keyboardcrunch-sentinelone-…/queries/windows/rundll32_possible_cobalt_strike.yml
2020-12-02 11:54:10 -06:00

title: Rundll32 Possible Cobalt Strike
description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
author: keyboardcrunch
date: 02/12/2020
modified:
mitre:
  tactic: Defense Evasion
  technique: T1218
  subtechnique: 011
operating_system:
# Two branches: rundll32.exe with an empty command line, or rundll32.exe making outbound
# network connections that is not a print-spooler child. The RegExp clause excludes the
# print-monitor invocation (spool\DRIVERS\...,MonitorPrintJobStatus); its negative lookahead
# is anchored at the start so it scans the whole command line, and the inline (?i) flag
# assumes the query engine's regex dialect supports inline flags.
query: >-
  ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY )
  OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0"
  AND SrcProcParentName Not In ( "splwow64.exe" )
  AND SrcProcParentName Not In ( "msiexec.exe" )
  AND SrcProcCmdLine RegExp "(?i)^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$" )
false_positives:
  - Printer drivers
tags:
  - Cobalt Strike
references:
  - https://thedfirreport.com/2020/10/08/ryuks-return/
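The rule logic above, re-implemented in Python over a handful of constructed process events so the two branches and the print-driver exclusion can be checked offline. This is an added example, not part of the keyboardcrunch repository or SentinelOne's query engine; the `ProcessEvent` fields are a hypothetical mirror of the Deep Visibility fields the query references, and the sample command lines and parent names are made up. It also keeps a copy of a trailing-lookahead form of the exclusion pattern (`.*((?!...))$`) to show why a lookahead placed after `.*` never excludes a print-monitor command line, whereas the start-anchored form does.

```python
import re
from dataclasses import dataclass
from typing import List, Pattern


@dataclass
class ProcessEvent:
    """Hypothetical event shape mirroring the fields used by the query."""
    src_proc_name: str
    src_proc_cmdline: str
    src_proc_parent_name: str
    net_conn_out_count: int


# Parents excluded by the two "Not In" clauses of the rule.
EXCLUDED_PARENTS = {"splwow64.exe", "msiexec.exe"}

# Start-anchored exclusion: the negative lookahead scans the whole command line,
# so any print-monitor invocation fails to match and is dropped from the results.
PRINT_MONITOR_EXCLUSION: Pattern[str] = re.compile(
    r"^(?!.*C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus).*$",
    re.IGNORECASE,
)

# Trailing-lookahead form: ".*" consumes the line first, then the lookahead is
# evaluated at end-of-string where the path can never appear, so every command
# line matches and the exclusion is ineffective.
TRAILING_LOOKAHEAD = re.compile(
    r".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$",
    re.IGNORECASE,
)


def matches_rule(ev: ProcessEvent, exclusion: Pattern[str] = PRINT_MONITOR_EXCLUSION) -> bool:
    """Evaluate the rule's two OR-ed branches against a single event."""
    # SrcProcName In AnyCase ( "rundll32.exe" )
    if ev.src_proc_name.lower() != "rundll32.exe":
        return False
    # Branch 1: SrcProcCmdLine IS EMPTY
    if ev.src_proc_cmdline.strip() == "":
        return True
    # Branch 2: outbound connections, parent not a spooler/installer, regex exclusion passes.
    # Parent comparison is done case-insensitively here; the native "Not In" may differ.
    return (
        ev.net_conn_out_count > 0
        and ev.src_proc_parent_name.lower() not in EXCLUDED_PARENTS
        and exclusion.match(ev.src_proc_cmdline) is not None
    )


def detect(events: List[ProcessEvent], exclusion: Pattern[str] = PRINT_MONITOR_EXCLUSION) -> List[bool]:
    """Apply the rule to each event and return one verdict per event, in order."""
    return [matches_rule(ev, exclusion) for ev in events]


# Constructed sample events (host names, paths and DLL names are placeholders).
SAMPLE_EVENTS = [
    # Empty command line: branch 1 fires regardless of network activity.
    ProcessEvent("rundll32.exe", "", "services.exe", 1),
    # Print-monitor invocation with outbound traffic: the documented false positive.
    ProcessEvent(
        "RUNDLL32.EXE",
        r"rundll32.exe C:\Windows\System32\spool\DRIVERS\x64\3\EXAMPLE.dll,MonitorPrintJobStatus",
        "spoolsv.exe",
        2,
    ),
    # DLL loaded over an SMB admin share with outbound connections: the behaviour the rule targets.
    ProcessEvent("rundll32.exe", r"rundll32.exe \\FILESRV01\ADMIN$\example.dll,EntryPoint", "cmd.exe", 3),
    # Same shape, but parent is msiexec.exe, which the rule excludes.
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Temp\installer.dll,Run", "msiexec.exe", 1),
    # Not rundll32 at all.
    ProcessEvent("svchost.exe", "svchost.exe -k netsvcs", "services.exe", 5),
]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, detect(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'}  {ev.src_proc_name}  {ev.src_proc_cmdline!r}")
```

Running `detect(SAMPLE_EVENTS)` with the start-anchored pattern alerts on the empty-command-line event and the admin-share load but not on the print monitor; swapping in `TRAILING_LOOKAHEAD` makes the print-monitor event alert as well, which is exactly the "Printer drivers" false positive the rule lists.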