HackTool - Potential CobaltStrike Process Injection

 1title: HackTool - Potential CobaltStrike Process Injection
 2id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
 3status: test
 4description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 5references:
 6    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 7    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 8author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
 9date: 2018-11-30
10modified: 2023-05-05
11tags:
12    - attack.defense-evasion
13    - attack.t1055.001
14logsource:
15    product: windows
16    category: create_remote_thread
17detection:
18    selection:
19        StartAddress|endswith:
20            - '0B80'
21            - '0C7C'
22            - '0C88'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

• Cobalt Strike Remote Threads detection

  

  I was playing around a bit with a cool new C# tool one of my colleagues created, NoPowerShell. This allows an attacker to execute certain…

  
  Read More

• Blog - Cobalt Strike

  

  [...]Read More... from Blog

  
  Read More

Related rules

• ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
• Mavinject Inject DLL Into Running Process
• Potential DLL Injection Or Execution Using Tracker.exe
• Renamed Mavinject.EXE Execution
• Renamed ZOHO Dctask64 Execution