Techniques
Sample rules
Potential Meterpreter/CobaltStrike Activity
- source: sigma
- techniques:
  - t1134
  - t1134.001
  - t1134.002
Description
Detects use of the Meterpreter/Cobalt Strike getsystem command by matching the specific service process it starts (a named-pipe impersonation helper launched as a child of services.exe)
Detection logic
condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
filter_defender:
    CommandLine|contains: MpCmdRun
selection_img:
    ParentImage|endswith: \services.exe
selection_technique_1:
    CommandLine|contains:
        - cmd
        - '%COMSPEC%'
    CommandLine|contains|all:
        - /c
        - echo
        - \pipe\
selection_technique_2:
    CommandLine|contains|all:
        - rundll32
        - .dll,a
        - '/p:'
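To show how the detection logic above evaluates against process-creation telemetry, here is an added Python example (not part of the original rule page and not Sigma's own matching engine) that re-implements the selections, the filter and the condition over a handful of constructed events. It assumes Sigma's default behaviour that string modifiers such as contains and endswith are case-insensitive, and the event field names and command lines are constructed test input, not captured data.

```python
# Re-implementation of the Sigma detection logic for
# "Potential Meterpreter/CobaltStrike Activity" (added example).
# Field names follow the rule: ParentImage and CommandLine.

def _contains_any(value: str, needles) -> bool:
    # Sigma 'contains' with a list: match if any needle is present.
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _contains_all(value: str, needles) -> bool:
    # Sigma 'contains|all': every needle must be present.
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def matches(event: dict) -> bool:
    """Return True when the event satisfies
    selection_img and 1 of selection_technique_* and not 1 of filter_*."""
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")

    selection_img = _endswith(parent, "\\services.exe")

    # selection_technique_1: cmd/%COMSPEC% spawning "/c echo ... \pipe\..."
    selection_technique_1 = (
        _contains_any(cmd, ["cmd", "%COMSPEC%"])
        and _contains_all(cmd, ["/c", "echo", "\\pipe\\"])
    )
    # selection_technique_2: rundll32 <file>.dll,a /p:<arg>
    selection_technique_2 = _contains_all(cmd, ["rundll32", ".dll,a", "/p:"])

    # filter_defender: exclude Microsoft Defender's MpCmdRun invocations
    filter_defender = _contains_any(cmd, ["MpCmdRun"])

    return (
        selection_img
        and (selection_technique_1 or selection_technique_2)
        and not filter_defender
    )


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # 1: technique_1 pattern, child of services.exe -> alert
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cmd.exe /c echo 4sgryt3tr > \\.\pipe\5e120a"},
    # 2: technique_2 pattern, child of services.exe -> alert
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"rundll32.exe C:\Temp\x.dll,a /p:1234"},
    # 3: technique_1 pattern but contains MpCmdRun -> suppressed by filter
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cmd.exe /c echo MpCmdRun > \\.\pipe\svc"},
    # 4: technique_1 pattern but parent is not services.exe -> no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c echo hello > \\.\pipe\foo"},
    # 5: %COMSPEC% variant of technique_1 -> alert
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"%COMSPEC% /c echo abc > \\.\pipe\bar"},
    # 6: ordinary service start -> no alert
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def evaluate(events) -> list:
    """Return the per-event match results in input order."""
    return [matches(e) for e in events]


def alert_indices(events) -> list:
    """Return the indices of events that would raise an alert."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i, (event, hit) in enumerate(zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS))):
        print(f"event {i + 1}: {'ALERT' if hit else 'ok'}  {event['CommandLine']}")
```

Event 3 is there only to exercise the filter branch: in practice the filter exists so that Defender's own MpCmdRun activity under services.exe does not page an analyst, and any tuning of that filter should be checked against this kind of table so that the two technique selections still fire.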