Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Sigma rule (View on GitHub)
1title: Process Creation Using Sysnative Folder
2id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
3status: test
4description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
5references:
6 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
7author: Max Altgelt (Nextron Systems)
8date: 2022-08-23
9modified: 2025-10-08
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1055
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - CommandLine|contains: ':\Windows\Sysnative\'
20 - Image|contains: ':\Windows\Sysnative\'
21 filter_main_ngen:
22 Image|contains:
23 - 'C:\Windows\Microsoft.NET\Framework64\v'
24 - 'C:\Windows\Microsoft.NET\Framework\v'
25 - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
26 - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
27 Image|endswith: '\ngen.exe'
28 CommandLine|contains: 'install'
29 filter_optional_xampp:
30 CommandLine|contains|all:
31 - '"C:\Windows\sysnative\cmd.exe"'
32 - '\xampp\'
33 - '\catalina_start.bat'
34 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
35falsepositives:
36 - Unknown
37level: medium
References
-
Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we see the threat act…
Read More
Related rules
- HackTool - CoercedPotato Execution
- Remote Thread Creation By Uncommon Source Image
- Suspicious Child Process Of Wermgr.EXE
- HackTool - EfsPotato Named Pipe Creation
- HackTool - CoercedPotato Named Pipe Creation