Operator Bloopers Cobalt Strike Commands

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Sigma rule

title: Operator Bloopers Cobalt Strike Commands
id: f127a4d7-5246-4e22-aa8d-a97d05e4f1a7
status: experimental
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
author: _pete_0, TheDFIRReport
references:
  - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
date: 2022/05/06
modified: 2022/05/06
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - psinject
      - spawnas
      - socks
      - make_token
      - remote-exec
      - rev2self
      - shell
      - dcsync
      - upload
      - sleep
      - ls
      - logonpasswords
      - ps
      - execute-assembly
      - pth
      - getsystem
    Image|endswith:
      - '\cmd.exe'
  condition: selection
fields:
  - CommandLine
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.t1059.003
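As an added example that is not part of this rule or of the Sigma project: a small Python reimplementation of the rule's selection logic, run over constructed process_creation events, which shows which keywords fire on a genuine operator blooper and why the short substrings (`ls`, `ps`, `shell`) also hit ordinary cmd.exe activity such as launching a PowerShell script. Field names follow the Sysmon/Sigma process_creation convention (`Image`, `CommandLine`); the events themselves are made up.

```python
from __future__ import annotations

# Keyword list copied from the rule's CommandLine|contains selection.
COMMANDLINE_CONTAINS = [
    "psinject", "spawnas", "socks", "make_token", "remote-exec", "rev2self",
    "shell", "dcsync", "upload", "sleep", "ls", "logonpasswords", "ps",
    "execute-assembly", "pth", "getsystem",
]
# Image|endswith selection from the rule.
IMAGE_ENDSWITH = ["\\cmd.exe"]


def matches(event: dict) -> list[str]:
    """Return the rule keywords that fire for one process_creation event.

    Sigma string comparisons are case-insensitive, so both fields are
    lower-cased first. An empty list means the selection did not match.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH):
        return []
    return [kw for kw in COMMANDLINE_CONTAINS if kw in cmdline]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Operator blooper: a Beacon command typed into a cmd.exe shell.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c logonpasswords"},
    # Benign: cmd.exe launching a PowerShell script hits "shell", "ls", "ps".
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -File C:\\tools\\backup.ps1"},
    # Not cmd.exe: the Image filter excludes it whatever the command line.
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Start-Sleep 5"},
]


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each matching command line to the keywords that fired."""
    return {e["CommandLine"]: hits for e in events if (hits := matches(e))}


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(f"{hits!r:32} <- {cmdline}")
```

The second event illustrates why `falsepositives: Unknown` deserves attention before deploying at `level: high`: any cmd.exe that invokes PowerShell or references a `.ps1` file matches.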
