SigmaHQ/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
Yugoslavskiy Daniil 05cc7e455d atc review
2019-03-06 05:25:12 +01:00

22 lines
583 B
YAML

title: CobaltStrike Process Injection
description: Detects remote thread creation (Sysmon Event ID 8) with a thread start address ending in 0B80, a characteristic typical of Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
tags:
    - attack.defense_evasion
    - attack.t1055
status: experimental
author: Olaf Hartong, Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 8
        # Sysmon names the thread start address field StartAddress in Event ID 8
        StartAddress: '*0B80'
    condition: selection
falsepositives:
    - unknown
level: high
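The rule above is a single selection over Sysmon's CreateRemoteThread event: EventID must be 8 and the thread start address must end in 0B80. Sigma string values are matched case-insensitively, and `*` is a wildcard, so `'*0B80'` is an "ends with" test. The following Python is an added example, not code from SigmaHQ or from the referenced article: it parses Sysmon records in Windows event XML form, applies the selection map with Sigma's matching semantics, and returns the hits. The three sample events are constructed for the example, and the address field is taken to be Sysmon's Event ID 8 field `StartAddress`.

```python
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# The rule's selection map, keyed on Sysmon's Event ID 8 field names.
SELECTION = {
    "EventID": "8",
    "StartAddress": "*0B80",
}

# Constructed Sysmon records in Windows event XML form (not real telemetry).
SAMPLE_EVENTS = [
    # Remote thread whose start address ends in 0B80 and lies outside any
    # loaded module (StartModule/StartFunction unresolved): should fire.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\System32\rundll32.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">4120</Data>
    <Data Name="StartAddress">0x0000000002190B80</Data>
    <Data Name="StartModule">-</Data>
    <Data Name="StartFunction">-</Data>
  </EventData>
</Event>""",
    # Remote thread starting inside a known module: should not fire.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">7788</Data>
    <Data Name="StartAddress">0x00007FFB2C5A6B50</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">DbgUiRemoteBreakin</Data>
  </EventData>
</Event>""",
    # ProcessAccess (Event ID 10) whose call trace happens to contain 0B80:
    # a different event type with no StartAddress field, so the rule stays quiet.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>10</EventID><Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
  <EventData>
    <Data Name="SourceImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\lsass.exe</Data>
    <Data Name="GrantedAccess">0x1000</Data>
    <Data Name="CallTrace">C:\Windows\SYSTEM32\ntdll.dll+9c0b80|UNKNOWN(0000000000000B80)</Data>
  </EventData>
</Event>""",
]


def sigma_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Translate a Sigma string value into an anchored, case-insensitive regex.

    Sigma compares strings case-insensitively; '*' matches any run of
    characters and '?' exactly one. Everything else is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one Windows event XML record into a {field: value} dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    event_id = root.find(f"./{EVENT_NS}System/{EVENT_NS}EventID")
    if event_id is not None:
        fields["EventID"] = (event_id.text or "").strip()
    for data in root.iterfind(f"./{EVENT_NS}EventData/{EVENT_NS}Data"):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """A Sigma selection map is an AND over all of its field conditions."""
    for field, pattern in selection.items():
        value = event.get(field)
        if value is None:
            return False  # missing field never matches
        if not sigma_pattern_to_regex(str(pattern)).match(value):
            return False
    return True


def find_suspicious_remote_threads(xml_events) -> list:
    """Apply the rule's selection to raw XML records; return the matching events."""
    return [e for e in (parse_sysmon_event(x) for x in xml_events) if matches_selection(e)]


if __name__ == "__main__":
    for hit in find_suspicious_remote_threads(SAMPLE_EVENTS):
        print(f"EventID {hit['EventID']}: {hit['SourceImage']} -> {hit['TargetImage']} "
              f"thread {hit['NewThreadId']} start={hit['StartAddress']}")
```

Only the first sample fires. Two points worth keeping in mind when deploying this rule: the 0B80 suffix is a property of the default beacon's injected stage, not of remote thread creation in general, so an operator who changes how the stage is prepared changes the suffix, and Sysmon fills in `StartModule` and `StartFunction` only when the start address falls inside a loaded module image, so an unresolved `-` in both fields (as in the first sample) is a useful corroborating signal that the thread starts in injected, unbacked memory.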