Module 8: Endpoint Visibility & Response
The endpoint is where attacks land. Learn to look inside it.
Tools: Velociraptor
5 lessons, 4 hands-on labs
Operation Shadow Broker Thread
You'll pivot from the Wazuh LSASS access alert to Velociraptor — confirming credential theft on the endpoint.
Lessons & Labs
Lesson: Why Endpoint Visibility Matters. What endpoints reveal that a SIEM can't.
Lesson: Velociraptor: Endpoint Investigation. Artifacts and VQL basics.
Lab 8.1 — Endpoint Collection. Collect running processes, network connections, and scheduled tasks.
Lesson: Live Process Investigation with VQL. Using Velociraptor to investigate suspicious processes, parent-child trees, and process anomalies in real time.
Lab 8.2 — Process Tree Investigation. Investigate a suspicious powershell.exe process.
Lesson: Hunting Persistence with Velociraptor. Using VQL artifacts to discover attacker persistence (scheduled tasks, services, registry, startup items) across endpoints.
Lab 8.3 — Persistence Hunt. Find the attacker's persistence mechanism.
Lesson: Endpoint Triage Workflow. SIEM alert → Velociraptor → confirm.
Lab 8.4 — SIEM to Endpoint. Pivot from a Wazuh alert into a Velociraptor investigation.