valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a5fe7af25f
SigmaHQ/rules/windows/builtin/win_cobaltstrike_service_installs.yml
Florian Roth a5fe7af25f Cobalt Strike Service Installation
2021-05-26 18:05:38 +02:00

26 lines
672 B
YAML
Raw Blame History

title: CobaltStrike Service Installations
id: 5a105d34-05fc-401e-8553-272b45c1522d
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges
author: Florian Roth
references:
- https://www.sans.org/webcasts/119395
date: 2021/05/26
tags:
- attack.execution
- attack.privilege_escalation
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ImagePath|contains|all:
- '\\127.0.0.1\ADMIN$'
- '.exe'
condition: selection
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink