HackTool - Potential CobaltStrike Process Injection
Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons
Sigma rule

```yaml
title: HackTool - Potential CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
status: test
description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
date: 2018/11/30
modified: 2023/05/05
tags:
    - attack.defense_evasion
    - attack.t1055.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'
    condition: selection
falsepositives:
    - Unknown
level: high
```
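The rule's selection applied to a few constructed Sysmon Event ID 8 (CreateRemoteThread) records, as an added Python example that is not part of the rule or of the Sigma project; the sample events, image paths and addresses are made up. Sigma string matching is case-insensitive unless the `cased` modifier is used, so the lower-case hex in the third record still matches.

```python
# Sigma selection from the rule above: StartAddress|endswith these hex suffixes
START_ADDRESS_SUFFIXES = ("0B80", "0C7C", "0C88")

# Constructed sample Sysmon Event ID 8 (CreateRemoteThread) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\rundll32.exe",
     "StartAddress": "0x00000000001C0B80", "StartFunction": ""},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartAddress": "0x00007FFB4E2A1234", "StartFunction": "LoadLibraryW"},
    {"EventID": 8, "SourceImage": "C:\\Program Files\\Example\\svc.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartAddress": "0x00007ff81a340c7c", "StartFunction": ""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},  # process creation, not in scope
]


def sigma_endswith(value, suffixes):
    """Sigma's endswith modifier: plain suffix match, case-insensitive by default."""
    v = str(value).lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """Apply the logsource filter (Sysmon EID 8 == create_remote_thread) and the selection."""
    if event.get("EventID") != 8:
        return False
    return sigma_endswith(event.get("StartAddress", ""), START_ADDRESS_SUFFIXES)


def triage(events):
    """Return (source image, target image, start address) for each event the rule fires on."""
    return [(e["SourceImage"], e["TargetImage"], e["StartAddress"])
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The source and target images in each hit are what an analyst checks first, since the rule itself lists its false positives as unknown.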
Related rules
- ZOHO Dctask64 Process Injection
- Renamed ZOHO Dctask64 Execution
- Potential DLL Injection Or Execution Using Tracker.exe
- HackTool - CACTUSTORCH Remote Thread Creation
- Windows Defender Real-Time Protection Failure/Restart