Hey guys ! Today I am here today to tell you about new rules available in the Endpoint content extension !
Reconnaissance tools, legitimate or not, can be used by malware to identify applications, vulnerabilities, weaknesses and gather network informations to discover attack paths in your organization.
Officially, Cobalt Strike is a Software for Adversary Simulations and Red Team Operations, unfortunately sometimes it is used for more than simulation...
To help you react to attacks of that type, we've published a few rules to detect reconnaissance tools, I detailed it in the first blog talking about the Endpoint content extension. If you missed it, you can still find it in the Endpoint monitoring essentials for QRadar blog post.
The timing to talk about it again seems perfect as the report from Microsoft on the detection of the Log4j (CVE-2021-44228) exploit mentions Cobalt Strike as an indicator of comprise to look at ("Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems."), it is actually the entire Endpoint Content pack that can help today.
The SIOC team in Italy wanted to go further and did a lot of work to simulate more attacks using Cobalt Strike, so we could provide you with even more detections ! I am taking the opportunity to thank them here for their collaboration, they did a fantastic job.
So we have published an update to include new rules in the pack to detect process injection and privilege escalation tentative using Cobalt Strike.
When a service is configured to use a pipe, it could indicate that an attacker is working to escalate their privileges using getsystem script. Here is a rule that would help detect it:
Apply Service Configured to Use a Pipe on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following System.Service Installed
and when the event matches LOWER("ServiceFileName") like '%/c%' and LOWER("ServiceFileName") like '%echo%' and LOWER("ServiceFileName") like '%_pipe%' AND lower("ServiceFileName") matches'.*?(cmd[.]exe|%COMSPEC%).*' AQL filter query |
A few processes can be a good indicator of memory code injection when their command line contains no argument.
Apply Potential Memory Code Injection on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event category for the event is one of the following System.Process Creation Success
and when the event matches Process CommandLine (custom) matches any of expressions [WerFault.exe$ or rundll32.exe$ or regsvcs.exe$ or regasm.exe$ or regsvr32.exe$] |
A big thank you to Antonella Gioia Rodio, Giancarlo D'Elia, Pietro Melillo, Angelo Riccobene for their great initiative and awesome work !
I hope these rules will help you guys!
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.