{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/solarwinds-web-help-desk/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SolarWinds Web Help Desk"],"_cs_severities":["medium"],"_cs_tags":["velociraptor","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["SolarWinds"],"content_html":"\u003cp\u003eVelociraptor is a legitimate open-source endpoint visibility and response tool. Threat actors are abusing Velociraptor by installing it on compromised Windows systems and using it to execute shell commands (cmd, PowerShell, rundll32), effectively hiding their malicious activity within normal system processes. This allows attackers to perform various actions on the compromised host, such as data exfiltration, lateral movement, and credential access, while evading traditional detection methods. The activity was observed in relation to exploitation of CVE-2025-26399, a vulnerability in SolarWinds Web Help Desk. Defenders need to differentiate between legitimate and malicious use of Velociraptor to prevent further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through exploitation of a vulnerability (e.g., CVE-2025-26399 in SolarWinds Web Help Desk).\u003c/li\u003e\n\u003cli\u003eVelociraptor is installed on the compromised Windows host, potentially using a script or other automated method.\u003c/li\u003e\n\u003cli\u003eThe attacker configures Velociraptor with malicious artifacts or uses it to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eVelociraptor spawns a shell process (cmd.exe, powershell.exe, or rundll32.exe) to execute the attacker's commands.\u003c/li\u003e\n\u003cli\u003eThe shell process executes malicious commands, such as downloading additional tools, performing reconnaissance, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the shell to perform lateral movement to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges using further commands executed via Velociraptor's spawned shells.\u003c/li\u003e\n\u003cli\u003eThe final objective is achieved, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on compromised Windows systems, leading to data theft, system compromise, and potential lateral movement within the network. The use of Velociraptor makes detection challenging, as the activity blends in with legitimate system administration tasks. The scope of impact depends on the level of access gained and the attacker's objectives. While specific victim numbers are unknown, observed use alongside CVE-2025-26399 suggests widespread potential.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the execution of shell processes and their command lines, allowing for detection of malicious activity (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious shell executions spawned by Velociraptor, and tune for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Velociraptor installations from unusual paths (e.g., temp directories) to identify potentially unauthorized deployments (see Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from Velociraptor processes for suspicious destinations or unusual protocols, indicating potential data exfiltration or C2 communication.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2025-26399 on affected SolarWinds Web Help Desk instances (see References).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-velociraptor-shell-execution/","summary":"Attackers are abusing the Velociraptor endpoint visibility and response tool to execute shell commands (cmd, PowerShell, rundll32) on compromised Windows systems, blending in with legitimate system processes.","title":"Suspicious Shell Execution via Velociraptor","url":"https://feed.craftedsignal.io/briefs/2024-01-velociraptor-shell-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - SolarWinds Web Help Desk","version":"https://jsonfeed.org/version/1.1"}