HackTool - Potential CobaltStrike Process Injection

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

Sigma rule (View on GitHub)

 1title: HackTool - Potential CobaltStrike Process Injection
 2id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
 3status: test
 4description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
 5references:
 6    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
 7    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 8author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
 9date: 2018/11/30
10modified: 2023/05/05
11tags:
12    - attack.defense_evasion
13    - attack.t1055.001
14logsource:
15    product: windows
16    category: create_remote_thread
17detection:
18    selection:
19        StartAddress|endswith:
20            - '0B80'
21            - '0C7C'
22            - '0C88'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top