CobaltStrike Service Installations - System

Detects known malicious service installations that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally

Sigma rule

title: CobaltStrike Service Installations - System
id: 5a105d34-05fc-401e-8553-272b45c1522d
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021/05/26
modified: 2022/11/27
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ImagePath|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
    - Unknown
level: critical
