LoFP / False positives are very unlikely, as this detection targets the default Cobalt Strike PowerShell beacon function and variable names. Modifications to the beacon's script may bypass the detection, but they do not create false positives.

Techniques

Sample rules

Windows Default Cobalt Strike PowerShell Beacon

Description

Detects default function and variable names known to be used by the Cobalt Strike PowerShell beacon. This beacon is used to gain command and control on a victim.

Detection logic

`powershell`
EventID="4104"
ScriptBlockText IN (
    "*func_get_proc_address*",
    "*$var_unsafe_native_methods*",
    "*$var_gpa.Invoke*",
    "*func_get_delegate_type*",
    "*$var_type_builder*"
)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventID ScriptBlockText dest signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_default_cobalt_strike_powershell_beacon_filter`
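To show what the search above actually matches, here is an added Python re-implementation (not part of the page or the detection's own content) that runs the same five wildcard patterns over constructed Event ID 4104 records and reproduces the stats step keyed by Computer only; the event records, hostnames and timestamps are constructed samples.

```python
import fnmatch
from collections import defaultdict

# Indicator patterns copied from the detection's ScriptBlockText IN (...) clause.
BEACON_PATTERNS = [
    "*func_get_proc_address*",
    "*$var_unsafe_native_methods*",
    "*$var_gpa.Invoke*",
    "*func_get_delegate_type*",
    "*$var_type_builder*",
]

# Constructed sample of Event ID 4104 (PowerShell Script Block Logging) records;
# not real telemetry. Times are epoch seconds, like Splunk's _time.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": "4104", "Computer": "WS01",
     "ScriptBlockText": "$var_unsafe_native_methods = $var_module.GetType('...')"},
    {"_time": 1700000300, "EventID": "4104", "Computer": "WS01",
     "ScriptBlockText": "function func_get_proc_address { param($var_module) }"},
    {"_time": 1700000600, "EventID": "4104", "Computer": "WS02",
     "ScriptBlockText": "Get-Process | Where-Object Name -eq 'explorer'"},
    {"_time": 1700000900, "EventID": "4104", "Computer": "WS02",
     "ScriptBlockText": "$var_type_builder.DefineMethod('Invoke', 'Public, Virtual')"},
    # Same indicator under a different event ID: the rule only looks at 4104.
    {"_time": 1700001200, "EventID": "4103", "Computer": "WS03",
     "ScriptBlockText": "func_get_delegate_type"},
]


def matched_patterns(script_block: str) -> list[str]:
    """Return the IN-clause patterns the script block text satisfies.
    Splunk wildcard matching on field values is case-insensitive, so compare
    lowercased text; fnmatchcase keeps '$' and '.' literal, as Splunk does."""
    text = script_block.lower()
    return [p for p in BEACON_PATTERNS if fnmatch.fnmatchcase(text, p.lower())]


def run_detection(events: list[dict]) -> dict[str, dict]:
    """Apply the search filter, then the stats step (count, min/max _time)
    keyed by Computer only rather than the rule's full by-clause."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4104":
            continue
        if matched_patterns(ev.get("ScriptBlockText", "")):
            hits[ev.get("Computer", "")].append(ev["_time"])
    return {host: {"count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for host, t in hits.items()}


if __name__ == "__main__":
    for host, row in run_detection(SAMPLE_EVENTS).items():
        print(host, row)
```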