Velociraptor 0.77 Release

Mike Cohen 2026-05-31

I am very excited to announce that the latest Velociraptor release 0.77 RC1 is now available for testing.

In this post I will discuss some of the new features introduced by this release.

New Features

  • Interactive shell sessions. The shell is no longer a one-shot affair. Commands now run inside persistent sessions where each command builds on the last, with all output visible in a single scrollable view. Each command appends to the same flow, replacing the previous approach where each interaction ran as a separate flow. Graceful timeouts, CSS improvements, and proper stdin lifecycle management have also been added.

  • Datastore object limits. Flow requests are now stored in a separate datastore file, making flow and hunt objects a lot smaller. Additionally, limits were placed on the size of frequently accessed datastore files, such as hunt objects, flow objects and client tasks.

    This limit is essential to maintain performance and stability but it might affect the following two use cases:

    1. Artifacts that contain a lot of data internally, for example Windows.Hayabusa.Rules, which contains all the Sigma rules inside the artifact.
    2. Artifacts that accept very large parameters, for example Generic.Detection.Yara.Glob, which can take a large Yara ruleset as a parameter when launched.

    Going forward, such collections can be refactored:

    • For artifacts that include large data blobs internally, the data can be compressed or extracted into an external tool (see Managing external tools).
    • Artifacts that include large parameters (e.g. Yara rulesets) can be changed to include a URL to the ruleset which can be fetched by the client (for example Generic.Detection.Yara.Glob has the YaraUrl parameter instead of the YaraRules parameter).
  • User messaging. Messages can now be sent to GUI users via the user_message() VQL function, which means they can be packaged into server artifacts and set up by server operators. A new Server.Monitoring.RSSFeeds artifact is provided as an example: it polls RSS feeds (such as Velociraptor’s own CVE and blog feeds) and automatically emits user notifications when new items appear.

    This means users will be notified inside the application about new releases and important announcements (like CVE reports). Server operators can also use the same mechanism to distribute custom messages to their users, for example with the following VQL:

    SELECT user_message(user="admin",
                        Message="Hello user",
                        Date=timestamp(epoch=now()))
    FROM scope()
    

    User notifications contain arbitrary key/value pairs.

    User notifications accumulate in the GUI and can all be cleared when acknowledged.

  • Azure Data Explorer (ADX) upload. A new adx_upload() VQL plugin uploads rows to Azure Data Explorer for KQL-based analysis, along with an ADX Creds secret type for securely managing credentials. A corresponding server event artifact (ADX.Flows.Upload) is provided that uses this plugin to forward flow results to ADX. This mirrors the existing Splunk and Elastic upload integrations, and has been tested in production engagements.

  • Artifact verifier overrides. The artifact verifier now emits structured errors and warnings that can be selectively disabled on a per-artifact basis. To suppress a specific linter error, add a // linter: comment to the VQL snippet with the error name and an optional subject regex.

  • Loading artifact packs from zips. Zip files can now be imported directly with the --definitions flag, avoiding the need to manually unzip them first. This is especially useful when distributing collections of artifacts as a single archive file.

  • OIDC role assignment rework. Automated OIDC role assignment now supports removing access from users (roles are no longer treated as a minimum floor). Custom claims from Azure ID tokens can also be used for more granular role mapping.

  • Velociraptor Docker container. An officially supported Docker-based container is now available, along with a Dockerfile, compose.yaml, and supporting configuration files. This makes it easier to deploy Velociraptor in containerized environments.

GUI Improvements

This release improves a number of GUI features.

  • Redesigned Shell interface now uses sessions where each command builds on the previous one.

  • User messaging system for sending notifications directly in the GUI.


    The new Server.Monitoring.RSSFeeds artifact polls RSS feeds and alerts users about new items, such as critical CVEs or blog posts.

  • GUI state stored in sessionStorage, preserving state when switching between screens.

  • Filters added to the user management screen for easier user lookup.

CLI Improvements

  • New CLI run syntax with reworked command line parser.

    The CLI has a new syntax for running artifacts from the command line. The new --api_config flag supports collecting artifacts remotely and fetching results via the API.

  • API support for the artifacts collect command, allowing remote collection and result fetching over the API. Also added the artifacts fetch command for fetching remote artifact results.

  • Zip file import with the --definitions flag for loading artifact packs.

Performance and operational improvements

  • Memory allocation limits. Velociraptor now places limits on memory allocations to prevent out of memory errors during large collections or data processing tasks.

  • EVTX preferred message language. The EVTX parser has been updated to support a preferred message language, allowing Windows event log messages to be rendered in the specified language when available.

  • Refactored hunt dispatcher. The hunt dispatcher internals have been reworked for improved tracking and reliability of hunt state management.

  • Refactored journal service. The journal service has been updated with more efficient artifact type discovery and stricter validation of forwarded messages, ensuring messages reach only the artifact types they are authorized for.

  • Removed hunt dispatcher housekeeping thread. The periodic housekeeping thread that tallied hunt stats has been removed, reducing IO overhead. The same functionality can now be triggered on demand via a VQL query when needed.

  • Removed old client API support. Support for legacy client API versions has been removed, simplifying the server codebase. The server now falls back to Frontend.Hostname when API.Hostname is not specified.

  • Email client compatibility. The SendEmail artifact now supports an alphanumeric-only MIME boundary mode. Some email clients (such as Evolution) struggle with the standard boundary characters prescribed by RFC 2045, so this option improves compatibility when sending multipart emails from Velociraptor.

  • Background dispatcher startup. The dispatcher now starts in the background, avoiding pauses at server startup and making the initialization sequence faster and more responsive.

Security improvements

  • Refactored event queues with caller tagging. Each event is now tagged with the caller’s ID, enabling listeners to verify the sender and reject messages from untrusted sources. This prevents users from sending events to privileged queues intended only for server-originated messages.
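    To make the caller-tagging design concrete, here is an added illustration in Go of the pattern described above. It is not Velociraptor's journal code: the Queues type, the queue names (Server.Internal.Example, User.Notifications) and the principal "alice" are all hypothetical. The point it demonstrates is that the caller ID is stamped by the trust boundary (Publish), never supplied by the publisher, so a privileged queue can refuse anything that is not server-originated, and listeners can check the tag as a second line of defence.

```go
package main

import (
	"errors"
	"fmt"
)

// Event is what listeners receive. Caller is filled in by the queue from the
// principal the server already authenticated; publishers cannot set it.
type Event struct {
	Queue   string
	Caller  string
	Payload string
}

// ServerCaller is the identity reserved for server-originated events.
const ServerCaller = "server"

var ErrPrivilegedQueue = errors.New("queue accepts server-originated events only")

// Queues holds per-queue listeners plus the set of queues that only the
// server itself may publish to. (Hypothetical type, not Velociraptor's API.)
type Queues struct {
	privileged map[string]bool
	listeners  map[string][]func(Event)
	rejected   []Event // retained so the example can report what was dropped
}

func NewQueues(privileged ...string) *Queues {
	q := &Queues{privileged: map[string]bool{}, listeners: map[string][]func(Event){}}
	for _, name := range privileged {
		q.privileged[name] = true
	}
	return q
}

func (q *Queues) Listen(queue string, fn func(Event)) {
	q.listeners[queue] = append(q.listeners[queue], fn)
}

// Publish is the single trust boundary: it derives Caller from principal and
// enforces that privileged queues accept only the server's own events.
func (q *Queues) Publish(principal, queue, payload string) error {
	ev := Event{Queue: queue, Caller: principal, Payload: payload}
	if q.privileged[queue] && ev.Caller != ServerCaller {
		q.rejected = append(q.rejected, ev)
		return ErrPrivilegedQueue
	}
	for _, fn := range q.listeners[queue] {
		fn(ev)
	}
	return nil
}

// Rejected returns how many events were dropped at the boundary.
func (q *Queues) Rejected() int { return len(q.rejected) }

// ServerOnly wraps a listener so it ignores events whose tag is not the
// server's, demonstrating listener-side verification of the caller tag.
func ServerOnly(fn func(Event)) func(Event) {
	return func(e Event) {
		if e.Caller == ServerCaller {
			fn(e)
		}
	}
}

// Demo wires one privileged queue and one ordinary queue, publishes as the
// server and as a user, and returns the callers each listener observed.
func Demo() (internalSeen, userSeen []string, errs []error) {
	q := NewQueues("Server.Internal.Example") // hypothetical privileged queue
	q.Listen("Server.Internal.Example", ServerOnly(func(e Event) {
		internalSeen = append(internalSeen, e.Caller)
	}))
	q.Listen("User.Notifications", func(e Event) { // hypothetical user queue
		userSeen = append(userSeen, e.Caller)
	})
	errs = append(errs, q.Publish(ServerCaller, "Server.Internal.Example", "state update"))
	errs = append(errs, q.Publish("alice", "Server.Internal.Example", "not allowed"))
	errs = append(errs, q.Publish("alice", "User.Notifications", "hello"))
	return internalSeen, userSeen, errs
}

func main() {
	internalSeen, userSeen, errs := Demo()
	fmt.Println("privileged queue saw callers:", internalSeen)
	fmt.Println("user queue saw callers:      ", userSeen)
	fmt.Println("publish results:             ", errs)
}
```

    The check lives in Publish rather than in each listener because a listener that forgets to verify the tag would otherwise become the weak point; the ServerOnly wrapper shows the belt-and-braces check a listener can still apply.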

  • Zip directory traversal prevention. The unzip() plugin has been hardened against directory traversal attacks, preventing malicious zip files from writing files outside the intended extraction directory.
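    The hardening described above boils down to one check an extractor must make before it opens any output file: resolve the entry name under the destination directory and refuse anything that ends up outside it. The following Go example, added here and not taken from Velociraptor's unzip() implementation, shows that check and runs it over a constructed in-memory archive containing one benign entry and two entries that try to escape. Nothing is written to disk; the destination path and entry names are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for any entry whose resolved path would leave destDir.
var ErrTraversal = errors.New("zip entry escapes the extraction directory")

// SafeTargetPath resolves a zip entry name under destDir and rejects entries
// that would land outside it: absolute or rooted paths, and ".." elements
// that climb above destDir after cleaning. Backslashes are normalised first
// so a name such as `..\..\x` is not waved through on a POSIX host.
func SafeTargetPath(destDir, entryName string) (string, error) {
	name := filepath.FromSlash(strings.ReplaceAll(entryName, "\\", "/"))
	if filepath.IsAbs(name) || strings.HasPrefix(name, string(filepath.Separator)) {
		return "", ErrTraversal
	}
	cleanDest := filepath.Clean(destDir)
	target := filepath.Join(cleanDest, name) // Join also collapses ".." elements
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", ErrTraversal
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

// CheckArchive reads an in-memory archive and partitions its entries into
// those safe to extract under destDir and those that must be rejected.
func CheckArchive(zipBytes []byte, destDir string) (safe, rejected []string, err error) {
	r, err := zip.NewReader(bytes.NewReader(zipBytes), int64(len(zipBytes)))
	// Since Go 1.20 NewReader may itself flag insecure names (ErrInsecurePath)
	// while still returning a usable reader; the policy applied here is our own.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, nil, err
	}
	for _, f := range r.File {
		if _, perr := SafeTargetPath(destDir, f.Name); perr != nil {
			rejected = append(rejected, f.Name)
		} else {
			safe = append(safe, f.Name)
		}
	}
	return safe, rejected, nil
}

// BuildSampleZip constructs a small archive in memory: one benign entry and
// two entries whose names point outside the extraction directory. This is
// constructed test data for the example, not a real sample.
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"notes/readme.txt", "../../outside.txt", "/absolute.txt"} {
		fw, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte("sample")); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	safe, rejected, err := CheckArchive(BuildSampleZip(), "/tmp/velociraptor-extract")
	if err != nil {
		panic(err)
	}
	fmt.Println("safe entries:    ", safe)
	fmt.Println("rejected entries:", rejected)
}
```

    The comparison is done on the cleaned, joined path rather than by searching the raw name for "..", so a legitimate name like "a/../b.txt" (which stays inside the directory) is accepted while ".." on its own or "../../outside.txt" is refused.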

  • YAML field validation for Secrets. The secrets service now validates YAML fields more rigorously when creating or updating secrets, catching misconfigurations earlier.

Artifact changes

New Artifacts

  • Server.Monitoring.RSSFeeds. Polls RSS feeds at a configurable interval and alerts users about new items via GUI messages.

  • ADX.Flows.Upload. Forwards flow results to Azure Data Explorer (ADX) for analysis using KQL queries.

  • Generic.Utils.Crypto. Utility artifact providing HMAC-SHA256 and other custom hash functions.

Removed Artifacts

  • Server.Internal.Enrollment, Server.Internal.FrontendMetrics, Server.Internal.Label, Server.Internal.Notifications, Server.Internal.Ping, Server.Internal.Pong, Server.Internal.TimelineAdd, and System.Hunt.Participation were removed as part of event queue refactoring where each event is now tagged with the caller’s ID for security.
  • Server.Import.ArtifactExchange. Renamed to Server.Import.ArtifactBundle (old name aliased for backward compatibility).

Changes to VQL Plugins, Functions, and Accessors

New

  • user_message(). Sends messages to GUI users from VQL queries.

  • user_messages(). Emits user console messages as a plugin.

  • adx_upload(). Uploads rows to Azure Data Explorer (ADX).

Improved

  • cache(). Updated to use disk-based LRU, allowing persistent caches across different queries. API updated to use VQL lambda for more intuitive usage.

  • memoize(). Updated to use disk-based LRU for persistence. Added period parameter for stale data refresh and filename parameter for file-backed storage.

  • index(). Changed to batch mode, providing much faster indexing performance.

Conclusions

There are many more new features and bug fixes in the latest release.

If you like the new features, take Velociraptor for a spin!

It is available on GitHub under an open source license. As always please file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord.