Process Creation Using Sysnative Folder

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

Sigma rule

title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: experimental
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022/08/23
tags:
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    sysnative:
        CommandLine|startswith: 'C:\Windows\Sysnative\'
    condition: sysnative
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
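As an added example (not code from the rule author or the Sigma project), the rule's single `startswith` selection applied in Python to a few constructed process_creation events, including one quoted image path that the prefix match does not cover; the event dicts and their values are assumptions.

```python
from typing import Dict, Iterable, List

# Rule logic from the page: logsource process_creation/windows,
# selection 'sysnative': CommandLine|startswith 'C:\Windows\Sysnative\'.
SYSNATIVE_PREFIX = "C:\\Windows\\Sysnative\\"
# Fields the rule asks the SIEM to surface with each hit ('fields:' section).
OUTPUT_FIELDS = ("CommandLine", "ParentCommandLine")


def matches_sysnative_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's only selection to one process_creation event.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased; an event without a CommandLine field cannot match.
    """
    command_line = event.get("CommandLine")
    if not command_line:
        return False
    return command_line.lower().startswith(SYSNATIVE_PREFIX.lower())


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the 'fields' projection of every event the rule fires on."""
    return [
        {field: event.get(field, "") for field in OUTPUT_FIELDS}
        for event in events
        if matches_sysnative_rule(event)
    ]


# Constructed sample events, not real telemetry (field names follow the
# Sigma process_creation taxonomy; paths and parents are assumptions).
SAMPLE_EVENTS = [
    {"CommandLine": r"C:\Windows\Sysnative\rundll32.exe",
     "ParentCommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Mixed case still hits because Sigma matching is case-insensitive.
    {"CommandLine": r"c:\windows\sysnative\cmd.exe /c ipconfig /all",
     "ParentCommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # The real System32 path is out of scope for this rule.
    {"CommandLine": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    # A quoted image path starts with '"', so 'startswith' does not fire:
    # a gap to keep in mind when tuning or extending this rule.
    {"CommandLine": r'"C:\Windows\Sysnative\cmd.exe" /c ipconfig',
     "ParentCommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```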
