I came across an interesting news article yesterday which piqued my interest for today’s topic. The article was about attackers leveraging Velociraptor, a digital forensics tool, as a Command and Control (C2) tool. As I was reading more about it, I came across another article, published almost a month prior to this news, which discussed in detail how Velociraptor can be used a C2. Then there was this tweet by Vincent Yiu from two years back:

So, turns out that idea of using Velociraptor as C2 was not new but, as far as I can recall, this was the first instance of Velociraptor being leveraged as a C2 in a real-world cyber attack. Wonder why that is? Keep reading!

Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

What is Velociraptor?

Velociraptor is a live forensics and incident response platform built around a client-server architecture. It allows broad data collection and querying through Velociraptor Query Language (VQL) and pre-built “artifacts.” The tool is open-source and purpose-built for blue-team investigations.

Velociraptor’s C2-like capabilities

Though not designed as a C2, Velociraptor can perform several typical C2 functions:

1. Command execution

   • Executes commands via artifacts like Generic.Client.VQL, Windows.System.PowerShell, Windows.System.CmdShell, and Linux.Sys.BashShell (which works anywhere /bin/bash exists). These rely on the execve plugin.

2. File transfer

   • Retrieve files using System.VFS.DownloadFile or Generic.Collectors.File.

   • Uploading (push) files using http_client plugin and Generic.Utils.FetchBinary, which caches files on disk.

3. File searching

   • Use Windows.Search.FileFinder, MacOS.Search.FileFinder, or Linux.Search.FileFinder. These allow pattern, filename, or YARA-based searches, and can retrieve findings directly.

4. Secure communication channels

   • Supports HTTPS and secure WebSocket for communication between client and server.

5. Configuration updates

   • The Admin.Client.UpdateClientConfig artifact enables updating client configurations on the fly.

6. Monitoring & visibility

   • Offers rich telemetry: artifacts for detecting service creation (Windows.Events.ServiceCreation), process creations (Windows.Events.ProcessCreation, enhanced with ETW via Windows.Events.ETWProcesses), generic process tracking across platforms (Generic.Events.Processes), account logons (Windows.Events.Trackaccount), and high-privilege logons (Windows.Events.HighPrivilegedLogon)

These behaviors illustrate how Velociraptor can function in several core C2 domains: executing commands, transferring files, monitoring processes, persisting, and communicating securely.

Pros & cons of using Velociraptor as a C2

Pros

• Legitimate, trusted binaries (especially on Windows/mac) can bypass naive detections.

• Powerful, flexible querying (VQL + artifacts) enables custom operations across platforms.

• Pre-built artifacts support core C2 functions: command execution, file transfer, monitoring.

• TLS-based channels with mTLS support are available for communications.

• Extensible and modifiable—teams can customize artifacts or binaries to expand capability.

Cons

• Requires high privileges and local installation, which increases detection risk.

• Not designed for stealth, so artifacts, logs, and AV/EDR coverage make detection likely.

• DLL hijack risks if running from non-trusted locations.

• Config includes infrastructure information, making server discovery easier.

• Shared client certificates limit operational flexibility and opsec.

• Security products often detect it, and defenders may proactively alert on its presence.

• The incident reported shows how quickly real use can be triaged and blocked.

Ultimately, whether using Velociraptor as C2 is a good or bad approach for red teams depends on the operator’s priorities—stealth, flexibility, trust, or tool-reuse—and the target environment. That judgment is left to the reader to decide.

TL;DR
- Velociraptor, a blue-team IR tool, can double as a Command-and-Control (C2) with capabilities like command execution, file transfer, monitoring, and persistence.
- Pros: trusted binaries, flexible VQL artifacts, TLS comms; Cons: high privilege needs, weak stealth, shared certs, easy detection.

Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.