title: CobaltStrike Process Injection 
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons 
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
status: experimental
author: Olaf Hartong, Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 8
        TargetProcessAddress: '*0B80'
    condition: selection
tags:
    - attack.process_injection
    - attack.t1055
falsepositives:
    - unknown
level: high