Potential CobaltStrike Service Installations - Registry

Detects known malicious service installations that appear in cases where a Cobalt Strike beacon elevates privileges or moves laterally.

Sigma rule

title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
    Detects known malicious service installations that appear in cases where a Cobalt Strike beacon elevates privileges or moves laterally.
references:
    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        - TargetObject|contains: '\System\CurrentControlSet\Services'
        - TargetObject|contains|all:
              - '\System\ControlSet'
              - '\Services'
    selection_details:
        - Details|contains|all:
              - 'ADMIN$'
              - '.exe'
        - Details|contains|all:
              - '%COMSPEC%'
              - 'start'
              - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
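To make the rule's logic concrete, the following is an added example (not part of the Sigma rule or the Sigma project) that re-implements the two selections and the `all of selection_*` condition in plain Python and runs them over a handful of constructed `registry_set` events. It assumes the Sigma field names `TargetObject` and `Details` as they appear after field mapping from Sysmon Event ID 13 (RegistryEvent, Value Set), and it treats `contains` as case-insensitive, which is the Sigma default. The hostnames, service names and the base64 placeholder in the sample events are constructed, not real telemetry.

```python
"""Evaluate the 'Potential CobaltStrike Service Installations - Registry'
selection logic over constructed registry_set events (added example)."""


def _contains_all(haystack: str, needles) -> bool:
    """Sigma 'contains|all': every needle must appear, case-insensitively."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def selection_key(target_object: str) -> bool:
    """selection_key: the two list items under TargetObject are OR-ed."""
    return (
        _contains_all(target_object, ['\\System\\CurrentControlSet\\Services'])
        or _contains_all(target_object, ['\\System\\ControlSet', '\\Services'])
    )


def selection_details(details: str) -> bool:
    """selection_details: either 'contains|all' group is sufficient."""
    return (
        _contains_all(details, ['ADMIN$', '.exe'])
        or _contains_all(details, ['%COMSPEC%', 'start', 'powershell'])
    )


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* (both selections must hold)."""
    return (selection_key(event.get('TargetObject', ''))
            and selection_details(event.get('Details', '')))


# Constructed sample events in Sigma registry_set field names (not real data).
SAMPLE_EVENTS = [
    {   # service ImagePath pointing at a binary under an ADMIN$ share
        'EventID': 13,
        'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\a1b2c3d\\ImagePath',
        'Details': '\\\\HOST01\\ADMIN$\\a1b2c3d.exe',
    },
    {   # service ImagePath launching PowerShell via %COMSPEC% ... start
        'EventID': 13,
        'TargetObject': 'HKLM\\System\\ControlSet001\\Services\\e4f5a6b\\ImagePath',
        'Details': '%COMSPEC% /c start powershell -enc <BASE64_PLACEHOLDER>',
    },
    {   # legitimate service: key matches, details do not -> no alert
        'EventID': 13,
        'TargetObject': 'HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath',
        'Details': 'C:\\Windows\\System32\\spoolsv.exe',
    },
    {   # suspicious details, but not under a Services key -> no alert
        'EventID': 13,
        'TargetObject': 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
        'Details': '%COMSPEC% /c start powershell -enc <BASE64_PLACEHOLDER>',
    },
]


def evaluate(events) -> list:
    """Return the TargetObject of every event the rule would alert on."""
    return [e['TargetObject'] for e in events if rule_matches(e)]


if __name__ == '__main__':
    for hit in evaluate(SAMPLE_EVENTS):
        print('ALERT:', hit)
```

The third and fourth sample events show why the rule requires both selections: a normal service installation writes an ImagePath under `Services` without any of the suspicious `Details` tokens, and a `%COMSPEC%`/`start`/`powershell` value written somewhere other than a `Services` key is out of scope for this rule (it is not a service installation, whatever else it may be).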
