CobaltStrike Service Installations - System

calendar Oct 23, 2025 · attack.persistence attack.execution attack.privilege-escalation attack.lateral-movement attack.t1021.002 attack.t1543.003 attack.t1569.002  ·
Share on: linkedin copy

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Sigma rule (View on GitHub)

 1title: CobaltStrike Service Installations - System
 2id: 5a105d34-05fc-401e-8553-272b45c1522d
 3status: test
 4description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
 5references:
 6    - https://www.sans.org/webcasts/119395
 7    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 8    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 9author: Florian Roth (Nextron Systems), Wojciech Lesicki
10date: 2021-05-26
11modified: 2022-11-27
12tags:
13    - attack.persistence
14    - attack.execution
15    - attack.privilege-escalation
16    - attack.lateral-movement
17    - attack.t1021.002
18    - attack.t1543.003
19    - attack.t1569.002
20logsource:
21    product: windows
22    service: system
23detection:
24    selection_id:
25        Provider_Name: 'Service Control Manager'
26        EventID: 7045
27    selection1:
28        ImagePath|contains|all:
29            - 'ADMIN$'
30            - '.exe'
31    selection2:
32        ImagePath|contains|all:
33            - '%COMSPEC%'
34            - 'start'
35            - 'powershell'
36    selection3:
37        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
38    selection4:
39        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
40    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
41falsepositives:
42    - Unknown
43level: critical

References

Related rules

to-top