
Summary
This detection rule identifies the execution patterns associated with Cobalt Strike's Beacon Object File (BOF) injection technique. By monitoring process access events on Windows systems, particularly those whose call traces pass through the ntdll.dll and KERNELBASE.dll libraries, this rule aims to detect behavior indicative of Cobalt Strike activity. The detection mechanism relies on call traces that match known injection patterns, combined with the specific granted access rights such injection typically requires. Given how widely Cobalt Strike is used in penetration testing and its potential for misuse in real-world attacks, this rule plays an important role in improving security visibility for Windows environments. Because it is configured at a high alert level, it is suited to environments where active monitoring of process behavior is a priority.
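The following is an added worked example, not the rule's own logic or any code from the rule's authors. It shows how a detection of this shape can be evaluated over Sysmon Event ID 10 (ProcessAccess) records: the CallTrace is split into frames, checked for an ntdll.dll frame followed by a KERNELBASE.dll frame and then a frame with no backing module ("UNKNOWN(...)"), and the GrantedAccess mask is tested for the rights injection needs. The field names are the real Sysmon ones and the access-right constants are the real winnt.h values; the exact frame ordering, the bitmask check and the sample events are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows process access rights (winnt.h) that process injection generally needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Finding:
    source: str
    target: str
    granted_access: int
    reason: str


def parse_call_trace(trace: str) -> List[Tuple[str, str]]:
    """Split a Sysmon CallTrace ('module+offset|...') into (module, offset) tuples.
    Frames without a backing module ('UNKNOWN(addr)') get the module name 'UNKNOWN'."""
    frames = []
    for raw in trace.split("|"):
        raw = raw.strip()
        if raw.startswith("UNKNOWN(") and raw.endswith(")"):
            frames.append(("UNKNOWN", raw[len("UNKNOWN("):-1]))
        elif "+" in raw:
            module, _, offset = raw.rpartition("+")
            frames.append((module.rsplit("\\", 1)[-1].lower(), offset))
    return frames


def trace_matches(frames: List[Tuple[str, str]]) -> bool:
    """Assumed pattern: ntdll.dll, then KERNELBASE.dll, then an unbacked frame, in that order."""
    order = [module for module, _ in frames]
    try:
        i = order.index("ntdll.dll")
        j = order.index("kernelbase.dll", i + 1)
        order.index("UNKNOWN", j + 1)
        return True
    except ValueError:
        return False


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when a ProcessAccess event shows the assumed trace shape
    together with an access mask that includes every right in INJECTION_RIGHTS."""
    if event.get("EventID") != 10:
        return None
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if access & INJECTION_RIGHTS != INJECTION_RIGHTS:
        return None
    if not trace_matches(parse_call_trace(event.get("CallTrace", ""))):
        return None
    return Finding(
        source=event.get("SourceImage", ""),
        target=event.get("TargetImage", ""),
        granted_access=access,
        reason="ntdll.dll -> KERNELBASE.dll -> unbacked frame with injection rights",
    )


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry). Only the first should fire.
SAMPLE_EVENTS = [
    {  # injection-like: full access, trace ends in unbacked memory
        "EventID": 10,
        "SourceImage": "C:\\Users\\user\\AppData\\Local\\Temp\\sample.exe",
        "TargetImage": "C:\\Windows\\System32\\svchost.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|C:\\Windows\\System32\\KERNELBASE.dll+2e8d3|UNKNOWN(000001D85E0A10)",
    },
    {  # same trace shape but only PROCESS_QUERY_LIMITED_INFORMATION: benign status query
        "EventID": 10,
        "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
        "TargetImage": "C:\\Windows\\System32\\svchost.exe",
        "GrantedAccess": "0x1000",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|C:\\Windows\\System32\\KERNELBASE.dll+2e8d3|UNKNOWN(000001D85E0A10)",
    },
    {  # full access but every frame is backed by a module on disk
        "EventID": 10,
        "SourceImage": "C:\\Windows\\explorer.exe",
        "TargetImage": "C:\\Windows\\System32\\notepad.exe",
        "GrantedAccess": "0x1FFFFF",
        "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4a4|C:\\Windows\\System32\\KERNELBASE.dll+2e8d3|C:\\Windows\\explorer.exe+1a2b3",
    },
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},  # not a ProcessAccess event
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.source} -> {finding.target} (0x{finding.granted_access:X}): {finding.reason}")
```

Checking the access mask as a bitmask rather than against a list of literal GrantedAccess values is the main design choice here: it keeps the rule from missing a request that carries extra rights, while the unbacked-frame requirement keeps ordinary status queries from backed code paths out of the alert stream.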
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2021-08-04