Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
Sigma rule (View on GitHub)
1title: Operator Bloopers Cobalt Strike Modules
2id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
3related:
4 - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
5 type: similar
6status: test
7description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
8references:
9 - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
10 - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
11 - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
12author: _pete_0, TheDFIRReport
13date: 2022/05/06
14modified: 2023/01/30
15tags:
16 - attack.execution
17 - attack.t1059.003
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - OriginalFileName: 'Cmd.Exe'
24 - Image|endswith: '\cmd.exe'
25 selection_cli:
26 CommandLine|contains:
27 - 'Invoke-UserHunter'
28 - 'Invoke-ShareFinder'
29 - 'Invoke-Kerberoast'
30 - 'Invoke-SMBAutoBrute'
31 - 'Invoke-Nightmare'
32 - 'zerologon'
33 - 'av_query'
34 condition: all of selection_*
35falsepositives:
36 - Unknown
37level: high
References
Related rules
- Operator Bloopers Cobalt Strike Commands
- HackTool - CrackMapExec Execution Patterns
- Potential Baby Shark Malware Activity
- Potential CommandLine Path Traversal Via Cmd.EXE
- Sofacy Trojan Loader Activity