cscli scenarios install sigmahq/proc_creation_win_hktl_cobaltstrike_process_patterns1type: trigger2name: sigmahq/proc_creation_win_hktl_cobaltstrike_process_patterns3description: |4 Detects potential process patterns related to Cobalt Strike beacon activity5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine endsWith 'cmd.exe /C whoami' && evt.Parsed.ParentImage startsWith 'C:\\Temp\\' || (evt.Parsed.ParentImage endsWith '\\runonce.exe' || evt.Parsed.ParentImage endsWith '\\dllhost.exe') && evt.Parsed.CommandLine contains 'cmd.exe /c echo' && evt.Parsed.CommandLine contains '> \\\\.\\pipe' || evt.Parsed.ParentCommandLine contains 'cmd.exe /C echo' && evt.Parsed.ParentCommandLine contains ' > \\\\.\\pipe' && evt.Parsed.CommandLine endsWith 'conhost.exe 0xffffffff -ForceV1' || evt.Parsed.ParentCommandLine endsWith '/C whoami' && evt.Parsed.CommandLine endsWith 'conhost.exe 0xffffffff -ForceV1')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t10591516 label: "Potential CobaltStrike Process Patterns"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324