CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
46b0594150f79a15992cc451384f4e204c673dd3
hayabusa/rules/sigma/process_creation/win_cobaltstrike_process_patterns.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

52 lines
1.4 KiB
YAML
Raw Blame History

title: CobaltStrike Process Patterns
ruletype: Sigma
author: Florian Roth
date: 2021/07/27
description: Detects process patterns found in Cobalt Strike beacon activity (see
reference for more details)
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
ParentCommandLine: '*\runonce.exe'
SELECTION_2:
CommandLine: '*\cmd.exe /C whoami*'
SELECTION_3:
ParentImage: C:\Temp*
SELECTION_4:
CommandLine: '*conhost.exe 0xffffffff -ForceV1*'
SELECTION_5:
ParentCommandLine:
- '*/C whoami*'
- '*cmd.exe /C echo*'
- '* > \\.\pipe*'
SELECTION_6:
CommandLine:
- '*cmd.exe /c echo*'
- '*> \\.\pipe*'
- '*\whoami.exe*'
SELECTION_7:
ParentImage: '*\dllhost.exe'
SELECTION_8:
Image: '*\cmd.exe'
SELECTION_9:
ParentImage: '*\runonce.exe'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3) or (SELECTION_4 and SELECTION_5)
or (SELECTION_6 and SELECTION_7) or (SELECTION_8 and SELECTION_9 and SELECTION_10)))
falsepositives:
- Other programs that cause these patterns (please report)
id: f35c5d71-b489-4e22-a115-f003df287317
level: high
logsource:
category: process_creation
product: windows
modified: 2021/08/30
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
status: experimental
tags:
- attack.execution
- attack.t1059
Reference in New Issue View Git Blame Copy Permalink