Sigma
Sigma rules for CVE-2023-44437
8 rules · scoped to cve · back to CVE-2023-44437
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
◈
Detection rules
8 of 8
direct
critical
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection1:
query|startswith:
- 'aaa.stage.'
- 'post.1'
selection2:
query|contains: '.stage.123456.'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
direct
critical
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
- id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection2:
QueryName|contains: '.stage.123456.'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
direct
critical
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
- id: f356a9c4-effd-4608-bbf8-408afd5cd006
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.t1071.004
- attack.command-and-control
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection_eid:
EventID: 3008
selection_query_1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection_query_2:
QueryName|contains: '.stage.123456.'
condition: selection_eid and 1 of selection_query_*
falsepositives:
- Unknown
level: critical
direct
high
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
view Sigma YAML
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
status: test
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
references:
- https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
author: Bhabesh Raj
date: 2021-06-23
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.s0154
logsource:
product: zeek
service: x509
detection:
selection:
certificate.serial: 8BB00EE
condition: selection
falsepositives:
- Unknown
level: high
direct
high
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
view Sigma YAML
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
- id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains:
- 'Invoke-UserHunter'
- 'Invoke-ShareFinder'
- 'Invoke-Kerberoast'
- 'Invoke-SMBAutoBrute'
- 'Invoke-Nightmare'
- 'zerologon'
- 'av_query'
condition: all of selection_*
falsepositives:
- Unknown
level: high
direct
high
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
view Sigma YAML
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
- id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|startswith:
- 'cmd '
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- 'psinject'
- 'spawnas'
- 'make_token'
- 'remote-exec'
- 'rev2self'
- 'dcsync'
- 'logonpasswords'
- 'execute-assembly'
- 'getsystem'
condition: all of selection_*
falsepositives:
- Unknown
level: high
direct
high
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ServiceFileName|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ServiceFileName|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_eid and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
direct
high
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
view Sigma YAML
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: system
detection:
selection_id:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_cli_cmd:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
ImagePath|contains|all:
- '/c'
- 'echo'
- '\pipe\'
ImagePath|contains:
- 'cmd'
- '%COMSPEC%'
selection_cli_rundll:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
ImagePath|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
selection_cli_share:
ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
condition: selection_id and 1 of selection_cli_*
falsepositives:
- Unlikely
level: high
Showing 1-8 of 8