# Investigate Endpoints with Velociraptor

Incident responders need fast endpoint visibility during active investigations. This skill provides Velociraptor VQL patterns, collector guidance, and hunt templates for authorized forensic work.

## Install

```bash
npx skillstore add agentsecops/ir-velociraptor
```

## Metadata

- Slug: agentsecops-ir-velociraptor
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/incident-response/ir-velociraptor
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: network, external_commands, filesystem, env_access, scripts
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-ir-velociraptor
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-ir-velociraptor/manifest

## Capabilities

- Explains Velociraptor collect, monitor, and hunt workflows for incident response.
- Provides VQL examples for process, network, file system, registry, and timeline investigations.
- Includes templates for hunts, custom artifacts, offline collectors, and security scan CI workflows.
- Maps investigation queries to MITRE ATT&CK techniques and common response scenarios.
- Documents deployment, access control, evidence handling, and operational safety considerations.

## Use Cases

- Triage Active Incidents: Build a scoped Velociraptor collection plan for affected endpoints, then review process, network, event log, and file timeline evidence.
- Develop Threat Hunts: Create VQL hunts for suspicious PowerShell, persistence, lateral movement, credential access indicators, and unusual network activity.
- Prepare Forensic Collection: Design an offline collector with resource limits, chain-of-custody notes, and evidence protection controls for approved investigations.

## Prompt Templates

### Plan a Basic Collection

```
Create a Velociraptor collection plan for one Windows endpoint after suspicious login activity. Include scope, artifacts, safety limits, and expected outputs.
```

### Write a Focused VQL Hunt

```
Draft a VQL hunt for suspicious PowerShell execution across production Windows clients. Include parameters, triage fields, and false positive review steps.
```

### Build an Offline Collector

```
Design an offline Velociraptor collector for a ransomware investigation. Limit collection to approved artifacts, set resource controls, and include chain-of-custody handling.
```

### Map Findings to ATT&CK

```
Review these Velociraptor findings and map them to MITRE ATT&CK tactics. Separate confirmed evidence, assumptions, and recommended follow-up collections.
```

## Limitations

- Requires an existing Velociraptor environment or local binary to run queries.
- Does not verify user authorization or legal approval before endpoint collection.
- Examples may need tuning for each operating system, artifact version, and network design.
- Some guidance can collect sensitive data and must be restricted to approved investigations.

## Best Practices

- Run hunts only on approved client labels and document the investigation scope before collection.
- Minimize sensitive data collection and encrypt evidence archives during transfer and storage.
- Test VQL in a lab or notebook before running it across production endpoints.

## Anti Patterns

- Do not run broad enterprise hunts without resource limits and change approval.
- Do not collect credential stores, browser data, or registry hives unless the case requires them.
- Do not paste webhook URLs, API keys, or private keys into shared artifacts or reports.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-28T05:41:01.324+00:00
- Summary: Static findings are mostly explained by the skill being a Velociraptor DFIR guide, not by hidden malicious code. However, the content includes templates for broad endpoint collection, credential-adjacent artifact discovery, privileged service deployment, webhook notification, and shell-based installation patterns, so publication should require human review and strong warnings.

## Stats

- Views: 565
- Downloads: 6
- Favorites: 0
- Popularity score: 0
