DFIR on Linux: Live Triage with UAC and Velociraptor
How the Basilisk team runs live triage on compromised Linux hosts using UAC and Velociraptor without destroying volatile evidence.
Three in the morning, a Debian 12 box exposes a suspicious cron rewriting /etc/ld.so.preload every 90 seconds. The wrong reflex is to power off the machine; the right one is to open the triage runbook and capture live state before the attacker notices the lights coming on. At Basilisk this scenario shows up monthly in simulation labs, and the rule is simple: order of volatility first, hypotheses later. Memory, connections, processes, open file descriptors and kernel modules are top priority, because a reboot or a misplaced `kill -9` destroys 80% of what matters.
Our default toolbox starts with UAC (Unix-like Artifacts Collector) by Tulpa Security and Velociraptor by Rapid7. UAC is perfect for offline one-shot triage: drop a ~6MB tar.gz, run `./uac -p ir_triage /mnt/evidence`, and in 8 to 15 minutes you have hashes, /proc dumps, journald, every user's bash_history, cron listings and SSH configuration in one compressed archive. Velociraptor shines when we need VQL across a fleet: one hundred and twenty hosts in a DMZ, an orchestrated hunt, artifacts `Linux.Sys.BashHistory` and `Linux.Detection.Yara.Process` running in parallel. If you have not built the base lab yet, review Web Pentesting From Scratch: Building a Safe Lab with DVWA, Juice Shop and Burp Suite before simulating real incidents.
Memory acquisition remains the most fragile step on Linux. On kernel 6.x, AVML from Microsoft Research is the most consistent option when LiME fails to compile against missing headers. Real command: `avml --compress /evidence/memdump.lime`. Reserve at least twice the RAM on disk and never write to the victim disk; mount a read-write NFS share at /mnt/triage or a LUKS-encrypted USB drive. After capture, analysis moves to Volatility 3 with auto-detected profile, which is where the pipeline meets Memory Forensics with Volatility 3: Analyzing Dumps in a Reproducible Lab. Without a memory dump any LD_PRELOAD rootkit becomes urban legend in the report.
Persistence on Linux rarely lives in a single place. In recent Kinsing miner cases we found four simultaneous vectors: a systemd unit at /etc/systemd/system/.cache.service, a root crontab entry, a modified /etc/rc.local and a SUID wrapper at /usr/local/sbin/ssh. UAC catches all of that with the `ir_triage` profile, but it pays to also run `find / -newermt '2026-06-01' -type f -mtime -8 2>/dev/null` to close gaps. To correlate with equivalent Windows tradecraft, the team consults Windows Persistence: 10 Documented Techniques and Their Countermeasures, because opportunistic attackers reuse patterns across platforms.
Velociraptor changes the game once we move from a single host to a fleet. We stand up a server on t3.medium, generate Linux clients with `velociraptor config client`, push them via Ansible, and in 20 minutes we have visibility. The most useful hunts in our playbook are `Linux.Network.NetstatEnriched` for active sessions, `Linux.Sys.SUID` for suspicious binaries, and a compiled Yara rule with signatures for Pupy, Sliver and Merlin. When an IOC hits, we export a signed collection zip and pivot to static analysis in an isolated sandbox, as described in Malware Analysis in an Isolated Lab: Safe Setup with FlareVM and REMnux. The trick is never skipping SHA-256 hashing before moving artifacts.
Post-triage threat hunting closes the loop. We turn detections into Sigma rules and push them into Elastic, converting the incident into permanent defensive capability, a flow detailed in Threat Hunting with Sigma and Elastic: From Indicator to Detection Rule. We also document every decision in a chain of custody with UTC timestamp, hash and operator, because even in a lab the discipline builds the muscle needed for real engagements. For hosts that survive the incident, we apply hardening following Linux Server Hardening: Applying CIS Benchmark Without Breaking Production and review SSH per SSH Hardening 2026: Algorithms, Certificates and Bastion Hosts before returning them to simulated production.
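The chain-of-custody record described above (UTC timestamp, SHA-256 and operator per artifact, hashing before anything is moved) can be produced by a small script like the following. This is an added example, not the Basilisk team's tooling or part of UAC or Velociraptor; it assumes GNU coreutils and findutils on the collection host, and the evidence directory, operator name and case id are hypothetical values supplied by the caller.

```shell
#!/bin/sh
# Added example: seal a triage output directory with a sha256sum-compatible
# manifest plus a custody log, then verify it later. Not part of the page's
# tooling; assumes GNU sha256sum/find/sort/xargs (the usual Linux collection box).
set -u

# coc_seal DIR OPERATOR CASE_ID
# Writes DIR/custody.sha256 and DIR/custody.log. Returns 1 if nothing was hashed.
coc_seal() {
    dir=$1; operator=$2; case_id=$3
    manifest="$dir/custody.sha256"; log="$dir/custody.log"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Relative paths, sorted, so the manifest still verifies after the
    # directory is moved to the analysis station. Custody files are excluded.
    ( cd "$dir" && find . -type f ! -name 'custody.*' -print0 \
        | sort -z | xargs -0 -r sha256sum ) > "$manifest" || return 1
    [ -s "$manifest" ] || return 1   # refuse to seal an empty evidence set
    {
        printf '# case=%s operator=%s sealed_utc=%s\n' "$case_id" "$operator" "$ts"
        # One log line per artifact: timestamp, operator, sha256, path.
        while read -r hash path; do
            printf '%s %s %s %s\n' "$ts" "$operator" "$hash" "$path"
        done < "$manifest"
        # Record the manifest's own hash so a swapped manifest is detectable.
        printf '%s %s %s custody.sha256\n' "$ts" "$operator" \
            "$(sha256sum "$manifest" | cut -d' ' -f1)"
    } > "$log"
}

# coc_verify DIR
# Returns 0 only if the manifest matches the log and every artifact matches.
coc_verify() {
    dir=$1; manifest="$dir/custody.sha256"; log="$dir/custody.log"
    logged=$(awk '$4 == "custody.sha256" { print $3 }' "$log")
    actual=$(sha256sum "$manifest" | cut -d' ' -f1)
    [ -n "$logged" ] && [ "$logged" = "$actual" ] || return 1
    # --status: no output, exit code only (non-zero on any mismatch or missing file)
    ( cd "$dir" && sha256sum -c --status custody.sha256 )
}

# Usage: coc.sh seal /mnt/evidence analyst01 CASE-42 | coc.sh verify /mnt/evidence
case "${1:-}" in
    seal)   coc_seal "$2" "$3" "$4" ;;
    verify) coc_verify "$2" ;;
esac
```

Run `seal` on the collection host before the archive leaves it, and `verify` on the analysis station before opening anything; a non-zero exit from either is a custody break to record, not a warning to skip.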
Practical takeaway: build a LUKS pendrive today with UAC, AVML and a preconfigured Velociraptor client pointing at your hunt server. Test it on a clean Debian VM, time it, tune the profile and version the tar.gz in your internal repository. When the pager rings at 3 AM you do not want to be reading documentation, you want to be collecting evidence. Live triage is not art, it is a disciplined checklist executed under pressure.