Operator Bloopers Cobalt Strike Modules

 1title: Operator Bloopers Cobalt Strike Modules
 2id: 507249b7-7adc-4cda-8edd-8577b431bee3
 3status: experimental
 4description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
 5author: _pete_0, TheDFIRReport
 6references:
 7    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
 8    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
 9date: 2022-05-06
10modified: 2022-05-06
11logsource:
12    category: process_creation
13    product: windows
14detection:
15    selection:
16        Image|endswith: '\cmd.exe'
17        CommandLine|contains:
18            - Invoke-UserHunter
19            - Invoke-ShareFinder
20            - Invoke-Kerberoast
21            - Invoke-SMBAutoBrute
22            - Invoke-Nightmare
23            - zerologon
24            - av_query
25    condition: selection
26fields:
27    - CommandLine
28falsepositives:
29    - Unknown
30level: high
31tags:
32    - attack.execution
33    - attack.t1059.003

References

• «G—mÿl6 
  µµ>™ ÀL £&JFåŒ�<\ÔAÆKº­ £Ç˺ƒ‡çû}1N+h(¢jĉ€mð–;SÊûÍeØ!ºm= ¢×dùóósp!lšTFi»e~ìè÷)[b´Y[hJO\#È�¯<<•¬C°î”¤íKBÃŽd ášcISµ •¶ÿ M¥žÙ×`]+NF¥öºp0 §‚œª-¸mDúáàðÌCDÁT¢±ÔÖ9(‡ ÕÓU ,...

  
  Read More

• BazarLoader and the Conti Leaks

  

  Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while lo…

  
  Read More

Related rules

• Bypassing Security Controls - Command Shell
• Obfuscated Commands - Command Shell
• Service Control Manager Spawning Command Shell with Suspect Strings
• Unusual or Suspicious Process Ancestry - Command Shell
• Windows Explorer Spawning Command Shell with Start and Exit Commands