Cobalt Strike Beacon Getsystem Pattern (RedCanary Threat Detection Report)

Detects a command-line pattern indicating the use of the Cobalt Strike GetSystem feature. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Cobalt Strike Beacon Getsystem Pattern (RedCanary Threat Detection Report)
id: 187c05df-debd-40ed-a59e-1163703bb1de
status: experimental
description: Detects command line pattern indicating the use of Cobalt Strike GetSystem feature. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
    - https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.s0154
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|re: '^.*echo\s+[0-9a-f]{11}\s+\>\;?\s+\\\\\.\\pipe\\[0-9a-f]{6}.*$'
    condition: selection
falsepositives:
    - Unknown
level: low
```
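To see what the rule actually fires on, the following Python script evaluates the rule's two selection fields against a handful of constructed process-creation events. This is an added example, not code from RedCanary, the Sigma project or this rule's author; the regular expression is copied from the rule above, the event field names (`Image`, `CommandLine`) mirror the Sigma field names, and the sample events are invented for illustration. One detail worth knowing: Sigma treats plain string matches such as `endswith` as case-insensitive, while the `re` modifier is case-sensitive, so the image check lower-cases its input and the regex is applied as written.

```python
import re

# CommandLine|re pattern, copied verbatim from the Sigma rule above.
# Sigma's 're' modifier is case-sensitive unless flagged otherwise, so no re.I here.
GETSYSTEM_CMDLINE_RE = re.compile(
    r'^.*echo\s+[0-9a-f]{11}\s+\>\;?\s+\\\\\.\\pipe\\[0-9a-f]{6}.*$'
)

# Image|endswith value from the rule; plain Sigma strings match case-insensitively.
IMAGE_SUFFIX = "\\cmd.exe"


def matches_getsystem_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not image.lower().endswith(IMAGE_SUFFIX):
        return False
    # The pattern is anchored with ^ and $, so match() and search() behave alike here.
    return GETSYSTEM_CMDLINE_RE.match(cmdline) is not None


def scan(events: list) -> list:
    """Return the indexes of all events that match the rule."""
    return [i for i, ev in enumerate(events) if matches_getsystem_rule(ev)]


# Constructed sample events (not real telemetry). Raw strings keep the backslashes literal.
SAMPLE_EVENTS = [
    # 0: cmd.exe echoing an 11-hex-char token into a 6-hex-char named pipe -> hit
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\System32\cmd.exe /c echo 72ab5bd9a2f > \\.\pipe\c6f1b1",
    },
    # 1: identical command line but the image is not cmd.exe -> miss (image check fails)
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -c echo 72ab5bd9a2f > \\.\pipe\c6f1b1",
    },
    # 2: only 10 hex characters after echo -> miss ([0-9a-f]{11} does not match)
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo 72ab5bd9a2 > \\.\pipe\c6f1b1",
    },
    # 3: ordinary redirect to a file, not a named pipe -> miss
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo done > C:\Temp\out.txt",
    },
    # 4: upper-case image path still satisfies the case-insensitive endswith -> hit
    {
        "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
        "CommandLine": r"cmd /c echo 0123456789a > \\.\pipe\abcdef",
    },
]


if __name__ == "__main__":
    for idx, ev in enumerate(SAMPLE_EVENTS):
        verdict = "MATCH" if matches_getsystem_rule(ev) else "no match"
        print(f"[{idx}] {verdict}: {ev['CommandLine']}")
```

Running the script reports events 0 and 4 as matches and the rest as misses; event 1 shows why the `Image` condition matters, and event 2 shows how tightly the rule is bound to the exact 11- and 6-character hex token lengths, which is the main reason its false-positive rate is low but its coverage of any variation in those lengths is nil.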
