improve sysmon_cobaltstrike_process_injection.yml

2024-11-08 02:08:54 +00:00 · 2019-11-08 01:41:26 +03:00 · 2019-11-08 01:41:26 +03:00 · 52d099a6e3
commit 52d099a6e3
parent 3b34ed6150
1 changed files with 8 additions and 2 deletions
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
@ -2,18 +2,24 @@ title: CobaltStrike Process Injection
 description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 
 references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
 tags:
    - attack.defense_evasion
    - attack.t1055
 status: experimental
-author: Olaf Hartong, Florian Roth
+author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
+date: 2018/11/30
+modified: 2019/11/08
 logsource:
    product: windows
    service: sysmon
 detection:
    selection:
        EventID: 8
-        TargetProcessAddress: '*0B80'
+        TargetProcessAddress|endswith: 
+            - '0B80'
+            - '0C7C'
+            - '0C88'
    condition: selection
 falsepositives:
    - unknown