LoFP / commandlines containing components like cmd accidentally

Sample rules

Potential Meterpreter/CobaltStrike Activity

Description

Detects the Meterpreter/Cobalt Strike getsystem command by detecting the specific service it starts

Detection logic

condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
filter_defender:
  CommandLine|contains: MpCmdRun
selection_img:
  ParentImage|endswith: \services.exe
selection_technique_1:
  CommandLine|contains:
  - cmd
  - '%COMSPEC%'
  CommandLine|contains|all:
  - /c
  - echo
  - \pipe\
selection_technique_2:
  CommandLine|contains|all:
  - rundll32
  - .dll,a
  - '/p:'
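To see why a benign command line can trip this rule, the following added example (not part of the LoFP page or the Sigma project) evaluates the rule's condition over constructed process-creation events: a getsystem-style true positive, an event removed by filter_defender, and the false positive this entry documents, where substrings such as "cmd" and "/c" occur by accident. Event fields, paths, pipe names and the vendor agent binary are all made up for illustration.

```python
# Added example (not from the LoFP page or the Sigma project): a minimal
# evaluator for the rule above, run over constructed process-creation events.
# Sigma string modifiers are case-insensitive, which is mirrored here.

def _contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()

def selection_img(ev: dict) -> bool:
    return ev.get("ParentImage", "").lower().endswith("\\services.exe")

def selection_technique_1(ev: dict) -> bool:
    cl = ev.get("CommandLine", "")
    return (any(_contains(cl, n) for n in ("cmd", "%COMSPEC%"))
            and all(_contains(cl, n) for n in ("/c", "echo", "\\pipe\\")))

def selection_technique_2(ev: dict) -> bool:
    cl = ev.get("CommandLine", "")
    return all(_contains(cl, n) for n in ("rundll32", ".dll,a", "/p:"))

def filter_defender(ev: dict) -> bool:
    return _contains(ev.get("CommandLine", ""), "MpCmdRun")

def matches(ev: dict) -> bool:
    """condition: selection_img and 1 of selection_technique_* and not 1 of filter_*"""
    return (selection_img(ev)
            and (selection_technique_1(ev) or selection_technique_2(ev))
            and not filter_defender(ev))

# Constructed sample events (hypothetical paths, pipe names and binaries).
SERVICES = r"C:\Windows\System32\services.exe"
EVENTS = {
    # service-spawned cmd /c echo into a named pipe: the getsystem pattern
    "true_positive": {"ParentImage": SERVICES,
                      "CommandLine": r"cmd.exe /c echo 4f2a1c > \\.\pipe\4f2a1c"},
    # contrived to hit the same components but be excluded by filter_defender
    "defender_filtered": {"ParentImage": SERVICES,
                          "CommandLine": r"cmd.exe /c echo MpCmdRun \\.\pipe\defender"},
    # the LoFP case: 'cmdagent' contains 'cmd', '/config' contains '/c', and
    # 'echo' plus '\pipe\' appear legitimately, so every substring check passes
    "accidental_components": {"ParentImage": SERVICES,
                              "CommandLine": r"C:\Vendor\cmdagent.exe /config echo-log \\.\pipe\vendoragent"},
    # identical command line but not spawned by services.exe: no match
    "wrong_parent": {"ParentImage": r"C:\Windows\explorer.exe",
                     "CommandLine": r"cmd.exe /c echo 4f2a1c > \\.\pipe\4f2a1c"},
}

def evaluate() -> dict:
    """Map each constructed event name to whether the rule would alert on it."""
    return {name: matches(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The "accidental_components" event alerts for the same reason the true positive does, which is the false positive this entry describes; tuning it usually means anchoring the match more tightly (for example on the full pipe redirection) rather than dropping the rule.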