frack113
42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
title: CobaltStrike Process Patterns
|
|
id: f35c5d71-b489-4e22-a115-f003df287317
|
|
status: experimental
|
|
description: Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
|
|
author: Florian Roth
|
|
references:
|
|
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
|
|
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
|
|
date: 2021/07/27
|
|
modified: 2021/08/30
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection1:
|
|
CommandLine|contains: '\cmd.exe /C whoami'
|
|
ParentImage|startswith: 'C:\Temp'
|
|
selection2:
|
|
CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
|
|
ParentCommandLine|contains:
|
|
- '/C whoami'
|
|
- 'cmd.exe /C echo'
|
|
- ' > \\.\pipe'
|
|
selection3:
|
|
CommandLine|contains:
|
|
- 'cmd.exe /c echo'
|
|
- '> \\.\pipe'
|
|
- '\whoami.exe'
|
|
ParentImage|endswith: '\dllhost.exe'
|
|
selection4:
|
|
Image|endswith: '\cmd.exe'
|
|
ParentImage|endswith: '\runonce.exe'
|
|
ParentCommandLine|endswith: '\runonce.exe'
|
|
condition: 1 of them
|
|
falsepositives:
|
|
- Other programs that cause these patterns (please report)
|
|
level: high
|
|
|