Sigma rules for CVE-2026-6290
1 rules · scoped to cve · back to CVE-2026-6290
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\Velociraptor.exe'
selection_child_vscode_tunnel:
CommandLine|contains|all:
- 'code.exe'
- 'tunnel'
- '--accept-server-license-terms'
selection_child_msiexec:
CommandLine|contains|all:
- 'msiexec'
- '/i'
- 'http'
selection_child_powershell:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Invoke-WebRequest '
- 'IWR '
- '.DownloadFile'
- '.DownloadString'
# Add more child process patterns as needed
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high