← Back to SOC feed Coverage →

Suspicious Velociraptor Child Process

sigma HIGH SigmaHQ
T1219
imProcessCreate
apt
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-22T11:00:00Z · Confidence: low

Hunt Hypothesis

Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attack

Detection Rule

Sigma (Original)

title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\Velociraptor.exe'
    selection_child_vscode_tunnel:
        CommandLine|contains|all:
            - 'code.exe'
            - 'tunnel'
            - '--accept-server-license-terms'
    selection_child_msiexec:
        CommandLine|contains|all:
            - 'msiexec'
            - '/i'
            - 'http'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest '
            - 'IWR '
            - '.DownloadFile'
            - '.DownloadString'
    # Add more child process patterns as needed
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\Velociraptor.exe" or ActingProcessName endswith "\\Velociraptor.exe") and ((TargetProcessCommandLine contains "code.exe" and TargetProcessCommandLine contains "tunnel" and TargetProcessCommandLine contains "--accept-server-license-terms") or (TargetProcessCommandLine contains "msiexec" and TargetProcessCommandLine contains "/i" and TargetProcessCommandLine contains "http") or ((TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\powershell_ise.exe" or TargetProcessName endswith "\\pwsh.exe") and (TargetProcessCommandLine contains "Invoke-WebRequest " or TargetProcessCommandLine contains "IWR " or TargetProcessCommandLine contains ".DownloadFile" or TargetProcessCommandLine contains ".DownloadString")))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml