rule: Cobalt Strike beacon detection via Remote Threat Creation

https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f

rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml

@@ -0,0 +1,21 @@
+title: CobaltStrike Process Injection 
+description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 
+references:
+    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
+status: experimental
+author: Olaf Hartong, Florian Roth
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 8
+        TargetProcessAddress: '*0B80'
+    condition: selection
+tags:
+    - attack.process_injection
+    - attack.t1055
+falsepositives:
+    - unknown
+level: high
+