Custom Cobalt Strike Command Execution
Detects the execution of a specific OneLiner to Invoke PowerShell commands.
Sigma rule
title: Custom Cobalt Strike Command Execution
id: 782de568-fadb-4e7f-b89a-64247a606830
status: experimental
description: Detects the execution of a specific OneLiner to Invoke PowerShell commands.
author: 'Kostastsale, TheDFIRReport'
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
date: 2022-05-09
modified: 2024-02-23
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Image|endswith:
            - '\powershell.exe'
        CommandLine|contains|all:
            - 'http://127.0.0.1'
            - '%{(IRM $_)}'
            - 'Invoke'
    condition: selection1
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1562.001
    - attack.execution
    - attack.t1059.001
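To see what selection1 does and does not match before deploying it, here is an added Python re-implementation of the rule's two modifiers (`endswith` and `contains|all`) run over constructed process_creation events; this is example code, not part of the rule or of the Sigma project, and it assumes Sigma's default case-insensitive string matching.

```python
from typing import Dict, List

# selection1 of the rule, transcribed from the page (values are the rule's own)
IMAGE_ENDSWITH = ["\\powershell.exe"]
CMDLINE_CONTAINS_ALL = ["http://127.0.0.1", "%{(IRM $_)}", "Invoke"]


def sigma_endswith(value: str, patterns: List[str]) -> bool:
    """Sigma 'endswith': any pattern may match, case-insensitively."""
    v = value.lower()
    return any(v.endswith(p.lower()) for p in patterns)


def sigma_contains_all(value: str, patterns: List[str]) -> bool:
    """Sigma 'contains|all': every pattern must be a case-insensitive substring."""
    v = value.lower()
    return all(p.lower() in v for p in patterns)


def matches_selection1(event: Dict[str, str]) -> bool:
    """True when a process_creation event satisfies selection1 (the rule's condition)."""
    return (sigma_endswith(event.get("Image", ""), IMAGE_ENDSWITH)
            and sigma_contains_all(event.get("CommandLine", ""), CMDLINE_CONTAINS_ALL))


# Constructed sample events (not real telemetry), one per case worth knowing about.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1. the pattern the rule targets: all three fragments present under powershell.exe
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -c \"'http://127.0.0.1:8080/a' | %{(IRM $_)} | Invoke-Expression\""},
    # 2. benign local REST call: has the URL and 'Invoke' but not the '%{(IRM $_)}' fragment
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -c \"Invoke-RestMethod http://127.0.0.1/health\""},
    # 3. same fragments but wrong Image: the rule only looks at powershell.exe
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo http://127.0.0.1 %{(IRM $_)} Invoke"},
    # 4. coverage gap: PowerShell 7 (pwsh.exe) is not matched by '\powershell.exe'
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c \"'http://127.0.0.1/a' | %{(IRM $_)} | Invoke-Expression\""},
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Apply selection1 to each event; expected here: [True, False, False, False]."""
    return [matches_selection1(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ignore", event["CommandLine"])
```

Case 4 is the practical caveat: the rule's Image check is limited to powershell.exe, so a pwsh.exe equivalent would need a second `endswith` value.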
Related rules
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation RUNDLL LAUNCHER
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation VAR+ Launcher