Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

WindowsFile Event

TA0005 · Defense EvasionT1218 · System Binary Proxy Execution

François Hubaut+3Fri Nov 18windows

Detectioncriticaltest

CobaltStrike Named Pipe

Detects the creation of a named pipe as used by CobaltStrike

WindowsNamed Pipe Created

TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process Injection

Florian Roth (Nextron Systems)+1Tue May 25windows

Detectionhightest

CobaltStrike Load by Rundll32

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

WindowsProcess Creation

TA0005 · Defense EvasionT1218.011 · Rundll32

Wojciech LesickiTue Jun 01windows

Detectionhightest

Potential CobaltStrike Service Installations - Registry

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.

WindowsRegistry Set

TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationTA0008 · Lateral Movement+3

Wojciech LesickiTue Jun 29windows