{
	"id": "3761a5b8-acc3-40b7-9e96-6688d2425d50",
	"created_at": "2026-04-06T00:07:09.662916Z",
	"updated_at": "2026-04-10T03:21:40.598538Z",
	"deleted_at": null,
	"sha1_hash": "34e87f599c4b1d4ac20c5ffe7d63a312b3478ff8",
	"title": "Detecting Malicious C2 Activity -SpawnAs \u0026 SMB Lateral Movement in CobaltStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 858524,
	"plain_text": "Detecting Malicious C2 Activity -SpawnAs \u0026 SMB Lateral\r\nMovement in CobaltStrike\r\nBy Dan Lussier\r\nPublished: 2021-02-24 · Archived: 2026-04-05 16:50:22 UTC\r\nUnderstanding common attack vectors and how threat actors move in your environment post-compromise is critical to identifying what kind of potential threats exist in an environment. We’re going to review how threat actors use common C2 spawning features to utilize elevated privileges which allow for lateral movement via SMB, and what defenders can do to detect it.\r\nIn the last article, a lot of time was spent describing how advanced threat actors often spawn a sacrificial process. That mainly focused on spawning under the same user credentials; however, in many campaigns threat actors have harvested credentials and want to spawn a process in that different user context, often with elevated privileges.\r\nSpawnAs\r\nWhen a threat actor is able to successfully get a foothold on a target network, some of the first steps are recon, which includes identifying easy ways to get elevated privileges. There are many ways to initially get elevated privileges, but the most common are Kerberoasting, ASREPRoast, and file share enumeration looking for cleartext credentials. 
Although these can be noisy, they’re highly effective in delivering elevated privileges.\r\nLet’s take a look at spawning a process as a new user.\r\nhttps://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64\r\nPage 1 of 5\r\nNot a great way to show it, but you can see beacon.exe (the initial payload) spawn chrome_proxy.exe (elevated with another account) with a bunch of network connections following it; if module detection were enabled, those module loads would also be tied to the new elevated process.\r\nNow let’s take a look at a rule that would detect a threat actor utilizing CobaltStrike to spawn a new process with elevated privileges.\r\nrule detect_cobaltstrike_spawnas {\r\n  meta:\r\n    author = \"Dan L\"\r\n    description = \"Look for a cobaltstrike spawnas\"\r\n    version = \"1.0\"\r\n    severity = \"High\"\r\n    mitre_TA = \"TA0004 - Privilege Escalation\"\r\n    mitre_T1 = \"T1055\"\r\n    mitre_url = \"https://attack.mitre.org/techniques/T1055/\"\r\n\r\n  events:\r\n    // Successful login by a user that is neither a machine account (userid ending in $) nor the DWM session\r\n    $e0.metadata.product_event_type = \"UserLogon\"\r\n    $e0.security_result.summary = \"Successful login occurred\"\r\n    $e0.target.user.userid != /.*\\$.*/ nocase\r\n    $e0.target.user.userid != /.*dwm.*/ nocase\r\n    $e0.principal.hostname = $hostname\r\n\r\n    // Modules being loaded because a new session/payload is being loaded\r\n    $e1.metadata.event_type = \"PROCESS_MODULE_LOAD\"\r\n    $e1.principal.hostname = $hostname\r\n\r\n    // A process injection must happen to spawnas\r\n    $e2.metadata.event_type = \"GENERIC_EVENT\"\r\n    $e2.metadata.product_event_type = \"ProcessInjection\"\r\n    $e2.principal.hostname = $hostname\r\n\r\n  match:\r\n    $hostname over 1m\r\n\r\n  condition:\r\n    $e0 and #e1 \u003e 5 and $e2\r\n}\r\nIn this rule there are three areas of focus: a successful logon, a bunch of modules being loaded, and process injection. 
The first of these is a successful logon; this is captured via EDR/Windows Event Logs, as a new user account will be utilized to spawn the process. Second, a bunch of modules will load at the time the new process is spawned: every time a payload executes, many modules are loaded with it. Finally, process injection.\r\nAt this point, the threat actor has obtained a newly created beacon to their C2 with what is often a privileged account, or an account that allows for additional lateral movement in an environment.\r\nSMB Beacon/Payload\r\nAdditional recon will often take place with this newly spawned payload due to its new user context. At this point a threat actor will want to move laterally from their current compromised asset to other assets in the environment, and one of the ways to do this in CobaltStrike is via an SMB beacon. As of this writing (early 2021) you can still utilize the default SMB beacon without a custom named pipe, which drops a file called beacon.dll onto an asset, without being detected by many EDR platforms. 
With that said, that may not be the best move for opsec purposes from a threat actor perspective.\r\nLet’s jump into what a rule that can detect lateral movement via the SMB beacon in CobaltStrike looks like.\r\nrule cobaltstrike_smb_beacon_detection {\r\n  meta:\r\n    author = \"Dan L\"\r\n    description = \"Detects the usage of cobaltstrike, metasploit SMB Beacon\"\r\n    version = \"2.0\"\r\n    severity = \"High\"\r\n    mitre_TA = \"TA0008 - Lateral Movement\"\r\n    mitre_T1 = \"T1570\"\r\n    mitre_url = \"https://attack.mitre.org/techniques/T1570/\"\r\n\r\n  events:\r\n    // Look for a successful user login on the remote (target) host\r\n    $e0.metadata.product_event_type = \"UserLogon\"\r\n    $e0.security_result.summary = \"Successful login occurred\"\r\n    $e0.principal.hostname = $hostname\r\n\r\n    // Look for a file launching from the ADMIN$ share\r\n    $e1.metadata.event_type = \"PROCESS_LAUNCH\"\r\n    $e1.target.process.command_line = /.*\\\\admin\\$\\\\.*/ nocase\r\n    $e1.principal.hostname = $hostname\r\n\r\n    // Look for an SMB server share open by a machine account (userid ending in $)\r\n    $e2.metadata.product_event_type = \"SmbServerShareOpenedEtw\"\r\n    $e2.target.user.userid = /.*\\$/ nocase\r\n    $e2.principal.hostname = $hostname\r\n\r\n  match:\r\n    $hostname over 10m\r\n\r\n  condition:\r\n    $e0 and $e1 and #e2 \u003e 1\r\n}\r\nIn this rule, we again have three conditions we are trying to match on; all of these conditions will be happening on the remote device the threat actor is attempting to connect to. First, a successful logon event from EDR/Windows Event Logs; second, a process launch in the ADMIN$ path on the remote asset; and finally, the EDR/Windows event of a file share being opened more than once. 
This can take a bit of time depending on the environment, so look for all of this activity to take place over a 10 minute window.\r\nLet’s take a look at what this looks like as a detection.\r\nEach of the events from the rule triggered when attempting SMB lateral movement via CobaltStrike (authentication, a random process launched from the ADMIN$ folder, and SmbServerShare triggered).\r\nOnce a threat actor has spawned an SMB beacon on a remote asset, they’ve taken the spawnas command with a potentially elevated privileged account context and opened a persistent connection to the initially compromised asset. A large component to this is that a threat actor doesn’t need to generate an abundance of HTTPS/DNS traffic which could be identified (outside of the initial compromise), as it will all traverse over SMB.\r\nBONUS: This rule detects the default beacon.dll file being written on a remote asset. This should never trigger; however, it can’t hurt to have it running, with many ransomware groups utilizing default settings in CobaltStrike.\r\n(2/24/21 Updated regex pattern on $e0)\r\nrule default_cobaltstrike_smb_beacondll {\r\n  meta:\r\n    credit = \"Dan L\"\r\n    description = \"Identify the default beacon.dll file being written to disk during SMB beacon late\"\r\n    version = \"1.0\"\r\n    severity = \"High\"\r\n    mitre_TA = \"TA0008 - Lateral Movement\"\r\n    mitre_T1 = \"T1570\"\r\n    mitre_url = \"https://attack.mitre.org/techniques/T1570/\"\r\n\r\n  events:\r\n    // Any file event whose path contains the default beacon.dll name\r\n    $e0.target.file.full_path = /.*beacon.dll.*/ nocase\r\n    $e0.principal.hostname = $hostname\r\n\r\n  match:\r\n    $hostname over 1m\r\n\r\n  condition:\r\n    $e0\r\n}\r\nOne thing I’d like to note here is that SMB is not the only means to move laterally through an environment, and there are many Sharp tools that can offer similar tooling with fewer artifacts 
written to disk (SharpRDP and SharpWMI). The good news here is that the rules from the previous article should detect the launch of any Sharp tool and hand off an alert to the defenders.\r\nDefensive \u003e Chronicle, LimaCharlie (robust EDR platform)\r\nOffensive \u003e CobaltStrike\r\nSource: https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64"
	],
	"report_names": [
		"detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64"
	],
	"threat_actors": [],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34e87f599c4b1d4ac20c5ffe7d63a312b3478ff8.pdf",
		"text": "https://archive.orkl.eu/34e87f599c4b1d4ac20c5ffe7d63a312b3478ff8.txt",
		"img": "https://archive.orkl.eu/34e87f599c4b1d4ac20c5ffe7d63a312b3478ff8.jpg"
	}
}