Detection rules › Sigma
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1569.002 System Services: Service Execution |
| Persistence | T1543.003 Create or Modify System Process: Windows Service |
| Privilege Escalation | T1543.003 Create or Modify System Process: Windows Service |
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Service-Control-Manager | 7045 |
Stages and Predicates
Stage 1: selection_id
Provider_Name: 'Service Control Manager'
Stage 2: selection1
ImagePath|contains: .exe
ImagePath|contains: 'ADMIN$'
Stage 3: selection2
ImagePath|contains: '%COMSPEC%'
ImagePath|contains: powershell
ImagePath|contains: start
Stage 4: selection3
ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
Stage 5: selection4
ImagePath|contains: 'IEX (New-Object Net.Webclient).DownloadString(''http://127.0.0.1:'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ImagePath | match |
|
Provider_Name | eq |
|
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Invoke-Obfuscation Via Use Rundll32 - System (adds 5 filters)
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (adds 5 filters)
- Invoke-Obfuscation VAR+ Launcher - System (adds 4 filters)
- Invoke-Obfuscation COMPRESS OBFUSCATION - System (adds 4 filters)
- Invoke-Obfuscation RUNDLL LAUNCHER - System (adds 4 filters)
- Invoke-Obfuscation CLIP+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation STDIN+ Launcher - System (adds 3 filters)
- Invoke-Obfuscation Via Stdin - System (adds 3 filters)
- Invoke-Obfuscation Via Use MSHTA - System (adds 2 filters)
- ProcessHacker Privilege Elevation (adds 2 filters)
- Invoke-Obfuscation Via Use Clip - System (adds 1 filter)
- Credential Dumping Tools Service Execution - System (adds 1 filter)
- Moriya Rootkit - System (adds 1 filter)
- PowerShell Scripts Installed as Services (adds 1 filter)
- Service Installed By Unusual Client - System (adds 1 filter)
- Suspicious Service Installation (adds 1 filter)
- Tap Driver Installation (adds 1 filter)
- RTCore Suspicious Service Installation (adds 1 filter)
- Service Installation in Suspicious Folder (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Invoke-Obfuscation Obfuscated IEX Invocation - System (drops 1 filter this rule applies)