Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_parent:
ParentImage|endswith: '\Velociraptor.exe'
selection_child_vscode_tunnel:
CommandLine|contains|all:
- 'code.exe'
- 'tunnel'
- '--accept-server-license-terms'
selection_child_msiexec:
CommandLine|contains|all:
- 'msiexec'
- '/i'
- 'http'
selection_child_powershell:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Invoke-WebRequest '
- 'IWR '
- '.DownloadFile'
- '.DownloadString'
# Add more child process patterns as needed
condition: selection_parent and 1 of selection_child_*Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.