Potential CobaltStrike Process Patterns

Detects potential process patterns related to Cobalt Strike beacon activity

Sigma rule (View on GitHub)

 1title: Potential CobaltStrike Process Patterns
 2id: f35c5d71-b489-4e22-a115-f003df287317
 3status: test
 4description: Detects potential process patterns related to Cobalt Strike beacon activity
 5references:
 6    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
 7    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2021/07/27
10modified: 2023/03/29
11tags:
12    - attack.execution
13    - attack.t1059
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_generic_1:
19        CommandLine|endswith: 'cmd.exe /C whoami'
20        ParentImage|startswith: 'C:\Temp\'
21    selection_generic_2:
22        ParentImage|endswith:
23            - '\runonce.exe'
24            - '\dllhost.exe'
25        CommandLine|contains|all:
26            - 'cmd.exe /c echo'
27            - '> \\\\.\\pipe'
28    selection_conhost_1:
29        ParentCommandLine|contains|all:
30            - 'cmd.exe /C echo'
31            - ' > \\\\.\\pipe'
32        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
33    selection_conhost_2:
34        ParentCommandLine|endswith: '/C whoami'
35        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
36    condition: 1 of selection_*
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top