Velociraptor
Velociraptor is an endpoint visibility tool for live forensics, artifact collection, and threat hunting. Use it to collect evidence from live systems and run VQL queries across your fleet.
Aithroyz deploys the Velociraptor binary as a systemd service (no Docker — Velociraptor works best bare metal). The server UI and client enrollment are pre-configured. Version 0.73.3.
Access
URL: https://velociraptor.<env-name>.ops.aithroyz.com
Port: 8889 (proxied via Caddy to 443)
Enrolling an endpoint
In the Velociraptor UI, go to Clients → Add Client. Download the client installer for your OS. Run it on the target endpoint with the enrollment token. The client will appear in the Clients view within seconds.
For endpoints inside the Aithroyz environment VPC (e.g. the endpoint-vm module), the Velociraptor client is pre-installed and auto-enrolled.
Common VQL artifacts
Windows.System.Pslist: List running processes on a Windows endpoint
Linux.Sys.Users: Enumerate user accounts and last login times
Windows.Persistence.PersistenceChecker: Check common persistence mechanisms (registry, scheduled tasks, services)
Generic.Collectors.File: Collect specific files from an endpoint (e.g. browser history, prefetch)
Windows.EventLogs.EVTX: Collect Windows Event Log files
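The artifacts above are normally scheduled as collections or hunts from the UI, but you can also call them from a VQL query (server notebook, hunt query, or a client-side collection) and filter the results before they are stored. The query below is an added example, not part of the Aithroyz deployment docs, showing a common triage filter on top of Windows.System.Pslist: surface processes whose executable lives outside the usual Windows and Program Files directories. The column names (Pid, Ppid, Name, Exe, CommandLine, Username) are the ones the artifact emits in current releases; confirm them against the artifact definition in the UI (View Artifacts) for the installed version before relying on them in a hunt.

```vql
-- Added example (not from the Aithroyz docs): triage filter over Windows.System.Pslist.
-- Single-quoted strings are raw in VQL, so the regex backslash is written once as '\\'.
-- =~ is a regular-expression match; NOT inverts it.
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM Artifact.Windows.System.Pslist()
WHERE NOT Exe =~ '^C:\\(Windows|Program Files)'
```

Run it from a notebook against a single client first to check the column names and the volume of results, then reuse the same query as a hunt across the fleet. Narrowing the result set in VQL (rather than collecting everything and filtering later) keeps collection size small on the client and makes the hunt output directly actionable.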