← Back to SOC feed Coverage →

Potential CobaltStrike Process Patterns

sigma HIGH SigmaHQ
T1059
imProcessCreate
cobalt-strike
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-08T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects potential process patterns related to Cobalt Strike beacon activity

Detection Rule

Sigma (Original)

title: Potential CobaltStrike Process Patterns
id: f35c5d71-b489-4e22-a115-f003df287317
status: test
description: Detects potential process patterns related to Cobalt Strike beacon activity
references:
    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-27
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_generic_1:
        CommandLine|endswith: 'cmd.exe /C whoami'
        ParentImage|startswith: 'C:\Temp\'
    selection_generic_2:
        ParentImage|endswith:
            - '\runonce.exe'
            - '\dllhost.exe'
        CommandLine|contains|all:
            - 'cmd.exe /c echo'
            - '> \\\\.\\pipe'
    selection_conhost_1:
        ParentCommandLine|contains|all:
            - 'cmd.exe /C echo'
            - ' > \\\\.\\pipe'
        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
    selection_conhost_2:
        ParentCommandLine|endswith: '/C whoami'
        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessCommandLine endswith "cmd.exe /C whoami" and (ParentProcessName startswith "C:\\Temp\\" or ActingProcessName startswith "C:\\Temp\\")) or (((ParentProcessName endswith "\\runonce.exe" or ParentProcessName endswith "\\dllhost.exe") or (ActingProcessName endswith "\\runonce.exe" or ActingProcessName endswith "\\dllhost.exe")) and (TargetProcessCommandLine contains "cmd.exe /c echo" and TargetProcessCommandLine contains "> \\\\.\\pipe")) or ((ActingProcessCommandLine contains "cmd.exe /C echo" and ActingProcessCommandLine contains " > \\\\.\\pipe") and TargetProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1") or (ActingProcessCommandLine endswith "/C whoami" and TargetProcessCommandLine endswith "conhost.exe 0xffffffff -ForceV1")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml