detection.wiki

Detection rules › Sigma

Potential Meterpreter/CobaltStrike Activity

Severity
high
Author
Teymur Kheirkhabarov, Ecco, Florian Roth
Source
upstream

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1134.001 Access Token Manipulation: Token Impersonation/Theft, T1134.002 Access Token Manipulation: Create Process with Token
Defense EvasionT1134.001 Access Token Manipulation: Token Impersonation/Theft, T1134.002 Access Token Manipulation: Create Process with Token

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection_img

ParentImage|endswith: '\services.exe'

Stage 2: 1 of selection_technique_1

or:
CommandLine|contains: '%COMSPEC%'
CommandLine|contains: cmd
CommandLine|contains: '/c'
CommandLine|contains: '\pipe\'
CommandLine|contains: echo

Stage 3: 1 of selection_technique_2

CommandLine|contains: '.dll,a'
CommandLine|contains: '/p:'
CommandLine|contains: rundll32

Stage 4: not 1 of filter_defender

CommandLine|contains: MpCmdRun

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • %COMSPEC% corpus 2 (sigma 2)
  • .dll,a
  • /c corpus 7 (sigma 7)
  • /p:
  • MpCmdRun
  • \pipe\
  • cmd corpus 5 (sigma 5)
  • echo corpus 3 (sigma 3)
  • rundll32 corpus 19 (sigma 19)
ParentImageends_with
  • \services.exe corpus 7 (sigma 7)