Potential CobaltStrike Process Patterns

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects potential process patterns related to Cobalt Strike beacon activity

MITRE ATT&CK coverage

Tactic: Execution
Technique: T1059 Command and Scripting Interpreter

Event coverage

Provider: Sysmon
Event ID: 1
Title: Process creation

Stages 3 and 4 match on ParentCommandLine, which Sysmon Event ID 1 records; a process-creation source that carries only the parent image cannot evaluate those two stages.

Stages and Predicates

The condition is '1 of selection_*': the rule fires when any one of the four selections below matches a single process-creation event. Within a selection every listed field must match (AND); where a field lists several values, any one of them satisfies that field (OR). Sigma string matching is case-insensitive, and backslashes in the values follow Sigma escaping, so '\\\\.\\pipe' matches the literal named-pipe prefix \\.\pipe.

Stage 1: selection_generic_1

CommandLine|endswith: 'cmd.exe /C whoami'
and ParentImage|startswith: 'C:\Temp\'

Stage 2: selection_generic_2

ParentImage|endswith, any of:
  '\dllhost.exe'
  '\runonce.exe'
and CommandLine|contains, any of:
  '> \\\\.\\pipe'
  'cmd.exe /c echo'

Stage 3: selection_conhost_1

CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
and ParentCommandLine|contains, any of:
  ' > \\\\.\\pipe'
  'cmd.exe /C echo'

Stage 4: selection_conhost_2

CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
and ParentCommandLine|endswith: '/C whoami'

'conhost.exe 0xffffffff -ForceV1' is the command line Windows uses for the console host of every console process, so on its own it carries no signal; Stages 3 and 4 draw their signal entirely from the parent's command line.
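The selection logic above, run over a handful of constructed Sysmon Event ID 1 records, as an added Python example; it is not part of the rule or of the catalog's own tooling. The event dicts, the helper names and PIPE_PREFIX are assumptions made for the example; the four selection functions implement the rule's AND/OR semantics with Sigma's case-insensitive string matching.

```python
"""Evaluate the four selections of "Potential CobaltStrike Process Patterns"
against constructed Sysmon Event ID 1 records.

Added illustration, not the rule's own tooling: the event dicts below are
constructed for the example and are not real telemetry.
"""
from __future__ import annotations

# Sigma escaping: '\\' in a rule value is one literal backslash, so the rule's
# '\\\\.\\pipe' matches the named-pipe prefix written here as a raw string.
PIPE_PREFIX = r"\\.\pipe"


def _field(event: dict, name: str) -> str:
    """Sigma string matching is case-insensitive, so normalise once."""
    return str(event.get(name, "")).lower()


def _any_endswith(haystack: str, values: list[str]) -> bool:
    """Several values under one field are OR-ed in Sigma."""
    return any(haystack.endswith(v.lower()) for v in values)


def _any_contains(haystack: str, values: list[str]) -> bool:
    return any(v.lower() in haystack for v in values)


def selection_generic_1(e: dict) -> bool:
    """cmd.exe /C whoami launched by a binary under the Temp directory (AND)."""
    return (_field(e, "CommandLine").endswith("cmd.exe /c whoami")
            and _field(e, "ParentImage").startswith("c:\\temp\\"))


def selection_generic_2(e: dict) -> bool:
    """dllhost.exe or runonce.exe parent, child cmd echoing into a named pipe."""
    return (_any_endswith(_field(e, "ParentImage"), ["\\dllhost.exe", "\\runonce.exe"])
            and _any_contains(_field(e, "CommandLine"),
                              ["> " + PIPE_PREFIX, "cmd.exe /c echo"]))


def selection_conhost_1(e: dict) -> bool:
    """Console host whose parent cmd.exe echoed into a named pipe."""
    return (_field(e, "CommandLine").endswith("conhost.exe 0xffffffff -forcev1")
            and _any_contains(_field(e, "ParentCommandLine"),
                              [" > " + PIPE_PREFIX, "cmd.exe /c echo"]))


def selection_conhost_2(e: dict) -> bool:
    """Console host whose parent command line ends in '/C whoami'."""
    return (_field(e, "CommandLine").endswith("conhost.exe 0xffffffff -forcev1")
            and _field(e, "ParentCommandLine").endswith("/c whoami"))


SELECTIONS = {
    "selection_generic_1": selection_generic_1,
    "selection_generic_2": selection_generic_2,
    "selection_conhost_1": selection_conhost_1,
    "selection_conhost_2": selection_conhost_2,
}


def fired_selections(event: dict) -> list[str]:
    """Names of every selection that matches this event. The rule's condition
    is '1 of selection_*', so it alerts whenever this list is non-empty."""
    return [name for name, fn in SELECTIONS.items() if fn(event)]


def rule_matches(event: dict) -> bool:
    return bool(fired_selections(event))


# Constructed sample events (Sysmon Event ID 1 fields only), not real telemetry.
SAMPLE_EVENTS = [
    {   # "shell whoami" from a payload dropped in C:\Temp -> selection_generic_1
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /C whoami",
        "ParentImage": r"C:\Temp\update.exe",
        "ParentCommandLine": r"C:\Temp\update.exe",
    },
    {   # cmd output redirected into a named pipe under dllhost.exe -> selection_generic_2
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /c echo a1b2c3 > \\.\pipe\MSSE-4242-server",
        "ParentImage": r"C:\Windows\System32\dllhost.exe",
        "ParentCommandLine": r"C:\Windows\System32\dllhost.exe",
    },
    {   # the console host spawned by that redirected cmd -> selection_conhost_1
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"C:\Windows\system32\cmd.exe /c echo a1b2c3 > \\.\pipe\MSSE-4242-server",
    },
    {   # the console host spawned by "cmd.exe /C whoami" -> selection_conhost_2
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"C:\Windows\system32\cmd.exe /C whoami",
    },
    {   # benign echo from Explorer: no pipe, no suspicious parent -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /c echo hello",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['CommandLine']!r:90} -> {fired_selections(ev) or 'no match'}")
```

The helpers lower-case both sides before comparing because Sigma matching is case-insensitive; that is why the rule can list both 'cmd.exe /c echo' and 'cmd.exe /C echo' without a difference in behaviour. The benign final record shows where the rule stops: a plain 'cmd.exe /c echo' from Explorer matches none of the selections, since Stage 2 also requires a dllhost.exe or runonce.exe parent and Stages 3 and 4 only look at conhost.exe children.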

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field / Kind / Values (kind "match" corresponds to the contains modifier above)

CommandLine, ends_with:
  • cmd.exe /C whoami
  • conhost.exe 0xffffffff -ForceV1
CommandLine, match:
  • > \\\\.\\pipe
  • cmd.exe /c echo
ParentCommandLine, ends_with:
  • /C whoami
ParentCommandLine, match:
  • > \\\\.\\pipe
  • cmd.exe /C echo
ParentImage, ends_with:
  • \dllhost.exe (corpus 5, sigma 5)
  • \runonce.exe
ParentImage, starts_with:
  • C:\Temp\