EvilRaptor: Using Velociraptor as a C2 during Red Team Engagements

In the recent past, it was a significant challenge to create undetectable C2 agents. Our red team spent the majority of their time making these agents covert to get a foothold on our clients' infrastructure. This led us to shift toward non-traditional C2 tools during engagements.

We began using legitimate Microsoft tools like Teams and OneDrive for data exfiltration and infiltration. This technique was highly successful and went undetected approximately 90% of the time. This confirmed our strategy of using trusted, common tools and applications during our engagements.

We now spend more time in the information gathering stage to identify the applications and tools our clients use. We also focus on finding vulnerable web servers that are prone to host header redirection. Since several vendor products are vulnerable to this, we started to make use of those trusted web applications as our redirectors.

In modern Red Team Assessments, the goal isn't just to gain access; it's to operate undetected, mirroring the techniques of Advanced Persistent Threats (APTs). This requires a Command and Control (C2) framework that is both flexible and difficult to detect. While traditional C2s are common, we here at Hackyde Red Team are increasingly turning to dual-use tools—legitimate software with powerful capabilities that can be repurposed for offensive operations.

Velociraptor is a powerful, open-source endpoint visibility and digital forensics platform. It’s typically used by Blue Teams for incident response, threat hunting, and data collection. However, its architecture—a centralised server communicating with lightweight, persistent agents (clients)—makes it an exceptional, low-risk C2 channel for a red team engagement.

Using Velociraptor for C2 allows red teams to take a living-off-the-land approach, using tooling that is often already whitelisted or trusted within the target environment, which makes detection significantly harder.

Why Velociraptor Excels as a Covert C2

Unlike high-frequency, anomalous traffic generated by typical C2 malware, Velociraptor clients communicate using a "pull" model and can be configured for a very low heartbeat frequency. This traffic often looks like standard internal management or update communication, helping it blend in with normal network noise.

  • Asynchronous Communication: The client initiates the connection to the server and checks for new commands, reducing the chance of an immediate detection from firewall or IDS alerts looking for persistent incoming connections.
  • TLS Encryption: All communications are encrypted with TLS, which is standard practice for legitimate business applications, providing a level of obscurity.

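A detection counterpart to the polling behaviour described above, added here as an example and not part of the original post: the script groups connections from a constructed firewall/proxy export by source and destination and flags pairs whose inter-connection gaps are nearly constant, which is what a fixed low heartbeat looks like however long the period is. The log format, field order and thresholds are assumptions.

```python
# Added example (not from the post): flag the fixed-interval "pull" polling
# described above in a constructed firewall/proxy export ('ISO8601|src|dst:port').
# A client on a steady heartbeat leaves near-identical gaps per (src, dst) pair.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.15 polls every ~10 min with slight jitter;
# 10.0.0.22 reaches a server on the same port at irregular times.
SAMPLE_LOG = """\
2024-05-01T08:00:00|10.0.0.15|203.0.113.7:443
2024-05-01T08:10:02|10.0.0.15|203.0.113.7:443
2024-05-01T08:19:58|10.0.0.15|203.0.113.7:443
2024-05-01T08:30:01|10.0.0.15|203.0.113.7:443
2024-05-01T08:40:00|10.0.0.15|203.0.113.7:443
2024-05-01T08:01:10|10.0.0.22|198.51.100.9:443
2024-05-01T08:01:45|10.0.0.22|198.51.100.9:443
2024-05-01T08:14:02|10.0.0.22|198.51.100.9:443
2024-05-01T08:52:30|10.0.0.22|198.51.100.9:443
2024-05-01T09:40:00|10.0.0.22|198.51.100.9:443
"""

def group_by_pair(log):
    """Collect sorted connection timestamps per (src, dst) pair."""
    pairs = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, src, dst = line.split("|")
            pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in pairs.items()}

def find_beacons(log, min_hits=5, max_cv=0.1, min_period_s=60.0):
    """Return (src, dst, mean_period_s) for pairs whose gaps are near-constant.
    Coefficient of variation (stdev/mean) stays low for a fixed heartbeat however
    long the period; min_period_s drops rapid keep-alive chatter.
    """
    hits = []
    for (src, dst), stamps in group_by_pair(log).items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period >= min_period_s and pstdev(gaps) / period <= max_cv:
            hits.append((src, dst, round(period, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"periodic polling: {src} -> {dst} every ~{period}s")
```

On real data, run it per day over proxy or NetFlow exports and tune `max_cv` upward if the agent adds jitter; a long, steady period with a low coefficient of variation is the signal, not the request rate.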
The Power of VQL and Artifacts

The platform’s custom query language, VQL (Velociraptor Query Language), and its vast library of built-in Artifacts are the real game-changers. This allows red teams to execute complex operations without deploying custom binaries on the endpoint.

  • Remote Code Execution: VQL includes functions to run commands (`execve`) or PowerShell scripts, effectively giving you a remote shell to operate within the environment, all channeled through the trusted Velociraptor agent.
  • Pre-built Capabilities: Red teams can leverage existing artifacts to perform tasks like dumping password hashes, executing file system searches, and even memory forensics—activities that usually require dropping and running specific attack tools.
  • Data Exfiltration: Velociraptor's core function is data collection, so exfiltration is a native, built-in feature, making it straightforward to transfer collected loot back to the C2 server without raising alarms.

The best and most efficient way to get BloodHound-like data using Velociraptor is to run the official built-in artifact:

`Windows.ActiveDirectory.BloodHound`

This artifact is specifically designed to deploy and execute the SharpHound collector (the official BloodHound data collection tool) on a target host. It then gathers the output and uploads the resulting JSON files back to the Velociraptor server.

How to Use the Artifact
  1. Start a New Hunt/Collection: On your Velociraptor server, create a new Hunt (for a group of machines) or a new Collection (for a single host).
  2. Select the Artifact: Search for and select the artifact: Windows.ActiveDirectory.BloodHound.
  3. Configure Parameters:
    • You can set the standard SharpHound collection methods (e.g., All, Default, Group, Session, etc.) via the artifact's parameters.
    • Crucially: You should only run this artifact on a few, carefully selected domain-joined hosts or your domain controllers. Running it on every endpoint in a large domain is unnecessary and can be inefficient.
  4. Launch the Hunt: Execute the collection. The artifact will run the SharpHound binary on the target endpoints and collect the zipped JSON data.
  5. Retrieve Data: Once the hunt completes, download the ZIP file containing the BloodHound JSON data from the collection results.
  6. Analyze in BloodHound: You can then load this ZIP file directly into the BloodHound GUI or Neo4j database for analysis and graph visualization of attack paths.

Client Deployment Considerations


To fully leverage Velociraptor as a C2, the agent must first be deployed on the target endpoints. This often forms part of the initial access phase of the red team engagement.

  • Trojanized Installer: The client binary can be packaged with another legitimate application, or deployed using existing administration tools (e.g., SCCM, GPO) if access is achieved.
  • Persistence: Ensuring the client runs as a service or through a user-level persistence mechanism is key to maintaining control throughout the assessment.
  • Naming Conventions: Using a benign-sounding name for the client executable (e.g., `SystemUtility.exe` instead of `veloraptor.exe`) can further aid in evading host-based detections.

Repurposing tools like Velociraptor for C2 is a testament to the ever-evolving nature of red teaming. It forces blue teams to go beyond signature-based detection and focus on behavioral analysis—hunting for misuse of legitimate tools rather than just malicious code.

Hackyde's Approach to Red Team & Attack Simulation

Want to test your defensive capabilities against the most advanced covert techniques? Our Red Teaming and Attack Simulation services leverage cutting-edge C2 strategies, including dual-use platforms like Velociraptor. Contact us today to benchmark your security operations centre against real-world APTs.