Process Creation Using Sysnative Folder

Severity: medium
Author: Max Altgelt (Nextron Systems)
Source: upstream

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1055` Process Injection
Defense Evasion	`T1055` Process Injection

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `selection`

or:
CommandLine|contains: ':\Windows\Sysnative\'
Image|contains: ':\Windows\Sysnative\'

Stage 2: `not 1 of filter_main_ngen`

or:
Image|contains: 'C:\Windows\Microsoft.NET\Framework64\v'
Image|contains: 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
Image|contains: 'C:\Windows\Microsoft.NET\FrameworkArm\v'
Image|contains: 'C:\Windows\Microsoft.NET\Framework\v'
CommandLine|contains: install
Image|endswith: '\ngen.exe'

Stage 3: `not 1 of filter_optional_xampp`

CommandLine|contains: "C:\Windows\sysnative\cmd.exe"
CommandLine|contains: '\catalina_start.bat'
CommandLine|contains: '\xampp\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`"C:\Windows\sysnative\cmd.exe"` `:\Windows\Sysnative\` `\catalina_start.bat` corpus 2 (sigma 2) `\xampp\` corpus 2 (sigma 2) `install` corpus 4 (sigma 4)
`Image`	ends_with	`\ngen.exe` corpus 3 (sigma 3)
`Image`	match	`:\Windows\Sysnative\` `C:\Windows\Microsoft.NET\Framework64\v` `C:\Windows\Microsoft.NET\FrameworkArm64\v` `C:\Windows\Microsoft.NET\FrameworkArm\v` `C:\Windows\Microsoft.NET\Framework\v`