Suspicious Velociraptor Child Process

 1title: Suspicious Velociraptor Child Process
 2id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
 3status: experimental
 4description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
 5references:
 6    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
 7author: Swachchhanda Shrawan Poudel (Nextron Systems)
 8date: 2025-08-29
 9tags:
10    - attack.command-and-control
11    - attack.persistence
12    - attack.defense-evasion
13    - attack.t1219
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_parent:
19        ParentImage|endswith: '\Velociraptor.exe'
20    selection_child_vscode_tunnel:
21        CommandLine|contains|all:
22            - 'code.exe'
23            - 'tunnel'
24            - '--accept-server-license-terms'
25    selection_child_msiexec:
26        CommandLine|contains|all:
27            - 'msiexec'
28            - '/i'
29            - 'http'
30    selection_child_powershell:
31        Image|endswith:
32            - '\powershell.exe'
33            - '\powershell_ise.exe'
34            - '\pwsh.exe'
35        CommandLine|contains:
36            - 'Invoke-WebRequest '
37            - 'IWR '
38            - '.DownloadFile'
39            - '.DownloadString'
40    # Add more child process patterns as needed
41    condition: selection_parent and 1 of selection_child_*
42falsepositives:
43    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
44level: high