Process Creation Using Sysnative Folder

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

Sigma rule (View on GitHub)

 1title: Process Creation Using Sysnative Folder
 2id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
 3status: test
 4description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
 5references:
 6    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 7author: Max Altgelt (Nextron Systems)
 8date: 2022-08-23
 9modified: 2025-10-08
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1055
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - CommandLine|contains: ':\Windows\Sysnative\'
20        - Image|contains: ':\Windows\Sysnative\'
21    filter_main_ngen:
22        Image|contains:
23            - 'C:\Windows\Microsoft.NET\Framework64\v'
24            - 'C:\Windows\Microsoft.NET\Framework\v'
25            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
26            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
27        Image|endswith: '\ngen.exe'
28        CommandLine|contains: 'install'
29    filter_optional_xampp:
30        CommandLine|contains|all:
31            - '"C:\Windows\sysnative\cmd.exe"'
32            - '\xampp\'
33            - '\catalina_start.bat'
34    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
35falsepositives:
36    - Unknown
37level: medium

References

Related rules

to-top