Detecting Malicious C2 Activity - SpawnAs & SMB Lateral Movement in Cobalt Strike

SpawnAs

The screenshot is not the clearest illustration, but it shows beacon.exe (the initial payload) spawning chrome_proxy.exe (elevated, running under a different account), followed by a burst of network connections from the new process. With module detection enabled, the module loads would also be tied to the new elevated process.
rule detect_cobaltstrike_spawnas {
  meta:
    author = "Dan L"
    description = "Look for a cobaltstrike spawnas"
    version = "1.0"
    severity = "High"
    mitre_TA = "TA0004 - Privilege Escalation"
    mitre_T1 = "T1055"
    mitre_url = "https://attack.mitre.org/techniques/T1055/"

  events:
    // Successful login
    $e0.metadata.product_event_type = "UserLogon"
    $e0.security_result.summary = "Successful login occurred"
    // Exclude machine accounts (names ending in "$"; the "$" must be escaped in the regex) and the desktop window manager accounts
    $e0.target.user.userid != /.*\$.*/ nocase
    $e0.target.user.userid != /.*dwm.*/ nocase
    $e0.principal.hostname = $hostname

    // Modules being loaded because a new session is starting
    $e1.metadata.event_type = "PROCESS_MODULE_LOAD"
    $e1.principal.hostname = $hostname

    // A process injection must happen for spawnas
    $e2.metadata.event_type = "GENERIC_EVENT"
    $e2.metadata.product_event_type = "ProcessInjection"
    $e2.principal.hostname = $hostname

  match:
    $hostname over 1m

  condition:
    $e0 and #e1 > 5 and $e2
}

SMB Beacon/Payload

rule cobaltstrike_smb_beacon_detection {
  meta:
    author = "Dan L"
    description = "Detects the usage of cobaltstrike, metasploit SMB Beacon"
    version = "2.0"
    severity = "High"
    mitre_TA = "TA0008 - Lateral Movement"
    mitre_T1 = "T1570"
    mitre_url = "https://attack.mitre.org/techniques/T1570/"

  events:
    // Look for a successful user login
    $e0.metadata.product_event_type = "UserLogon"
    $e0.security_result.summary = "Successful login occurred"
    $e0.principal.hostname = $hostname

    // Look for a file launching from ADMIN$
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.target.process.command_line = /.*\\admin\$\\.*/ nocase
    $e1.principal.hostname = $hostname

    // Look for an SMB server share open by a machine account (userid ending in "$")
    $e2.metadata.product_event_type = "SmbServerShareOpenedEtw"
    $e2.target.user.userid = /.*\$/ nocase
    $e2.principal.hostname = $hostname

  match:
    $hostname over 10m

  condition:
    $e0 and $e1 and #e2 > 1
}
Each of the events in the rule triggered when SMB lateral movement was attempted via Cobalt Strike: the authentication, a randomly named process launched from the ADMIN$ share, and the SmbServerShareOpenedEtw events.
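To make the windowed correlation concrete, here is an added Python example (not part of the original post and not a Chronicle feature) that mirrors what the SMB beacon rule does: group events by hostname, slide a 10-minute window, and fire only when $e0, $e1 and more than one $e2 all land inside one window. The SpawnAs rule works the same way with a 1-minute window and a module-load count. The event dicts, hostnames and timestamps are constructed sample data, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes copied from the rule's $e1 and $e2 selectors (nocase -> IGNORECASE).
ADMIN_SHARE = re.compile(r".*\\admin\$\\.*", re.IGNORECASE)
MACHINE_ACCOUNT = re.compile(r".*\$", re.IGNORECASE)

def is_e0(ev):  # successful user login
    return ev.get("product_event_type") == "UserLogon" and ev.get("summary") == "Successful login occurred"

def is_e1(ev):  # process launched from the ADMIN$ share
    return ev.get("event_type") == "PROCESS_LAUNCH" and ADMIN_SHARE.match(ev.get("command_line", "")) is not None

def is_e2(ev):  # SMB server share opened by a machine account (userid ending in "$")
    return ev.get("product_event_type") == "SmbServerShareOpenedEtw" and MACHINE_ACCOUNT.match(ev.get("userid", "")) is not None

def smb_beacon_hits(events, window=timedelta(minutes=10)):
    """Return the hostnames where $e0 and $e1 and #e2 > 1 all fall within one
    `window`-long span, i.e. the rule's `match: $hostname over 10m`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["hostname"]].append((datetime.fromisoformat(ev["ts"]), ev))
    hits = set()
    for host, evs in by_host.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (start, _) in enumerate(evs):          # each event opens a candidate window
            span = [e for t, e in evs[i:] if t - start <= window]
            if any(map(is_e0, span)) and any(map(is_e1, span)) and sum(map(is_e2, span)) > 1:
                hits.add(host)
                break
    return hits

def ev(ts, host, **fields):  # helper to keep the constructed sample compact
    return {"ts": ts, "hostname": host, **fields}

# Constructed sample events (hostnames, times and file names are made up).
SAMPLE_EVENTS = [
    # fs01: login, ADMIN$ launch and two share opens within 10 minutes -> should fire
    ev("2024-01-01T10:00:00", "fs01", product_event_type="UserLogon", summary="Successful login occurred"),
    ev("2024-01-01T10:01:30", "fs01", event_type="PROCESS_LAUNCH", command_line=r"\\fs01\ADMIN$\a1b2c3.exe"),
    ev("2024-01-01T10:01:31", "fs01", product_event_type="SmbServerShareOpenedEtw", userid="WS02$"),
    ev("2024-01-01T10:01:35", "fs01", product_event_type="SmbServerShareOpenedEtw", userid="WS02$"),
    # fs02: login plus share opens but no ADMIN$ launch -> no hit
    ev("2024-01-01T10:05:00", "fs02", product_event_type="UserLogon", summary="Successful login occurred"),
    ev("2024-01-01T10:05:10", "fs02", product_event_type="SmbServerShareOpenedEtw", userid="WS03$"),
    ev("2024-01-01T10:05:12", "fs02", product_event_type="SmbServerShareOpenedEtw", userid="WS03$"),
    # fs03: all three event kinds, but the login is two hours before the rest -> outside the window
    ev("2024-01-01T08:00:00", "fs03", product_event_type="UserLogon", summary="Successful login occurred"),
    ev("2024-01-01T10:10:00", "fs03", event_type="PROCESS_LAUNCH", command_line=r"\\fs03\ADMIN$\x.exe"),
    ev("2024-01-01T10:10:05", "fs03", product_event_type="SmbServerShareOpenedEtw", userid="WS04$"),
    ev("2024-01-01T10:10:07", "fs03", product_event_type="SmbServerShareOpenedEtw", userid="WS04$"),
]

if __name__ == "__main__":
    print(sorted(smb_beacon_hits(SAMPLE_EVENTS)))  # ['fs01']
```

The fs03 case shows why the window matters: every selector is satisfied on that host, but never inside one 10-minute span, so the rule stays quiet.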
rule default_cobaltstrike_smb_beacondll {
  meta:
    credit = "Dan L"
    description = "Identify the default beacon.dll file being written to disk during SMB beacon lateral movement"
    version = "1.0"
    severity = "High"
    mitre_TA = "TA0008 - Lateral Movement"
    mitre_T1 = "T1570"
    mitre_url = "https://attack.mitre.org/techniques/T1570/"

  events:
    // Default file name used by the SMB beacon; the "." is escaped so it only matches a literal dot
    $e0.target.file.full_path = /.*beacon\.dll.*/ nocase
    $e0.principal.hostname = $hostname

  match:
    $hostname over 1m

  condition:
    $e0
}
