split global win_cobaltstrike_service_installs.yml

rules/windows/builtin/win_cobaltstrike_service_installs.yml

@@ -1,5 +1,5 @@
-action: global
 title: CobaltStrike Service Installations
+id: 5a105d34-05fc-401e-8553-272b45c1522d
 description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
 author: Florian Roth, Wojciech Lesicki
 references:
@@ -7,6 +7,7 @@ references:
     - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
     - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
 date: 2021/05/26
+modified: 2021/09/21
 tags:
     - attack.execution
     - attack.privilege_escalation
@@ -14,37 +15,26 @@ tags:
     - attack.t1021.002
     - attack.t1543.003
     - attack.t1569.002
-detection:
-    selection1:
-        ServiceFileName|contains|all: 
-            - 'ADMIN$'
-            - '.exe'
-    selection2:
-        ServiceFileName|contains|all: 
-            - '%COMSPEC%'
-            - 'start'
-            - 'powershell'
-    selection3:
-        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
-    selection4:
-        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
-    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
-falsepositives:
-    - Unknown
-level: critical
----
-id: 5a105d34-05fc-401e-8553-272b45c1522d
 logsource:
     product: windows
     service: system
 detection:
     selection_id:
         EventID: 7045
----
-id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
-logsource:
-    product: windows
-    service: security
-detection:
-    selection_id:
-        EventID: 4697
+    selection1:
+        ImagePath|contains|all: 
+            - 'ADMIN$'
+            - '.exe'
+    selection2:
+        ImagePath|contains|all: 
+            - '%COMSPEC%'
+            - 'start'
+            - 'powershell'
+    selection3:
+        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
+    selection4:
+        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
+    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
+falsepositives:
+    - Unknown
+level: critical

rules/windows/builtin/win_security_cobaltstrike_service_installs.yml

@@ -0,0 +1,43 @@
+title: CobaltStrike Service Installations
+id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
+related:
+    - id: 5a105d34-05fc-401e-8553-272b45c1522d
+      type: derived
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+author: Florian Roth, Wojciech Lesicki
+references:
+    - https://www.sans.org/webcasts/119395
+    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
+    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
+date: 2021/05/26
+modified: 2021/09/21
+tags:
+    - attack.execution
+    - attack.privilege_escalation
+    - attack.lateral_movement 
+    - attack.t1021.002
+    - attack.t1543.003
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_id:
+        EventID: 4697
+    selection1:
+        ServiceFileName|contains|all: 
+            - 'ADMIN$'
+            - '.exe'
+    selection2:
+        ServiceFileName|contains|all: 
+            - '%COMSPEC%'
+            - 'start'
+            - 'powershell'
+    selection3:
+        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
+    selection4:
+        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
+    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
+falsepositives:
+    - Unknown
+level: critical