← Back to Explore
sigmahighHunting
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
Detection Query
selection_img:
- OriginalFileName: Cmd.Exe
- Image|endswith: \cmd.exe
selection_cli:
CommandLine|startswith:
- "cmd "
- cmd.exe
- c:\windows\system32\cmd.exe
CommandLine|contains:
- psinject
- spawnas
- make_token
- remote-exec
- rev2self
- dcsync
- logonpasswords
- execute-assembly
- getsystem
condition: all of selection_*
Author
_pete_0, TheDFIRReport
Created
2022-05-06
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.executionattack.t1059.003stp.1u
Raw Content
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
- id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|startswith:
- 'cmd '
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- 'psinject'
- 'spawnas'
- 'make_token'
- 'remote-exec'
- 'rev2self'
- 'dcsync'
- 'logonpasswords'
- 'execute-assembly'
- 'getsystem'
condition: all of selection_*
falsepositives:
- Unknown
level: high