CobaltStrike Service Installations - Security

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally

Sigma rule

title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
    - id: 5a105d34-05fc-401e-8553-272b45c1522d
      type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    event_id:
        EventID: 4697
    selection1:
        ServiceFileName|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ServiceFileName|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: event_id and 1 of selection*
falsepositives:
    - Unknown
level: high
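To see what the rule actually matches, the following is an added Python example (not part of the rule or the Sigma project) that reimplements the four selections and the `event_id and 1 of selection*` condition, including Sigma's `base64offset` modifier, and runs them over a handful of constructed EID 4697 records. The event records, service names and the encoded buffer are constructed for the example; the trim offsets for `base64offset` follow the values pySigma uses.

```python
"""Evaluate the 'CobaltStrike Service Installations - Security' Sigma logic.

Added example: reimplements the rule's selections (with Sigma's base64offset
modifier) and applies them to constructed Security event 4697 records.
"""
import base64

# The base64offset value taken from selection4 of the rule.
IEX_STAGER = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"


def base64offset_patterns(value: str) -> list[str]:
    """Return the three fragments Sigma's base64offset modifier expands `value` to.

    A substring encodes differently depending on its byte position modulo 3
    inside a base64 blob, so the value is encoded with 0, 1 and 2 filler bytes
    in front. Leading characters that depend on the filler and trailing ones
    that depend on '=' padding are trimmed, leaving a fragment that appears in
    any blob where the value sits at that alignment. Offsets mirror pySigma.
    """
    start_offsets = (0, 2, 3)
    end_offsets = (None, -3, -2)
    raw = value.encode("utf-8")  # Sigma encodes the literal bytes (no utf16le here)
    fragments = []
    for i in range(3):
        encoded = base64.b64encode(b"\x00" * i + raw).decode("ascii")
        fragments.append(encoded[start_offsets[i]:end_offsets[(len(raw) + i) % 3]])
    return fragments


B64_FRAGMENTS = base64offset_patterns(IEX_STAGER)


def fired_selections(event: dict) -> list[str]:
    """Return the names of the rule's selections that match one event.

    EventID must be 4697 and the selections run on ServiceFileName. Sigma
    string matching is case-insensitive by default, so comparisons use lower
    case (a backend may choose to compare the base64 fragments case-sensitively).
    """
    if event.get("EventID") != 4697:
        return []
    sfn = str(event.get("ServiceFileName", "")).lower()
    hits = []
    if "admin$" in sfn and ".exe" in sfn:
        hits.append("selection1")
    if all(s in sfn for s in ("%comspec%", "start", "powershell")):
        hits.append("selection2")
    if "powershell -nop -w hidden -encodedcommand" in sfn:
        hits.append("selection3")
    if any(fragment.lower() in sfn for fragment in B64_FRAGMENTS):
        hits.append("selection4")
    return hits


def build_sample_events() -> list[dict]:
    """Constructed EID 4697 records (not real telemetry) exercising each branch."""
    # Stager placed one byte into the encoded buffer, so it sits at alignment 1.
    blob = base64.b64encode(b"X" + IEX_STAGER.encode() + b"8080/a')").decode()
    return [
        # binary dropped on the ADMIN$ share (selection1)
        {"EventID": 4697, "ServiceName": "a1b2c3d",
         "ServiceFileName": r"\\SRV01\ADMIN$\a1b2c3d.exe"},
        # cmd.exe -> PowerShell one-liner (selection2, selection3, selection4)
        {"EventID": 4697, "ServiceName": "x9y8z7w",
         "ServiceFileName": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden "
                            "-encodedcommand " + blob},
        # direct PowerShell path with the stager only visible via base64offset (selection4)
        {"EventID": 4697, "ServiceName": "q1w2e3r",
         "ServiceFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc " + blob},
        # benign service install, no selection fires
        {"EventID": 4697, "ServiceName": "Spooler",
         "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"},
        # same path but a different event id: the event_id selection gates everything
        {"EventID": 7045, "ServiceName": "a1b2c3d",
         "ServiceFileName": r"\\SRV01\ADMIN$\a1b2c3d.exe"},
    ]


def run_rule(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Apply 'event_id and 1 of selection*' and return (ServiceName, hits) per alert."""
    return [(e["ServiceName"], hits) for e in events if (hits := fired_selections(e))]


if __name__ == "__main__":
    for name, hits in run_rule(build_sample_events()):
        print(f"ALERT service={name} matched={','.join(hits)}")
```

Two points worth keeping in mind when porting this to a SIEM: the `base64offset` fragments are derived from the literal bytes of the string in the rule, so they only match a buffer in which that string was base64-encoded as-is (Sigma offers separate `utf16le`/`wide` modifiers for buffers that encode UTF-16LE text), and because the condition is `event_id and 1 of selection*`, an event that misses the `EventID: 4697` gate never alerts regardless of its `ServiceFileName`.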
