TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Velociraptor WSUS Exploitation, Pt. I: WSUS-Up?

2025-11-20

ATT&CK techniques detected (7 predictions)

T1059.001 PowerShell (91%)
“(null), (null), (null), (null), (null), Velociraptor was installed via the following binary path: velociraptor/1000; "Velociraptor startup argv: [""C:\Program Files\Velociraptor\velociraptor.exe"", ""--config"", ""C:\Program Files\Velocir…”

T1059.001 PowerShell (84%)
“as the following: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -EncodedCommand cqb1ahmazqbyaa== Each of the observed PowerShell commands varied only in the encoded commands; the command line switches and their position…”

T1087.002 Domain Account (75%)
“as the following: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -EncodedCommand cqb1ahmazqbyaa== Each of the observed PowerShell commands varied only in the encoded commands; the command line switches and their position…”

T1068 Exploitation for Privilege Escalation (47%)
“, more recently in 2025 there’s been a significant uptick in the past three months of incidents involving the use of the Velociraptor to facilitate remote access into the compromised endpoint. In part one of this two-part series, we will break down a recent incident we observ…”

T1047 Windows Management Instrumentation (39%)
“Velociraptor WSUS Exploitation, Pt. I: WSUS-Up? Acknowledgments: Special thanks to Ben Folland for his contributions to this investigation and writeup. In November, Huntress analysts detected an incident where threat actors likely exploited a recently patched remote code exec…”

T1195.002 Compromise Software Supply Chain (34%)
“…sing the tool in attacks. For example, the Cisco Talos team in October found Velociraptor activity that they attributed with medium confidence to Storm-2603. While the researchers did not observe the actor’s initial access in this incident, they said the vector was likely a…”

T1055.001 Dynamic-link Library Injection (30%)
“(null), (null), (null), (null), (null), Velociraptor was installed via the following binary path: velociraptor/1000; "Velociraptor startup argv: [""C:\Program Files\Velociraptor\velociraptor.exe"", ""--config"", ""C:\Program Files\Velocir…”

Summary

Huntress has seen an uptick in threat actors abusing the Velociraptor open-source DFIR tool in a range of attacks, including a recent incident involving WSUS exploitation.