SigmaHQ/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml

title: CobaltStrike Process Injection 
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
tags:
    - attack.defense_evasion
    - attack.t1055
status: experimental
author: Olaf Hartong, Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 8
        TargetProcessAddress: '*0B80'
    condition: selection
falsepositives:
    - unknown
level: high
rule: Cobalt Strike beacon detection via Remote Threat Creation https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f 2018-11-30 09:25:05 +00:00			`title: CobaltStrike Process Injection`
			`description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons`
			`references:`
			`- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f`
atc review 2019-03-06 04:25:12 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1055`
rule: Cobalt Strike beacon detection via Remote Threat Creation https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f 2018-11-30 09:25:05 +00:00			`status: experimental`
			`author: Olaf Hartong, Florian Roth`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 8`
			`TargetProcessAddress: '*0B80'`
			`condition: selection`
			`falsepositives:`
			`- unknown`
			`level: high`