What You'll Learn
- Use Velociraptor to remotely collect running processes, network connections, and scheduled tasks from a Linux endpoint
- Identify suspicious artifacts by comparing collected data against known-good baselines
- Investigate pre-planted C2 beacons, crypto miners, webshells, and persistence mechanisms
- Document endpoint collection findings in an annotated investigation report
- Understand the workflow from artifact selection to collection to analysis in Velociraptor
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-velociraptor |
| Containers | Velociraptor Server, Velociraptor Client |
| Estimated Time | 55 minutes |
| Difficulty | Intermediate |
| Browser Access | Velociraptor GUI (port 8889) |
| Pre-Loaded Data | Linux client with planted suspicious artifacts |
| Deliverable | Annotated collection results identifying at least 3 suspicious items |
Why Endpoint Collection Matters. SIEM alerts tell you something happened. Endpoint collection tells you exactly what is on the machine right now. Velociraptor lets you reach into any endpoint on your network and pull back detailed forensic data — running processes, open network sockets, scheduled tasks, file listings — without physical access or an interactive RDP or SSH session on the host.
The Scenario
Your SOC received an alert from Wazuh about suspicious outbound connections from a Linux endpoint (velociraptor-client). The alert flagged periodic connections to an unusual external IP. Rather than remoting into the machine directly, you'll use Velociraptor to remotely investigate what's running on the endpoint.
Unbeknownst to you, the endpoint has been compromised. Multiple artifacts have been planted:
- A C2 beacon script phoning home periodically
- An encoded payload used during initial access
- A crypto miner consuming CPU resources
- A webshell for persistent web access
- An SSH backdoor for alternative access
- Cron persistence to survive reboots
- A systemd service for additional persistence
Your job: use Velociraptor's collection artifacts to find at least 3 of these suspicious items and document your findings.
Part 1: Accessing Velociraptor and Finding the Client
Step 1: Log Into the Velociraptor GUI
Open the Velociraptor web interface:
- URL: Provided via the "Open Lab" button (port 8889)
- Username: `admin`
- Password: `cyberblue`
After logging in, you'll see the Velociraptor dashboard showing server status and connected clients.
Step 2: Locate the Client
- Click the magnifying glass icon (🔍) in the left sidebar or click "Show All" in the search bar
- You should see one connected client: the pre-configured Linux endpoint
- Click on the client name to open its detail view
Record the following:
- Client ID
- Hostname
- Operating system
- Last seen timestamp
Client Status. A green dot next to the client name means it's currently connected and responding to queries. A grey dot means it was previously seen but is not currently reachable. For this lab, the client should always show green.
Part 2: Collecting Running Processes
Step 3: Create a New Collection
- With the client selected, click the "Collected Artifacts" tab
- Click the "New Collection" button (+ icon)
- In the artifact search bar, type `Linux.Sys.Pslist`
- Select the artifact and click "Launch"
Step 4: Analyze Process Results
Once the collection completes (usually 5-10 seconds), click on the result to view the data. Look for:
- Unusual process names — anything that doesn't match standard system services
- Suspicious paths — processes running from `/tmp`, `/var/tmp`, or hidden directories (names starting with `.`). Check the command line as well as the executable path: a script started through an interpreter shows up as `bash` or `python`, and the script path appears only in its arguments
- High CPU usage — crypto miners often show elevated CPU
- Network-facing processes — web servers or listeners you didn't expect
Create a table of suspicious processes:
PROCESS COLLECTION RESULTS
═══════════════════════════
PID    | Name         | User     | Path                          | CPU % | Suspicious?
-------|--------------|----------|-------------------------------|-------|------------
[pid]  | [name]       | [user]   | [path]                        | [cpu] | [Yes/No + reason]
Part 3: Collecting Network Connections
Step 5: Collect Network Data
- Create a new collection using artifact `Linux.Sys.Netstat`
- Launch and wait for results
Step 6: Analyze Network Results
Look for:
- Outbound connections to external IPs (anything outside 10.x.x.x, 172.16-31.x.x, 192.168.x.x, and loopback 127.x.x.x)
- Listening services on unexpected ports
- Connections from suspicious processes (cross-reference with your process list)
- Periodic or beaconing patterns (same destination, regular intervals)
Document any suspicious connections:
NETWORK CONNECTION RESULTS
══════════════════════════
PID | Local Address | Remote Address | State | Process | Suspicious?
-------|------------------|--------------------|-------------|-------------|------------
[pid] | [local:port] | [remote:port] | [state] | [name] | [Yes/No + reason]
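The cross-referencing asked for in Steps 4 and 6 can be scripted once the two collections are exported. The following is an added example, not part of the lab and not Velociraptor's own code: it loads constructed rows shaped like `Linux.Sys.Pslist` and `Linux.Sys.Netstat` output (the column names are an assumption and may need mapping onto your export), flags processes by executable and command-line path, flags sockets by destination address and listening port, and joins the two on PID so each finding carries every reason at once. The internal address ranges, the expected-listener baseline, and all sample rows are assumptions made for the example.

```python
"""Triage exported Linux.Sys.Pslist and Linux.Sys.Netstat results.

Added example, not part of the lab or of Velociraptor. The rows below are
constructed to resemble the JSON behind the GUI's result grid; the column
names are an assumption, so map them onto whatever your export uses.
"""
import ipaddress
from pathlib import PurePosixPath

# Step 6 lists the RFC 1918 ranges; loopback, link-local and the unspecified
# address are added so they are never reported as "external". ip_address().is_private
# is deliberately not used: it also treats documentation ranges such as
# 203.0.113.0/24 (used below as a stand-in attacker address) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
SCRATCH_DIRS = [PurePosixPath(d) for d in ("/tmp", "/var/tmp", "/dev/shm")]
# Listeners this host is supposed to have (assumed baseline for the example).
EXPECTED_LISTENERS = {22, 80}


def is_external(ip: str) -> bool:
    """True when an address lies outside every internal range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def path_reasons(path: str) -> list[str]:
    """Why a file path looks wrong: scratch directories or hidden components."""
    if not path.startswith("/"):
        return []  # relative tokens on a command line cannot be judged here
    p = PurePosixPath(path)
    reasons = []
    if any(d in p.parents for d in SCRATCH_DIRS):
        reasons.append(f"runs from scratch directory: {path}")
    if any(part.startswith(".") for part in p.parts[1:]):
        reasons.append(f"hidden path component: {path}")
    return reasons


def process_reasons(proc: dict) -> list[str]:
    """Check the executable and every command-line argument: a script started
    through an interpreter has Exe=/bin/bash, and only the Cmdline shows
    /tmp/.cache/update.sh."""
    reasons = []
    for token in [proc.get("Exe", "")] + proc.get("Cmdline", "").split():
        for r in path_reasons(token):
            if r not in reasons:
                reasons.append(r)
    return reasons


def triage(pslist: list[dict], netstat: list[dict]) -> list[dict]:
    """Join sockets to processes on Pid; one finding per suspicious PID."""
    procs = {p["Pid"]: p for p in pslist}
    findings: dict[int, dict] = {}

    def flag(pid: int, reason: str) -> None:
        proc = procs.get(pid, {"Name": "<no pslist row>", "Exe": ""})
        f = findings.setdefault(pid, {"Pid": pid, "Name": proc["Name"], "Exe": proc["Exe"],
                                      "User": proc.get("Username", "?"), "Reasons": []})
        if reason not in f["Reasons"]:
            f["Reasons"].append(reason)

    for p in pslist:
        for r in process_reasons(p):
            flag(p["Pid"], r)
    for s in netstat:
        if s["State"] == "ESTABLISHED" and is_external(s["RemoteIP"]):
            flag(s["Pid"], f"outbound to external {s['RemoteIP']}:{s['RemotePort']}")
        elif s["State"] == "LISTEN" and s["LocalPort"] not in EXPECTED_LISTENERS:
            flag(s["Pid"], f"listener on unexpected port {s['LocalPort']}")
    return sorted(findings.values(), key=lambda f: f["Pid"])


# Constructed sample rows (not output from the lab client).
PSLIST = [
    {"Pid": 1, "Name": "systemd", "Exe": "/usr/lib/systemd/systemd", "Username": "root"},
    {"Pid": 733, "Name": "sshd", "Exe": "/usr/sbin/sshd", "Username": "root"},
    {"Pid": 1402, "Name": "nginx", "Exe": "/usr/sbin/nginx", "Username": "www-data"},
    {"Pid": 2217, "Name": "xmr-stak", "Exe": "/var/tmp/.fonts/xmr-stak", "Username": "root"},
    {"Pid": 2305, "Name": "bash", "Exe": "/bin/bash",
     "Cmdline": "/bin/bash /tmp/.cache/update.sh", "Username": "root"},
    {"Pid": 2410, "Name": "sshd", "Exe": "/opt/.hidden/backdoor", "Username": "root"},
]
NETSTAT = [
    {"Pid": 733, "LocalIP": "0.0.0.0", "LocalPort": 22, "RemoteIP": "0.0.0.0", "RemotePort": 0, "State": "LISTEN"},
    {"Pid": 1402, "LocalIP": "0.0.0.0", "LocalPort": 80, "RemoteIP": "0.0.0.0", "RemotePort": 0, "State": "LISTEN"},
    {"Pid": 2410, "LocalIP": "0.0.0.0", "LocalPort": 2222, "RemoteIP": "0.0.0.0", "RemotePort": 0, "State": "LISTEN"},
    {"Pid": 2305, "LocalIP": "192.168.10.15", "LocalPort": 51824, "RemoteIP": "185.220.101.42", "RemotePort": 4445, "State": "ESTABLISHED"},
    {"Pid": 2217, "LocalIP": "192.168.10.15", "LocalPort": 51900, "RemoteIP": "203.0.113.77", "RemotePort": 3333, "State": "ESTABLISHED"},
    {"Pid": 733, "LocalIP": "192.168.10.15", "LocalPort": 22, "RemoteIP": "192.168.10.5", "RemotePort": 50112, "State": "ESTABLISHED"},
]

if __name__ == "__main__":
    for f in triage(PSLIST, NETSTAT):
        print(f"{f['Pid']:>6} | {f['Name']:<10} | {f['User']:<8} | {f['Exe']}")
        for r in f["Reasons"]:
            print(f"       - {r}")
```

Export each result grid as JSON or CSV, load the rows into the two lists, and adjust the column names. The output feeds the two tables above directly: the reasons attached to each PID are what belong in the "Suspicious?" column, and a process that is flagged both for its path and for its socket is the strongest kind of finding.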
Part 4: Collecting Scheduled Tasks and Persistence
Step 7: Collect Cron Jobs
- Create a new collection using artifact `Linux.Sys.Crontab`
- Launch and review results
Step 8: Collect Systemd Services
- Create a new collection for systemd services: search the artifact list for "systemd", or use `Linux.Search.FileFinder` with a glob covering `/etc/systemd/system/` to pull back the unit files themselves
- Look for any non-standard services, and read the ExecStart line of every unit you don't recognise: the unit name and Description can say anything, but ExecStart is what actually runs
Step 9: Check for Additional Persistence
Collect the following artifacts to check more persistence locations:
- `Linux.Sys.BashHistory` — command history
- `Linux.Sys.SSHKeys` — authorized SSH keys
Document ALL persistence mechanisms you find:
PERSISTENCE MECHANISMS FOUND
═════════════════════════════
Type | Location | Details | Risk
---------------|-----------------------------|-----------------------------|------
Cron job | [crontab location] | [schedule + command] | [H/M/L]
Systemd svc | [service file] | [service details] | [H/M/L]
SSH key | [authorized_keys path] | [key fingerprint] | [H/M/L]
Hidden Directories Matter. Attackers commonly hide files in directories starting with a dot (.) like /tmp/.cache/ or /var/tmp/.fonts/. These directories don't appear in standard ls output unless you use ls -la. Velociraptor's file listing artifacts will reveal them.
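For each persistence entry in the table above the questions are the same: what runs, when, as whom, and whether it belongs on this host. The following is an added example, not lab material and not Velociraptor code, that answers those questions for constructed inputs: it reads `/etc/crontab`-style lines and turns the schedule into plain English, extracts ExecStart and related fields from a systemd unit, and computes the SHA256 fingerprint of each authorized key so it can be compared against a baseline. The crontab text, the unit file, the key blobs (base64 of placeholder bytes, not real keys) and the baseline are all constructed for the example.

```python
"""Triage persistence collected in Part 4: cron entries, a systemd unit and
authorized_keys. Added example, not part of the lab or of Velociraptor; every
input below is constructed and is not output from the lab client."""
import base64
import configparser
import hashlib
import re

# Scratch directories or any hidden (dot-prefixed) path component in a command.
SUSPECT_PATH = re.compile(r"(?:^|[\s=\"'])(?:/tmp/|/var/tmp/|/dev/shm/)|/\.[^/\s]")


def describe_schedule(fields):
    """Plain-English reading of the five cron time fields (common shapes only)."""
    minute, hour, dom, month, dow = fields
    if [hour, dom, month, dow] == ["*"] * 4:
        if minute == "*":
            return "every minute"
        step = re.fullmatch(r"\*/(\d+)", minute)
        if step:
            return f"every {step.group(1)} minutes"
        if minute.isdigit():
            return f"hourly at minute {minute}"
    if [dom, month, dow] == ["*"] * 3 and minute.isdigit() and hour.isdigit():
        return f"daily at {int(hour):02d}:{int(minute):02d}"
    return "custom schedule: " + " ".join(fields)


def parse_crontab(text, system=False):
    """Parse crontab text; system=True for the /etc/crontab layout with a user column."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]+=", line):
            continue  # comment or environment assignment such as PATH=...
        if line.startswith("@"):  # @reboot, @daily, ...
            special, rest = line.split(None, 1)
            schedule = {"@reboot": "at boot"}.get(special, special.lstrip("@"))
        else:
            parts = line.split(None, 5)
            schedule, rest = describe_schedule(parts[:5]), parts[5]
        user = None
        if system:
            user, rest = rest.split(None, 1)
        entries.append({"schedule": schedule, "user": user, "command": rest,
                        "suspicious": bool(SUSPECT_PATH.search(rest))})
    return entries


def parse_unit(text):
    """Pull the fields that matter for triage out of a systemd unit file."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep ExecStart, not execstart
    cp.read_string(text)
    exec_start = cp.get("Service", "ExecStart", fallback="")
    return {"description": cp.get("Unit", "Description", fallback=""),
            "exec_start": exec_start,
            "user": cp.get("Service", "User", fallback="root"),  # systemd default
            "wanted_by": cp.get("Install", "WantedBy", fallback=""),
            "suspicious": bool(SUSPECT_PATH.search(exec_start))}


def ssh_fingerprint(blob_b64):
    """SHA256 fingerprint of a public-key blob, in the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).rstrip(b"=").decode()


def audit_authorized_keys(text, baseline):
    """One record per key; `known` is False for fingerprints outside the baseline.
    Options containing spaces (command="a b") are not handled by this splitter."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        i = next(j for j, t in enumerate(parts) if t.startswith(("ssh-", "ecdsa-", "sk-")))
        fp = ssh_fingerprint(parts[i + 1])
        keys.append({"type": parts[i], "fingerprint": fp, "options": parts[:i],
                     "comment": " ".join(parts[i + 2:]), "known": fp in baseline})
    return keys


# Constructed samples; the paths reuse the ones named in the lab questions.
CRONTAB = """\
# /etc/crontab (constructed)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/.cache/update.sh > /dev/null 2>&1
@reboot root /opt/.hidden/backdoor
"""
UNIT = """\
[Unit]
Description=System Update Helper

[Service]
ExecStart=/opt/.hidden/backdoor --listen 2222
Restart=always

[Install]
WantedBy=multi-user.target
"""
KNOWN_BLOB = base64.b64encode(b"constructed analyst key, not a real key").decode()
ROGUE_BLOB = base64.b64encode(b"constructed planted key, not a real key").decode()
AUTHORIZED_KEYS = f"ssh-ed25519 {KNOWN_BLOB} analyst@soc-workstation\nssh-rsa {ROGUE_BLOB} backup\n"
BASELINE = {ssh_fingerprint(KNOWN_BLOB)}  # fingerprints your inventory expects here

if __name__ == "__main__":
    for e in parse_crontab(CRONTAB, system=True):
        print("cron    |", e["schedule"], "|", e["user"], "|", e["command"], "| SUSPICIOUS" if e["suspicious"] else "")
    u = parse_unit(UNIT)
    print("systemd |", u["exec_start"], "|", u["user"], "| SUSPICIOUS" if u["suspicious"] else "")
    for k in audit_authorized_keys(AUTHORIZED_KEYS, BASELINE):
        print("ssh key |", k["fingerprint"], "|", k["comment"], "" if k["known"] else "| NOT IN BASELINE")
```

The fingerprint is the value to put in the "Details" column for an SSH key: it is stable across hosts, so a key seen in one `authorized_keys` file can be matched against keys collected elsewhere, and it is what `ssh-keygen -lf` prints for the same key. For a user crontab (`crontab -l` output or `/var/spool/cron/crontabs/<user>`) call `parse_crontab` with `system=False`, since those lines have no user column.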
Part 5: Building the Investigation Report
Step 10: Compile Your Findings
Combine all your collection results into a single investigation report:
ENDPOINT COLLECTION REPORT
═══════════════════════════
Endpoint: [client hostname]
Client ID: [Velociraptor client ID]
Investigation Date: [today's date]
Analyst: [your name]
SUMMARY OF FINDINGS
───────────────────
Total suspicious items identified: [count]
FINDING 1: [Title]
Category: [Process / Network / Persistence]
Evidence: [specific data from collection]
Risk Level: [Critical / High / Medium / Low]
Recommendation: [what should be done]
FINDING 2: [Title]
Category: [Process / Network / Persistence]
Evidence: [specific data from collection]
Risk Level: [Critical / High / Medium / Low]
Recommendation: [what should be done]
FINDING 3: [Title]
Category: [Process / Network / Persistence]
Evidence: [specific data from collection]
Risk Level: [Critical / High / Medium / Low]
Recommendation: [what should be done]
TIMELINE
────────
[Reconstruct a timeline of how the compromise likely occurred based on your findings]
Deliverable Checklist
Before completing the lab, ensure you have:
- Process Collection — ran `Linux.Sys.Pslist` and identified suspicious processes
- Network Collection — ran `Linux.Sys.Netstat` and identified suspicious connections
- Persistence Collection — checked cron, systemd, SSH keys, and bash history
- At Least 3 Suspicious Items — documented with evidence from Velociraptor collections
- Investigation Report — compiled findings with risk levels and recommendations
Key Takeaways
- Velociraptor enables remote forensic collection without needing direct access to the endpoint
- The artifact-based collection model lets you pull exactly the data you need (processes, network, files, persistence)
- Attackers hide in plain sight — suspicious processes in hidden directories, encoded payloads, and disguised service names
- Cross-referencing process data with network data reveals the full picture (which process is making which connection)
- Every collection should result in a structured report that other analysts can act on
What's Next
In Lab 8.2 — Process Tree Investigation, you'll dive deeper into process analysis. Instead of just listing running processes, you'll trace parent-child relationships to reconstruct execution chains and determine how a suspicious process was launched.
Lab Challenge: Endpoint Collection
10 questions · 70% to pass
After logging into Velociraptor and finding the connected client, which artifact would you collect FIRST to see all running processes on a Linux endpoint?
You collected processes and see one running from '/var/tmp/.fonts/xmr-stak'. What type of malicious activity does this most likely represent?
You find a process running from '/tmp/.cache/update.sh'. What makes this path suspicious from a security perspective?
Using the Linux.Sys.Netstat artifact, you see an ESTABLISHED connection to 185.220.101.42:4445. How would you cross-reference this with your process collection?
You discover an unauthorized SSH key in /root/.ssh/authorized_keys. What type of persistence mechanism is this?
The crontab collection reveals an entry: '*/5 * * * * /tmp/.cache/update.sh > /dev/null 2>&1'. What does this cron schedule mean?
You find a systemd service file that starts a binary from /opt/.hidden/backdoor. What Velociraptor artifact would help you examine the actual service configuration?
When documenting your findings, why is it important to record the PID, path, and user context for each suspicious process — not just the process name?
You've identified a C2 beacon, a crypto miner, and an SSH backdoor. In your investigation report, what risk level should you assign to the C2 beacon?
After completing all collections, what is the MOST important next step before closing your investigation?