EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Suspicious Velociraptor Child Process

Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.

MITRE ATT&CK

T1219
command-and-controlpersistencedefense-evasion

Detection Query

selection_parent:
  ParentImage|endswith: \Velociraptor.exe
selection_child_vscode_tunnel:
  CommandLine|contains|all:
    - code.exe
    - tunnel
    - --accept-server-license-terms
selection_child_msiexec:
  CommandLine|contains|all:
    - msiexec
    - /i
    - http
selection_child_powershell:
  Image|endswith:
    - \powershell.exe
    - \powershell_ise.exe
    - \pwsh.exe
  CommandLine|contains:
    - "Invoke-WebRequest "
    - "IWR "
    - .DownloadFile
    - .DownloadString
condition: selection_parent and 1 of selection_child_*

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-08-29

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.command-and-controlattack.persistenceattack.defense-evasionattack.t1219
Raw Content
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.defense-evasion
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\Velociraptor.exe'
    selection_child_vscode_tunnel:
        CommandLine|contains|all:
            - 'code.exe'
            - 'tunnel'
            - '--accept-server-license-terms'
    selection_child_msiexec:
        CommandLine|contains|all:
            - 'msiexec'
            - '/i'
            - 'http'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest '
            - 'IWR '
            - '.DownloadFile'
            - '.DownloadString'
    # Add more child process patterns as needed
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high