Megaraptor MCP

Search and list Velociraptor clients (endpoints).

Args: search: Optional search query. Supports prefixes like 'label:' and 'host:'. Examples: 'label:production', 'host:workstation-01', 'windows' limit: Maximum number of clients to return (default 100)

Returns: List of clients with their ID, hostname, OS, labels, and last seen time.

Get detailed information about a specific Velociraptor client.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef')

Returns: Detailed client information including hardware, OS, IP addresses.

Add or remove labels from a Velociraptor client.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') labels: List of label names to add or remove operation: Either 'add' or 'remove' (default: 'add')

Returns: Updated client labels.

Quarantine or unquarantine a Velociraptor client.

Quarantining a client isolates it from the network while maintaining communication with the Velociraptor server.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') quarantine: True to quarantine, False to unquarantine (default: True) message: Optional message to include with the quarantine action

Returns: Quarantine status of the client.

List available Velociraptor artifacts.

Args: search: Optional search term to filter artifacts by name or description artifact_type: Optional type filter: 'CLIENT', 'SERVER', or 'NOTEBOOK' limit: Maximum number of artifacts to return (default 100)

Returns: List of artifacts with their names, descriptions, and types.

Get the full definition of a Velociraptor artifact.

Args: artifact_name: The name of the artifact (e.g., 'Windows.System.Pslist')

Returns: Complete artifact definition including parameters, sources, and VQL.

Schedule artifact collection on a Velociraptor client.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') artifacts: List of artifact names to collect parameters: Optional dict of parameters for the artifacts. Format: {"ArtifactName": {"param1": "value1"}} timeout: Query timeout in seconds (default 600) urgent: If True, prioritize this collection (default False)

Returns: Flow ID for tracking the collection.

Create a new Velociraptor hunt to collect artifacts across multiple clients.

Args: artifacts: List of artifact names to collect description: Description of the hunt's purpose parameters: Optional parameters for artifacts. Format: {"ArtifactName": {"param": "value"}} include_labels: Only include clients with these labels exclude_labels: Exclude clients with these labels os_filter: Filter by OS: 'windows', 'linux', 'darwin' timeout: Query timeout per client in seconds (default 600) expires_hours: Hunt expiration in hours (default 24) paused: Create hunt in paused state (default True for safety)

Returns: Hunt ID and details.

List Velociraptor hunts.

Args: state: Optional filter by state: 'RUNNING', 'PAUSED', 'STOPPED', 'COMPLETED' limit: Maximum number of hunts to return (default 50)

Returns: List of hunts with their status and statistics.

Get results from a Velociraptor hunt.

Args: hunt_id: The hunt ID (e.g., 'H.1234567890') artifact: Optional specific artifact to get results for limit: Maximum number of result rows to return (default 1000)

Returns: Hunt results data from all clients.

Modify a Velociraptor hunt state.

Args: hunt_id: The hunt ID (e.g., 'H.1234567890') action: Action to perform: 'start', 'pause', 'stop', 'archive'

Returns: Updated hunt status.

List collection flows for a Velociraptor client.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') limit: Maximum number of flows to return (default 50)

Returns: List of flows with their status and artifacts.

Get results from a specific Velociraptor collection flow.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') flow_id: The flow ID (e.g., 'F.1234567890') artifact: Optional specific artifact to get results for limit: Maximum number of result rows to return (default 1000)

Returns: Collection results data.

Get the status of a specific collection flow.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') flow_id: The flow ID (e.g., 'F.1234567890')

Returns: Flow status including state, progress, and any errors.

Cancel a running collection flow.

Args: client_id: The client ID (e.g., 'C.1234567890abcdef') flow_id: The flow ID (e.g., 'F.1234567890')

Returns: Cancellation status.

Execute an arbitrary VQL (Velociraptor Query Language) query.

VQL is the query language used by Velociraptor for forensic analysis. It follows a SQL-like syntax with plugins instead of tables.

Common VQL patterns:

• SELECT * FROM info() -- Get server info

• SELECT * FROM clients() -- List all clients

• SELECT * FROM pslist() -- List processes (client artifact)

• SELECT * FROM Artifact.Windows.System.Pslist() -- Run artifact

Args: query: The VQL query to execute env: Optional environment variables to pass to the query. Use this to safely pass dynamic values instead of string interpolation. max_rows: Maximum number of rows to return (default 10000) org_id: Optional organization ID for multi-tenant deployments

Returns: Query results as JSON.

Get help on VQL (Velociraptor Query Language).

Args: topic: Optional topic to get help on. Options: - 'syntax': VQL syntax basics - 'plugins': Common VQL plugins - 'functions': Common VQL functions - 'examples': Example queries

Returns: Help text for the requested topic.

Deploy a Velociraptor server for incident response.

Args: deployment_type: Deployment target - 'docker', 'binary', 'aws', or 'azure' profile: Deployment profile - 'rapid' (auto-destroys in 72h), 'standard', or 'enterprise' server_hostname: Hostname for the server (used in certificates and config) gui_port: Port for GUI/API access (default 8889) frontend_port: Port for client connections (default 8000) target_host: Target host for binary deployment (required for binary type) ssh_user: SSH username for binary deployment ssh_key_path: Path to SSH private key for binary deployment

Returns: Deployment details including server URL, API URL, and admin credentials. IMPORTANT: Admin password is shown only once - save it immediately.

Deploy Velociraptor server using Docker (fastest method).

Optimized for rapid incident response. Server will be operational within 2-5 minutes.

Args: profile: Deployment profile ('rapid', 'standard', 'enterprise') server_hostname: Hostname for server access gui_port: GUI/API port (default 8889) frontend_port: Client connection port (default 8000) memory_limit: Container memory limit (default 4g) cpu_limit: Container CPU limit (default 2)

Returns: Deployment details including URLs and one-time admin password.

Deploy Velociraptor server on cloud infrastructure.

Deploys using CloudFormation (AWS) or ARM templates (Azure).

Args: cloud_provider: Cloud provider - 'aws' or 'azure' profile: Deployment profile ('standard' or 'enterprise') region: Cloud region (defaults to us-east-1 for AWS, eastus for Azure) instance_type: VM instance type (auto-selected based on profile) server_hostname: Hostname for server (defaults to public IP)

Returns: Deployment details including cloud resource IDs and URLs.

Check the status and health of a deployment.

Args: deployment_id: The deployment identifier (e.g., 'vr-20240115-a1b2c3d4')

Returns: Current deployment status including health checks and metrics.

Destroy a Velociraptor deployment and clean up resources.

WARNING: This action is irreversible. All data will be lost.

Args: deployment_id: The deployment identifier to destroy confirm: Must be True to confirm destruction

Returns: Destruction status and cleanup details.

List all managed Velociraptor deployments.

Args: profile_filter: Filter by profile name ('rapid', 'standard', 'enterprise') include_destroyed: Include destroyed deployments

Returns: List of deployments with their current status.

Generate an agent installer package with embedded configuration.

Creates platform-specific installers that can be deployed without additional configuration.

Args: deployment_id: The deployment to generate installer for os_type: Target OS - 'windows', 'linux', or 'macos' installer_type: Installer format - 'msi', 'deb', 'rpm', or 'pkg' (auto-selected based on os_type if not specified) labels: Labels to apply to agents installed with this package

Returns: Path to generated installer and installation instructions.

Create an offline collection package for air-gapped systems.

Generates a self-contained package that collects forensic artifacts without requiring network connectivity to a Velociraptor server.

Args: artifacts: List of artifacts to collect (e.g., ['Windows.System.Pslist']) target_os: Target OS - 'windows', 'linux', or 'macos' artifact_set: Use predefined artifact set instead of listing artifacts. Options: 'windows_triage', 'windows_quick', 'linux_triage', 'macos_triage', 'memory', 'ransomware' encrypt_output: Encrypt collection output with a generated password deployment_id: Optional deployment ID for tracking

Returns: Path to generated collector package and usage instructions.

Generate a GPO deployment bundle for Windows domain environments.

Creates MSI installer, configuration files, and step-by-step GPO setup documentation.

Args: deployment_id: The deployment to generate package for domain_controller: Name of the domain controller (for share paths) labels: Labels to apply to deployed agents

Returns: Path to GPO package and deployment instructions.

Generate Ansible playbook for agent deployment.

Creates a complete Ansible role with tasks for all selected platforms.

Args: deployment_id: The deployment to generate playbook for include_windows: Include Windows deployment tasks include_linux: Include Linux deployment tasks include_macos: Include macOS deployment tasks labels: Labels to apply to deployed agents

Returns: Path to generated playbook directory and usage instructions.

Push Velociraptor agents to Windows systems via WinRM.

Args: deployment_id: The deployment to connect agents to targets: List of target hostnames or IPs username: Windows username (DOMAIN\user or user@domain) password: Windows password labels: Labels to apply to deployed agents use_ssl: Use HTTPS for WinRM (default True) port: WinRM port (default 5986 for HTTPS)

Returns: Deployment results for each target.

Push Velociraptor agents to Linux/macOS systems via SSH.

Args: deployment_id: The deployment to connect agents to targets: List of target hostnames or IPs username: SSH username key_path: Path to SSH private key (preferred) password: SSH password (if not using key) target_os: Target OS - 'linux' or 'macos' labels: Labels to apply to deployed agents port: SSH port (default 22)

Returns: Deployment results for each target.

Verify agent enrollment status for a deployment.

Checks which agents have successfully enrolled with the server.

Args: deployment_id: The deployment to check client_search: Optional search filter for client hostname/ID labels: Filter by client labels

Returns: List of enrolled clients and their status.

Generate Velociraptor server configuration file.

Args: deployment_id: The deployment to generate config for output_format: Output format - 'yaml' or 'json'

Returns: Server configuration content.

Generate API client credentials for MCP connection.

Creates a new API client certificate for connecting this MCP server to a Velociraptor deployment.

Args: deployment_id: The deployment to generate credentials for client_name: Name for the API client validity_days: Certificate validity in days

Returns: API credentials in Velociraptor config file format. IMPORTANT: Save these credentials - they can only be displayed once.

Rotate certificates for a deployment.

WARNING: Rotating CA certificate will require re-enrollment of all agents.

Args: deployment_id: The deployment to rotate certificates for rotate_ca: Also rotate the CA certificate (requires re-enrollment) validity_days: Validity period for new certificates

Returns: New certificate fingerprints and re-enrollment instructions.

Run comprehensive security and health validation on a deployment.

Checks:

• Server accessibility

• Certificate validity

• Service health

• Security configuration

Args: deployment_id: The deployment to validate

Returns: Detailed validation report with any issues found.

Generate comprehensive deployment documentation.

Creates documentation including:

• Server access details

• Agent deployment guides

• Security configuration

• Troubleshooting guides

Args: deployment_id: The deployment to document output_path: Optional path for documentation files

Returns: Path to generated documentation.