Velociraptor Abuse via Suspicious PowerShell Commands

Rule Info

Name
Velociraptor Abuse via Suspicious PowerShell Commands
Author
X__Junior
Description
Detects Velociraptor.exe being abused to execute suspicious PowerShell or command-line activity indicative of post-exploitation behavior.
Reference
https://www.huntress.com/blog/velociraptor-misuse-part-two-eye-of-the-storm
Date
2026-01-27 00:00:00
Modified
None
Id
29ad8ccf-9b07-40cd-bda9-0d5d1f9c0efd
Tags
attack.command-and-control attack.persistence attack.defense-evasion attack.t1219
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022