Home/CVE-2022-39197/Sigma rules
Sigma

Sigma rules for CVE-2022-39197

9 rules · scoped to cve · back to CVE-2022-39197
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

9 of 9
direct critical
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
status test author Florian Roth (Nextron Systems) id 2975af79-28c4-4d2f-a951-9095f229df29 license Sigma · DRL-1.1
view Sigma YAML 
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection1:
        query|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        query|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
direct critical
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
status test author Florian Roth (Nextron Systems) id f356a9c4-effd-4608-bbf8-408afd5cd006 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
direct critical
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
status test author Nasreddine Bencherchali (Nextron Systems) id 0d18728b-f5bf-4381-9dcf-915539fff6c2 license Sigma · DRL-1.1
view Sigma YAML 
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.t1071.004
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical
direct high
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
status test author Bhabesh Raj id 7100f7e3-92ce-4584-b7b7-01b40d3d4118 license Sigma · DRL-1.1
view Sigma YAML 
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
status: test
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
references:
    - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
author: Bhabesh Raj
date: 2021-06-23
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.s0154
logsource:
    product: zeek
    service: x509
detection:
    selection:
        certificate.serial: 8BB00EE
    condition: selection
falsepositives:
    - Unknown
level: high
direct high
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
status test author _pete_0, TheDFIRReport id 4f154fb6-27d1-4813-a759-78b93e0b9c48 license Sigma · DRL-1.1
view Sigma YAML 
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
    - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
      type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-UserHunter'
            - 'Invoke-ShareFinder'
            - 'Invoke-Kerberoast'
            - 'Invoke-SMBAutoBrute'
            - 'Invoke-Nightmare'
            - 'zerologon'
            - 'av_query'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
direct high
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
status test author _pete_0, TheDFIRReport id 647c7b9e-d784-4fda-b9a0-45c565a7b729 license Sigma · DRL-1.1
view Sigma YAML 
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
    - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
      type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
    - attack.execution
    - attack.t1059.003
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'Cmd.Exe'
        - Image|endswith: '\cmd.exe'
    selection_cli:
        CommandLine|startswith:
            - 'cmd '
            - 'cmd.exe'
            - 'c:\windows\system32\cmd.exe'
        CommandLine|contains:
            - 'psinject'
            - 'spawnas'
            - 'make_token'
            - 'remote-exec'
            - 'rev2self'
            - 'dcsync'
            - 'logonpasswords'
            - 'execute-assembly'
            - 'getsystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
direct high
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status test author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) id ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 license Sigma · DRL-1.1
view Sigma YAML 
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
direct high
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
status test author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) id 843544a7-56e0-4dcc-a44f-5cc266dd97d6 license Sigma · DRL-1.1
view Sigma YAML 
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ImagePath|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ImagePath|contains:
        - 'cmd'
        - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_id and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
direct high
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
status test author Nasreddine Bencherchali (Nextron Systems) id aa5b0a40-ed88-46aa-9fdc-0337b379ca9d license Sigma · DRL-1.1
view Sigma YAML 
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
            - /a')
    condition: selection
falsepositives:
    - Unlikely
level: high
Showing 1-9 of 9
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh