Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Sigma rule
```yaml
title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: test
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022-08-23
modified: 2025-10-08
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: ':\Windows\Sysnative\'
        - Image|contains: ':\Windows\Sysnative\'
    filter_main_ngen:
        Image|contains:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
        Image|endswith: '\ngen.exe'
        CommandLine|contains: 'install'
    filter_optional_xampp:
        CommandLine|contains|all:
            - '"C:\Windows\sysnative\cmd.exe"'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
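The rule's selection, its two filters and the final condition, evaluated against a handful of constructed process_creation events. This is an added example, not the SigmaHQ rule's own code and not a Sigma backend: string matching is done case-insensitively to mirror Sigma's default, the `Image` and `CommandLine` field names follow the Sigma process_creation taxonomy, and every sample event below is made up for the demonstration (including the ngen and XAMPP cases that exercise the filters).

```python
"""Evaluate the 'Process Creation Using Sysnative Folder' Sigma rule in plain
Python.  Added example; not the rule's own code or a Sigma backend.  Matching
is case-insensitive, as Sigma's default string modifiers are."""

# Values taken from the rule, lowered once so comparisons are case-insensitive.
SYSNATIVE = ':\\windows\\sysnative\\'

NGEN_DIRS = (
    'c:\\windows\\microsoft.net\\framework64\\v',
    'c:\\windows\\microsoft.net\\framework\\v',
    'c:\\windows\\microsoft.net\\frameworkarm\\v',
    'c:\\windows\\microsoft.net\\frameworkarm64\\v',
)

XAMPP_TOKENS = (
    '"c:\\windows\\sysnative\\cmd.exe"',
    '\\xampp\\',
    '\\catalina_start.bat',
)


def _field(event, name):
    """Return an event field lower-cased; missing fields match nothing."""
    return str(event.get(name, '')).lower()


def selection(event):
    """selection: CommandLine|contains OR Image|contains the Sysnative path."""
    return (SYSNATIVE in _field(event, 'CommandLine')
            or SYSNATIVE in _field(event, 'Image'))


def filter_main_ngen(event):
    """filter_main_ngen: all three conditions of the filter map must hold."""
    image = _field(event, 'Image')
    return (any(d in image for d in NGEN_DIRS)
            and image.endswith('\\ngen.exe')
            and 'install' in _field(event, 'CommandLine'))


def filter_optional_xampp(event):
    """filter_optional_xampp: CommandLine|contains|all of the three tokens."""
    cmd = _field(event, 'CommandLine')
    return all(tok in cmd for tok in XAMPP_TOKENS)


def matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection(event)
            and not filter_main_ngen(event)
            and not filter_optional_xampp(event))


def run(events):
    """Return the ids of the events the rule would alert on."""
    return [e['id'] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A 32-bit parent spawning a native binary through the Sysnative alias: should alert.
    {"id": "sysnative-spawn",
     "Image": "C:\\Windows\\Sysnative\\rundll32.exe",
     "CommandLine": "C:\\Windows\\Sysnative\\rundll32.exe"},
    # ngen.exe install referencing a Sysnative path: matched by selection, removed by filter_main_ngen.
    {"id": "ngen-install",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe",
     "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ngen.exe\" "
                    "install \"C:\\Windows\\Sysnative\\example.dll\""},
    # XAMPP Tomcat start script: matched by selection, removed by filter_optional_xampp.
    {"id": "xampp-catalina",
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "\"C:\\Windows\\sysnative\\cmd.exe\" /c C:\\xampp\\catalina_start.bat"},
    # Ordinary System32 process: not matched by selection at all.
    {"id": "benign-svchost",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


if __name__ == '__main__':
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:18} selection={selection(event)!s:5} "
              f"ngen_filter={filter_main_ngen(event)!s:5} "
              f"xampp_filter={filter_optional_xampp(event)!s:5} "
              f"alert={matches(event)}")
    print("alerts:", run(SAMPLE_EVENTS))
```

Note that the ngen and XAMPP events both pass `selection` and are dropped only by their filter, which is exactly what the `and not 1 of filter_*` clauses in the condition do; removing either filter from `matches` turns the corresponding event into an alert, a quick way to see what each exclusion costs in coverage.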
Related rules
- HackTool - CoercedPotato Execution
- Rare Remote Thread Creation By Uncommon Source Image
- Remote Thread Creation By Uncommon Source Image
- Suspicious Child Process Of Wermgr.EXE
- HackTool - EfsPotato Named Pipe Creation