CobaltStrike Service Installations - Security

Detects known malicious service installations that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally

Sigma rule

```yaml
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
    - id: 5a105d34-05fc-401e-8553-272b45c1522d
      type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021/05/26
modified: 2022/11/27
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    event_id:
        EventID: 4697
    selection1:
        ServiceFileName|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ServiceFileName|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: event_id and 1 of selection*
falsepositives:
    - Unknown
level: high
```
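To show what the detection block above actually does to a Security log record, here is an added Python example that is not part of the rule or of the Sigma project. It re-implements the four selections and the `event_id and 1 of selection*` condition and runs them over a handful of constructed EID 4697 records. The `base64offset_variants` helper is my own implementation of what the `base64offset` modifier expands to (the value encoded at each of the three base64 alignments, with the alignment-dependent edge characters trimmed); the sample service names, paths and the base64 blob are made up for the test and are not real samples.

```python
import base64

# Match values copied from the rule above. Sigma `contains` is
# case-insensitive, so the plain strings are compared in lower case.
SELECTION1_ALL = ("admin$", ".exe")
SELECTION2_ALL = ("%comspec%", "start", "powershell")
SELECTION3 = "powershell -nop -w hidden -encodedcommand"
SELECTION4_PLAIN = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"


def base64offset_variants(value: str) -> list[str]:
    """Return the three substrings that match `value` wherever it sits inside
    a base64 blob (what Sigma's `base64offset` modifier expands to).

    Base64 encodes 3-byte groups, so the same bytes produce different text
    depending on their alignment. We encode the value with 0, 1 and 2 filler
    bytes in front and then drop the characters at each end whose bits also
    depend on the unknown bytes surrounding the value in the real blob.
    """
    raw = value.encode()
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + raw
        enc = base64.b64encode(padded).decode().rstrip("=")
        lead = (0, 2, 3)[offset]                  # chars that mix in filler bits
        trail = 0 if len(padded) % 3 == 0 else 1  # last char mixes in the next byte
        variants.append(enc[lead:len(enc) - trail])
    return variants


def evaluate(event: dict) -> list[str]:
    """Apply `event_id and 1 of selection*` to one Security log record and
    return the names of the selections that matched (empty list = no alert)."""
    if str(event.get("EventID")) != "4697":
        return []
    name = event.get("ServiceFileName", "")
    lowered = name.lower()
    hits = []
    if all(p in lowered for p in SELECTION1_ALL):
        hits.append("selection1")
    if all(p in lowered for p in SELECTION2_ALL):
        hits.append("selection2")
    if SELECTION3 in lowered:
        hits.append("selection3")
    # base64 text is case-sensitive, so the encoded variants are compared as-is
    if any(v in name for v in base64offset_variants(SELECTION4_PLAIN)):
        hits.append("selection4")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Return {record index: matched selections} for every record that fires."""
    return {i: hits for i, e in enumerate(events) if (hits := evaluate(e))}


def constructed_blob() -> str:
    # Constructed test data: the selection4 string placed at byte offset 1 of
    # a base64 blob, so only the offset-1 variant can find it.
    return base64.b64encode(b"$" + SELECTION4_PLAIN.encode() + b"8080/x')").decode()


# Constructed EID 4697 records (field names as in the Security log); the
# service paths are made up to exercise each selection, not real samples.
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceName": "a1b2c3d",
     "ServiceFileName": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe"},
    {"EventID": 4697, "ServiceName": "updater",
     "ServiceFileName": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand AAAA"},
    {"EventID": 4697, "ServiceName": "loader",
     "ServiceFileName": "powershell -e " + constructed_blob()},
    {"EventID": 4697, "ServiceName": "VendorAgent",
     "ServiceFileName": r"C:\Program Files\Vendor\agent.exe"},
    # Same ADMIN$ path but from the System log (EID 7045): the related rule
    # 5a105d34-... covers that source; this rule is gated on EID 4697.
    {"EventID": 7045, "ServiceName": "a1b2c3d",
     "ServiceFileName": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"record {idx}: {SAMPLE_EVENTS[idx]['ServiceFileName']!r} -> {hits}")
```

Running the script prints the three records that fire (ADMIN$ path, COMSPEC/start/powershell launcher, base64-embedded download cradle) and stays silent on the benign vendor service and on the EID 7045 record, which the derived System-log rule handles instead. In production you would convert the rule with the Sigma tooling for your SIEM rather than hand-roll it like this; the point here is to make the `base64offset` expansion and the `event_id and 1 of selection*` gating visible.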
