Potential CobaltStrike Service Installations - Registry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally (for example, a service whose binary is copied to the ADMIN$ share, or a service whose command line starts PowerShell via %COMSPEC%).

Sigma rule

title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
        Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or moves laterally.
references:
    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        - TargetObject|contains: '\System\CurrentControlSet\Services'
        - TargetObject|contains|all:
              - '\System\ControlSet'
              - '\Services'
    selection_details:
        - Details|contains|all:
              - 'ADMIN$'
              - '.exe'
        - Details|contains|all:
              - '%COMSPEC%'
              - 'start'
              - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
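To make the detection block concrete, the following is an added Python evaluator, not code from the rule, from SigmaHQ, or from the rule's author. It reproduces the two selections and the `all of selection_*` condition and runs them over constructed Sysmon Event ID 13 (registry value set) records; the event field names, service names and command lines are assumptions for illustration. Sigma string modifiers such as `contains` are case-insensitive by default, so the evaluator lower-cases both sides before comparing. In practice the value that trips this rule is the `ImagePath` written under `HKLM\System\CurrentControlSet\Services\<name>` when a service is created, so the samples use that shape.

```python
# Added example, not part of the Sigma rule or SigmaHQ: a minimal evaluator for the
# rule's detection block, run over constructed Sysmon EID 13 records.
# Field names (TargetObject, Details) follow Sysmon's RegistryEvent schema; the
# service names and command lines in SAMPLE_EVENTS are invented for illustration.

from typing import Iterable, List


def contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all' modifier: every listed substring must be present."""
    return all(contains(value, n) for n in needles)


def selection_key(event: dict) -> bool:
    """selection_key: the written value lives under a Services key, whether the
    path uses CurrentControlSet or a numbered ControlSetNNN."""
    target = event.get("TargetObject", "")
    return (
        contains(target, r"\System\CurrentControlSet\Services")
        or contains_all(target, [r"\System\ControlSet", r"\Services"])
    )


def selection_details(event: dict) -> bool:
    """selection_details: the value data points at an .exe on ADMIN$, or it is a
    %COMSPEC% command line that starts PowerShell."""
    details = event.get("Details", "")
    return (
        contains_all(details, ["ADMIN$", ".exe"])
        or contains_all(details, ["%COMSPEC%", "start", "powershell"])
    )


def matches(event: dict) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return selection_key(event) and selection_details(event)


# Constructed sample events (not real telemetry), in the flattened form Sysmon
# EID 13 fields take after log parsing.
SAMPLE_EVENTS = [
    {   # Service binary dropped on ADMIN$ and registered as a service: should match
        "EventID": 13,
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\a1b2c3d\ImagePath",
        "Details": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe",
    },
    {   # Service command line that launches PowerShell via cmd: should match,
        # and the key sits under ControlSet001 rather than CurrentControlSet
        "EventID": 13,
        "TargetObject": r"HKLM\System\ControlSet001\Services\e4f5g6h\ImagePath",
        "Details": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c <constructed payload>",
    },
    {   # Ordinary Windows service: right key, benign value data: should not match
        "EventID": 13,
        "TargetObject": r"HKLM\System\CurrentControlSet\Services\BITS\ImagePath",
        "Details": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {   # Suspicious value data but written outside any Services key: should not match
        "EventID": 13,
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        "Details": r"\\127.0.0.1\ADMIN$\updater.exe",
    },
]


def run(events: Iterable[dict] = SAMPLE_EVENTS) -> List[str]:
    """Return the TargetObject of every event the rule would alert on."""
    return [e["TargetObject"] for e in events if matches(e)]


if __name__ == "__main__":
    for target in run():
        print("ALERT:", target)
```

Two points the evaluator makes visible: the rule only fires when both the key path and the value data match, so the fourth sample (an ADMIN$ path written to a Run key) is silent, and the ADMIN$ branch depends on that literal share name appearing in the data, so a service binary staged on a different share would fall through to the %COMSPEC% branch or not match at all.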
