Velociraptor Forensic Use Case: Sys.Services
This Velociraptor forensic use case highlights how the Acorn enables live analysis of rogue Linux services, uncovering hidden threats and persistence mechanisms. Together, Velociraptor and the Acorn accelerate threat detection and response, helping investigators act fast across Linux endpoints.
Context
Cyber security expert John Smith has detected potential malicious activity on a compromised Linux endpoint. To further analyse suspicious background processes and system services, he uses Velociraptor’s “Sys.Services” hunt on the Acorn forensic workstation. This allows him to enumerate all active services, flagging any unrecognised or tampered daemons for deeper investigation.
Initiating the "Sys.Services" Hunt
• John launches Velociraptor on the Acorn and navigates to the Hunts interface.
• He selects “Sys.Services”, which is designed to enumerate and analyse active system services across Linux endpoints.
• To narrow the scope, he configures the hunt to focus on:
– Unrecognised services, including ones whose binaries do not belong to any installed package, that could be rogue processes.
– Services running under non-standard accounts, or as root from user-writable locations, indicating possible tampering or privilege escalation.
– Service binaries, command lines or contacted addresses that match known Indicators of Compromise (IOCs).
• John deploys the hunt to multiple endpoints, ensuring a wider scan of the organisation’s Linux infrastructure.

Executing the Hunt & Collecting Data
• Velociraptor systematically queries each targeted endpoint, retrieving details of all active system services and daemons.
• The collected results are returned to the Velociraptor server on the Acorn, where they are stored and indexed for further analysis.
• Reviewing the results, John flags anomalies such as:
– Services with unusual start-up commands (e.g., binaries launched from /tmp, /dev/shm or a home directory).
– Service processes linked to suspicious network activity, correlated with a separate network-connection collection.
– Service binaries whose hashes do not match package or system baselines.
Analysing Results & Investigating Malicious Services
• John accesses the Velociraptor Notebook Overview, where he reviews the Sys.Services results.
• He filters the dataset to focus on services with irregular behaviours, such as:
– Persistence mechanisms used by malware (e.g., unauthorised cron jobs, new or modified systemd units).
– Rogue daemons communicating with external servers (potential C2 activity).
– Recently created services without legitimate software associations.
• Using Velociraptor’s query capabilities, he correlates suspicious findings with known Linux threat intelligence databases.
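The triage described above (start-up command paths, service accounts, recently modified locally defined units, IOC matches) can be scripted against the rows a hunt returns. The following is an added example and is not code from the original page or from the Velociraptor project: the sample rows are constructed to resemble a JSON export from a Velociraptor notebook, and the column names (Name, UnitPath, ExecStart, User, Mtime), the baseline service-account list and the IOC patterns are assumptions for this example, not the artifact’s real schema.

```python
"""Triage service-enumeration rows exported from a hunt (added example)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample rows shaped like a notebook JSON export.
# Column names are an assumption for this example, not the artifact's schema.
SAMPLE_EXPORT = json.dumps([
    {"Name": "ssh.service", "UnitPath": "/lib/systemd/system/ssh.service",
     "ExecStart": "/usr/sbin/sshd -D $SSHD_OPTS", "User": "root",
     "Mtime": "2024-01-10T08:00:00Z"},
    {"Name": "cron.service", "UnitPath": "/lib/systemd/system/cron.service",
     "ExecStart": "/usr/sbin/cron -f", "User": "root",
     "Mtime": "2024-01-10T08:00:00Z"},
    {"Name": "systemd-helper.service",
     "UnitPath": "/etc/systemd/system/systemd-helper.service",
     "ExecStart": "/dev/shm/.x/update -c 203.0.113.7:443", "User": "root",
     "Mtime": "2024-06-02T03:14:00Z"},
    {"Name": "backup.service", "UnitPath": "/etc/systemd/system/backup.service",
     "ExecStart": "/home/jsmith/.local/bin/backup.sh", "User": "jsmith",
     "Mtime": "2024-05-30T22:00:00Z"},
])

# Reference time for the "recently modified" rule (fixed so the example is repeatable).
REFERENCE_NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)

# Directories a legitimate daemon should not be started from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
HIDDEN_SEGMENT = re.compile(r"/\.[^/]+/")          # e.g. /dev/shm/.x/
VENDOR_UNIT_DIRS = ("/lib/systemd/", "/usr/lib/systemd/")

# Assumed per-environment baseline of accounts that services may run as.
SERVICE_ACCOUNTS = {"root", "www-data", "postgres", "mysql", "messagebus",
                    "systemd-network", "systemd-resolve", "nobody"}

# Constructed IOC list (203.0.113.0/24 is a documentation range, not a real C2).
IOC_PATTERNS = [re.compile(r"203\.0\.113\.7"), re.compile(r"/\.x/update\b")]


def exec_binary(exec_start):
    """Return the executable path from an ExecStart= line, stripping systemd's
    special prefixes (-, @, :, +, !) that may precede the path."""
    parts = exec_start.strip().split()
    return parts[0].lstrip("-@+!:") if parts else ""


def triage(export_json, now=REFERENCE_NOW, recent_days=30,
           accounts=SERVICE_ACCOUNTS, iocs=IOC_PATTERNS):
    """Apply the triage rules to each row; return {service name: [reasons]}."""
    findings = {}
    for row in json.loads(export_json):
        binary = exec_binary(row.get("ExecStart", ""))
        unit_path = row.get("UnitPath", "")
        user = row.get("User", "root")          # systemd runs units as root by default
        mtime = datetime.fromisoformat(row["Mtime"].replace("Z", "+00:00"))
        reasons = []
        if binary.startswith(SUSPICIOUS_DIRS) or HIDDEN_SEGMENT.search(binary):
            reasons.append(f"binary started from scratch/home/hidden path {binary}")
        if user not in accounts:
            reasons.append(f"runs as non-standard account {user}")
        if (unit_path.startswith("/etc/systemd/system/")
                and (now - mtime).days <= recent_days):
            reasons.append(f"locally defined unit modified within {recent_days} days")
        if (row["Name"].startswith("systemd-")
                and not unit_path.startswith(VENDOR_UNIT_DIRS)):
            reasons.append("system-style name outside the vendor unit directories")
        if any(p.search(row.get("ExecStart", "")) for p in iocs):
            reasons.append("ExecStart matches a known IOC")
        if reasons:
            findings[row["Name"]] = reasons
    return findings


def run_sample():
    """Triage the constructed sample export with the fixed reference time."""
    return triage(SAMPLE_EXPORT, REFERENCE_NOW)


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

In the constructed data the two vendor units (ssh, cron) produce no findings, while the unit masquerading as a systemd component and the user-owned backup unit each trip several rules; in practice the account baseline and IOC list would be replaced with the organisation’s own, and the rows would come from the notebook export rather than the embedded sample.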

Forensic Reporting & Next Steps
• John compiles a forensic report summarising:
– Identified suspicious services and their associated metadata.
– Potential threats & Indicators of Compromise (IOCs).
– Recommendations for containment and remediation.
• He drafts the report in LibreOffice, embedding Velociraptor screenshots and analysis results, and exports it as a password-protected PDF.
• The findings are shared with the incident response team, who take immediate steps to neutralise malicious services on affected endpoints.
Why the Acorn Wins Here
• Rapid System Service Enumeration – Sys.Services hunts provide fast, automated listing of active services, helping forensic investigators detect threats quickly.
• Hidden Threat Detection – Velociraptor flags tampered or malicious services, making threat containment faster and more precise.
• Scalability Across Endpoints – The Acorn’s Velociraptor deployment allows investigators to hunt across multiple Linux systems simultaneously.
• Integrated DFIR Workflow – The Acorn enables collection, analysis, and reporting in one platform, streamlining forensic investigations.
Learn more about Velociraptor