title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: experimental
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt
date: 2022/08/23
tags:
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    sysnative:
        CommandLine|startswith: 'C:\Windows\Sysnative\'
    condition: sysnative
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium