Suspicious Velociraptor Child Process

 1title: Suspicious Velociraptor Child Process
 2id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
 3status: experimental
 4description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
 5references:
 6    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
 7author: Swachchhanda Shrawan Poudel (Nextron Systems)
 8date: 2025-08-29
 9tags:
10    - attack.persistence
11    - attack.defense-evasion
12    - attack.t1219
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_parent:
18        ParentImage|endswith: '\Velociraptor.exe'
19    selection_child_vscode_tunnel:
20        CommandLine|contains|all:
21            - 'code.exe'
22            - 'tunnel'
23            - '--accept-server-license-terms'
24    selection_child_msiexec:
25        CommandLine|contains|all:
26            - 'msiexec'
27            - '/i'
28            - 'http'
29    selection_child_powershell:
30        Image|endswith:
31            - '\powershell.exe'
32            - '\powershell_ise.exe'
33            - '\pwsh.exe'
34        CommandLine|contains:
35            - 'Invoke-WebRequest '
36            - 'IWR '
37            - '.DownloadFile'
38            - '.DownloadString'
39    # Add more child process patterns as needed
40    condition: selection_parent and 1 of selection_child_*
41falsepositives:
42    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
43level: high