rules: cobalt strike rules refactored

Florian Roth 2021-08-30 15:10:30 +02:00
parent f78225c394
commit 1ded4eb913
No known key found for this signature in database
GPG Key ID: 5C328E4878049D7A
2 changed files with 11 additions and 2 deletions

@ -5,8 +5,9 @@ author: Florian Roth, Wojciech Lesicki
references:
- https://www.sans.org/webcasts/119395
- https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
date: 2021/05/26
modified: 2021/08/09
modified: 2021/08/30
tags:
- attack.execution
- attack.privilege_escalation
@ -19,7 +20,9 @@ logsource:
service: system
detection:
selection_id:
EventID: 7045
EventID:
- 7045
- 4697
selection1:
ServiceFileName|contains|all:
- 'ADMIN$'
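Review bot: the new `4697` value under `EventID:` does not fit the hunk's `service: system` logsource. 7045 is written by the Service Control Manager to the System log, whereas 4697 ("A service was installed in the system") is a Security log event that is only recorded when the "Audit Security System Extension" subcategory is enabled. A backend that scopes the query to the System channel will therefore never see 4697, and one that ignores the channel will evaluate `ServiceFileName` against both event types even though 7045 carries the service path in `ImagePath`, so the rule silently depends on the backend's field mapping. Suggest keeping this rule on 7045 and moving 4697 into a sibling rule with `service: security` (or, at minimum, documenting the audit-policy prerequisite and the field mapping in the rule), rather than listing both IDs under one logsource.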

@ -5,7 +5,9 @@ description: Detects process patterns found in Cobalt Strike beacon activity (se
author: Florian Roth
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
date: 2021/07/27
modified: 2021/08/30
tags:
- attack.execution
logsource:
@ -27,6 +29,10 @@ detection:
- '> \\.\pipe'
- '\whoami.exe'
ParentImage|endswith: '\dllhost.exe'
selection4:
Image|endswith: '\cmd.exe'
ParentImage|endswith: '\runonce.exe'
ParentCommandLine|endswith: '\runonce.exe'
condition: 1 of them
falsepositives:
- Other programs that cause these patterns (please report)
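Review bot: `ParentCommandLine|endswith: '\runonce.exe'` in `selection4` only matches when runonce.exe's command line is unquoted and carries no arguments; that reads as the intent (a bare runonce.exe used as a spawn-to host for cmd.exe), but a quoted path such as `"C:\Windows\system32\runonce.exe"` ends with `"` and will be missed even though it has no arguments either. Either add `'\runonce.exe"'` as a second `endswith` value or state the no-arguments intent in a comment so the next editor does not "fix" it into a plain `contains`. Also, because the rule ends with `condition: 1 of them`, `selection4` fires on its own, so any known benign runonce.exe-spawned cmd.exe cases belong in `falsepositives` instead of only the generic "please report" entry.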