Operator Bloopers Cobalt Strike Commands

    Date: 04/03/2025

    Severity: Medium

    Summary

    "Operator Bloopers: Cobalt Strike Commands" refers to an operator typing Cobalt Strike Beacon commands (for example rev2self or make_token) into a cmd.exe shell instead of the Beacon console. The mistyped command strings end up in process-creation telemetry (Windows Security 4688, Sysmon Event ID 1, EDR process events), which gives defenders a detection opportunity and compromises the stealth of the operation.

    Indicators of Compromise (IOC) List

    OriginalFileName: 'Cmd.Exe'

    Image: '\cmd.exe'

    CommandLine, shell launcher (any one of): 'cmd ' (note the trailing space), 'cmd.exe', 'c:\windows\system32\cmd.exe'

    CommandLine, Cobalt Strike command (any one of): 'psinject', 'spawnas', 'make_token', 'remote-exec', 'rev2self', 'dcsync', 'logonpasswords', 'execute-assembly', 'getsystem'

    A command line is an indicator only when it contains both a shell launcher string and one of the Cobalt Strike command strings; the detection queries below encode this as two AND-ed groups.

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourcename in ("Windows Security") AND eventtype = "4688") AND processname like "Cmd.Exe") AND ((commandline like "cmd " or commandline like "cmd.exe" or commandline like "c:\windows\system32\cmd.exe") AND (commandline like "psinject" or commandline like "spawnas" or commandline like "make_token" or commandline like "remote-exec" or commandline like "rev2self" or commandline like "dcsync" or commandline like "logonpasswords" or commandline like "execute-assembly" or commandline like "getsystem"))

    Detection Query 2

    (technologygroup = "EDR" AND processname like "Cmd.Exe") AND ((commandline like "cmd " or commandline like "cmd.exe" or commandline like "c:\windows\system32\cmd.exe") AND (commandline like "psinject" or commandline like "spawnas" or commandline like "make_token" or commandline like "remote-exec" or commandline like "rev2self" or commandline like "dcsync" or commandline like "logonpasswords" or commandline like "execute-assembly" or commandline like "getsystem"))

    Detection Query 3

    (((resourcename = "Sysmon" AND eventtype = "1") AND filename like "Cmd.Exe") AND processname like "\cmd.exe") AND ((commandline like "cmd " or commandline like "cmd.exe" or commandline like "c:\windows\system32\cmd.exe") AND (commandline like "psinject" or commandline like "spawnas" or commandline like "make_token" or commandline like "remote-exec" or commandline like "rev2self" or commandline like "dcsync" or commandline like "logonpasswords" or commandline like "execute-assembly" or commandline like "getsystem"))

    Detection Query 4

    ((technologygroup = "EDR" AND filename like "Cmd.Exe") AND processname like "\cmd.exe") AND ((commandline like "cmd " or commandline like "cmd.exe" or commandline like "c:\windows\system32\cmd.exe") AND (commandline like "psinject" or commandline like "spawnas" or commandline like "make_token" or commandline like "remote-exec" or commandline like "rev2self" or commandline like "dcsync" or commandline like "logonpasswords" or commandline like "execute-assembly" or commandline like "getsystem"))
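    The four queries share one piece of logic: a source gate (Security 4688, Sysmon Event ID 1, or EDR), a cmd.exe process check, and a command line that contains both a launcher string and a Cobalt Strike command string. The script below is an added example that re-implements that logic in Python so it can be run against sample records offline; it is not Gurucul's query engine or the Sigma rule itself. It assumes the query-language `like` is a case-insensitive substring match and that each record carries the fields the queries reference; the sample events are constructed, not real logs.

```python
"""Re-implementation of the Operator Bloopers detection logic (constructed example).

Assumptions, not taken from the page: the query operator `like` behaves as a
case-insensitive substring match, and events expose the fields the four
Gurucul queries reference (source/eventtype, processname, filename, commandline).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Strings taken from the IOC list on the page. Note the trailing space in "cmd ".
CMD_LAUNCHERS = ("cmd ", "cmd.exe", "c:\\windows\\system32\\cmd.exe")
BLOOPER_COMMANDS = (
    "psinject", "spawnas", "make_token", "remote-exec", "rev2self",
    "dcsync", "logonpasswords", "execute-assembly", "getsystem",
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record covering the fields the queries use."""
    source: str        # "Windows Security", "Sysmon" or "EDR" (resourcename / technologygroup)
    eventtype: str     # "4688" for Security, "1" for Sysmon, "" for EDR
    processname: str   # Image path of the new process
    commandline: str
    filename: str = "" # OriginalFileName from the PE header (Sysmon/EDR only)


def like(haystack: str, needle: str) -> bool:
    """Assumed semantics of the query-language `like`: case-insensitive substring."""
    return needle.lower() in haystack.lower()


def in_scope(ev: ProcessEvent) -> bool:
    """Source gate: Security 4688, Sysmon EID 1, or any EDR process telemetry."""
    if ev.source == "Windows Security":
        return ev.eventtype == "4688"
    if ev.source == "Sysmon":
        return ev.eventtype == "1"
    return ev.source == "EDR"


def is_cmd_process(ev: ProcessEvent) -> bool:
    """Queries 1/2 key on processname; queries 3/4 also require OriginalFileName."""
    if ev.filename:
        return like(ev.filename, "Cmd.Exe") and like(ev.processname, "\\cmd.exe")
    return like(ev.processname, "Cmd.Exe")


def matched_blooper(ev: ProcessEvent) -> Optional[str]:
    """Return the Cobalt Strike command found on a cmd.exe command line, else None."""
    if not (in_scope(ev) and is_cmd_process(ev)):
        return None
    # First AND group: the command line must show a cmd launcher.
    if not any(like(ev.commandline, launcher) for launcher in CMD_LAUNCHERS):
        return None
    # Second AND group: and one of the Beacon command strings.
    for cmd in BLOOPER_COMMANDS:
        if like(ev.commandline, cmd):
            return cmd
    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run the rule over a batch; returns (event index, matched command) pairs."""
    hits = []
    for i, ev in enumerate(events):
        cmd = matched_blooper(ev)
        if cmd:
            hits.append((i, cmd))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # 0: Beacon command typed into a shell -> Security 4688 for cmd.exe /C rev2self. Alerts.
    ProcessEvent("Windows Security", "4688", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\system32\\cmd.exe /C rev2self"),
    # 1: Ordinary admin activity. No alert.
    ProcessEvent("Windows Security", "4688", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Windows\\system32\\cmd.exe /C dir C:\\Users"),
    # 2: Sysmon EID 1 with OriginalFileName; launcher matched through the "cmd " form. Alerts.
    ProcessEvent("Sysmon", "1", "C:\\Windows\\System32\\cmd.exe",
                 "cmd /c logonpasswords", filename="Cmd.Exe"),
    # 3: Command string present but the process is not cmd.exe; outside this rule's scope.
    ProcessEvent("EDR", "", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -c getsystem"),
    # 4: Wrong Security event ID (4689 is process exit); ignored although the text matches.
    ProcessEvent("Windows Security", "4689", "C:\\Windows\\System32\\cmd.exe",
                 "cmd.exe /c dcsync"),
]

if __name__ == "__main__":
    for idx, cmd in detect(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: Cobalt Strike command '{cmd}' on a cmd.exe command line")
```

Because `like` is a substring test, a benign command line that merely contains one of the strings (a path or file name with "getsystem" in it, for instance) will also fire; the sample set shows how the source gate and the cmd.exe check narrow the scope, but hits still need analyst review before being treated as confirmed Cobalt Strike activity.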

    Reference:

    https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/process_creation/proc_creation_win_cobaltstrike_operator_bloopers_cmds.yml


    Tags: Malware, Cobalt Strike, Sigma
