
Summary
This detection rule identifies potential Cobalt Strike process injection on Windows hosts. It looks at remote thread creation events, which can indicate malicious behaviour and in particular the injection of a Cobalt Strike beacon. The rule triggers on the start address of the newly created thread: addresses ending in '0B80', '0C7C' or '0C88' have been characterized in research as typical of Cobalt Strike deployments. Because Cobalt Strike is a penetration-testing tool that is also leveraged by attackers and is built to be stealthy, the rule alerts security teams when these indicators are observed. It is rated high severity because a match may mean a breach is in progress. False positives are listed as unknown, so every alert needs further investigation before it is closed. The rule was developed and tested with contributions from several security professionals and the community.
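The suffix match described above, as an added illustration that is not part of the rule or its project: the script runs the check over a few constructed records modelled on Sysmon Event ID 8 (CreateRemoteThread) key=value output, an assumed log format chosen for this example; the images and addresses are made up, and only the three suffixes come from the rule.

```python
import re
from typing import Dict, List

# Suffixes named by the rule; compared case-insensitively on the hex string.
SUSPICIOUS_START_ADDRESS_SUFFIXES = ("0B80", "0C7C", "0C88")

# Constructed sample records modelled on Sysmon Event ID 8 (CreateRemoteThread)
# rendered as key=value pairs. Field names follow Sysmon's schema; all values
# (paths, addresses) are invented for this example.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe TargetImage=C:\\Windows\\System32\\rundll32.exe StartAddress=0x0000000002B40B80 StartFunction=",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\svchost.exe StartAddress=0x00007FFB2C4E1234 StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Users\\bob\\evil.exe TargetImage=C:\\Windows\\explorer.exe StartAddress=0x0000000000A10c7c StartFunction=",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

# Simple key=value tokenizer; the sample values contain no spaces.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def start_address_matches(start_address: str) -> bool:
    """True when the hex thread start address ends with one of the rule's suffixes."""
    addr = start_address.strip().upper()
    if addr.startswith("0X"):
        addr = addr[2:]
    return addr.endswith(SUSPICIOUS_START_ADDRESS_SUFFIXES)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return the Event ID 8 records whose StartAddress matches the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue  # the rule only looks at remote thread creation events
        if start_address_matches(ev.get("StartAddress", "")):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['SourceImage']} -> {hit['TargetImage']} "
              f"StartAddress={hit['StartAddress']}")
```

Because the rule's false-positive rate is unknown, each hit should be reviewed together with the source and target images rather than acted on from the address suffix alone.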
Categories
- Windows
Data Sources
- Process
Created: 2018-11-30