Process Creation Using Sysnative Folder

calendar Aug 12, 2024 · attack.defense-evasion attack.privilege-escalation attack.t1055  ·
Share on: linkedin copy

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

Sigma rule (View on GitHub)

 1title: Process Creation Using Sysnative Folder
 2id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
 3status: test
 4description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
 5references:
 6    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 7author: Max Altgelt (Nextron Systems)
 8date: 2022-08-23
 9modified: 2023-12-14
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1055
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    sysnative:
19        - CommandLine|contains: ':\Windows\Sysnative\'
20        - Image|contains: ':\Windows\Sysnative\'
21    condition: sysnative
22falsepositives:
23    - Unknown
24level: medium

References

  • Cobalt Strike, a Defender’s Guide

    Intro In our research, we expose adversarial Tactics, Techniques and Procedures (TTPs) as well as the tools they use to execute their mission objectives. In most of our cases, we see the threat act…


    Read More

Related rules

to-top