mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-08 17:07:13 +00:00
keyboardcrunch
19 lines
835 B
YAML
19 lines
835 B
YAML
title: Rundll32 Possible Cobalt Strike
|
|
description: Loose detection of lateral movement through SMB, commonly used with Cobalt Strike.
|
|
author: keyboardcrunch
|
|
date: 02/12/2020
|
|
modified: 05/12/2020
|
|
mitre:
|
|
tactic: Defense Evasion
|
|
technique: T1218
|
|
subtechnique: 011
|
|
operating_system: windows
|
|
query: ( SrcProcName In AnyCase ( "rundll32.exe" ) AND SrcProcCmdLine IS EMPTY ) OR ( SrcProcName In AnyCase ( "rundll32.exe" ) AND NetConnOutCount > "0" AND SrcProcParentName Not In ( "splwow64.exe" ) AND SrcProcParentName Not In ( "msiexec.exe" ) AND SrcProcCmdLine RegExp ".*((?!C:\\windows\\system32\\spool\\DRIVERS\\.*,MonitorPrintJobStatus))$/gmi" )
|
|
false_positives:
|
|
- Printer drivers
|
|
- High number of outbound SMB connections
|
|
tags:
|
|
- Cobalt Strike
|
|
references:
|
|
- https://thedfirreport.com/2020/10/08/ryuks-return/
|