← Back to Explore
sigmahighHunting
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Detection Query
selection:
StartAddress|endswith:
- 0B80
- 0C7C
- 0C88
condition: selection
Author
Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
Created
2018-11-30
Data Sources
windowsRemote Thread Creation
Platforms
windows
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1055.001
Raw Content
title: HackTool - Potential CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
status: test
description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
date: 2018-11-30
modified: 2023-05-05
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1055.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
StartAddress|endswith:
- '0B80'
- '0C7C'
- '0C88'
condition: selection
falsepositives:
- Unknown
level: high