Using Velociraptor as C2
Velociraptor repurposed as C2: explore its powers, risks, and real-world misuse in red team operations.
I came across an interesting news article yesterday which piqued my interest for today’s topic. The article was about attackers leveraging Velociraptor, a digital forensics tool, as a Command and Control (C2) tool. As I was reading more about it, I came across another article, published almost a month prior to this news, which discussed in detail how Velociraptor can be used as a C2. Then there was this tweet by Vincent Yiu from two years back:
So, it turns out that the idea of using Velociraptor as a C2 was not new, but, as far as I can recall, this was the first instance of Velociraptor being leveraged as a C2 in a real-world cyber attack. Wonder why that is? Keep reading!
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
What is Velociraptor?
Velociraptor is a live forensics and incident response platform built around a client-server architecture. It allows broad data collection and querying through Velociraptor Query Language (VQL) and pre-built “artifacts.” The tool is open-source and purpose-built for blue-team investigations.
Velociraptor’s C2-like capabilities
Though not designed as a C2, Velociraptor can perform several typical C2 functions:
Command execution
Executes commands via artifacts like Generic.Client.VQL, Windows.System.PowerShell, Windows.System.CmdShell, and Linux.Sys.BashShell (which works anywhere /bin/bash exists). These rely on the execve plugin.
File transfer
Retrieve (pull) files using System.VFS.DownloadFile or Generic.Collectors.File. Upload (push) files using the http_client plugin and Generic.Utils.FetchBinary, which caches files on disk.
File searching
Use Windows.Search.FileFinder, MacOS.Search.FileFinder, or Linux.Search.FileFinder. These allow pattern, filename, or YARA-based searches, and can retrieve the matching files directly.
Secure communication channels
Supports HTTPS and secure WebSocket for communication between client and server.
Configuration updates
The Admin.Client.UpdateClientConfig artifact enables updating client configurations on the fly.
Monitoring & visibility
Offers rich telemetry: artifacts for detecting service creation (Windows.Events.ServiceCreation), process creation (Windows.Events.ProcessCreation, enhanced with ETW via Windows.Events.ETWProcesses), generic process tracking across platforms (Generic.Events.Processes), account logons (Windows.Events.Trackaccount), and high-privilege logons (Windows.Events.HighPrivilegedLogon).
These behaviors illustrate how Velociraptor can function in several core C2 domains: executing commands, transferring files, monitoring processes, persisting, and communicating securely.
Pros & cons of using Velociraptor as a C2
Pros
Legitimate, trusted binaries (especially on Windows/mac) can bypass naive detections.
Powerful, flexible querying (VQL + artifacts) enables custom operations across platforms.
Pre-built artifacts support core C2 functions: command execution, file transfer, monitoring.
TLS-based channels with mTLS support are available for communications.
Extensible and modifiable—teams can customize artifacts or binaries to expand capability.
Cons
Requires high privileges and local installation, which increases detection risk.
Not designed for stealth, so artifacts, logs, and AV/EDR coverage make detection likely.
DLL hijack risks if running from non-trusted locations.
Config includes infrastructure information, making server discovery easier.
Shared client certificates limit operational flexibility and opsec.
Security products often detect it, and defenders may proactively alert on its presence.
The reported incident shows how quickly real-world use can be triaged and blocked.
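Two of the cons above can be checked offline, and the following Python shows how. It is an added example for this post, not code from the Velociraptor project or from the articles cited: it pulls the server endpoints and pinned server name out of a client config (the part that "includes infrastructure information"), compares those hosts against the servers an organization actually operates, and flags process events whose image or command line look like a Velociraptor client start. The config text, process events, hostnames and approved-host set are all constructed for illustration; the config keys follow the real client.config.yaml layout, and the `client -c <config>` and `service run` command lines are assumed from the client's normal start forms (verify against your version).

```python
"""Offline triage for a Velociraptor client that may be acting as a C2.

Added example for this post; not code from the Velociraptor project.
It checks two of the cons listed above: the client config carries the
server infrastructure, and the client process starts with a recognisable
command line. All inputs below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the layout of a Velociraptor client.config.yaml.
# Key names follow the real config; hostnames, nonce and certificate are placeholders.
SAMPLE_CLIENT_CONFIG = """\
version:
  name: velociraptor
Client:
  server_urls:
  - https://c2.example.net:8000/
  - wss://c2.example.net:8443/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    MIIB...placeholder...
    -----END CERTIFICATE-----
  nonce: ZmFrZS1ub25jZQ==
  writeback_windows: $ProgramFiles\\Velociraptor\\velociraptor.writeback.yaml
  max_poll: 60
  pinned_server_name: VelociraptorServer
"""

# Constructed process-creation events (Sysmon/EDR style). The second one is an
# assumed scenario: the client binary renamed and run from a user-writable path.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": r'"C:\Program Files\Velociraptor\velociraptor.exe" service run'},
    {"pid": 5210, "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "cmdline": r"svchost.exe client -c C:\Users\jdoe\AppData\Local\Temp\client.config.yaml"},
    {"pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Normal client start forms (assumed from the velociraptor CLI; verify for your version):
#   velociraptor client -c <client.config.yaml>   and   velociraptor service run
CLIENT_START = re.compile(r"(?:^|\s)client\s+(?:-c|--config)\s+\S+", re.IGNORECASE)
SERVICE_RUN = re.compile(r"(?:^|\s)service\s+run(?:\s|$)", re.IGNORECASE)


def extract_infrastructure(config_text):
    """Pull the C2-relevant fields from a client config without a YAML dependency.

    Returns the server_urls list, parsed (scheme, host, port) endpoints and the
    pinned_server_name the client expects in the server certificate.
    """
    urls, pinned, in_urls = [], None, False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("server_urls:"):
            in_urls = True
            continue
        if in_urls:
            if stripped.startswith("- "):
                urls.append(stripped[2:].strip())
                continue
            in_urls = False  # first non-list line ends the sequence
        match = re.match(r"pinned_server_name:\s*(\S+)", stripped)
        if match:
            pinned = match.group(1)
    endpoints = [(u.scheme, u.hostname, u.port) for u in map(urlparse, urls)]
    return {"server_urls": urls, "endpoints": endpoints, "pinned_server_name": pinned}


def unexpected_servers(config_text, approved_hosts):
    """Hosts the client is configured to poll that are not ones you operate.

    Velociraptor itself may be legitimate in your estate; a client pointed at a
    server you do not run is the actual red flag.
    """
    info = extract_infrastructure(config_text)
    return sorted({host for _, host, _ in info["endpoints"] if host not in approved_hosts})


def triage_process(event):
    """Reasons a process event looks like a Velociraptor client start (empty = none)."""
    reasons = []
    if "velociraptor" in event["image"].lower():
        reasons.append("image name is velociraptor")
    if CLIENT_START.search(event["cmdline"]):
        reasons.append("command line matches 'client -c <config>' start")
    if SERVICE_RUN.search(event["cmdline"]):
        reasons.append("command line matches 'service run' start")
    return reasons


if __name__ == "__main__":
    print(extract_infrastructure(SAMPLE_CLIENT_CONFIG))
    print("unexpected servers:", unexpected_servers(SAMPLE_CLIENT_CONFIG, {"ir.corp.example"}))
    for ev in SAMPLE_PROCESS_EVENTS:
        print(ev["pid"], triage_process(ev))
```

The point of the allowlist comparison is that a signed Velociraptor binary on its own is not evidence of anything in an estate that already runs Velociraptor; the config's server_urls and pinned_server_name tell you whose server the client answers to, which is the question a responder actually needs to settle.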
Ultimately, whether using Velociraptor as a C2 is a good or bad approach for red teams depends on the operator’s priorities (stealth, flexibility, trust, or tool reuse) and the target environment. That judgment is left to the reader.
TL;DR
- Velociraptor, a blue-team IR tool, can double as a Command-and-Control (C2) with capabilities like command execution, file transfer, monitoring, and persistence.
- Pros: trusted binaries, flexible VQL artifacts, TLS comms; Cons: high privilege needs, weak stealth, shared certs, easy detection.