title: CobaltStrike BOF Injection Pattern
author: Christian Burkard
date: 2021/08/04
description: Detects a typical pattern of a CobaltStrike BOF which inject into other
    processes
detection:
    SELECTION_1:
        EventID: 10
    SELECTION_2:
        CallTrace|re: ^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\+[a-z0-9]{4,6}\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$
    SELECTION_3:
        GrantedAccess: '0x1028'
    SELECTION_4:
        GrantedAccess: '0x1fffff'
    condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4))
falsepositives:
- unknown
id: 09706624-b7f6-455d-9d02-adee024cee1d
level: high
logsource:
    category: process_access
    product: windows
references:
- https://github.com/boku7/injectAmsiBypass
- https://github.com/boku7/spawn
status: experimental
tags:
- attack.execution
- attack.t1106
- attack.defense_evasion
- attack.t1562.001
yml_filename: sysmon_cobaltstrike_bof_injection_pattern.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_access