Threat Hunting & Incident Response with Velociraptor with Eric Capuano and Whitney Champion

Overview
- Course Length: 16 hours
- Support from expert instructors
- Includes a certificate of completion
- 12 months access to Cyber Range
Master the art of threat hunting and incident response with Velociraptor, a rapidly emerging powerhouse in cybersecurity.
This hands-on course, led by industry experts Eric Capuano and Whitney Champion, goes beyond the basics—unlocking Velociraptor’s full potential for rapid triage, deep forensic analysis, and proactive threat detection. Through immersive labs and real-world attack simulations, you’ll learn to craft custom queries, isolate compromised systems, and contain threats with precision. Dive into advanced features and customization, ensuring Velociraptor fits seamlessly into your security operations. Whether you’re refining your existing skills or exploring new strategies, this course equips you with immediately applicable expertise to stay ahead of evolving threats.
Who Should Attend:
This course goes beyond basic tool usage, focusing on practical application and mastery of Velociraptor in the context of threat hunting and incident response. By the end of this training, you will have a solid understanding of how to deploy Velociraptor effectively in your security operations, allowing you to respond to incidents swiftly and accurately. Whether you are a seasoned security professional or looking to enhance your incident response capabilities, this course will provide you with valuable insights and hands-on experience.
Key Takeaways:
Introduction to Velociraptor - Get an overview of Velociraptor’s architecture and capabilities. Learn how to set up and configure Velociraptor in various environments to maximize its effectiveness.
Effective Threat Hunting Techniques - Discover how to proactively search for indicators of compromise using Velociraptor. Learn how to craft and execute custom queries to detect suspicious activity across multiple endpoints.
Incident Response Workflow - Develop a comprehensive incident response strategy leveraging Velociraptor’s powerful features. Learn to quickly triage and isolate compromised systems, collect critical forensic data, and contain active threats.
Advanced Features and Customization - Explore the latest enhancements to Velociraptor that nearly double its potential as an IR tool. Understand how to customize and extend Velociraptor to fit your specific organizational needs.
Real-World Scenarios and Hands-On Labs - Engage in practical exercises that simulate real-world attacks. Apply what you’ve learned to identify, analyze, and respond to complex threats using Velociraptor in a controlled environment.
Applicable Business Skills
Participants will leave this course with immediately applicable skills in advanced threat hunting, forensic investigation, and incident response using Velociraptor. They will develop expertise in crafting and executing custom queries, automating data collection and analysis, and rapidly identifying and containing threats across enterprise environments. This training also emphasizes methodical investigation techniques, efficient triage workflows, and real-world incident response strategies that can be seamlessly integrated into security operations. By mastering Velociraptor’s advanced features and customization, attendees will enhance their organization’s ability to detect, analyze, and respond to security incidents faster and more effectively.
Audience Skill Level:
Intermediate
Course Learning Objectives:
Upon successful completion of this course, students will be able to:
- Deploy and configure Velociraptor in various environments, including local and cloud-based deployments
- Utilize Velociraptor for proactive threat hunting and real-time incident response
- Execute custom Velociraptor Query Language (VQL) queries to collect forensic artifacts and analyze endpoint data
- Automate detection, triage, and remediation workflows to streamline incident response operations
- Conduct deep forensic investigations, including persistence analysis, binary hunting, and network anomaly detection
- Leverage advanced Velociraptor features such as scheduled hunts, telemetry streaming, and automated labeling
Course Outline
Section 1: Getting Started with Velociraptor
- Introduction to Velociraptor (Lecture)
  - Overview of Velociraptor’s capabilities and architecture
  - Understanding the server-client model
- Deploying a Velociraptor Server (Lecture)
  - Local deployment on WSL
  - Cloud deployment options (AWS, self-hosted)
- Deploying Velociraptor Clients (Lecture)
  - Methods for deploying endpoint agents (EXE vs. MSI)
  - Automating agent deployment at scale
- Introduction to the Velociraptor GUI (Lecture)
  - Navigating the interface
  - Executing queries and analyzing results
🔬 Lab 1.0 – Deploying Local Velociraptor Server on WSL
🔬 Lab 1.0b (Optional) – Deploying Cloud Hosted Velociraptor Server
🔬 Lab 1.1 – Prepare to Collect Volatile Data
🔬 Lab 1.2 – Build and Deploy Client MSI
🔬 Lab 1.3 (Optional) – Building Custom MSIs
Section 2: Working with Artifacts and Notebooks
- Understanding Velociraptor Artifacts (Lecture)
  - Client vs. Server artifacts
  - How artifacts facilitate data collection and automation
- Using Notebooks for Analysis (Lecture)
  - Creating and modifying notebooks
  - Automating data correlation with VQL
Section 3: Advanced Data Collection & Threat Hunting
- Manual and Automated Binary Deployments (Lecture)
  - Deploying security tools (Sysmon, EDR) via Velociraptor
  - Automating deployments with hunts and real-time monitoring
- Real-time Eventing & Telemetry Streaming (Lecture)
  - Leveraging event-based artifacts for proactive monitoring
  - Using Windows ETW and Sysmon forwarding
- Scheduling Hunts and Automating Detection (Lecture)
  - Setting up scheduled hunts for continuous monitoring
  - Integrating Velociraptor with existing security workflows
- Auto-labeling Systems for Efficient Investigations (Lecture)
  - Automating endpoint classification based on behavioral data
🔬 Lab 3.1 – Deploy Sysmon
🔬 Lab 3.2 – Enable Eventing & Telemetry Streaming
🔬 Lab 3.3 (Optional, Recommended) – Deploy LimaCharlie EDR
🔬 Lab 3.4 (Optional) – Critical Service Deployment & Monitoring
🔬 Lab 3.5 (Optional) – Scheduled Hunts
🔬 Lab 3.6 (Optional) – Pushing Client Data to a CMDB
🔬 Lab 3.7 – Auto Labeling Systems
Section 4: Incident Response and Forensic Analysis
- Stacking Analysis & Baselining Systems (Lecture)
  - Identifying anomalies in processes, network connections, and services
- Real-time Event & Telemetry Analysis (Lecture)
  - Analyzing Sysmon logs, ETW events, and DNS queries in real-time
- Analyzing Event Logs with Sigma (Lecture)
  - Running Sigma rules for historical and real-time threat detection
- Scoping an Intrusion (Lecture)
  - Using artifacts to identify compromised hosts
  - Correlating known indicators of compromise (IOCs)
- Deep Forensic Investigation (Lecture)
  - Analyzing process execution timelines
  - Identifying persistence mechanisms
  - Uncovering untrusted binaries and malware
- Hunting Covert C2 Beacons (Lecture)
  - Using YARA rules for in-memory malware detection
- Eradication & Remediation (Lecture)
  - Removing persistence mechanisms and active threats
  - Ensuring complete containment and recovery
🔬 Lab 4.1 – Stacking Analysis with Notebooks
🔬 Lab 4.2 – Real-time Event & Telemetry Analysis
🔬 Lab 4.3 – Analyzing Event Logs with Sigma
🔬 Lab 4.4 – Initial Scoping
🔬 Lab 4.5 – Process & Network Analysis
🔬 Lab 4.6 – Binary Presence & Evidence of Execution
🔬 Lab 4.7 – Finding Persistence
🔬 Lab 4.8 – Malware Discovery
🔬 Lab 4.9 (Optional) – Identifying Initial Access
🔬 Lab 4.10 – Hunting Covert C2 Beacons
🔬 Lab 4.11 – Eradication
Section 5: Additional Considerations & Deprovisioning
- Hardening Velociraptor Deployments (Lecture)
  - Implementing authentication, encryption, and secure configurations
- Deprovisioning & Cleanup (Lecture)
  - Removing lab infrastructure (optional for cloud users)
🔬 Lab 5.0 (Optional) – Deprovision Cloud Resources
Wild West Hackin’ Fest – Deadwood (Oct 7th – Oct 8th, 2025) – Deadwood, SD
- October 7th – 8:30 AM to 5:00 PM MDT
- October 8th – 8:30 AM to 5:00 PM MDT
Blue Team Summit (Aug 28th – Aug 29th, 2025)
- August 28th – 9:00 AM to 6:00 PM EDT
- August 29th – 9:00 AM to 6:00 PM EDT
FAQ:
Do I need to set up my own Velociraptor server before the course?
No, we provide pre-configured lab environments, but we will guide you through deploying your own Velociraptor server during the course.
Do I need prior experience with Velociraptor to take this course?
No prior experience is required. We start with the fundamentals and progressively move into advanced use cases.
Is programming or scripting knowledge necessary?
Basic familiarity with command-line usage is helpful, but no programming or scripting experience is required. We will cover Velociraptor Query Language (VQL), but prior knowledge is not assumed.
What operating systems will we work with?
The course covers Velociraptor deployment and investigations across Windows, Linux, and macOS environments.
Will I need a cloud account to follow along?
No, but an optional lab includes cloud deployment steps if you want to set up your own cloud-hosted Velociraptor server.
Can I take what I learn and apply it to my organization’s environment immediately?
Yes, everything covered in this course is designed to be practical and directly applicable to real-world incident response and threat hunting.
Will we cover live incident response scenarios?
Yes, we include hands-on labs with real-world attack simulations, allowing you to apply what you’ve learned in a realistic environment.
System Requirements:
Any computer with a web browser will suffice, even a Chromebook. All lab VMs are hosted in the cloud.
Student Resources:
No student-provided resources are required.
Knowledge Requirements:
This course is designed for security practitioners with a foundational understanding of incident response, digital forensics, or threat hunting. While no prior experience with Velociraptor is required, familiarity with command-line interfaces (Windows CMD, PowerShell, Linux terminal) will be beneficial.
Recommended Prerequisites:
- Basic understanding of endpoint security concepts, system logs, and forensic artifacts
- Familiarity with cybersecurity fundamentals such as the MITRE ATT&CK framework and common attack techniques
- Experience with SIEMs, EDR tools, or forensic analysis platforms is helpful but not required
- Some exposure to YARA, Sigma, or query-based data analysis is useful but will be covered in class
Optional Pre-Class Materials:
To get the most out of this course, students can explore:
- The Velociraptor Documentation (docs.velociraptor.app) for an overview of its capabilities
- Introduction to Velociraptor Query Language (VQL) from the official Velociraptor resources for those wanting a head start on custom queries
This course provides everything needed to learn Velociraptor from the ground up, but having the above knowledge will help students maximize their learning experience.
This class is being taught at Wild West Hackin’ Fest – Deadwood 2025.
For more information about our conferences, visit Wild West Hackin’ Fest!
Live Training
- Collaborative interaction with Instructor and fellow students through the Antisyphon Discord class channel
- Access to course slides for future reference
- Tips, tools, and techniques that can be applied immediately upon returning to work
- Strengthen your skills by solving challenges within the Antisyphon Cyber Range
- Become part of a community driven to educate and share knowledge