From 2ebbdebe46f4c29ddd80c26a1be7efd6932ecd68 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 30 Nov 2018 10:25:05 +0100 Subject: [PATCH] rule: Cobalt Strike beacon detection via Remote Threat Creation https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f --- .../sysmon_cobaltstrike_process_injection.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml new file mode 100644 index 000000000..7224ffceb --- /dev/null +++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml @@ -0,0 +1,21 @@ +title: CobaltStrike Process Injection +description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons +references: + - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f +status: experimental +author: Olaf Hartong, Florian Roth +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + TargetProcessAddress: '*0B80' + condition: selection +tags: + - attack.process_injection + - attack.t1055 +falsepositives: + - unknown +level: high +
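Review bot: The `selection` block keys on a field name that does not match the Sysmon schema for Event ID 8: Sysmon's CreateRemoteThread event reports the thread entry point in `StartAddress` (alongside `StartModule` and `StartFunction`), not `TargetProcessAddress`, so as written the rule will never match against raw Sysmon events unless the collection pipeline renames the field. Please verify the field against the Sysmon event schema in use and switch to `StartAddress` (with the `|endswith` modifier rather than a leading `*`, e.g. `StartAddress|endswith: '0B80'`), or document which log pipeline produces `TargetProcessAddress`. Two smaller points in the same hunk: the `description` (and the commit subject) says "remote threat creation" where "remote thread creation" is meant, since Event ID 8 is CreateRemoteThread; and because the selection has no `SourceImage`/`TargetImage` constraint, any process creating a remote thread whose start address ends in `0B80` fires this `level: high` rule, so the `falsepositives` entry should say more than `unknown` and the description should note that Event ID 8 is only emitted when the Sysmon configuration explicitly enables CreateRemoteThread logging.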