Suspicious Velociraptor Spawned Processes

Rule Info

Name
Suspicious Velociraptor Spawned Processes
Author
X__Junior
Description
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Date
2026-01-27 00:00:00
Modified
None
Id
5946f32a-7e9e-4a3b-8687-676a900c65aa
Tags
attack.command-and-control attack.persistence attack.defense-evasion attack.t1219
Type
Nextron Sigma feed only (private)

Rule History