Cobalt Strike UAC Bypass Using SQL Server Client Configuration Utility (RedCanary Threat Detection Report)
Detects a possible Cobalt Strike UAC bypass attempt using cliconfg.exe, the SQL Server Client Configuration Utility. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule (View on GitHub)
1title: Cobalt Strike UAC Bypass Using SQL Server Client Configuration Utility (RedCanary Threat Detection Report)
2id: 405ec76f-7d77-464d-b28b-4f5d9131346b
3status: experimental
4description: Detects a possible Cobalt Strike UAC bypass attempt using cliconfg.exe, the SQL Server Client Configuration Utility. Part of the RedCanary 2023 Threat Detection Report.
5references:
6 - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
7author: RedCanary, Sigma formatting by Micah Babinski
8date: 2023/05/10
9tags:
10 - attack.s0154
11logsource:
12 category: process_creation
13 product: windows
14detection:
15 selection:
16 ParentImage|endswith: '\rundll32.exe'
17 Image|endswith: '\cliconfg.exe'
18 condition: selection
19falsepositives:
20 - Unknown
21level: low```
References
-
Cobalt Strike is a favorite C2 tool among adversaries, as many rely on its functionality to maintain a foothold into victim organizations.
Read More
Related rules
- Cobalt Strike Beacon Getsystem Pattern (RedCanary Threat Detection Report)
- Cobalt Strike Beacon Implant Command Issued via Named Pipe (RedCanary Threat Detection Report)
- Default Cobalt Strike Certificate