Detection rules › Sigma
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4697 | A service was installed in the system. |
Stages and Predicates
Stage 1: event_id
Stage 2: 1 of selection1
ServiceFileName|contains: .exe
ServiceFileName|contains: 'ADMIN$'
Stage 3: 1 of selection2
ServiceFileName|contains: '%COMSPEC%'
ServiceFileName|contains: powershell
ServiceFileName|contains: start
Stage 4: 1 of selection3
ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
Stage 5: 1 of selection4
ServiceFileName|contains: 'IEX (New-Object Net.Webclient).DownloadString(''http://127.0.0.1:'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ServiceFileName | match |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Service Installed via an Unusual Client (adds 5 filters)
- Invoke-Obfuscation Via Use Rundll32 - Security (adds 5 filters)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security (adds 5 filters)
- Invoke-Obfuscation VAR+ Launcher - Security (adds 4 filters)
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security (adds 4 filters)
- Invoke-Obfuscation RUNDLL LAUNCHER - Security (adds 4 filters)
- Invoke-Obfuscation Via Use MSHTA - Security (adds 4 filters)
- Metasploit Or Impacket Service Installation Via SMB PsExec (adds 4 filters)
- Invoke-Obfuscation CLIP+ Launcher - Security (adds 3 filters)
- Invoke-Obfuscation Via Stdin - Security (adds 3 filters)
- HybridConnectionManager Service Installation (adds 2 filters)
- Invoke-Obfuscation STDIN+ Launcher - Security (adds 2 filters)
- Invoke-Obfuscation Via Use Clip - Security (adds 1 filter)
- Credential Dumping Tools Service Execution - Security (adds 1 filter)
- Windows Pcap Drivers (adds 1 filter)
- PowerShell Scripts Installed as Services - Security (adds 1 filter)
- Remote Access Tool Services Have Been Installed - Security (adds 1 filter)
- Tap Driver Installation - Security (adds 1 filter)