← Back to Explore
sigmahighHunting
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
Detection Query
selection_key:
- TargetObject|contains: \System\CurrentControlSet\Services
- TargetObject|contains|all:
- \System\ControlSet
- \Services
selection_details:
- Details|contains|all:
- ADMIN$
- .exe
- Details|contains|all:
- "%COMSPEC%"
- start
- powershell
condition: all of selection_*
Author
Wojciech Lesicki
Created
2021-06-29
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.persistenceattack.executionattack.privilege-escalationattack.lateral-movementattack.t1021.002attack.t1543.003attack.t1569.002
Raw Content
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection_key:
- TargetObject|contains: '\System\CurrentControlSet\Services'
- TargetObject|contains|all:
- '\System\ControlSet'
- '\Services'
selection_details:
- Details|contains|all:
- 'ADMIN$'
- '.exe'
- Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unlikely
level: high