Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
Example:
"HKLM\System\ControlSet001\Services" or "HKLM\System\ControlSet002\Services"
Reference:
https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml
Related:
CobaltStrike - Persistence Registry_set
{{mitre("T1543.003")}}
Data Source(s): registry_set
let selection_1 = dynamic(['.exe','ADMIN$']);
let selection_2 = dynamic(['powershell','start','%COMSPEC%']);
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (@'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services', @'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services', @'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services')
| where RegistryValueData has_all (selection_1) or RegistryValueData has_all (selection_2)
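To check the selection logic offline before the rule is deployed, the following Python script (an added example, not code from the rule page or from SigmaHQ) replays the query's conditions over constructed DeviceRegistryEvents rows. The service names, paths and argument strings in the sample rows are placeholders, and has_all/has_any are approximated as case-insensitive containment rather than KQL's term-based matching, so results can differ at term boundaries.

```python
# Added example: emulates the KQL query above over constructed DeviceRegistryEvents rows.
from dataclasses import dataclass

SERVICE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services",
)
SELECTION_1 = (".exe", "ADMIN$")                    # service binary served from the admin share
SELECTION_2 = ("powershell", "start", "%COMSPEC%")  # cmd.exe launching PowerShell as a service

@dataclass
class RegistryEvent:
    action_type: str
    registry_key: str
    registry_value_data: str

def has_all(text: str, terms) -> bool:
    """Approximates KQL has_all as case-insensitive containment of every term.
    KQL's has operators are term-based, so matches at term boundaries can differ."""
    return all(t.lower() in text.lower() for t in terms)

def has_any(text: str, terms) -> bool:
    """Approximates KQL has_any as case-insensitive containment of at least one term."""
    return any(t.lower() in text.lower() for t in terms)

def matches(ev: RegistryEvent) -> bool:
    """A row alerts when every 'where' clause of the KQL query holds."""
    return (ev.action_type == "RegistryValueSet"
            and has_any(ev.registry_key, SERVICE_KEYS)
            and (has_all(ev.registry_value_data, SELECTION_1)
                 or has_all(ev.registry_value_data, SELECTION_2)))

def detect(events) -> list:
    return [ev for ev in events if matches(ev)]

# Constructed sample rows (placeholder names and paths): two should alert, three should not.
SAMPLE_EVENTS = [
    RegistryEvent("RegistryValueSet", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc1\ImagePath",
                  r"\\127.0.0.1\ADMIN$\placeholder.exe"),
    RegistryEvent("RegistryValueSet", r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svc2\ImagePath",
                  "%COMSPEC% /c start powershell -placeholder-args"),
    RegistryEvent("RegistryValueSet", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
                  r"C:\Windows\System32\spoolsv.exe"),        # legitimate service binary
    RegistryEvent("RegistryValueSet", r"HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Run",
                  r"\\127.0.0.1\ADMIN$\placeholder.exe"),     # not under a Services key
    RegistryEvent("RegistryKeyCreated", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc3",
                  "%COMSPEC% /c start powershell"),           # wrong ActionType
]
```

Extend SAMPLE_EVENTS with rows from your own environment's legitimate service installs to see which ones would be caught by the containment approximation and need tuning in the real query.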
- Analyse the ActionType field for services being installed or modified and determine whether it is legitimate/expected activity.
- Check the command lines to confirm that the executed file is genuine and located in a valid location; otherwise it may be a sign of malware infection.
Version 1.0 (date: 25/10/2023)