Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection_key:
- TargetObject|contains: '\System\CurrentControlSet\Services'
- TargetObject|contains|all:
- '\System\ControlSet'
- '\Services'
selection_details:
- Details|contains|all:
- 'ADMIN$'
- '.exe'
- Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
imRegistry
| where (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services")) and ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell"))DeviceRegistryEvents
| where (RegistryKey contains "\\System\\CurrentControlSet\\Services" or (RegistryKey contains "\\System\\ControlSet" and RegistryKey contains "\\Services")) and ((RegistryValueData contains "ADMIN$" and RegistryValueData contains ".exe") or (RegistryValueData contains "%COMSPEC%" and RegistryValueData contains "start" and RegistryValueData contains "powershell"))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |