HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Sigma rule (View on GitHub)
1title: HackTool - Potential CobaltStrike Process Injection
2id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
3status: test
4description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
5references:
6 - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
7 - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
8author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
9date: 2018-11-30
10modified: 2023-05-05
11tags:
12 - attack.privilege-escalation
13 - attack.defense-evasion
14 - attack.t1055.001
15logsource:
16 product: windows
17 category: create_remote_thread
18detection:
19 selection:
20 StartAddress|endswith:
21 - '0B80'
22 - '0C7C'
23 - '0C88'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
-
I was playing around a bit with a cool new C# tool one of my colleagues created, NoPowerShell. This allows an attacker to execute certain…
Read More -
The Cobalt Strike Blog. Read new featured content, get updates on the latest patches, and insights into the future of red teaming tools.
Read More
Related rules
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- Potential DLL Injection Or Execution Using Tracker.exe
- Renamed ZOHO Dctask64 Execution
- TAIDOOR RAT DLL Load
- Mavinject Inject DLL Into Running Process