Suspicious Shell Execution via Velociraptor
Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.
Elastic rule
[metadata]
creation_date = "2026/03/18"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Detects shell executions (cmd, PowerShell, rundll32) spawned by Velociraptor. Threat actors have been observed
installing Velociraptor to execute shell commands on compromised systems, blending in with legitimate system processes.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Shell Execution via Velociraptor"
note = """## Triage and analysis

### Investigating Suspicious Shell Execution via Velociraptor

Velociraptor is a legitimate endpoint visibility and response tool. Threat actors have been observed deploying it on compromised systems to run shell commands (cmd, PowerShell, rundll32), making their activity look like normal Velociraptor-collector behavior.

### Possible investigation steps

- Confirm the parent process name matches a Velociraptor binary (e.g. velociraptor.exe, Velociraptor.exe) and the child is cmd.exe, powershell.exe, or rundll32.exe.
- Review the child process command line for suspicious or interactive commands (e.g. download, lateral movement, credential access) versus known Velociraptor artifact scripts (Get-LocalGroupMember, Get-Date, registry queries, Velociraptor Tools module).
- Identify how Velociraptor was installed (dropped by another process, scheduled task, service); correlate with earlier process or file events on the host.
- Check whether the Velociraptor executable path and code signature are expected (e.g. Program Files vs. temp or user writable); unauthorized installs are often from non-standard paths.
- Correlate with other alerts for the same host or user (initial access, persistence, C2) to determine if this is abuse vs. legitimate IR/DFIR use.

### False positive analysis

- Legitimate Velociraptor artifacts that run Get-LocalGroupMember, Get-Date, registry Run key checks, or Velociraptor Tools PowerShell module are excluded by the rule; remaining FPs may be custom artifacts. Allowlist by command-line pattern or host if you use Velociraptor for authorized IR and see known-good artifacts.

### Response and remediation

- If abuse is confirmed: isolate the host, terminate the Velociraptor and child shell processes, and remove the Velociraptor installation (binary, service, config).
- Determine how Velociraptor was deployed and close the initial access vector; rotate credentials for affected accounts.
- If the deployment was authorized (IR/DFIR), document and tune the rule or add an exception to reduce noise.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

references = [
  "https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399",
  "https://attack.mitre.org/techniques/T1219/",
]
risk_score = 47
rule_id = "9aeca498-1e3d-4496-9e12-6ef40047eb23"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Tactic: Execution",
  "Tactic: Defense Evasion",
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender XDR",
  "Data Source: Crowdstrike",
  "Data Source: Elastic Endgame",
  "Data Source: Windows Security Event Logs"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.command_line != null and
  process.parent.name : "velociraptor.exe" and
  process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
  not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBMAG8AYwBhAGwARwByAG8AdQBwAE0AZQBtAGIAZQBy*") and
  not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBEAGEAdABl*" and process.command_line : "*-Format*") and
  not (process.name : "cmd.exe" and process.command_line : "*start*127.0.0.1:8889*") and
  not (process.name : "powershell.exe" and process.command_line : "*RwBlAHQALQBJAHQAZQBt*" and process.command_line : "*UgBlAGcAaQBzAHQAcgB5*" and process.command_line : "*UgB1AG4A*") and
  not (process.name : "powershell.exe" and
       process.args : ("RwBlAHQALQ*", "UgBlAG0AbwB2AGUALQBJAHQAZQBtACA*", "C:\\Program Files\\Velociraptor\\thor.db",
                       "import-module \"C:\\Program Files\\Velociraptor\\Tools\\*"))
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"

[[rule.threat.technique.subtechnique]]
id = "T1219.002"
name = "Remote Desktop Software"
reference = "https://attack.mitre.org/techniques/T1219/002/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
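The base64 strings in the query's exclusions are substrings of PowerShell `-EncodedCommand` payloads (base64 over UTF-16LE text), which is why they look opaque. The Python below is an added example, not Elastic's code: it decodes those fragments back to the cmdlet names the triage guide lists, and replays the query's logic over constructed process events whose keys mirror the ECS fields in the query; the `velo_child` helper and its sample events are constructed for illustration.

```python
import base64
import fnmatch

def decode_fragment(pattern):
    """Recover the PowerShell text behind a wildcard pattern such as "*RwBlAHQALQ*".
    A fragment can end on half a UTF-16 code unit; the high byte of an ASCII
    code unit is 0x00 (assumption: the encoded script is plain ASCII)."""
    frag = pattern.strip("*")
    if len(frag) % 4 == 1:              # a lone trailing base64 char encodes no byte
        frag = frag[:-1]
    raw = base64.b64decode(frag + "=" * (-len(frag) % 4))
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")

def like(value, pattern):
    """EQL ':' comparison: case-insensitive with '*' wildcards."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())

SHELLS = ("cmd.exe", "powershell.exe", "rundll32.exe")
ARGS_ALLOW = ("RwBlAHQALQ*", "UgBlAG0AbwB2AGUALQBJAHQAZQBtACA*",
              "C:\\Program Files\\Velociraptor\\thor.db",
              "import-module \"C:\\Program Files\\Velociraptor\\Tools\\*")

def rule_matches(ev):
    """Python rendering of the rule's EQL query; ev keys mirror the ECS field names."""
    name, cl = ev.get("process.name"), ev.get("process.command_line")
    if not (ev.get("host.os.type") == "windows" and ev.get("event.type") == "start"
            and cl is not None and like(ev.get("process.parent.name"), "velociraptor.exe")
            and any(like(name, s) for s in SHELLS)):
        return False
    ps = like(name, "powershell.exe")
    excluded = (
        (ps and like(cl, "*RwBlAHQALQBMAG8AYwBhAGwARwByAG8AdQBwAE0AZQBtAGIAZQBy*"))
        or (ps and like(cl, "*RwBlAHQALQBEAGEAdABl*") and like(cl, "*-Format*"))
        or (like(name, "cmd.exe") and like(cl, "*start*127.0.0.1:8889*"))
        or (ps and all(like(cl, p) for p in
                       ("*RwBlAHQALQBJAHQAZQBt*", "*UgBlAGcAaQBzAHQAcgB5*", "*UgB1AG4A*")))
        or (ps and any(like(a, p) for a in ev.get("process.args", []) for p in ARGS_ALLOW))
    )
    return not excluded

def velo_child(name, command_line, args=()):
    """Constructed event: a shell spawned by Velociraptor (not real telemetry)."""
    return {"host.os.type": "windows", "event.type": "start", "process.parent.name": "Velociraptor.exe",
            "process.name": name, "process.command_line": command_line, "process.args": list(args)}

if __name__ == "__main__":
    for p in ("*RwBlAHQALQBMAG8AYwBhAGwARwByAG8AdQBwAE0AZQBtAGIAZQBy*", "RwBlAHQALQ*"):
        print(p, "->", repr(decode_fragment(p)))
    print(rule_matches(velo_child("cmd.exe", "cmd.exe /c whoami")))      # True: no exclusion applies
```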