Custom Cobalt Strike Command Execution

Detects powershell.exe launched with a command line that pulls content from an HTTP URL on the loopback interface (127.0.0.1) through '%{(IRM $_)}', that is, ForEach-Object (alias %) calling Invoke-RestMethod (alias IRM) on the piped URL, and hands the result to an Invoke-* cmdlet such as Invoke-Expression. This is the custom download-cradle one-liner the rule is named for; all three command-line fragments must be present for the rule to fire.

Sigma rule

```yaml
title: Custom Cobalt Strike Command Execution
id: 782de568-fadb-4e7f-b89a-64247a606830
status: experimental
description: Detects the execution of a specific OneLiner to Invoke PowerShell commands.
author: 'Kostastsale, TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
  - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
date: 2022-05-09
modified: 2024-02-23
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith:
      - '\powershell.exe'
    CommandLine|contains|all:
      - 'http://127.0.0.1'   # payload fetched from a listener on the local loopback interface
      - '%{(IRM $_)}'        # ForEach-Object (%) calling Invoke-RestMethod (IRM) on the piped URL
      - 'Invoke'             # e.g. Invoke-Expression evaluating what was fetched
  condition: selection1
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - attack.execution
  - attack.t1059.001
```
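The selection above is small enough to run by hand. Below is an added example (not part of the rule, the page, or the referenced report) that implements the rule's two field tests with Sigma's default case-insensitive string matching and runs them over constructed process_creation events forwarded as JSON lines. The binary paths, the port, and every command line are made up for illustration; only the three substrings and the image suffix are taken from the rule.

```python
"""The rule's selection1, applied to constructed process_creation events.

Added example, not the rule's or the page's own code. Field names follow the
Sigma windows/process_creation taxonomy (Image, CommandLine); all event data
below is constructed.
"""
import json

# Values copied verbatim from the rule's detection section.
IMAGE_ENDSWITH = ["\\powershell.exe"]
CMDLINE_CONTAINS_ALL = ["http://127.0.0.1", "%{(IRM $_)}", "Invoke"]


def ends_with_any(value, suffixes):
    """Sigma `endswith` over a list: case-insensitive, any entry may match."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_all(value, needles):
    """Sigma `contains|all`: case-insensitive, every entry must be present."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def matches(event):
    """selection1 of the rule; `condition: selection1` means it alone decides."""
    return (ends_with_any(event.get("Image", ""), IMAGE_ENDSWITH)
            and contains_all(event.get("CommandLine", ""), CMDLINE_CONTAINS_ALL))


# Constructed binary paths (hypothetical hosts, not taken from the page).
PS51 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS7 = r"C:\Program Files\PowerShell\7\pwsh.exe"
# Constructed cradle of the shape the rule describes: a loopback URL piped through
# ForEach-Object (%) into Invoke-RestMethod (IRM), the result fed to Invoke-Expression.
CRADLE = r'''powershell -nop -w hidden -c "'http://127.0.0.1:4444/' | %{(IRM $_)} | Invoke-Expression"'''

# Constructed events, in the order a collector would forward them.
SAMPLE_EVENTS = [
    {"name": "cs_cradle", "Image": PS51, "CommandLine": CRADLE},
    # Sigma string matching is case-insensitive, so re-cased aliases still hit.
    {"name": "lowercase_alias", "Image": PS51,
     "CommandLine": CRADLE.replace("IRM", "irm").replace("Invoke-Expression", "invoke-expression")},
    # `iex` carries no "Invoke" substring, so the third term does not match.
    {"name": "iex_alias", "Image": PS51, "CommandLine": CRADLE.replace("Invoke-Expression", "iex")},
    # Loopback URL and an Invoke-* cmdlet, but no `%{(IRM $_)}`: all three terms are required.
    {"name": "local_health_check", "Image": PS51,
     "CommandLine": 'powershell -c "Invoke-WebRequest http://127.0.0.1:8080/health"'},
    # PowerShell 7 ships as pwsh.exe, which the Image clause does not cover.
    {"name": "pwsh_cradle", "Image": PS7, "CommandLine": CRADLE},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def run_detection(jsonl):
    """Parse JSON lines and return the names of the events the rule fires on."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if matches(event):
            hits.append(event["name"])
    return hits


if __name__ == "__main__":
    for name in run_detection(SAMPLE_LOG):
        print("ALERT", name)
```

Running it flags only cs_cradle and lowercase_alias. The other three rows are the caveats a practitioner should keep in mind: the rule requires all three fragments, so a loopback download without the '%{(IRM $_)}' construct is ignored; the literal 'Invoke' term is satisfied by Invoke-Expression but not by its alias iex; and the Image clause covers powershell.exe only, not pwsh.exe. Whether to widen any of these is a tuning decision for the environment, not something the rule as published does.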
