HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which inject into other processes
Sigma rule (View on GitHub)
1title: HackTool - CobaltStrike BOF Injection Pattern
2id: 09706624-b7f6-455d-9d02-adee024cee1d
3status: test
4description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
5references:
6 - https://github.com/boku7/injectAmsiBypass
7 - https://github.com/boku7/spawn
8author: Christian Burkard (Nextron Systems)
9date: 2021/08/04
10modified: 2023/11/28
11tags:
12 - attack.execution
13 - attack.t1106
14 - attack.defense_evasion
15 - attack.t1562.001
16logsource:
17 category: process_access
18 product: windows
19detection:
20 selection:
21 CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
22 GrantedAccess:
23 - '0x1028'
24 - '0x1fffff'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
Cobalt Strike BOF - Bypass AMSI in a remote process with code injection. - boku7/injectAmsiBypass
Read More -
Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (AC...
Read More
Related rules
- HackTool - HandleKatz Duplicating LSASS Handle
- AMSI Bypass Pattern Assembly GetType
- HackTool - RedMimicry Winnti Playbook Execution
- PowerShell AMSI Bypass Pattern
- Using powershell specific download cradle OneLiner