CobaltStrike Process Injection

Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

Rule Content

- title: CobaltStrike Process Injection
  id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
  description: Detects a possible remote threat creation with certain characteristics
    which are typical for Cobalt Strike beacons
  references:
  - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
  - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
  tags:
  - attack.defense_evasion
  - attack.t1055
  status: experimental
  author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community
  date: 2018/11/30
  modified: 2019/11/08
  logsource:
    product: windows
    service: sysmon
    category: null
  detection:
    selection:
      EventID: 8
      TargetProcessAddress|endswith:
      - 0B80
      - 0C7C
      - 0C88
    condition: selection
  falsepositives:
  - unknown
  level: high

Querying Elasticsearch

Import Libraries



In [ ]:

    
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client



In [ ]:

    
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-sysmon-*', doc_type='doc')

Run Elasticsearch Query



In [ ]:

    
s = searchContext.query('query_string', query='(event_id:"8" AND thread_start_address.keyword:(*0B80 OR *0C7C OR *0C88))')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results



In [ ]:

    
df.head()