mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
22 lines
585 B
YAML
22 lines
585 B
YAML
title: CobaltStrike Process Injection
|
|
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
|
|
references:
|
|
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
|
|
status: experimental
|
|
author: Olaf Hartong, Florian Roth
|
|
logsource:
|
|
product: windows
|
|
service: sysmon
|
|
detection:
|
|
selection:
|
|
EventID: 8
|
|
TargetProcessAddress: '*0B80'
|
|
condition: selection
|
|
tags:
|
|
- attack.process_injection
|
|
- attack.t1055
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|
|
|