LoFP / Some legitimate penetration testing activities and authorized red team exercises may use this PowerShell loader pattern. Verify and whitelist approved security testing tools to reduce false alerts.

Techniques

Sample rules

Windows Cobalt Strike PowerShell Loader

Description

Detects the PowerShell pattern used at the end of a Cobalt Strike PowerShell loader to perform the decompression of the executable. This loader is used in attacks such as scripted web delivery. Cobalt Strike is a legitimate, commercial penetration testing tool that has been largely co-opted by ransomware gangs to launch attacks. Cobalt Strike’s popularity is mainly due to its beacons or payload being stealthy, and easily customizable. Cobalt Strike Beacon provides encrypted communication with the C&C server to send information and receive commands.

Detection logic

`powershell` EventID="4104" ScriptBlockText="*));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventID ScriptBlockText dest signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cobalt_strike_powershell_loader_filter`
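As an added example (not code from the LoFP page or from Splunk), the search's wildcard match, stats aggregation and allowlist filter emulated in Python over constructed script-block events. The APPROVED_TESTING set, the host and user names, and the placeholder base64 body are assumptions; the real contents of the `windows_cobalt_strike_powershell_loader_filter` macro are not shown on the page.

```python
import re
# Wildcard string from the Splunk search above; Splunk field matching is case-insensitive.
LOADER_PATTERN = ("*));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream"
                  "($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();")
LOADER_TAIL = LOADER_PATTERN[1:]  # literal text after the leading '*'

# Stand-in for the `windows_cobalt_strike_powershell_loader_filter` macro, whose contents are
# not on the page: (Computer, user_id) pairs of approved testing hosts (assumed values).
APPROVED_TESTING = {("redteam-ws01", "CONTOSO\\pentest.svc")}

def glob_to_regex(glob):
    """Splunk-style match: '*' is the only wildcard, everything else is literal. fnmatch
    would be wrong here because '[' in the pattern would become a character class."""
    body = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.compile(rf"\A{body}\Z", re.IGNORECASE | re.DOTALL)

LOADER_RE = glob_to_regex(LOADER_PATTERN)

def matches_loader(script_block_text):
    return LOADER_RE.match(script_block_text) is not None

def detect(events):
    """Emulate the search: EventID 4104 + pattern, stats by (Computer, user_id), then the
    filter macro. The page's search groups by more fields; two suffice to show the logic."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != "4104" or not matches_loader(ev.get("ScriptBlockText", "")):
            continue
        key = (ev["Computer"], ev["user_id"])
        if key in APPROVED_TESTING:  # approved security testing tools do not alert
            continue
        agg = hits.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    return hits

# Constructed sample events (not real telemetry); the base64 body is a placeholder.
LOADER_BLOCK = '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("AAAA"' + LOADER_TAIL
BENIGN_BLOCK = "$r=New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($f,[IO.Compression.CompressionMode]::Decompress));$r.ReadToEnd()"
SAMPLE_EVENTS = [
    {"_time": 100, "EventID": "4104", "Computer": "finance-pc07", "user_id": "CONTOSO\\jdoe", "ScriptBlockText": LOADER_BLOCK},
    {"_time": 160, "EventID": "4104", "Computer": "finance-pc07", "user_id": "CONTOSO\\jdoe", "ScriptBlockText": LOADER_BLOCK.lower()},
    {"_time": 200, "EventID": "4104", "Computer": "redteam-ws01", "user_id": "CONTOSO\\pentest.svc", "ScriptBlockText": LOADER_BLOCK},
    {"_time": 210, "EventID": "4104", "Computer": "build-srv02", "user_id": "CONTOSO\\ci", "ScriptBlockText": BENIGN_BLOCK},
    {"_time": 220, "EventID": "4103", "Computer": "finance-pc07", "user_id": "CONTOSO\\jdoe", "ScriptBlockText": LOADER_BLOCK},
]
```

Calling `detect(SAMPLE_EVENTS)` returns one row for finance-pc07 with count 2; the approved red-team host, the benign GzipStream script that lacks the `));IEX (` prefix, and the non-4104 event all drop out.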