Skills ir-velociraptor
🔍

ir-velociraptor

Safe 🌐 Network access⚙️ External commands📁 Filesystem access🔑 Env variables⚡ Contains scripts

Collect endpoint evidence with Velociraptor VQL

Conduct forensic investigations and threat hunting across enterprise endpoints. Use VQL queries to collect process artifacts, network connections, registry data, and event logs for incident analysis and compromise detection.

Supports: Claude Codex Code(CC)
🥉 76 Bronze
1

Download the skill ZIP

2

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

3

Toggle on and start using

Test it

Using "ir-velociraptor". Find processes with suspicious parent-child relationships indicating potential injection

Expected outcome:

  • Processes spawned by Office applications running PowerShell or cmd.exe
  • Processes from AppData/Temp directories with hidden or bypass flags
  • LOLBin abuse (certutil, bitsadmin, mshta) for code execution
  • Memory regions with RWX protections in non-JIT processes

Using "ir-velociraptor". Hunt for persistence mechanisms used by attackers

Expected outcome:

  • Scheduled tasks with suspicious PowerShell command lines
  • Registry run keys modified in the last 7 days
  • WMI event subscriptions for persistent execution
  • Startup folder executables with unknown publishers

Using "ir-velociraptor". Detect lateral movement activity in the network

Expected outcome:

  • Process executions originating from remote IP addresses
  • Authentication events from unusual source locations
  • SMB shares accessed during off-hours
  • RDP connections from non-standard endpoints

Security Audit

Safe
v5 • 1/16/2026

Pure documentation skill containing only markdown reference files and YAML templates for the legitimate open-source Velociraptor DFIR platform. All patterns detected are false positives: VQL queries (not shell commands), detection patterns (not C2 code), forensic artifacts (not credential theft), and documentation links. This is incident response documentation for security professionals.

13
Files scanned
5,140
Lines analyzed
5
findings
5
Total audits

Risk Factors

🌐 Network access (56)
assets/artifact-template.yaml:126 assets/artifact-template.yaml:127 assets/artifact-template.yaml:132 assets/ci-config-template.yml:240 assets/hunt-template.yaml:138 assets/hunt-template.yaml:138 assets/rule-template.yaml:43 assets/rule-template.yaml:44 assets/rule-template.yaml:45 assets/rule-template.yaml:73 assets/rule-template.yaml:118 assets/rule-template.yaml:119 assets/rule-template.yaml:151 assets/rule-template.yaml:191 assets/rule-template.yaml:192 assets/rule-template.yaml:193 assets/rule-template.yaml:217 assets/rule-template.yaml:260 assets/rule-template.yaml:261 assets/rule-template.yaml:288 references/artifact-development.md:594 references/artifact-development.md:595 references/artifact-development.md:627 references/artifact-development.md:410 references/artifact-development.md:411 references/deployment-guide.md:77 references/deployment-guide.md:110 references/deployment-guide.md:200 references/deployment-guide.md:325 references/deployment-guide.md:117 references/deployment-guide.md:122 references/deployment-guide.md:126 references/deployment-guide.md:127 references/deployment-guide.md:128 references/deployment-guide.md:132 references/deployment-guide.md:357 references/deployment-guide.md:358 references/deployment-guide.md:359 references/deployment-guide.md:370 references/deployment-guide.md:371 references/deployment-guide.md:372 references/deployment-guide.md:385 references/deployment-guide.md:411 references/mitre-attack-mapping.md:419 skill-report.json:6 SKILL.md:19 SKILL.md:20 SKILL.md:21 SKILL.md:43 SKILL.md:48 SKILL.md:329 SKILL.md:330 SKILL.md:331 SKILL.md:332 SKILL.md:333 SKILL.md:48
⚙️ External commands (427)
assets/ci-config-template.yml:298 assets/ci-config-template.yml:301 assets/ci-config-template.yml:304 assets/ci-config-template.yml:307 assets/ci-config-template.yml:310 assets/ci-config-template.yml:134 assets/ci-config-template.yml:250 assets/ci-config-template.yml:291 assets/hunt-template.yaml:36 assets/hunt-template.yaml:115 assets/hunt-template.yaml:183 references/artifact-development.md:17-51 references/artifact-development.md:51-72 references/artifact-development.md:72-78 references/artifact-development.md:78-82 references/artifact-development.md:82-88 references/artifact-development.md:88-92 references/artifact-development.md:92-98 references/artifact-development.md:98-102 references/artifact-development.md:102-108 references/artifact-development.md:108-112 references/artifact-development.md:112-123 references/artifact-development.md:123-127 references/artifact-development.md:127-135 references/artifact-development.md:135-143 references/artifact-development.md:143-150 references/artifact-development.md:150-156 references/artifact-development.md:156-164 references/artifact-development.md:164-170 references/artifact-development.md:170-183 references/artifact-development.md:183-191 references/artifact-development.md:191-203 references/artifact-development.md:203-209 references/artifact-development.md:209-222 references/artifact-development.md:222-228 references/artifact-development.md:228-246 references/artifact-development.md:246-252 references/artifact-development.md:252-268 references/artifact-development.md:268-274 references/artifact-development.md:274-289 references/artifact-development.md:289-295 references/artifact-development.md:295-322 references/artifact-development.md:322-326 references/artifact-development.md:326-353 references/artifact-development.md:353-357 references/artifact-development.md:357-398 references/artifact-development.md:398-402 references/artifact-development.md:402-435 references/artifact-development.md:435-439 references/artifact-development.md:439-472 references/artifact-development.md:472-478 references/artifact-development.md:478-485 references/artifact-development.md:485-489 references/artifact-development.md:489-501 references/artifact-development.md:501-507 references/artifact-development.md:507-517 references/artifact-development.md:517-537 references/artifact-development.md:537-546 references/artifact-development.md:546-550 references/artifact-development.md:550-562 references/artifact-development.md:562-566 references/artifact-development.md:566-576 references/artifact-development.md:576-582 references/artifact-development.md:582-596 references/artifact-development.md:596-602 references/artifact-development.md:602-608 references/artifact-development.md:608-612 references/artifact-development.md:612-618 references/artifact-development.md:105 references/artifact-development.md:509 references/artifact-development.md:512 references/deployment-guide.md:38-40 references/deployment-guide.md:40-43 references/deployment-guide.md:43-47 references/deployment-guide.md:47-50 references/deployment-guide.md:50-54 references/deployment-guide.md:54-75 references/deployment-guide.md:75-82 references/deployment-guide.md:82-86 references/deployment-guide.md:86-98 references/deployment-guide.md:98-102 references/deployment-guide.md:102-139 references/deployment-guide.md:139-143 references/deployment-guide.md:143-183 references/deployment-guide.md:183-187 references/deployment-guide.md:187-195 references/deployment-guide.md:195-199 references/deployment-guide.md:199-202 references/deployment-guide.md:202-207 references/deployment-guide.md:207-210 references/deployment-guide.md:210-213 references/deployment-guide.md:213-224 references/deployment-guide.md:224-227 references/deployment-guide.md:227-237 references/deployment-guide.md:237-243 references/deployment-guide.md:243-247 references/deployment-guide.md:247-253 references/deployment-guide.md:253-261 references/deployment-guide.md:261-265 references/deployment-guide.md:265-273 references/deployment-guide.md:273-278 references/deployment-guide.md:278-284 references/deployment-guide.md:285-290 references/deployment-guide.md:290-293 references/deployment-guide.md:293-317 references/deployment-guide.md:317-321 references/deployment-guide.md:321-339 references/deployment-guide.md:339-346 references/deployment-guide.md:346-373 references/deployment-guide.md:373-378 references/deployment-guide.md:378-389 references/deployment-guide.md:389-392 references/deployment-guide.md:392-399 references/deployment-guide.md:399-406 references/deployment-guide.md:406-416 references/deployment-guide.md:416-419 references/deployment-guide.md:419-426 references/deployment-guide.md:426-431 references/deployment-guide.md:431-443 references/deployment-guide.md:443-456 references/deployment-guide.md:456-468 references/deployment-guide.md:468-471 references/deployment-guide.md:471-480 references/deployment-guide.md:480-487 references/deployment-guide.md:487-498 references/deployment-guide.md:498-501 references/deployment-guide.md:501-509 references/deployment-guide.md:509-514 references/deployment-guide.md:514-536 references/deployment-guide.md:536-539 references/deployment-guide.md:539-551 references/deployment-guide.md:551-556 references/deployment-guide.md:556-564 references/deployment-guide.md:564-567 references/deployment-guide.md:567-576 references/deployment-guide.md:576-583 references/deployment-guide.md:583-600 references/deployment-guide.md:600-603 references/deployment-guide.md:603-615 references/deployment-guide.md:615-636 references/deployment-guide.md:636-639 references/deployment-guide.md:639-652 references/deployment-guide.md:652-657 references/deployment-guide.md:520 references/deployment-guide.md:514-536 references/deployment-guide.md:278 references/deployment-guide.md:515 references/deployment-guide.md:81 references/deployment-guide.md:145 references/deployment-guide.md:173 references/deployment-guide.md:176 references/deployment-guide.md:177 references/deployment-guide.md:180 references/deployment-guide.md:181 references/deployment-guide.md:182 references/deployment-guide.md:215 references/deployment-guide.md:218 references/deployment-guide.md:272 references/deployment-guide.md:295 references/deployment-guide.md:296 references/deployment-guide.md:299 references/deployment-guide.md:315 references/deployment-guide.md:316 references/deployment-guide.md:380 references/deployment-guide.md:381 references/deployment-guide.md:382 references/deployment-guide.md:388 references/deployment-guide.md:408 references/deployment-guide.md:411 references/deployment-guide.md:412 references/deployment-guide.md:415 references/EXAMPLE.md:54-74 references/EXAMPLE.md:74-95 references/EXAMPLE.md:95-108 references/EXAMPLE.md:108-111 references/EXAMPLE.md:111-118 references/EXAMPLE.md:118-122 references/EXAMPLE.md:122-129 references/EXAMPLE.md:129-135 references/EXAMPLE.md:135-151 references/EXAMPLE.md:151-154 references/EXAMPLE.md:154-162 references/EXAMPLE.md:162-296 references/EXAMPLE.md:296-306 references/EXAMPLE.md:306-309 references/EXAMPLE.md:309-318 references/EXAMPLE.md:318-333 references/EXAMPLE.md:333-342 references/EXAMPLE.md:342-346 references/EXAMPLE.md:346-354 references/EXAMPLE.md:354-358 references/EXAMPLE.md:358-361 references/EXAMPLE.md:361-371 references/EXAMPLE.md:371-404 references/EXAMPLE.md:404-414 references/EXAMPLE.md:414-447 references/EXAMPLE.md:447-451 references/EXAMPLE.md:451-472 references/EXAMPLE.md:472-476 references/EXAMPLE.md:476-537 references/mitre-attack-mapping.md:23 references/mitre-attack-mapping.md:24 references/mitre-attack-mapping.md:27-41 references/mitre-attack-mapping.md:41-46 references/mitre-attack-mapping.md:46-47 references/mitre-attack-mapping.md:47-50 references/mitre-attack-mapping.md:50-61 references/mitre-attack-mapping.md:61-68 references/mitre-attack-mapping.md:68-69 references/mitre-attack-mapping.md:69-72 references/mitre-attack-mapping.md:72-81 references/mitre-attack-mapping.md:81-86 references/mitre-attack-mapping.md:86-87 references/mitre-attack-mapping.md:87-90 references/mitre-attack-mapping.md:90-100 references/mitre-attack-mapping.md:100-105 references/mitre-attack-mapping.md:105-106 references/mitre-attack-mapping.md:106-109 references/mitre-attack-mapping.md:109-120 references/mitre-attack-mapping.md:120-127 references/mitre-attack-mapping.md:127-128 references/mitre-attack-mapping.md:128-131 references/mitre-attack-mapping.md:131-145 references/mitre-attack-mapping.md:145-150 references/mitre-attack-mapping.md:150-151 references/mitre-attack-mapping.md:151-154 references/mitre-attack-mapping.md:154-168 references/mitre-attack-mapping.md:168-173 references/mitre-attack-mapping.md:173-176 references/mitre-attack-mapping.md:176-189 references/mitre-attack-mapping.md:189-196 references/mitre-attack-mapping.md:196-199 references/mitre-attack-mapping.md:199-212 references/mitre-attack-mapping.md:212-217 references/mitre-attack-mapping.md:217-220 references/mitre-attack-mapping.md:220-228 references/mitre-attack-mapping.md:228-235 references/mitre-attack-mapping.md:235-238 references/mitre-attack-mapping.md:238-246 references/mitre-attack-mapping.md:246-251 references/mitre-attack-mapping.md:251-252 references/mitre-attack-mapping.md:252-255 references/mitre-attack-mapping.md:255-270 references/mitre-attack-mapping.md:270-275 references/mitre-attack-mapping.md:275-276 references/mitre-attack-mapping.md:276-279 references/mitre-attack-mapping.md:279-291 references/mitre-attack-mapping.md:291-298 references/mitre-attack-mapping.md:298-299 references/mitre-attack-mapping.md:299-302 references/mitre-attack-mapping.md:302-313 references/mitre-attack-mapping.md:313-318 references/mitre-attack-mapping.md:318-319 references/mitre-attack-mapping.md:319-322 references/mitre-attack-mapping.md:322-333 references/mitre-attack-mapping.md:333-338 references/mitre-attack-mapping.md:338-339 references/mitre-attack-mapping.md:339-342 references/mitre-attack-mapping.md:342-352 references/mitre-attack-mapping.md:352-359 references/mitre-attack-mapping.md:359-360 references/mitre-attack-mapping.md:360-363 references/mitre-attack-mapping.md:363-370 references/mitre-attack-mapping.md:370-375 references/mitre-attack-mapping.md:375-378 references/mitre-attack-mapping.md:378-385 references/mitre-attack-mapping.md:385-390 references/mitre-attack-mapping.md:390-393 references/mitre-attack-mapping.md:393-399 references/mitre-attack-mapping.md:399-406 references/mitre-attack-mapping.md:406-407 references/mitre-attack-mapping.md:407-410 references/mitre-attack-mapping.md:410-421 references/mitre-attack-mapping.md:421-426 references/mitre-attack-mapping.md:426-429 references/mitre-attack-mapping.md:429-439 references/mitre-attack-mapping.md:439-444 references/mitre-attack-mapping.md:444-445 references/mitre-attack-mapping.md:445-448 references/mitre-attack-mapping.md:448-460 references/mitre-attack-mapping.md:460-467 references/mitre-attack-mapping.md:467-468 references/mitre-attack-mapping.md:468-471 references/mitre-attack-mapping.md:471-485 references/mitre-attack-mapping.md:485-490 references/mitre-attack-mapping.md:490-491 references/mitre-attack-mapping.md:491-494 references/mitre-attack-mapping.md:494-500 references/mitre-attack-mapping.md:500-507 references/mitre-attack-mapping.md:507-508 references/mitre-attack-mapping.md:508-511 references/mitre-attack-mapping.md:511-523 references/mitre-attack-mapping.md:523-528 references/mitre-attack-mapping.md:528-529 references/mitre-attack-mapping.md:529-532 references/mitre-attack-mapping.md:532-540 references/mitre-attack-mapping.md:540-547 references/mitre-attack-mapping.md:547-548 references/mitre-attack-mapping.md:548-551 references/mitre-attack-mapping.md:551-563 references/mitre-attack-mapping.md:563-568 references/mitre-attack-mapping.md:568-571 references/mitre-attack-mapping.md:571-582 references/mitre-attack-mapping.md:582-587 references/mitre-attack-mapping.md:587-588 references/mitre-attack-mapping.md:588-591 references/mitre-attack-mapping.md:591-597 references/mitre-attack-mapping.md:59 references/mitre-attack-mapping.md:65 references/mitre-attack-mapping.md:68 references/mitre-attack-mapping.md:69 references/mitre-attack-mapping.md:73 references/mitre-attack-mapping.md:77 references/mitre-attack-mapping.md:165 references/mitre-attack-mapping.md:188 references/mitre-attack-mapping.md:91 references/mitre-attack-mapping.md:94 references/vql-patterns.md:21-36 references/vql-patterns.md:36-40 references/vql-patterns.md:40-57 references/vql-patterns.md:57-61 references/vql-patterns.md:61-71 references/vql-patterns.md:71-77 references/vql-patterns.md:77-92 references/vql-patterns.md:92-96 references/vql-patterns.md:96-107 references/vql-patterns.md:107-111 references/vql-patterns.md:111-128 references/vql-patterns.md:128-134 references/vql-patterns.md:134-148 references/vql-patterns.md:148-152 references/vql-patterns.md:152-165 references/vql-patterns.md:165-169 references/vql-patterns.md:169-178 references/vql-patterns.md:178-184 references/vql-patterns.md:184-198 references/vql-patterns.md:198-202 references/vql-patterns.md:202-213 references/vql-patterns.md:213-217 references/vql-patterns.md:217-227 references/vql-patterns.md:227-233 references/vql-patterns.md:233-243 references/vql-patterns.md:243-247 references/vql-patterns.md:247-259 references/vql-patterns.md:259-265 references/vql-patterns.md:265-276 references/vql-patterns.md:276-280 references/vql-patterns.md:280-289 references/vql-patterns.md:289-293 references/vql-patterns.md:293-302 references/vql-patterns.md:302-308 references/vql-patterns.md:308-332 references/vql-patterns.md:332-336 references/vql-patterns.md:336-344 references/vql-patterns.md:344-350 references/vql-patterns.md:350-362 references/vql-patterns.md:362-366 references/vql-patterns.md:366-376 references/vql-patterns.md:376-380 references/vql-patterns.md:380-390 references/vql-patterns.md:390-396 references/vql-patterns.md:396-410 references/vql-patterns.md:410-414 references/vql-patterns.md:414-421 references/vql-patterns.md:421-425 references/vql-patterns.md:425-436 references/vql-patterns.md:436-442 references/vql-patterns.md:442-460 references/vql-patterns.md:460-464 references/vql-patterns.md:464-471 references/vql-patterns.md:471-475 references/vql-patterns.md:475-488 references/vql-patterns.md:488-494 references/vql-patterns.md:494-512 references/vql-patterns.md:512-516 references/vql-patterns.md:516-535 references/vql-patterns.md:28 references/vql-patterns.md:476 references/WORKFLOW_CHECKLIST.md:74 skill-report.json:116 skill-report.json:128 skill-report.json:128 SKILL.md:41-50 SKILL.md:50-54 SKILL.md:54-66 SKILL.md:66-85 SKILL.md:85-86 SKILL.md:86-87 SKILL.md:87-88 SKILL.md:88-89 SKILL.md:89-90 SKILL.md:90-127 SKILL.md:127-137 SKILL.md:137-145 SKILL.md:145-151 SKILL.md:151-157 SKILL.md:157-169 SKILL.md:169-175 SKILL.md:175-181 SKILL.md:181-187 SKILL.md:187-194 SKILL.md:194-202 SKILL.md:202-221 SKILL.md:221-244 SKILL.md:244-245 SKILL.md:245-253 SKILL.md:253-284 SKILL.md:284-286 SKILL.md:286-293 SKILL.md:293-303 SKILL.md:303-308 SKILL.md:308-310 SKILL.md:310-311 SKILL.md:311-312 SKILL.md:312-314 SKILL.md:314-316 SKILL.md:316-317 SKILL.md:317-318 SKILL.md:318-319 SKILL.md:319-321 SKILL.md:321-323 SKILL.md:323-324 SKILL.md:324-325 SKILL.md:111 SKILL.md:149 SKILL.md:193 SKILL.md:209
📁 Filesystem access (3)
assets/ci-config-template.yml:323 assets/ci-config-template.yml:323 references/deployment-guide.md:246
🔑 Env variables (29)
assets/ci-config-template.yml:164 assets/ci-config-template.yml:164 assets/rule-template.yaml:148 assets/rule-template.yaml:148 assets/rule-template.yaml:147 assets/rule-template.yaml:162 assets/rule-template.yaml:132 assets/rule-template.yaml:147 assets/rule-template.yaml:148 assets/rule-template.yaml:156 assets/rule-template.yaml:157 assets/rule-template.yaml:162 assets/rule-template.yaml:162 assets/rule-template.yaml:163 assets/rule-template.yaml:164 assets/rule-template.yaml:165 references/deployment-guide.md:231 references/deployment-guide.md:236 references/EXAMPLE.md:423 references/EXAMPLE.md:423 references/EXAMPLE.md:423 references/EXAMPLE.md:424 references/EXAMPLE.md:425 references/EXAMPLE.md:427 references/EXAMPLE.md:430 references/EXAMPLE.md:432 references/EXAMPLE.md:437 references/EXAMPLE.md:437 references/EXAMPLE.md:444
⚡ Contains scripts (2)
references/EXAMPLE.md:138 references/EXAMPLE.md:137
Audited by: claude View Audit History →

Quality Score

59
Architecture
100
Maintainability
85
Content
21
Community
100
Security
100
Spec Compliance

What You Can Build

Investigate security breaches

Collect and analyze forensic evidence to determine scope and root cause of security incidents

Proactively hunt for threats

Deploy organization-wide hunts to detect suspicious process execution and persistence mechanisms

Build forensic artifacts

Create custom VQL artifacts tailored to specific threat scenarios and detection requirements

Try These Prompts

Basic VQL Query 
Write a VQL query to find processes running from temp directories with obfuscated command lines
Registry Persistence 
Show me the VQL to hunt for suspicious registry run keys and startup locations
Threat Hunt 
What VQL queries detect PowerShell execution techniques mapped to ATT&CK T1059.001
Artifact Development 
Create a custom Velociraptor artifact YAML that collects recent executables with SHA256 hashes

Best Practices

  • Use preconditions to verify OS compatibility before artifact execution
  • Implement rate limiting and CPU limits to prevent endpoint performance impact
  • Document chain of custody and investigation scope for compliance

Avoid

  • Running filesystem glob queries without time or size limits
  • Collecting all artifacts without defining specific investigation scope
  • Storing collected evidence without encryption or access controls

Frequently Asked Questions

What platforms does Velociraptor support?
Windows (primary), Linux, and macOS. Most artifacts target Windows for enterprise incident response.
How many endpoints can Velociraptor manage?
Single server handles up to 10,000 clients. Multi-frontend deployments support 100,000+ endpoints.
Can Velociraptor work offline?
Yes. Offline collectors can gather evidence without server connectivity for air-gapped or initial triage scenarios.
Is collected data encrypted?
Enable encryption in collector configuration. Use TLS for server communications and secure output storage.
Why are queries returning no results?
Verify path syntax uses forward slashes, test queries in notebook mode first, and check client permissions.
How does this compare to commercial EDR?
Velociraptor provides deeper forensic capabilities and customization. Best used alongside EDR for comprehensive coverage.

Developer Details

License

MIT

Repository

https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/incident-response/ir-velociraptor

Ref

main

File structure

📁 assets/

📄 artifact-template.yaml

📄 ci-config-template.yml

📄 hunt-template.yaml

📄 offline-collector-config.yaml

📄 rule-template.yaml

📁 references/

📄 artifact-development.md

📄 deployment-guide.md

📄 EXAMPLE.md

📄 mitre-attack-mapping.md

📄 vql-patterns.md

📄 WORKFLOW_CHECKLIST.md

📄 SKILL.md