blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00


title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: test
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022/08/23
tags:
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    sysnative:
        CommandLine|startswith: 'C:\Windows\Sysnative\'
    condition: sysnative
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: medium
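To show how this rule's single `startswith` selection behaves once it is compiled into a query, here is an added example (not part of the Sigma repository or this rule) that applies the rule's detection block in Python to a few constructed process_creation events. Sigma string matching is case-insensitive unless the `cased` modifier is used, so the matcher lowercases both sides; the events, field names and parent paths are constructed test data.

```python
"""Evaluate the Sysnative Sigma rule's detection logic against sample events."""
from typing import Any

# Detection section transcribed from the rule on this page. The trailing
# backslash is why the pattern is written as a normal (non-raw) string.
DETECTION: dict[str, Any] = {
    "sysnative": {"CommandLine|startswith": "C:\\Windows\\Sysnative\\"},
    "condition": "sysnative",
}

# Constructed process_creation events for illustration, not real telemetry.
# Sysnative is the WoW64 alias through which a 32-bit process reaches the
# native 64-bit System32, which is what makes such spawns worth flagging.
EVENTS = [
    {"CommandLine": r"C:\Windows\Sysnative\rundll32.exe shell32.dll,Control_RunDLL",
     "ParentCommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Different casing: Sigma matching is case-insensitive, so this still hits.
    {"CommandLine": r"c:\windows\sysnative\cmd.exe /c whoami",
     "ParentCommandLine": r"C:\Program Files (x86)\Vendor\agent32.exe"},
    # Ordinary System32 path: must not match.
    {"CommandLine": r"C:\Windows\System32\cmd.exe /c whoami",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    # Quoted image path: the command line begins with '"', so a literal
    # startswith on the path does not match. A coverage caveat of the rule as written.
    {"CommandLine": r'"C:\Windows\Sysnative\cmd.exe" /c dir',
     "ParentCommandLine": r"C:\tools\launcher.exe"},
]


def field_matches(event: dict[str, str], key: str, expected: str) -> bool:
    """Apply one Sigma field test written as 'Field|modifier' (startswith or equality only).

    Sigma compares strings case-insensitively unless the `cased` modifier is present.
    """
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "":
        return value == expected
    raise NotImplementedError(f"unsupported Sigma modifier: {modifier!r}")


def rule_matches(event: dict[str, str], detection: dict[str, Any] = DETECTION) -> bool:
    """A map-style selection ANDs its field tests; the condition here names one selection."""
    selection = detection[detection["condition"]]
    return all(field_matches(event, k, v) for k, v in selection.items())
```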