAB"

SELECT * FROM beacon_network

Best Practices for Threat Hunting

Start with Known Bad

Begin by hunting for known indicators - file hashes, IP addresses, domain names. This builds confidence and catches low-hanging fruit.
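A known-bad hunt for the first two indicator types, as an added example that is not from the original guide. The hashes and IP addresses are constructed placeholders (the IPs come from the TEST-NET documentation ranges); in practice the lists would be filled from your threat-intelligence feed.

```vql
-- Constructed placeholder indicators. Replace with values from your
-- threat-intel source; the hashes below are obviously fake.
LET bad_sha256 <= (
  "0000000000000000000000000000000000000000000000000000000000000001",
  "0000000000000000000000000000000000000000000000000000000000000002")
LET bad_ips <= ("192.0.2.10", "198.51.100.25")

-- Hash every executable under user download folders (** recurses) and keep
-- only known-bad ones. The alias SHA256 can be used in WHERE because VQL
-- evaluates column expressions lazily.
SELECT OSPath, Size, Mtime, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs="C:/Users/*/Downloads/**/*.exe")
WHERE SHA256 IN bad_sha256

-- Any current connection to a known-bad address, with the owning process.
SELECT * FROM foreach(
  row={
    SELECT Pid, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort, Status
    FROM netstat()
    WHERE RemoteIP IN bad_ips
  },
  query={
    SELECT Pid, Name, CommandLine, RemoteIP, RemotePort, Status
    FROM pslist(pid=Pid)
  })
```

Both queries return nothing on a clean endpoint, which is exactly what makes a known-bad hunt a good first exercise: any row is worth investigating.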

Progress to Behavioral Detection

Once comfortable, move to behavioral patterns:

  • Unusual parent-child process relationships
  • Processes running from unusual locations
  • Anomalous network traffic patterns
  • Unusual scheduled tasks or services
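The first two behaviours in VQL, as an added example that is not part of the original guide. It snapshots the process table once, pairs each process with its parent, and then flags unexpected parents, shells launched by Office applications, and executables running from user-writable folders. The regexes encode assumptions about a typical Windows 10/11 host and are meant to be tuned for your own fleet.

```vql
-- Snapshot the process table once; "<=" materializes the result so it is
-- not re-evaluated for every row below.
LET procs <= SELECT Pid, Ppid, Name, Exe, CommandLine, Username FROM pslist()

-- Pair every process with its parent. The outer row's columns are renamed so
-- they do not collide with the parent's Pid/Name/Exe inside the subquery.
-- Processes whose parent has already exited are dropped here.
LET tree = SELECT * FROM foreach(
  row={
    SELECT Pid AS ChildPid, Ppid AS ParentPid, Name AS ChildName,
           Exe AS ChildExe, CommandLine AS ChildCmd, Username AS ChildUser
    FROM procs
  },
  query={
    SELECT ChildPid, ChildName, ChildExe, ChildCmd, ChildUser,
           ParentPid, Name AS ParentName
    FROM procs
    WHERE Pid = ParentPid
  })

-- Three behaviours (expected-parent rules are assumptions about a typical
-- Windows 10/11 host; extend them for your environment):
--  1. core system processes with an unexpected parent
--  2. script hosts and shells spawned by Office applications
--  3. executables running out of temp or download folders
SELECT ChildPid, ChildName, ChildExe, ChildUser, ParentPid, ParentName, ChildCmd
FROM tree
WHERE (ChildName =~ "(?i)^svchost[.]exe$" AND NOT ParentName =~ "(?i)^services[.]exe$")
   OR (ChildName =~ "(?i)^lsass[.]exe$" AND NOT ParentName =~ "(?i)^wininit[.]exe$")
   OR (ChildName =~ "(?i)^(cmd|powershell|wscript|cscript|mshta)[.]exe$"
       AND ParentName =~ "(?i)^(winword|excel|powerpnt|outlook)[.]exe$")
   OR ChildExe =~ "(?i)(Temp|Downloads|Public)[^a-z0-9]"
```

Run it on a handful of known-good machines first: the hits it produces there are your baseline, and the rules that fire on every host need tightening before the query becomes a hunt.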

Document Everything

Keep a playbook of your hunts. Document what you looked for, why, and what you found. This builds organizational knowledge.

Integrating with Your Security Stack

Velociraptor works best as part of a larger security ecosystem:

  • Wazuh - Use alerts to trigger targeted Velociraptor hunts
  • MISP - Import threat intelligence for IOC hunting
  • TheHive - Manage cases and track investigations
  • Elastic - Store and visualize hunt results

Getting Started

Ready to start threat hunting with Velociraptor? Here's your action plan:

  1. Deploy Velociraptor server (can run in a Docker container)
  2. Install agents on a few test endpoints
  3. Practice VQL queries in the notebook interface
  4. Run your first hunt across test systems
  5. Gradually expand coverage to production

Want Managed Velociraptor?

ThinSky offers fully managed Velociraptor with 24/7 expert threat hunting support.
