← Back to Explore
sigmahighHunting
HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which inject into other processes
Detection Query
selection:
CallTrace|re: ^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
GrantedAccess:
- "0x1028"
- "0x1fffff"
condition: selection
Author
Christian Burkard (Nextron Systems)
Created
2021-08-04
Data Sources
windowsProcess Access Events
Platforms
windows
Tags
attack.executionattack.t1106attack.defense-evasionattack.t1562.001
Raw Content
title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
- https://github.com/boku7/injectAmsiBypass
- https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
- attack.execution
- attack.t1106
- attack.defense-evasion
- attack.t1562.001
logsource:
category: process_access
product: windows
detection:
selection:
CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
GrantedAccess:
- '0x1028'
- '0x1fffff'
condition: selection
falsepositives:
- Unknown
level: high