Custom Cobalt Strike Command Execution
Detects the execution of a specific OneLiner to Invoke PowerShell commands.
Sigma rule (View on GitHub)
1title: Custom Cobalt Strike Command Execution
2id: 782de568-fadb-4e7f-b89a-64247a606830
3status: experimental
4description: Detects the execution of a specific OneLiner to Invoke PowerShell commands.
5author: 'Kostastsale, TheDFIRReport'
6references:
7 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
8 - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
9date: 2022-05-09
10modified: 2024-02-23
11logsource:
12 product: windows
13 category: process_creation
14detection:
15 selection:
16 Image|endswith: '\powershell.exe'
17 CommandLine|contains|all:
18 - 'http://127.0.0.1'
19 - '%{(IRM $_)}'
20 - 'Invoke'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
25tags:
26 - attack.defense-evasion
27 - attack.t1562.001
28 - attack.execution
29 - attack.t1059.001
yaml
References
-
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral moveme…
Read More -
Various Powershell Download Cradles purposed as one-liners - Download-Cradles-Oneliners.md
Read More
Related rules
- Obfuscated PowerShell OneLiner Execution
- Potential BlackByte Ransomware Activity
- HackTool - Stracciatella Execution
- Remote Thread Creation Via PowerShell In Uncommon Target
- AMSI Bypass Pattern Assembly GetType