Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Sigma rule (View on GitHub)
1title: Process Creation Using Sysnative Folder
2id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
3status: test
4description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
5references:
6 - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
7author: Max Altgelt (Nextron Systems)
8date: 2022/08/23
9modified: 2023/12/14
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - attack.t1055
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 sysnative:
19 - CommandLine|contains: ':\Windows\Sysnative\'
20 - Image|contains: ':\Windows\Sysnative\'
21 condition: sysnative
22falsepositives:
23 - Unknown
24level: medium
References
-
As you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. Some of the most common droppers we see are IcedID (a.k.a. BokBot), ZLoader, Qbot (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot.
Read More
Related rules
- Malicious Named Pipe Created
- HackTool - EfsPotato Named Pipe Creation
- Malware Shellcode in Verclsid Target Process
- Suspect Svchost Activity
- HackTool - CoercedPotato Named Pipe Creation