title: CobaltStrike Process Patterns
ruletype: Sigma
author: Florian Roth
date: 2021/07/27
description: Detects process patterns found in Cobalt Strike beacon activity (see
  reference for more details)
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_10:
    ParentCommandLine: '*\runonce.exe'
  SELECTION_2:
    CommandLine: '*\cmd.exe /C whoami*'
  SELECTION_3:
    ParentImage: C:\Temp*
  SELECTION_4:
    CommandLine: '*conhost.exe 0xffffffff -ForceV1*'
  SELECTION_5:
    ParentCommandLine:
    - '*/C whoami*'
    - '*cmd.exe /C echo*'
    - '* > \\.\pipe*'
  SELECTION_6:
    CommandLine:
    - '*cmd.exe /c echo*'
    - '*> \\.\pipe*'
    - '*\whoami.exe*'
  SELECTION_7:
    ParentImage: '*\dllhost.exe'
  SELECTION_8:
    Image: '*\cmd.exe'
  SELECTION_9:
    ParentImage: '*\runonce.exe'
  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
    or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
falsepositives:
- Other programs that cause these patterns (please report)
id: f35c5d71-b489-4e22-a115-f003df287317
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/08/30
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
status: experimental
tags:
- attack.execution
- attack.t1059