Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
Sigma rule (View on GitHub)
1title: Potential CobaltStrike Process Patterns
2id: f35c5d71-b489-4e22-a115-f003df287317
3status: test
4description: Detects potential process patterns related to Cobalt Strike beacon activity
5references:
6 - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
7 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
9date: 2021-07-27
10modified: 2023-03-29
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_generic_1:
19 CommandLine|endswith: 'cmd.exe /C whoami'
20 ParentImage|startswith: 'C:\Temp\'
21 selection_generic_2:
22 ParentImage|endswith:
23 - '\runonce.exe'
24 - '\dllhost.exe'
25 CommandLine|contains|all:
26 - 'cmd.exe /c echo'
27 - '> \\\\.\\pipe'
28 selection_conhost_1:
29 ParentCommandLine|contains|all:
30 - 'cmd.exe /C echo'
31 - ' > \\\\.\\pipe'
32 CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
33 selection_conhost_2:
34 ParentCommandLine|endswith: '/C whoami'
35 CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
36 condition: 1 of selection_*
37falsepositives:
38 - Unknown
39level: high
References
-
It’s been known that some built-in commands in Cobalt Strike are major op-sec no-no’s, but why are they bad? The goal of this post isn’t to teach you “good” op-sec, as I feel that is a bit subjecti…
Read More -
Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we see the threat act…
Read More
Related rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Atlassian Confluence CVE-2022-26134
- Azure New CloudShell Created