From 2e7aed526286329212587dcd22543c361d724da1 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sat, 19 Jun 2021 23:45:01 +0200 Subject: [PATCH 1/5] Added space in "Service File Name" field as it was in the previous version. --- rules/windows/builtin/win_cobaltstrike_service_installs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 9834aee86..96ceb2673 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -20,11 +20,11 @@ detection: selection1: EventID: 7045 selection2: - ServiceFileName|contains|all: + Service File Name|contains|all: - 'ADMIN$' - '.exe' selection3: - ServiceFileName|contains|all: + Service File Name|contains|all: - '%COMSPEC%' - 'start' - 'powershell' From f816ed4f5ede21cdd9a25fca2dcf6da88673eaea Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 20 Jun 2021 00:11:55 +0200 Subject: [PATCH 2/5] Update for "modified" date. --- rules/windows/builtin/win_cobaltstrike_service_installs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 96ceb2673..64d12bbc1 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -5,7 +5,7 @@ author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 date: 2021/05/26 -modified: 2021/06/03 +modified: 2021/06/20 tags: - attack.execution - attack.privilege_escalation From 8b2881328f30133c60c73dcf5c814394e06f36ca Mon Sep 17 00:00:00 2001 
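Review bot: The renamed key `Service File Name` in selection2 and selection3 of the first hunk is the EVTX message-rendering label rather than the event field name that Sigma backends translate through their field mappings; the existing rule's `ServiceFileName` (the removed lines) is what those mappings expect, so the patched rule would likely stop matching after conversion. Patch 4 of this series reverts the rename and patch 5 reverts the `modified` date bump, so patches 1, 2, 4 and 5 cancel out and could be dropped before merge, leaving only the new registry rule as the substantive change.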
From: WojciechLesicki
Date: Tue, 29 Jun 2021 10:52:10 +0200
Subject: [PATCH 3/5] CobaltStrike Service Installations in Registry
---
 .../sysmon_cobaltstrike_service_installs.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml
diff --git a/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml b/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml
new file mode 100644
index 000000000..9d7818cbf
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml
@@ -0,0 +1,37 @@
+title: CobaltStrike Service Installations in Registry
+id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+ We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
+ In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
+status: experimental
+date: 2021/06/29
+author: Wojciech Lesicki
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
+references:
+ - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection1:
+ EventType: SetValue
+ TargetObject|contains: 'HKLM\System\CurrentControlSet\Services'
+ selection2:
+ Details|contains|all:
+ - 'ADMIN$'
+ - '.exe'
+ selection3:
+ Details|contains|all:
+ - '%COMSPEC%'
+ - 'start'
+ - 'powershell'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
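Review bot: `TargetObject|contains: 'HKLM\System\CurrentControlSet\Services'` in selection1 matches a SetValue on any value anywhere under the Services key, while both `Details` patterns describe a service binary path, which Windows stores in the service's `ImagePath` value; adding `TargetObject|endswith: '\ImagePath'` as a second key under selection1 would keep a service `Description` or other string value that happens to contain `ADMIN$`/`.exe` or `start`/`powershell` from raising a critical alert. Sysmon does not log registry events unless the deployed configuration enables RegistryEvent for this key, which the description's "regular sysmon's events" remark does not make clear; a sentence such as `Requires a Sysmon configuration that logs registry SetValue events for HKLM\System\CurrentControlSet\Services.` would spare operators a silent miss. The GitHub link embedded in the description belongs under `references:`, and the three-line plain scalar would read more predictably as a `description: |` block scalar.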
From 364cfe56c280e86f5845f131b1182084f5fc6d4e Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 29 Jun 2021 10:57:36 +0200 Subject: [PATCH 4/5] Base to upstream version --- rules/windows/builtin/win_cobaltstrike_service_installs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 64d12bbc1..7d8813abc 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -20,11 +20,11 @@ detection: selection1: EventID: 7045 selection2: - Service File Name|contains|all: + ServiceFileName|contains|all: - 'ADMIN$' - '.exe' selection3: - Service File Name|contains|all: + ServiceFileName|contains|all: - '%COMSPEC%' - 'start' - 'powershell' From ae317652f7e1a3245dcfd99f2bc667b0dd969d53 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Tue, 29 Jun 2021 11:02:55 +0200 Subject: [PATCH 5/5] Back to upstream version. --- rules/windows/builtin/win_cobaltstrike_service_installs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 7d8813abc..9834aee86 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -5,7 +5,7 @@ author: Florian Roth, Wojciech Lesicki references: - https://www.sans.org/webcasts/119395 date: 2021/05/26 -modified: 2021/06/20 +modified: 2021/06/03 tags: - attack.execution - attack.privilege_escalation