CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
Sigma rule
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
    - id: 5a105d34-05fc-401e-8553-272b45c1522d
      type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021/05/26
modified: 2022/11/27
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    event_id:
        EventID: 4697
    selection1:
        ServiceFileName|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ServiceFileName|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: event_id and 1 of selection*
falsepositives:
    - Unknown
level: high
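To show how the detection block above is evaluated, here is an added Python example (not part of the SigmaHQ rule or its tooling) that applies each selection to constructed Security 4697 records and implements the base64offset modifier the way the Sigma specification defines it. The host name, file names, the QQBCAA== blob and the PORT token in the sample records are constructed placeholders.

```python
from base64 import b64encode

# String from selection4 of the rule above.
IEX_CRADLE = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"


def base64offset_variants(value: str) -> list[str]:
    """Sigma's base64offset modifier: the three base64 substrings that match
    `value` at any byte alignment (0, 1 or 2 preceding bytes), with characters
    whose bits also depend on neighbouring bytes trimmed from both ends."""
    raw = value.encode()
    variants = []
    for lead in range(3):
        enc = b64encode(b" " * lead + raw).decode()
        start = (0, 2, 3)[lead]                      # chars tainted by the lead bytes
        end = (None, -3, -2)[(len(raw) + lead) % 3]  # chars tainted by the padding
        variants.append(enc[start:end])
    return variants


IEX_VARIANTS = base64offset_variants(IEX_CRADLE)


def matches_rule(event: dict) -> bool:
    """Mirror `condition: event_id and 1 of selection*` from the rule above."""
    if event.get("EventID") != 4697:
        return False
    name = event.get("ServiceFileName", "")
    low = name.lower()  # Sigma plain-string matching is case-insensitive
    selection1 = "admin$" in low and ".exe" in low
    selection2 = all(s in low for s in ("%comspec%", "start", "powershell"))
    selection3 = "powershell -nop -w hidden -encodedcommand" in low
    selection4 = any(v in name for v in IEX_VARIANTS)  # base64 is case-sensitive
    return selection1 or selection2 or selection3 or selection4


def flagged(events: list[dict]) -> list[int]:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample records, not real telemetry (host, names, blob and PORT are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceFileName": r"\\WS01\ADMIN$\svc-7f3a.exe"},
    {"EventID": 4697, "ServiceFileName": "%COMSPEC% /b /c start /b /min "
     "powershell -nop -w hidden -encodedcommand QQBCAA=="},
    # cradle starts two bytes into the blob, so only the third variant can match
    {"EventID": 4697, "ServiceFileName": "C:\\tmp\\loader.exe " +
     b64encode(b"??" + IEX_CRADLE.encode() + b"PORT/')").decode()},
    {"EventID": 4697, "ServiceFileName": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 7045, "ServiceFileName": r"\\WS01\ADMIN$\svc-7f3a.exe"},  # System-channel EID
]
```

PowerShell's -EncodedCommand takes base64 of UTF-16LE text, so selection4 as written only fires when the cradle was base64-encoded as single-byte text; Sigma's utf16le modifier, chained before base64offset, covers the UTF-16LE case.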
Related rules
- Malicious Service Installations
- First Time Seen Remote Named Pipe - Zeek
- Suspicious PsExec Execution - Zeek
- Potential DCOM InternetExplorer.Application DLL Hijack
- PowerShell Scripts Installed as Services - Security