Deploys and configures Velociraptor for incident response artifact collection using VQL queries, Hunts, and packs across Windows, Linux, macOS endpoints.
```bash
npx claudepluginhub killvxk/cybersecurity-skills-zh
```
Velociraptor is an advanced open-source endpoint monitoring, digital forensics and incident response platform developed by Rapid7. It uses the Velociraptor Query Language (VQL) to create custom artifacts that can collect, query and monitor almost every aspect of an endpoint. Velociraptor lets incident response teams quickly collect and examine forensic artifacts across an entire network, and supports large-scale deployment with minimal performance impact. Its client-server architecture, built on Fleetspeak communications, can collect data from thousands of endpoints in real time, and endpoints that are offline automatically pick up and run pending Hunt tasks when they reconnect.
```bash
# Download the latest release
wget https://github.com/Velocidex/velociraptor/releases/latest/download/velociraptor-linux-amd64

# Generate the server configuration
./velociraptor-linux-amd64 config generate -i

# Start the server
./velociraptor-linux-amd64 --config server.config.yaml frontend

# Or run it as a systemd service
sudo cp velociraptor-linux-amd64 /usr/local/bin/velociraptor
sudo velociraptor --config /etc/velociraptor/server.config.yaml service install
```

```bash
# Repack the client MSI for Windows deployment
velociraptor --config server.config.yaml config client > client.config.yaml
velociraptor config repack --msi velociraptor-windows-amd64.msi client.config.yaml output.msi
# Deploy through Group Policy, SCCM or Intune
# The client runs as a Windows service named "Velociraptor"

# Linux client deployment
velociraptor --config client.config.yaml client -v

# macOS client deployment
velociraptor --config client.config.yaml client -v
```

```bash
docker run --name velociraptor \
  -v /opt/velociraptor:/velociraptor/data \
  -p 8000:8000 -p 8001:8001 -p 8889:8889 \
  velocidex/velociraptor
```
```sql
-- Collect Windows event logs
SELECT * FROM Artifact.Windows.EventLogs.EvtxHunter(
    EvtxGlob="C:/Windows/System32/winevt/Logs/*.evtx",
    IDRegex="4624|4625|4648|4672|4688|4698|4769|7045"
)

-- Collect Prefetch files (execution evidence)
SELECT * FROM Artifact.Windows.Forensics.Prefetch()

-- Collect Shimcache entries
SELECT * FROM Artifact.Windows.Registry.AppCompatCache()

-- Collect Amcache entries
SELECT * FROM Artifact.Windows.Forensics.Amcache()

-- Collect UserAssist data
SELECT * FROM Artifact.Windows.Forensics.UserAssist()

-- Collect NTFS MFT timestamps (the dot is escaped so only the extension matches)
SELECT * FROM Artifact.Windows.NTFS.MFT(
    MFTFilename="C:/$MFT",
    FileRegex="\\.(exe|dll|ps1|bat|cmd)$"
)

-- Collect scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()

-- Collect running processes with hashes
SELECT * FROM Artifact.Windows.System.Pslist()

-- Collect network connections
SELECT * FROM Artifact.Windows.Network.Netstat()

-- Collect the DNS cache
SELECT * FROM Artifact.Windows.Network.DNSCache()

-- Collect browser history
SELECT * FROM Artifact.Windows.Applications.Chrome.History()

-- Collect PowerShell history
SELECT * FROM Artifact.Windows.Forensics.PowerShellHistory()

-- Collect autostart / persistence entries
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
SELECT * FROM Artifact.Windows.System.Services()
SELECT * FROM Artifact.Windows.System.StartupItems()
```
```sql
-- Collect authentication logs
SELECT * FROM Artifact.Linux.Sys.AuthLogs()

-- Collect bash history
SELECT * FROM Artifact.Linux.Forensics.BashHistory()

-- Collect crontab entries
SELECT * FROM Artifact.Linux.Sys.Crontab()

-- Collect running processes
SELECT * FROM Artifact.Linux.Sys.Pslist()

-- Collect network connections
SELECT * FROM Artifact.Linux.Network.Netstat()

-- Collect SSH authorized keys
SELECT * FROM Artifact.Linux.Ssh.AuthorizedKeys()

-- Collect systemd services
SELECT * FROM Artifact.Linux.Services()
```
```sql
-- Windows triage collection artifact
-- Collects event logs, Prefetch, registry hives, browser data and more
SELECT * FROM Artifact.Windows.KapeFiles.Targets(
    Device="C:",
    _AllFiles=FALSE,
    _EventLogs=TRUE,
    _Prefetch=TRUE,
    _RegistryHives=TRUE,
    _WebBrowsers=TRUE,
    _WindowsTimeline=TRUE
)
```
1. In the Velociraptor Web UI, navigate to Hunt Manager
2. Click "New Hunt"
3. Configure:
   - Description: "IR Triage - Case 2025-001"
   - Include/exclude labels to target the right endpoints
   - Artifact selection (e.g. Windows.Forensics.Prefetch)
   - Resource limits (CPU, IOPS, timeout)
4. Launch the hunt
5. Monitor progress in real time
```sql
-- Search all endpoints for a specific file hash
SELECT * FROM Artifact.Generic.Detection.HashHunter(
    Hashes="e99a18c428cb38d5f260853678922e03"
)

-- Scan process memory for a YARA signature
SELECT * FROM Artifact.Windows.Detection.Yara.Process(
    YaraRule='rule malware { strings: $s1 = "malicious_string" condition: $s1 }'
)

-- Search event logs for Sigma rule matches
SELECT * FROM Artifact.Server.Import.SigmaRules()

-- Search for suspicious scheduled tasks
SELECT * FROM Artifact.Windows.System.TaskScheduler()
WHERE Command =~ "powershell|cmd|wscript|mshta|rundll32"

-- Search for processes with network connections to a suspicious IP
SELECT * FROM Artifact.Windows.Network.Netstat()
WHERE RemoteAddr =~ "10\\.13\\.37\\."
```
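Once a hunt completes, its rows are usually exported and triaged offline. The script below is an added example (it is not code from this page or from the Velociraptor project) that applies the same three indicators as the hunting queries above to an exported result set: the IOC hash, the suspicious scheduled-task command regex, and the watched remote address range. The export rows are constructed, and the column names (ClientId, Fqdn, Artifact, Command, Arguments, RemoteAddr, Hash.MD5) are assumptions that mirror the queries on this page rather than verified artifact output.

```python
"""Offline triage of exported Velociraptor hunt results (added example).

Applies the indicators used in the hunt queries above to rows exported
from a hunt. Column names mirror those queries and are assumptions;
the export rows are constructed for the demonstration.
"""
import json
import re
from collections import defaultdict

# The same patterns as the hunt queries above. VQL's =~ is an unanchored
# regex match, mirrored here with re.search.
SUSPICIOUS_TASK = re.compile(r"powershell|cmd|wscript|mshta|rundll32", re.IGNORECASE)
# Anchored so that 210.13.37.x does not match the watched 10.13.37.0/24 range.
WATCHED_REMOTE = re.compile(r"^10\.13\.37\.")
IOC_HASHES = {"e99a18c428cb38d5f260853678922e03"}  # the hash from the HashHunter query above

# Constructed rows, tagged with the artifact that produced them (assumed layout).
SAMPLE_ROWS = [
    {"ClientId": "C.1a2b", "Fqdn": "ws01.corp.local", "Artifact": "Windows.System.TaskScheduler",
     "Name": "\\Microsoft\\Windows\\Updater",
     "Command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Arguments": "-w hidden -File C:\\Users\\Public\\u.ps1"},
    {"ClientId": "C.1a2b", "Fqdn": "ws01.corp.local", "Artifact": "Windows.System.TaskScheduler",
     "Name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe", "Arguments": "-c -h -o -$"},
    {"ClientId": "C.3c4d", "Fqdn": "srv02.corp.local", "Artifact": "Windows.Network.Netstat",
     "Pid": 4412, "Name": "svchost.exe", "RemoteAddr": "10.13.37.5:443", "Status": "ESTAB"},
    {"ClientId": "C.3c4d", "Fqdn": "srv02.corp.local", "Artifact": "Windows.Network.Netstat",
     "Pid": 880, "Name": "chrome.exe", "RemoteAddr": "210.13.37.9:443", "Status": "ESTAB"},
    {"ClientId": "C.5e6f", "Fqdn": "ws07.corp.local", "Artifact": "Windows.System.Pslist",
     "Pid": 2210, "Name": "update.exe", "Exe": "C:\\Users\\Public\\update.exe",
     "Hash": {"MD5": "E99A18C428CB38D5F260853678922E03"}},
]


def sample_export():
    """Serialise the constructed rows as JSONL, the shape a hunt export takes."""
    return "\n".join(json.dumps(r) for r in SAMPLE_ROWS) + "\n"


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_row(row):
    """Return (reason, detail) when a row matches an indicator, else None."""
    artifact = row.get("Artifact", "")
    if artifact == "Windows.System.TaskScheduler":
        cmdline = f"{row.get('Command', '')} {row.get('Arguments', '')}".strip()
        if SUSPICIOUS_TASK.search(cmdline):
            return "suspicious_task_command", f"{row.get('Name')}: {cmdline}"
    elif artifact == "Windows.Network.Netstat":
        remote = row.get("RemoteAddr", "")
        if WATCHED_REMOTE.search(remote):
            return "watched_remote_address", f"{row.get('Name')} pid={row.get('Pid')} -> {remote}"
    elif artifact == "Windows.System.Pslist":
        # Hashes are compared case-insensitively; exports vary in case.
        md5 = str((row.get("Hash") or {}).get("MD5", "")).lower()
        if md5 in IOC_HASHES:
            return "ioc_hash_match", f"{row.get('Exe')} md5={md5}"
    return None


def triage(rows):
    """Run every row through the indicator checks and keep the hits."""
    findings = []
    for row in rows:
        hit = check_row(row)
        if hit:
            reason, detail = hit
            findings.append({"ClientId": row["ClientId"], "Fqdn": row["Fqdn"],
                             "Artifact": row["Artifact"], "reason": reason, "detail": detail})
    return findings


def by_host(findings):
    """Group finding reasons per endpoint so the host list becomes the pivot."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["Fqdn"]].append(f["reason"])
    return dict(grouped)


if __name__ == "__main__":
    hits = triage(load_jsonl(sample_export()))
    for h in hits:
        print(f"{h['Fqdn']:18} {h['Artifact']:30} {h['reason']:24} {h['detail']}")
    print(by_host(hits))
```

One detail worth carrying back into the hunt itself: VQL's `=~` is an unanchored regex match, so `10\.13\.37\.` also matches a remote address such as `210.13.37.9`. The script anchors the pattern with `^`, and the Netstat query above can be anchored the same way.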
```sql
-- Monitor new process creation
SELECT * FROM watch_etw(guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}")
WHERE EventData.ImageName =~ "powershell|cmd|wscript"

-- Monitor file system changes
SELECT * FROM watch_directory(path="C:/Windows/Temp/")

-- Monitor registry changes
SELECT * FROM watch_registry(key="HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/**")
```
```text
Velociraptor Server --> Elastic/OpenSearch --> Splunk HEC
                    --> direct syslog forwarding
                    --> Velociraptor API --> custom script --> Splunk
```
```yaml
# Velociraptor server configuration - Elastic output
Monitoring:
  elastic:
    addresses:
      - https://elastic.local:9200
    username: velociraptor
    password: secure_password
    index: velociraptor
```
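The "custom script" branch of the forwarding paths above has to turn Velociraptor rows into whatever the destination accepts. The following is an added example, not code from this page or from the Velociraptor project: it normalises monitoring rows into one document layout and emits the three payload shapes the paths above need, an Elasticsearch/OpenSearch `_bulk` NDJSON body, Splunk HEC event envelopes and RFC 5424 syslog lines. The row layout (a `_ts` unix timestamp plus ClientId, Fqdn and Artifact envelope fields), the `velociraptor:monitoring` sourcetype and the rows themselves are constructed assumptions; the index name matches the configuration above.

```python
"""Shape Velociraptor monitoring rows for SIEM forwarding (added example).

Produces three payload shapes from one normalised document: an
Elasticsearch/OpenSearch _bulk body, Splunk HEC event envelopes and
RFC 5424 syslog lines. Row layout, sourcetype and the sample rows are
assumptions constructed for the demonstration.
"""
import json
from datetime import datetime, timezone

ELASTIC_INDEX = "velociraptor"                  # matches the index in the config above
SPLUNK_SOURCETYPE = "velociraptor:monitoring"   # assumed sourcetype
SYSLOG_PRI = 16 * 8 + 6                         # facility local0, severity informational = 134

# Constructed monitoring rows; "_ts" (unix seconds) is an assumed server-side timestamp.
SAMPLE_EVENTS = [
    {"_ts": 1735689600, "ClientId": "C.1a2b", "Fqdn": "ws01.corp.local",
     "Artifact": "Windows.System.TaskScheduler",
     "Name": "\\Updater", "Command": "C:\\Windows\\System32\\mshta.exe",
     "Arguments": "C:\\Users\\Public\\a.hta"},
    {"_ts": 1735689660, "ClientId": "C.3c4d", "Fqdn": "srv02.corp.local",
     "Artifact": "Windows.Network.Netstat",
     "Pid": 4412, "Name": "svchost.exe", "RemoteAddr": "10.13.37.5:443", "Status": "ESTAB"},
]

ENVELOPE_FIELDS = {"_ts", "ClientId", "Fqdn", "Artifact"}


def iso_utc(ts):
    """Unix seconds -> RFC 3339 UTC string with a Z suffix."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")


def normalize(row):
    """One document layout shared by every destination: envelope fields are
    lifted out, the artifact's own columns are kept verbatim under "event"."""
    return {
        "@timestamp": iso_utc(row["_ts"]),
        "host": {"name": row["Fqdn"]},
        "velociraptor": {"client_id": row["ClientId"], "artifact": row["Artifact"]},
        "event": {k: v for k, v in row.items() if k not in ENVELOPE_FIELDS},
    }


def bulk_actions(rows, index=ELASTIC_INDEX):
    """(action, document) pairs in the order the _bulk API expects them."""
    return [({"index": {"_index": index}}, normalize(r)) for r in rows]


def to_elastic_bulk(rows, index=ELASTIC_INDEX):
    """NDJSON body for POST /_bulk; the API requires a trailing newline."""
    lines = []
    for action, doc in bulk_actions(rows, index):
        lines.append(json.dumps(action))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def to_splunk_hec(rows, sourcetype=SPLUNK_SOURCETYPE):
    """Event envelopes for POST /services/collector/event."""
    return [{"time": r["_ts"], "host": r["Fqdn"], "source": r["Artifact"],
             "sourcetype": sourcetype, "event": normalize(r)} for r in rows]


def to_syslog(rows, app_name="velociraptor"):
    """RFC 5424 lines: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PROCID and structured data are the NILVALUE "-"; the artifact name is the MSGID."""
    return [f"<{SYSLOG_PRI}>1 {iso_utc(r['_ts'])} {r['Fqdn']} {app_name} - {r['Artifact']} - "
            + json.dumps(normalize(r)["event"], separators=(",", ":"))
            for r in rows]


if __name__ == "__main__":
    print(to_elastic_bulk(SAMPLE_EVENTS))
    print(json.dumps(to_splunk_hec(SAMPLE_EVENTS), indent=2))
    print("\n".join(to_syslog(SAMPLE_EVENTS)))
```

Keeping the artifact columns untouched under `event` means a field such as `RemoteAddr` keeps the same name in every destination, so the regexes from the hunting queries can be reused as search-time filters in the SIEM.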
| Technique | VQL artifact |
|---|---|
| T1059 - Command and Scripting Interpreter | Windows.EventLogs.EvtxHunter (4104, 4688) |
| T1053 - Scheduled Task/Job | Windows.System.TaskScheduler |
| T1547 - Boot or Logon Autostart Execution | Windows.Persistence.PermanentWMIEvents |
| T1003 - OS Credential Dumping | Windows.Detection.Yara.Process |
| T1021 - Remote Services | Windows.EventLogs.EvtxHunter (4624 Logon Type 3/10) |
| T1070 - Indicator Removal | Windows.EventLogs.Cleared |