Operator Bloopers Cobalt Strike Modules

 1title: Operator Bloopers Cobalt Strike Modules
 2id: 507249b7-7adc-4cda-8edd-8577b431bee3
 3status: experimental
 4description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
 5author: _pete_0, TheDFIRReport
 6references:
 7  - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
 8  - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
 9date: 2022/05/06
10modified: 2022/05/06
11logsource:
12  category: process_creation
13  product: windows
14detection:
15  selection:
16    CommandLine|contains:
17      - Invoke-UserHunter
18      - Invoke-ShareFinder
19      - Invoke-Kerberoast
20      - Invoke-SMBAutoBrute
21      - Invoke-Nightmare
22      - zerologon
23      - av_query
24    Image|endswith:
25      - '\cmd.exe'
26  condition: selection
27fields:
28  - CommandLine
29falsepositives:
30  - Unknown
31level: high
32tags:
33  - attack.execution
34  - attack.t1059.003

References

• «G—mÿl6 
  µµ>™ ÀL £&JFåŒ�<\ÔAÆKº­ £Ç˺ƒ‡çû}1N+h(¢jĉ€mð–;SÊûÍeØ!ºm= ¢×dùóósp!lšTFi»e~ìè÷)[b´Y[hJO\#È�¯<<•¬C°î”¤íKBÃŽd ášcISµ •¶ÿ M¥žÙ×`]+NF¥öºp0 §‚œª-¸mDúáàðÌCDÁT¢±ÔÖ9(‡ ÕÓU ,...

  
  Read More

• BazarLoader and the Conti Leaks

  

  Intro In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while lo…

  
  Read More

Related rules

• Operator Bloopers Cobalt Strike Commands
• Command Shell Bypassing Security Controls
• Command Shell Obfuscated Commands
• Command Shell Unusual or Suspicious Process Ancestry
• Powershell Obfuscation and Escape Characters