This walkthrough demonstrates how to use Velociraptor for incident response during a Mimikatz infection.
An alert was triggered for Mimikatz on the wrk-price VM.
Your tasks are to:
- Quarantine the infected machine.
- Retrieve the malware for analysis.
- Search across the network for other instances of Mimikatz.
You receive the following alert from Wazuh:
Quarantine the host wrk-price in Velociraptor:
- Navigate to the Client tab.
- Select the Quarantine button.
A popup will appear. Add a reason for quarantining and confirm.
Once quarantined, the client icon updates to reflect its status:
Using VFS, navigate to the Downloads folder where Mimikatz was reported.
Collect mimikatz.exe to your Velociraptor server (note: Velociraptor server is Linux; Mimikatz runs only on Windows).
When collection is complete, download the file:
Verify in the Downloads directory that Mimikatz was retrieved.
Get the SHA256 hash of the file:
sha256sum mimikatz.exe
Result: Confirmed as Mimikatz.
Since the alert is a true positive, check for the presence of the file across other systems.
- Create a new hunt.
-
Assign a tag and description, ensuring it runs across all clients.
-
Select the artifact:
Windows.Search.FileFinder.
- Configure search parameters:
-
Provide the path where the file was found on
wrk-price. -
Use double wildcards
**for recursive search.
-
- Leave default settings for Specify Resources and continue to Review.
- Launch the hunt and start execution.
- After a few seconds, the hunt completes across two clients (note:
wrk-priceis still quarantined).
Open the Notebook tab for quick results review.
The results confirm:
- Mimikatz was also detected on wrk-colby.
- Quarantine wrk-colby.
- Clean the system.
- Analyze logs from both wrk-colby and wrk-price for persistence, lateral movement, and exfiltration attempts.

















