security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1749 from SigmaHQ/rule-devel

Browse Source 
CobaltStrike Process Patterns and minor fixes
This commit is contained in:
Florian Roth
2021-07-27 12:52:22 +02:00
committed by GitHub
parent 90ca1a8ad2 5d039dd138
commit ee85fdfa3f
3 changed files with 37 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/file_event/win_hivenightmare_file_exports.yml
+1 -1
View File
@@ -25,7 +25,7 @@ detection:
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
- TargetFilename:
- 'C:\windows\temp\sam'
- 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
fields:
- CommandLine
rules/windows/process_creation/win_cobaltstrike_process_patterns.yml
+34
View File
@@ -0,0 +1,34 @@
title: CobaltStrike Process Patterns
id: f35c5d71-b489-4e22-a115-f003df287317
status: experimental
description: Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
author: Florian Roth
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
date: 2021/07/27
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: '\cmd.exe /C whoami'
ParentImage|startswith: 'C:\Temp'
selection2:
CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
ParentCommandLine|contains:
- '/C whoami'
- 'cmd.exe /C echo'
- ' > \\.\pipe'
selection3:
CommandLine|contains:
- 'cmd.exe /c echo'
- '> \\.\pipe'
- '\whoami.exe'
ParentImage|endswith: '\dllhost.exe'
condition: 1 of them
falsepositives:
- Other programs that cause these patterns (please report)
level: high
rules/windows/process_creation/win_tools_relay_attacks.yml
+2
View File
@@ -4,6 +4,7 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
author: Florian Roth
date: 2021/07/24
modified: 2021/07/26
references:
- https://attack.mitre.org/techniques/T1557/001/
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
@@ -39,6 +40,7 @@ detection:
- ' ntlmrelay'
- 'cme smb '
- ' /ntlm:NTLMhash '
- 'Invoke-PetitPotam'
condition: selection_pe or selection_script
falsepositives:
- Legitimate files with these rare hacktool names