Velociraptor’s client communications

In the latest point release of the Velociraptor IR tool (0.2.3) we have improved upon GRR's client communications protocol to deliver fast and efficient, yet extremely responsive, client communication. This post explains the design of the new client communication protocol and how it solves the problems with GRR's original protocol.


Velociraptor Artifacts

We are super excited to introduce this point release of Velociraptor (0.2.2), which introduces the concept of Velociraptor Artifacts for the first time. This post is about what artifacts are, what they do and how you can use them.


Files, files, everything is just a file!

GRR's original design abstracted the data storage to a simple key/value store, originally based around Bigtable. For open source deployments, various key/value stores were used over time, starting with MongoDB, then SQLite and finally MySQL. Although the original idea was to use a simple key/value implementation, the data store implementation became very complex because of GRR's locking requirements.

Velociraptor introduces a major redesign of the underlying data store architecture, so we are now able to relax our demands on the datastore and use a true key/value model (we have no requirements for locking and synchronization). The default data store is now the FileBasedDataStore, which stores all data in flat files.
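As an added illustration (this is not Velociraptor's own FileBasedDataStore, whose on-disk layout is not described on this page), the following Go program sketches a flat-file key/value store in the spirit of the paragraph above: each key becomes one file under a root directory, each write is an atomic rename so that no lock is needed for readers and writers to coexist, and, because keys turn into filesystem paths, every key component is validated so that a key cannot escape the root directory. The names FileStore, Set, Get and keyPath, the ".db" suffix and the sample keys are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// FileStore is an illustrative flat-file key/value store (not Velociraptor's
// implementation): every key maps to one file below Root.
type FileStore struct {
	Root string
}

// ErrBadKey is returned for keys that are empty or that would resolve to a
// path outside Root (for example "../etc/passwd" or "a/../../b").
var ErrBadKey = errors.New("invalid key")

// keyPath maps a slash-separated key such as "clients/C.123/vfs" to a file
// under Root. Because the key becomes a path, every component is checked so
// that traversal sequences and backslashes (a separator on Windows) are
// rejected before the path is built.
func (s *FileStore) keyPath(key string) (string, error) {
	if key == "" {
		return "", ErrBadKey
	}
	for _, part := range strings.Split(key, "/") {
		if part == "" || part == "." || part == ".." || strings.ContainsAny(part, `\`) {
			return "", ErrBadKey
		}
	}
	p := filepath.Join(s.Root, filepath.FromSlash(key)) + ".db"
	// Defence in depth: confirm the cleaned path is still below Root.
	rel, err := filepath.Rel(s.Root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadKey
	}
	return p, nil
}

// Set writes value to a temporary file in the destination directory and then
// renames it over the final name. rename(2) replaces the name atomically on
// POSIX filesystems, so a concurrent reader sees either the complete old value
// or the complete new value, never a partially written file. This is what lets
// the store get by without any locking.
func (s *FileStore) Set(key string, value []byte) error {
	p, err := s.keyPath(key)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(p), ".tmp-*")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	if _, err := tmp.Write(value); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Sync(); err != nil {
		tmp.Close()
		os.Remove(tmpName)
		return err
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	return os.Rename(tmpName, p)
}

// Get returns the value stored under key. A missing key yields an error that
// satisfies errors.Is(err, os.ErrNotExist).
func (s *FileStore) Get(key string) ([]byte, error) {
	p, err := s.keyPath(key)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

func main() {
	root, err := os.MkdirTemp("", "filestore")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(root)

	s := &FileStore{Root: root}
	// Constructed sample key and value for the demonstration.
	if err := s.Set("clients/C.1234/info", []byte(`{"hostname":"host1"}`)); err != nil {
		log.Fatal(err)
	}
	v, err := s.Get("clients/C.1234/info")
	fmt.Printf("value=%s err=%v\n", v, err)
	// A traversal attempt is refused before any filesystem access happens.
	fmt.Println("escape attempt:", s.Set("../escape", []byte("x")))
}
```

The two checks in keyPath are deliberately redundant: the per-component check is what actually blocks traversal, and the Rel check guards against a future change to the path construction silently reintroducing it.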


Browsing around the filesystem.

Browsing the client's filesystem is probably the first thing responders do. Both GRR and Velociraptor have a nice VFS abstraction that allows users to browse files interactively. However, in order to make Velociraptor much faster we made some tradeoffs and improved the way the VFS is stored in the datastore.


Hunting - What Velociraptors do best!

A hunt is a feature where a single flow is run on multiple clients at the same time. Typically a hunt looks for a particular indicator of compromise across the entire deployment, or collects the same files from every deployed agent. By their nature, hunts cause many flows to run simultaneously, and this creates heavy contention on shared state.

Velociraptor has completely redesigned the way that hunts are implemented in order to avoid database locking and increase hunt processing efficiency.


Interrogation - Make the endpoint tell us what it knows!

Interrogation is the process of learning general information about the endpoint we are monitoring. Each endpoint is automatically interrogated when it first joins the Velociraptor server, and the GUI shows this general information about each client.

When writing Velociraptor we decided to keep things very simple: we did away with a lot of the information gathered during interrogation in favor of a much simpler data model.


Design differences between Velociraptor and GRR

One of the main motivators for developing Velociraptor is the opportunity to try different approaches than GRR. Velociraptor has a number of fundamental design differences from GRR which improve overall performance and scalability. We tried to keep it lightweight, cutting out the features we felt we did not need and leaving behind a fast, lean and mean raptor!


Velocidex Query Language (VQL)

Velociraptor is powered by VQL, and VQL is the killer feature that makes it so powerful. But what exactly is VQL? This post is a quick overview of VQL.


Introducing Velociraptor

Hunting and responding like a raptor!

At Velocidex we have been running open source endpoint monitoring tools for our clients in order to detect and respond to incidents. One of our favorite tools is GRR, developed by Google internally and then released as open source. GRR is a very powerful tool, with a polished UI and good documentation.

Unfortunately the open source version released by Google suffers from some shortcomings, and so we have decided to develop a new project, built on the shoulders of giants, called Velociraptor.