Module 8: Endpoint Visibility & Response
The endpoint is where attacks land. Learn to look inside it.
Lessons
Why Endpoint Visibility Matters
What endpoints reveal that SIEM can't
Velociraptor: Endpoint Investigation
Artifacts, VQL basics
Process Analysis
Suspicious processes, parent-child trees
Persistence Mechanisms
Tasks, services, registry, startup
Endpoint Triage Workflow
SIEM alert → Velociraptor → confirm
Labs
Lab 8.1 — Endpoint Collection
Use Velociraptor to remotely collect running processes, network connections, and scheduled tasks from a compromised endpoint. Identify C2 beacons, crypto miners, and persistence mechanisms.
Lab 8.2 — Process Tree Investigation
Trace parent-child process relationships using Velociraptor to reconstruct a suspicious execution chain. Analyze command lines, user context, and timing to determine whether the activity is malicious.
Lab 8.3 — Persistence Hunt
Systematically search a compromised endpoint for all persistence mechanisms — cron jobs, systemd services, SSH keys, shell config backdoors, and init scripts — using Velociraptor.
Lab 8.4 — SIEM to Endpoint
Start from a Wazuh alert, pivot to Velociraptor for endpoint investigation, and build a complete incident narrative connecting SIEM detection to endpoint forensic evidence.