Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Sigma rule (View on GitHub)
1title: Process Creation Using Sysnative Folder
2id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
3status: test
4description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
5references:
6 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
7author: Max Altgelt (Nextron Systems)
8date: 2022-08-23
9modified: 2023-12-14
10tags:
11 - attack.defense-evasion
12 - attack.privilege-escalation
13 - attack.t1055
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 sysnative:
19 - CommandLine|contains: ':\Windows\Sysnative\'
20 - Image|contains: ':\Windows\Sysnative\'
21 condition: sysnative
22falsepositives:
23 - Unknown
24level: medium
References
Related rules
- APT PRIVATELOG Image Load Pattern
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- CobaltStrike Named Pipe Patterns
- Malicious Named Pipe Created