From 3ecab6de5bc0a5c57bfd3123228874836c5d9318 Mon Sep 17 00:00:00 2001
From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com>
Date: Wed, 2 Dec 2020 11:54:10 -0600
Subject: [PATCH] Create rundll32_possible_cobalt_strike.yml

---
 .../windows/rundll32_possible_cobalt_strike.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 queries/windows/rundll32_possible_cobalt_strike.yml

diff --git a/queries/windows/rundll32_possible_cobalt_strike.yml b/queries/windows/rundll32_possible_cobalt_strike.yml
new file mode 100644
index 0000000..c90e18d
--- /dev/null
+++ b/queries/windows/rundll32_possible_cobalt_strike.yml
@@ -0,0 +1,17 @@
+title: Rundll32 Possible Cobalt Strike
+description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
+author: keyboardcrunch
+date: 02/12/2020
+modified:
+mitre:
+  tactic: Defense Evasion
+  technique: T1218
+  subtechnique: 011
+operating_system:
+query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
+false_positives:
+  - Printer drivers
+tags:
+  - Cobalt Strike
+references:
+  - https://thedfirreport.com/2020/10/08/ryuks-return/
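Review bot: The print-driver exclusion in the `query` line does not work as written: the negative lookahead `(?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus)` sits after a greedy `.*` and directly before `$`, so it is only evaluated at end-of-string where it trivially succeeds, and the trailing `/gmi` is inside the quoted pattern rather than being engine flags, so it is matched as the literal characters `/gmi` after `$`. Depending on how the platform's regex engine treats that, the second OR branch either matches every rundll32 command line (the MonitorPrintJobStatus exclusion is a no-op, contradicting the `false_positives` note) or matches nothing (the whole network-connection branch is dead and only the empty-command-line branch fires); presumably the intent was an exclusion, which is clearer as `SrcProcCmdLine Not RegExp "C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus"` or, if the engine only offers a positive `RegExp`, `"^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$"`. Worth confirming on a test host with a print job in flight that the exclusion actually suppresses the event before relying on it, and the `description` (lateral movement over SMB) does not match the MITRE mapping (T1218.011 Rundll32, Defense Evasion) or what the query actually looks for (rundll32 with an empty command line, or rundll32 making outbound connections), so one of them should be reworded to say which behaviour is being detected.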