Velociraptor
Lifted from Velociraptor quick start guide. Nice sample hunt in about an hour by Eric Capuano, and a gist to go along with it!
Install quick temporary server (Debian-based server with Windows clients)
- Download the velociraptor executable
- Make it executable: chmod +x velociraptor
- Generate the server config: ./velociraptor config generate -i
- Answer the questions, then fire up the server: sudo ./velociraptor gui --config ./server.config.yaml
- Click Home and under Current Orgs download the client config file. Or do:
./velociraptor config client --org "root" --config server.config.yaml > client.root.config.yaml
- Deploy to other systems with
velociraptor.exe --config client.config.yaml client -v
Install full server component (Debian-based)
Grab the server binary
Download from here.
Make it executable
chmod +x velociraptor
Generate server config file
./velociraptor config generate -i
Tips:
- Make the address in server_urls the server's local IP, not localhost (public_url is for proxying the GUI to a different URL)
- When the config file is generated, edit it so that the frontend bind_address is also 0.0.0.0
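A quick check for the two tips above, so a freshly generated server.config.yaml can be scanned before the .deb is built. This is an added example, not code from the Velociraptor project; it assumes the layout that config generate produces (the server_urls list under Client and bind_address under Frontend), and the sample config below is constructed for the example rather than copied from a real server.

```powershell
# Added example (not from the Velociraptor project): scan a generated
# server.config.yaml for the two settings the tips above call out.
# Assumes the generated layout: Client -> server_urls list and
# Frontend -> bind_address.
function Test-VelociraptorServerConfig {
    param([Parameter(Mandatory)][string[]]$Lines)

    $loopback = @('localhost', '127.0.0.1', '::1')
    $findings = @()
    $section = $null
    $inServerUrls = $false

    foreach ($raw in $Lines) {
        if (-not $raw.Trim()) { continue }
        # A non-indented "Key:" line starts a new top-level mapping.
        if ($raw -match '^\S[^:]*:\s*$') {
            $section = $raw.Trim().TrimEnd(':')
            $inServerUrls = $false
            continue
        }
        $line = $raw.Trim()
        if ($section -eq 'Client') {
            if ($line -like 'server_urls:*') { $inServerUrls = $true; continue }
            if ($inServerUrls -and $line.StartsWith('- ')) {
                $url = $line.Substring(2).Trim()
                $hostName = ([System.Uri]$url).DnsSafeHost
                if ($loopback -contains $hostName) {
                    $findings += "Client.server_urls uses '$hostName'; clients on other machines cannot reach the server there"
                }
                continue
            }
            $inServerUrls = $false
        }
        elseif ($section -eq 'Frontend' -and $line -like 'bind_address:*') {
            $value = ($line -split ':', 2)[1].Trim()
            if ($value -ne '0.0.0.0') {
                $findings += "Frontend.bind_address is '$value'; set it to 0.0.0.0 so clients on other hosts can connect"
            }
        }
    }
    return $findings
}

# Constructed sample of the relevant parts of a server.config.yaml
# (not a real generated file); it trips both checks.
$sample = @'
Client:
  server_urls:
  - https://localhost:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    (omitted)
    -----END CERTIFICATE-----
Frontend:
  hostname: localhost
  bind_address: 127.0.0.1
  bind_port: 8000
GUI:
  bind_address: 127.0.0.1
  bind_port: 8889
'@ -split "`n"

Test-VelociraptorServerConfig -Lines $sample

# Against a real file:
# Test-VelociraptorServerConfig -Lines (Get-Content .\server.config.yaml)
```

Both findings fire on the sample; once server_urls carries the local IP and Frontend bind_address is 0.0.0.0 the function returns nothing. It only looks at those two keys, so a certificate body or other sections pass through untouched.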
Install
sudo dpkg -i nameoffile.deb
Login to your Velociraptor Web UI
Fire up https://yourip:8889.
Generate server OS client installs
- Go to Hamburger icon > Server Artifacts.
- Click the +
- Search for the word MSI, then click Server.Utils.CreateMSI in the search results
- In the menu that appears on the right, click the appropriate MSI file
- Click Launch tab in the lower right
- A new menu will pop up with the MSI build process. When done, click the artifact, click Uploaded Files and then download the MSI file.
Generate workstation OS installs
- Click the Home icon
- Scroll down and you should see a file like client.root.config.yaml to download
Edit the config file (optional)
If you're going to run client instances in agentless mode, set the writeback location in client.root.config.yaml to writeback_windows: $TEMP\\velociraptor.writeback.yaml
Deploying agentless clients
Run client instance standalone
velociraptor.exe --config client.root.config.yaml client --mutant ninja --verbose
--verbose is handy because I've had some client instances never check into the server, and the verbose flag helped identify issues (cert expiration, time sync issue, etc.)
Deploy via GPO
This covers it pretty well, but here is the key information to remember when setting up an immediate task (at least on Windows 7):
General tab
- Give the task a name
- Run as NT AUTHORITY\SYSTEM (I found it easier to just type this in than to try to resolve it)
- Tick Run whether user is logged on or not
- Tick Run with highest privileges
- Tick the Hidden box
Actions tab
- Click New...
- Under Action, choose Start a program
- Under Program/script enter the UNC path where velociraptor.exe lives, such as \\dc-ac\share\velociraptor.exe
- In the Add arguments (optional) field, enter
--config \\dc-ac\share\name.of.your.config.file client --mutant ninja --verbose
The client install documentation notes:
"In our experience GPO deployments are not very reliable - we often find the Velociraptor client will be launched multiple times on the endpoint. It is highly recommended that you use the --mutant flag to specify a mutant preventing the client from starting multiple times."
Settings tab
- Tick If the task fails, restart every: 1 minute
- Tick Stop the task if it runs longer than: 3 days
- If task is already running, then the following rule applies: Do not start a new instance
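The same task as the General, Actions and Settings tabs above, built with the ScheduledTasks cmdlets so it can be scripted (or run from a startup script) instead of clicked through the GPO editor. This is an added example, not from the Velociraptor client docs or the linked GPO guide; \\dc-ac\share and client.root.config.yaml are the share and config names used on this page and are placeholders for your environment, the restart count of 3 is the Task Scheduler default rather than something the page specifies, and the at-startup trigger stands in for the trigger-less immediate task a GPO uses.

```powershell
# Added example (not from the Velociraptor docs or the linked GPO guide).
# Placeholders: the share path and config name come from this page; change them.
$exe    = '\\dc-ac\share\velociraptor.exe'
$config = '\\dc-ac\share\client.root.config.yaml'

# Actions tab: Start a program, with the argument string from the page.
$action = New-ScheduledTaskAction -Execute $exe `
    -Argument "--config $config client --mutant ninja --verbose"

# General tab: run as SYSTEM whether a user is logged on or not, with highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Settings tab: hidden, restart every minute on failure (3 attempts is the
# Task Scheduler default, an assumption here), stop after 3 days, and do not
# start a new instance while one is running. --mutant above still guards
# against duplicate processes if the task does get launched twice.
$settings = New-ScheduledTaskSettingsSet -Hidden `
    -RestartInterval (New-TimeSpan -Minutes 1) -RestartCount 3 `
    -ExecutionTimeLimit (New-TimeSpan -Days 3) `
    -MultipleInstances IgnoreNew

# A GPO immediate task has no trigger; for a scripted deployment, run at boot.
$trigger = New-ScheduledTaskTrigger -AtStartup

Register-ScheduledTask -TaskName 'Velociraptor Client' `
    -Action $action -Principal $principal -Settings $settings -Trigger $trigger -Force
```

Run it in an elevated session on the endpoint; -Force replaces an existing task of the same name, which is handy when re-pushing with a changed config path. Confirm the result with Get-ScheduledTask -TaskName 'Velociraptor Client' and check that the client shows up in the Web UI with --verbose output on the endpoint if it does not.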