rule: Cobalt Strike patterns

rules/windows/process_creation/win_cobaltstrike_process_patterns.yml

@@ -0,0 +1,34 @@
+title: CobaltStrike Process Patterns
+id: f35c5d71-b489-4e22-a115-f003df287317
+status: experimental
+description: Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
+author: Florian Roth
+references:
+    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
+date: 2021/07/27
+tags:
+    - attack.execution
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1: 
+        CommandLine|contains: '\cmd.exe /C whoami'
+        ParentImage|startswith: 'C:\Temp'
+    selection2:
+        CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
+        ParentCommandLine|contains: 
+            - '/C whoami'
+            - 'cmd.exe /C echo'
+            - ' > \\.\pipe'
+    selection3:
+        CommandLine|contains: 
+            - 'cmd.exe /c echo'
+            - '> \\.\pipe'
+            - '\whoami.exe'
+        ParentImage|endswith: '\dllhost.exe'
+    condition: 1 of them
+falsepositives:
+    - Other programs that cause these patterns (please report)
+level: high
+