├── LICENSE
├── README.md
├── YARA
│   ├── CobaltStrike
│   │   ├── CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Artifact32svc_Exe_v1_49_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara
│   │   ├── CobaltStrike__Resources_Bind64_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Bind_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x.yara
│   │   ├── CobaltStrike__Resources_Bypassuactoken_Dll_v3_11_to_v3_14.yara
│   │   ├── CobaltStrike__Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14.yara
│   │   ├── CobaltStrike__Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Covertvpn_Dll_v2_1_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49.yara
│   │   ├── CobaltStrike__Resources_Dnsstager_Bin_v1_47_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x.yara
│   │   ├── CobaltStrike__Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x.yara
│   │   ├── CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Httpsstager_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Httpstager_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Reverse64_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Smbstager_Bin_v2_5_through_v4_x.yara
│   │   ├── CobaltStrike__Resources_Template_Py_v3_3_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Template_Sct_v3_3_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Template_Vbs_v3_3_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14.yara
│   │   ├── CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13.yara
│   │   ├── CobaltStrike__Resources_Template_x86_Vba_v3_8_to_v4_x.yara
│   │   ├── CobaltStrike__Resources_Xor_Bin__32bit_v2_x_to_4_x.yara
│   │   ├── CobaltStrike__Resources_Xor_Bin__64bit_v3_12_to_4_x.yara
│   │   └── CobaltStrike__Sleeve_BeaconLoader_all.yara
│   ├── README.md
│   └── Sliver
│       ├── Sliver__Implant_32bit.yara
│       └── Sliver__Implant_64bit.yara
└── docs
    ├── code-of-conduct.md
    └── contributing.md
/LICENSE:
--------------------------------------------------------------------------------
1 |
2 | Apache License
3 | Version 2.0, January 2004
4 | http://www.apache.org/licenses/
5 |
6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7 |
8 | 1. Definitions.
9 |
10 | "License" shall mean the terms and conditions for use, reproduction,
11 | and distribution as defined by Sections 1 through 9 of this document.
12 |
13 | "Licensor" shall mean the copyright owner or entity authorized by
14 | the copyright owner that is granting the License.
15 |
16 | "Legal Entity" shall mean the union of the acting entity and all
17 | other entities that control, are controlled by, or are under common
18 | control with that entity. For the purposes of this definition,
19 | "control" means (i) the power, direct or indirect, to cause the
20 | direction or management of such entity, whether by contract or
21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
22 | outstanding shares, or (iii) beneficial ownership of such entity.
23 |
24 | "You" (or "Your") shall mean an individual or Legal Entity
25 | exercising permissions granted by this License.
26 |
27 | "Source" form shall mean the preferred form for making modifications,
28 | including but not limited to software source code, documentation
29 | source, and configuration files.
30 |
31 | "Object" form shall mean any form resulting from mechanical
32 | transformation or translation of a Source form, including but
33 | not limited to compiled object code, generated documentation,
34 | and conversions to other media types.
35 |
36 | "Work" shall mean the work of authorship, whether in Source or
37 | Object form, made available under the License, as indicated by a
38 | copyright notice that is included in or attached to the work
39 | (an example is provided in the Appendix below).
40 |
41 | "Derivative Works" shall mean any work, whether in Source or Object
42 | form, that is based on (or derived from) the Work and for which the
43 | editorial revisions, annotations, elaborations, or other modifications
44 | represent, as a whole, an original work of authorship. For the purposes
45 | of this License, Derivative Works shall not include works that remain
46 | separable from, or merely link (or bind by name) to the interfaces of,
47 | the Work and Derivative Works thereof.
48 |
49 | "Contribution" shall mean any work of authorship, including
50 | the original version of the Work and any modifications or additions
51 | to that Work or Derivative Works thereof, that is intentionally
52 | submitted to Licensor for inclusion in the Work by the copyright owner
53 | or by an individual or Legal Entity authorized to submit on behalf of
54 | the copyright owner. For the purposes of this definition, "submitted"
55 | means any form of electronic, verbal, or written communication sent
56 | to the Licensor or its representatives, including but not limited to
57 | communication on electronic mailing lists, source code control systems,
58 | and issue tracking systems that are managed by, or on behalf of, the
59 | Licensor for the purpose of discussing and improving the Work, but
60 | excluding communication that is conspicuously marked or otherwise
61 | designated in writing by the copyright owner as "Not a Contribution."
62 |
63 | "Contributor" shall mean Licensor and any individual or Legal Entity
64 | on behalf of whom a Contribution has been received by Licensor and
65 | subsequently incorporated within the Work.
66 |
67 | 2. Grant of Copyright License. Subject to the terms and conditions of
68 | this License, each Contributor hereby grants to You a perpetual,
69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70 | copyright license to reproduce, prepare Derivative Works of,
71 | publicly display, publicly perform, sublicense, and distribute the
72 | Work and such Derivative Works in Source or Object form.
73 |
74 | 3. Grant of Patent License. Subject to the terms and conditions of
75 | this License, each Contributor hereby grants to You a perpetual,
76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77 | (except as stated in this section) patent license to make, have made,
78 | use, offer to sell, sell, import, and otherwise transfer the Work,
79 | where such license applies only to those patent claims licensable
80 | by such Contributor that are necessarily infringed by their
81 | Contribution(s) alone or by combination of their Contribution(s)
82 | with the Work to which such Contribution(s) was submitted. If You
83 | institute patent litigation against any entity (including a
84 | cross-claim or counterclaim in a lawsuit) alleging that the Work
85 | or a Contribution incorporated within the Work constitutes direct
86 | or contributory patent infringement, then any patent licenses
87 | granted to You under this License for that Work shall terminate
88 | as of the date such litigation is filed.
89 |
90 | 4. Redistribution. You may reproduce and distribute copies of the
91 | Work or Derivative Works thereof in any medium, with or without
92 | modifications, and in Source or Object form, provided that You
93 | meet the following conditions:
94 |
95 | (a) You must give any other recipients of the Work or
96 | Derivative Works a copy of this License; and
97 |
98 | (b) You must cause any modified files to carry prominent notices
99 | stating that You changed the files; and
100 |
101 | (c) You must retain, in the Source form of any Derivative Works
102 | that You distribute, all copyright, patent, trademark, and
103 | attribution notices from the Source form of the Work,
104 | excluding those notices that do not pertain to any part of
105 | the Derivative Works; and
106 |
107 | (d) If the Work includes a "NOTICE" text file as part of its
108 | distribution, then any Derivative Works that You distribute must
109 | include a readable copy of the attribution notices contained
110 | within such NOTICE file, excluding those notices that do not
111 | pertain to any part of the Derivative Works, in at least one
112 | of the following places: within a NOTICE text file distributed
113 | as part of the Derivative Works; within the Source form or
114 | documentation, if provided along with the Derivative Works; or,
115 | within a display generated by the Derivative Works, if and
116 | wherever such third-party notices normally appear. The contents
117 | of the NOTICE file are for informational purposes only and
118 | do not modify the License. You may add Your own attribution
119 | notices within Derivative Works that You distribute, alongside
120 | or as an addendum to the NOTICE text from the Work, provided
121 | that such additional attribution notices cannot be construed
122 | as modifying the License.
123 |
124 | You may add Your own copyright statement to Your modifications and
125 | may provide additional or different license terms and conditions
126 | for use, reproduction, or distribution of Your modifications, or
127 | for any such Derivative Works as a whole, provided Your use,
128 | reproduction, and distribution of the Work otherwise complies with
129 | the conditions stated in this License.
130 |
131 | 5. Submission of Contributions. Unless You explicitly state otherwise,
132 | any Contribution intentionally submitted for inclusion in the Work
133 | by You to the Licensor shall be under the terms and conditions of
134 | this License, without any additional terms or conditions.
135 | Notwithstanding the above, nothing herein shall supersede or modify
136 | the terms of any separate license agreement you may have executed
137 | with Licensor regarding such Contributions.
138 |
139 | 6. Trademarks. This License does not grant permission to use the trade
140 | names, trademarks, service marks, or product names of the Licensor,
141 | except as required for reasonable and customary use in describing the
142 | origin of the Work and reproducing the content of the NOTICE file.
143 |
144 | 7. Disclaimer of Warranty. Unless required by applicable law or
145 | agreed to in writing, Licensor provides the Work (and each
146 | Contributor provides its Contributions) on an "AS IS" BASIS,
147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 | implied, including, without limitation, any warranties or conditions
149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 | PARTICULAR PURPOSE. You are solely responsible for determining the
151 | appropriateness of using or redistributing the Work and assume any
152 | risks associated with Your exercise of permissions under this License.
153 |
154 | 8. Limitation of Liability. In no event and under no legal theory,
155 | whether in tort (including negligence), contract, or otherwise,
156 | unless required by applicable law (such as deliberate and grossly
157 | negligent acts) or agreed to in writing, shall any Contributor be
158 | liable to You for damages, including any direct, indirect, special,
159 | incidental, or consequential damages of any character arising as a
160 | result of this License or out of the use or inability to use the
161 | Work (including but not limited to damages for loss of goodwill,
162 | work stoppage, computer failure or malfunction, or any and all
163 | other commercial damages or losses), even if such Contributor
164 | has been advised of the possibility of such damages.
165 |
166 | 9. Accepting Warranty or Additional Liability. While redistributing
167 | the Work or Derivative Works thereof, You may choose to offer,
168 | and charge a fee for, acceptance of support, warranty, indemnity,
169 | or other liability obligations and/or rights consistent with this
170 | License. However, in accepting such obligations, You may act only
171 | on Your own behalf and on Your sole responsibility, not on behalf
172 | of any other Contributor, and only if You agree to indemnify,
173 | defend, and hold each Contributor harmless for any liability
174 | incurred by, or claims asserted against, such Contributor by reason
175 | of your accepting any such warranty or additional liability.
176 |
177 | END OF TERMS AND CONDITIONS
178 |
179 | APPENDIX: How to apply the Apache License to your work.
180 |
181 | To apply the Apache License to your work, attach the following
182 | boilerplate notice, with the fields enclosed by brackets "[]"
183 | replaced with your own identifying information. (Don't include
184 | the brackets!) The text should be enclosed in the appropriate
185 | comment syntax for the file format. We also recommend that a
186 | file or class name and description of purpose be included on the
187 | same "printed page" as the copyright notice for easier
188 | identification within third-party archives.
189 |
190 | Copyright 2022 Google
191 |
192 | Licensed under the Apache License, Version 2.0 (the "License");
193 | you may not use this file except in compliance with the License.
194 | You may obtain a copy of the License at
195 |
196 | http://www.apache.org/licenses/LICENSE-2.0
197 |
198 | Unless required by applicable law or agreed to in writing, software
199 | distributed under the License is distributed on an "AS IS" BASIS,
200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 | See the License for the specific language governing permissions and
202 | limitations under the License.
203 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # GCTI
2 |
3 | This repository contains GCTI's open source detection signatures.
4 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Artifact32_and_Resources_Dropper_v1_49_to_v3_14
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/artifact32{.exe,.dll,big.exe,big.dll} and resources/dropper.exe signature for versions 1.49 to 3.14"
21 | hash = "40fc605a8b95bbd79a3bd7d9af73fbeebe3fada577c99e7a111f6168f6a0d37a"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | // Decoder function for the embedded payload
28 | $payloadDecoder = { 8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 18 8B [2] 89 ?? C1 ?? 1F C1 ?? 1E 01 ?? 83 ?? 03 29 ?? 03 [2] 0F B6 00 31 ?? 88 ?? 8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 12 }
29 |
30 | condition:
31 | any of them
32 | }
33 |
34 | rule CobaltStrike_Resources_Artifact32_v3_1_and_v3_2
35 | {
36 | meta:
37 | description = "Cobalt Strike's resources/artifact32{.dll,.exe,svc.exe,big.exe,big.dll,bigsvc.exe} and resources/artifact32uac(alt).dll signature for versions 3.1 and 3.2"
38 | hash = "4f14bcd7803a8e22e81e74d6061d0df9e8bac7f96f1213d062a29a8523ae4624"
39 | author = "gssincla@google.com"
40 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
41 | date = "2022-11-18"
42 |
43 | strings:
44 | /*
45 | 89 ?? mov eax, ecx
46 | B? 04 00 00 00 mov edi, 4
47 | 99 cdq
48 | F7 FF idiv edi
49 | 8B [2] mov edi, [ebp+arg_8]
50 | 8A [2] mov al, [edi+edx]
51 | 30 ?? xor [ebx], al
52 | 8A ?? mov al, [ebx]
53 | 4? inc ebx
54 | 88 [2] mov [esi+ecx], al
55 | */
56 |
57 | $decoderFunc = { 89 ?? B? 04 00 00 00 99 F7 FF 8B [2] 8A [2] 30 ?? 8A ?? 4? 88 }
58 | condition:
59 | all of them
60 | }
61 |
62 | rule CobaltStrike_Resources_Artifact32_v3_14_to_v4_x
63 | {
64 | meta:
65 | description = "Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0"
66 | hash = "888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719"
67 | author = "gssincla@google.com"
68 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
69 | date = "2022-11-18"
70 |
71 | strings:
72 | /*
73 | C7 [3] 5C 00 00 00 mov dword ptr [esp+28h], 5Ch ; '\'
74 | C7 [3] 65 00 00 00 mov dword ptr [esp+24h], 65h ; 'e'
75 | C7 [3] 70 00 00 00 mov dword ptr [esp+20h], 70h ; 'p'
76 | C7 [3] 69 00 00 00 mov dword ptr [esp+1Ch], 69h ; 'i'
77 | C7 [3] 70 00 00 00 mov dword ptr [esp+18h], 70h ; 'p'
78 | F7 F1 div ecx
79 | C7 [3] 5C 00 00 00 mov dword ptr [esp+14h], 5Ch ; '\'
80 | C7 [3] 2E 00 00 00 mov dword ptr [esp+10h], 2Eh ; '.'
81 | C7 [3] 5C 00 00 00 mov dword ptr [esp+0Ch], 5Ch ; '\'
82 | */
83 |
84 | $pushFmtStr = { C7 [3] 5C 00 00 00 C7 [3] 65 00 00 00 C7 [3] 70 00 00 00 C7 [3] 69 00 00 00 C7 [3] 70 00 00 00 F7 F1 C7 [3] 5C 00 00 00 C7 [3] 2E 00 00 00 C7 [3] 5C 00 00 00 }
85 | $fmtStr = "%c%c%c%c%c%c%c%c%cMSSE-%d-server"
86 |
87 | condition:
88 | all of them
89 | }
90 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32svc_Exe_v1_49_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Artifact32svc_Exe_v1_49_to_v3_14
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/artifact32svc(big).exe and resources/artifact32uac(alt).exe signature for versions v1.49 to v3.14"
21 | hash = "323ddf9623368b550def9e8980fde0557b6fe2dcd945fda97aa3b31c6c36d682"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 8B [2] mov eax, [ebp+var_C]
29 | 89 ?? mov ecx, eax
30 | 03 [2] add ecx, [ebp+lpBuffer]
31 | 8B [2] mov eax, [ebp+var_C]
32 | 03 [2] add eax, [ebp+lpBuffer]
33 | 0F B6 18 movzx ebx, byte ptr [eax]
34 | 8B [2] mov eax, [ebp+var_C]
35 | 89 ?? mov edx, eax
36 | C1 [2] sar edx, 1Fh
37 | C1 [2] shr edx, 1Eh
38 | 01 ?? add eax, edx
39 | 83 [2] and eax, 3
40 | 29 ?? sub eax, edx
41 | 03 [2] add eax, [ebp+arg_8]
42 | 0F B6 00 movzx eax, byte ptr [eax]
43 | 31 ?? xor eax, ebx
44 | 88 ?? mov [ecx], al
45 | */
46 |
47 | $decoderFunc = { 8B [2] 89 ?? 03 [2] 8B [2] 03 [5] 8B [2] 89 ?? C1 [2] C1 [2] 01 ?? 83 [2] 29 ?? 03 [5] 31 ?? 88 }
48 |
49 | condition:
50 | any of them
51 | }
52 |
53 | rule CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x
54 | {
55 | meta:
56 | description = "Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)"
57 | hash = "871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9"
58 | author = "gssincla@google.com"
59 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
60 | date = "2022-11-18"
61 |
62 | strings:
63 | /*
64 | 89 ?? mov eax, ecx
65 | B? 04 00 00 00 mov edi, 4
66 | 99 cdq
67 | F7 FF idiv edi
68 | 8B [2] mov edi, [ebp+var_20]
69 | 8A [2] mov al, [edi+edx]
70 | 30 [2] xor [ebx+ecx], al
71 | */
72 |
73 | $decoderFunc = { 89 ?? B? 04 00 00 00 99 F7 FF 8B [2] 8A [2] 30 }
74 |
75 | condition:
76 | $decoderFunc
77 | }
78 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Artifact64_v1_49_v2_x_v3_0_v3_3_thru_v3_14
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/artifact64{.dll,.exe,big.exe,big.dll,bigsvc.exe,big.x64.dll} and resources/artifactuac(alt)64.dll signature for versions v1.49, v2.x, v3.0, and v3.3 through v3.14"
21 | hash = "9ec57d306764517b5956b49d34a3a87d4a6b26a2bb3d0fdb993d055e0cc9920d"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 8B [2] mov eax, [rbp+var_4]
29 | 48 98 cdqe
30 | 48 89 C1 mov rcx, rax
31 | 48 03 4D 10 add rcx, [rbp+arg_0]
32 | 8B 45 FC mov eax, [rbp+var_4]
33 | 48 98 cdqe
34 | 48 03 45 10 add rax, [rbp+arg_0]
35 | 44 0F B6 00 movzx r8d, byte ptr [rax]
36 | 8B 45 FC mov eax, [rbp+var_4]
37 | 89 C2 mov edx, eax
38 | C1 FA 1F sar edx, 1Fh
39 | C1 EA 1E shr edx, 1Eh
40 | 01 D0 add eax, edx
41 | 83 E0 03 and eax, 3
42 | 29 D0 sub eax, edx
43 | 48 98 cdqe
44 | 48 03 45 20 add rax, [rbp+arg_10]
45 | 0F B6 00 movzx eax, byte ptr [rax]
46 | 44 31 C0 xor eax, r8d
47 | 88 01 mov [rcx], al
48 | */
49 |
50 | $a = { 8B [2] 48 98 48 [2] 48 [3] 8B [2] 48 98 48 [3] 44 [3] 8B [2] 89 ?? C1 ?? 1F C1 ?? 1E 01 ?? 83 ?? 03 29 ?? 48 98 48 [3] 0F B6 00 44 [2] 88 }
51 |
52 | condition:
53 | $a
54 | }
55 |
56 | rule CobaltStrike_Resources_Artifact64_v3_1_v3_2_v3_14_and_v4_0
57 | {
58 | meta:
59 | description = "Cobalt Strike's resources/artifact64{svcbig.exe,.dll,big.dll,svc.exe} and resources/artifactuac(big)64.dll signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x"
60 | hash = "2e7a39bd6ac270f8f548855b97c4cef2c2ce7f54c54dd4d1aa0efabeecf3ba90"
61 | author = "gssincla@google.com"
62 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
63 | date = "2022-11-18"
64 |
65 | strings:
66 | /*
67 | 31 C0 xor eax, eax
68 | EB 0F jmp short loc_6BAC16B5
69 | 41 83 E1 03 and r9d, 3
70 | 47 8A 0C 08 mov r9b, [r8+r9]
71 | 44 30 0C 01 xor [rcx+rax], r9b
72 | 48 FF C0 inc rax
73 | 39 D0 cmp eax, edx
74 | 41 89 C1 mov r9d, eax
75 | 7C EA jl short loc_6BAC16A6
76 | 4C 8D 05 53 29 00 00 lea r8, aRundll32Exe; "rundll32.exe"
77 | E9 D1 FE FF FF jmp sub_6BAC1599
78 | */
79 |
80 | $decoderFunction = { 31 ?? EB 0F 41 [2] 03 47 [3] 44 [3] 48 [2] 39 ?? 41 [2] 7C EA 4C [6] E9 }
81 |
82 | condition:
83 | $decoderFunction
84 | }
85 |
86 | rule CobaltStrike_Resources_Artifact64_v3_14_to_v4_x
87 | {
88 | meta:
89 | description = "Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resources/artifactuac(alt)64.exe signature for versions v3.14 through v4.x"
90 | hash = "decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44"
91 | author = "gssincla@google.com"
92 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
93 | date = "2022-11-18"
94 |
95 | strings:
96 | /*
97 | 41 B8 5C 00 00 00 mov r8d, 5Ch ; '\'
98 | C7 44 24 50 5C 00 00 00 mov [rsp+68h+var_18], 5Ch ; '\'
99 | C7 44 24 48 65 00 00 00 mov [rsp+68h+var_20], 65h ; 'e'
100 | C7 44 24 40 70 00 00 00 mov [rsp+68h+var_28], 70h ; 'p'
101 | C7 44 24 38 69 00 00 00 mov [rsp+68h+var_30], 69h ; 'i'
102 | C7 44 24 30 70 00 00 00 mov [rsp+68h+var_38], 70h ; 'p'
103 | C7 44 24 28 5C 00 00 00 mov dword ptr [rsp+68h+lpThreadId], 5Ch ; '\'
104 | C7 44 24 20 2E 00 00 00 mov [rsp+68h+dwCreationFlags], 2Eh ; '.'
105 | 89 54 24 58 mov [rsp+68h+var_10], edx
106 | 48 8D 15 22 38 00 00 lea rdx, Format; Format
107 | E8 0D 17 00 00 call sprintf
108 | */
109 |
110 | $fmtBuilder = {
111 | 41 ?? 5C 00 00 00
112 | C7 [3] 5C 00 00 00
113 | C7 [3] 65 00 00 00
114 | C7 [3] 70 00 00 00
115 | C7 [3] 69 00 00 00
116 | C7 [3] 70 00 00 00
117 | C7 [3] 5C 00 00 00
118 | C7 [3] 2E 00 00 00
119 | 89 [3]
120 | 48 [6]
121 | E8
122 | }
123 |
124 | $fmtString = "%c%c%c%c%c%c%c%c%cMSSE-%d-server"
125 |
126 | condition:
127 | all of them
128 | }
129 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Beacon_Dll_v1_44
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/beacon.dll Version 1.44"
21 | hash = "75102e8041c58768477f5f982500da7e03498643b6ece86194f4b3396215f9c2"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 0F B7 D2 movzx edx, dx
29 | 4A dec edx; switch 5 cases
30 | 53 push ebx
31 | 8B D9 mov ebx, ecx; a2
32 | 83 FA 04 cmp edx, 4
33 | 77 36 ja short def_1000106C; jumptable 1000106C default case
34 | FF 24 ?? jmp ds:jpt_1000106C[edx*4]; switch jump
35 | */
36 | $version_sig = { 0F B7 D2 4A 53 8B D9 83 FA 04 77 36 FF 24 }
37 |
38 | /*
39 | B1 69 mov cl, 69h ; 'i'
40 | 30 88 [4] xor byte ptr word_10018F20[eax], cl
41 | 40 inc eax
42 | 3D 28 01 00 00 cmp eax, 128h
43 | 7C F2 jl short loc_10001AD4
44 | */
45 | $decode = { B1 ?? 30 88 [4] 40 3D 28 01 00 00 7C F2 }
46 |
47 | condition:
48 | all of them
49 | }
50 |
51 | rule CobaltStrike_Resources_Beacon_Dll_v1_45
52 | {
53 | meta:
54 | description = "Cobalt Strike's resources/beacon.dll Version 1.45"
55 | hash = "1a92b2024320f581232f2ba1e9a11bef082d5e9723429b3e4febb149458d1bb1"
56 | author = "gssincla@google.com"
57 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
58 | date = "2022-11-18"
59 |
60 | strings:
61 | /*
62 | 51 push ecx
63 | 0F B7 D2 movzx edx, dx
64 | 4A dec edx; switch 9 cases
65 | 53 push ebx
66 | 56 push esi
67 | 83 FA 08 cmp edx, 8
68 | 77 6B ja short def_1000106C; jumptable 1000106C default case
69 | FF 24 ?? jmp ds:jpt_1000106C[edx*4]; switch jump
70 | */
71 | $version_sig = { 51 0F B7 D2 4A 53 56 83 FA 08 77 6B FF 24 }
72 |
73 | /*
74 | B1 69 mov cl, 69h ; 'i'
75 | 30 88 [4] xor byte ptr word_10019F20[eax], cl
76 | 40 inc eax
77 | 3D 28 01 00 00 cmp eax, 128h
78 | 7C F2 jl short loc_10002664
79 | */
80 | $decode = { B1 ?? 30 88 [4] 40 3D 28 01 00 00 7C F2 }
81 |
82 | condition:
83 | all of them
84 | }
85 |
86 | rule CobaltStrike_Resources_Beacon_Dll_v1_46
87 | {
88 | meta:
89 | description = "Cobalt Strike's resources/beacon.dll Version 1.46"
90 | hash = "44e34f4024878024d4804246f57a2b819020c88ba7de160415be38cd6b5e2f76"
91 | author = "gssincla@google.com"
92 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
93 | date = "2022-11-18"
94 |
95 | strings:
96 | /*
97 | 8B F2 mov esi, edx
98 | 83 F9 0C cmp ecx, 0Ch
99 | 0F 87 8E 00 00 00 ja def_1000107F; jumptable 1000107F default case, case 8
100 | FF 24 ?? jmp ds:jpt_1000107F[ecx*4]; switch jump
101 | */
102 | $version_sig = { 8B F2 83 F9 0C 0F 87 8E 00 00 00 FF 24 }
103 |
104 | /*
105 | B1 69 mov cl, 69h ; 'i'
106 | 30 88 [4] xor byte ptr word_1001D040[eax], cl
107 | 40 inc eax
108 | 3D A8 01 00 00 cmp eax, 1A8h
109 | 7C F2 jl short loc_10002A04
110 | */
111 | $decode = { B1 ?? 30 88 [4] 40 3D A8 01 00 00 7C F2 }
112 |
113 | condition:
114 | all of them
115 | }
116 |
117 | rule CobaltStrike_Resources_Beacon_Dll_v1_47
118 | {
119 | meta:
120 | description = "Cobalt Strike's resources/beacon.dll Version 1.47"
121 | hash = "8ff6dc80581804391183303bb39fca2a5aba5fe13d81886ab21dbd183d536c8d"
122 | author = "gssincla@google.com"
123 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
124 | date = "2022-11-18"
125 |
126 | strings:
127 | /*
128 | 83 F8 12 cmp eax, 12h
129 | 77 10 ja short def_100010BB; jumptable 100010BB default case, case 8
130 | FF 24 ?? jmp ds:jpt_100010BB[eax*4]; switch jump
131 | */
132 | $version_sig = { 83 F8 12 77 10 FF 24 }
133 |
134 | /*
135 | B1 69 mov cl, 69h ; 'i'
136 | 30 88 [4] xor byte ptr word_1001E040[eax], cl
137 | 40 inc eax
138 | 3D A8 01 00 00 cmp eax, 1A8h
139 | */
140 | $decode = { B1 ?? 30 88 [4] 40 3D A8 01 00 00 }
141 |
142 | condition:
143 | all of them
144 | }
145 |
146 | rule CobaltStrike_Resources_Beacon_Dll_v1_48
147 | {
148 | meta:
149 | description = "Cobalt Strike's resources/beacon.dll Version 1.48"
150 | hash = "dd4e445572cd5e32d7e9cc121e8de337e6f19ff07547e3f2c6b7fce7eafd15e4"
151 | author = "gssincla@google.com"
152 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
153 | date = "2022-11-18"
154 |
155 | strings:
156 | /*
157 | 48 dec eax; switch 24 cases
158 | 57 push edi
159 | 8B F1 mov esi, ecx
160 | 8B DA mov ebx, edx
161 | 83 F8 17 cmp eax, 17h
162 | 77 12 ja short def_1000115D; jumptable 1000115D default case, case 8
163 | FF 24 ?? jmp ds:jpt_1000115D[eax*4]; switch jump
164 | */
165 | $version_sig = { 48 57 8B F1 8B DA 83 F8 17 77 12 FF 24 }
166 |
167 | /*
168 | B1 69 mov cl, 69h ; 'i'
169 | 30 88 [4] xor byte ptr word_1001F048[eax], cl
170 | 40 inc eax
171 | 3D A8 01 00 00 cmp eax, 1A8h
172 | 7C F2 jl short loc_100047B4
173 | */
174 | $decode = { B1 ?? 30 88 [4] 40 3D A8 01 00 00 7C F2 }
175 |
176 | condition:
177 | all of them
178 | }
179 |
180 | rule CobaltStrike_Resources_Beacon_Dll_v1_49
181 | {
182 | meta:
183 | description = "Cobalt Strike's resources/beacon.dll Version 1.49"
184 | hash = "52b4bd87e21ee0cbaaa0fc007fd3f894c5fc2c4bae5cbc2a37188de3c2c465fe"
185 | author = "gssincla@google.com"
186 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
187 | date = "2022-11-18"
188 |
189 | strings:
190 | /*
191 | 48 dec eax; switch 31 cases
192 | 56 push esi
193 | 83 F8 1E cmp eax, 1Eh
194 | 0F 87 23 01 00 00 ja def_1000115B; jumptable 1000115B default case, cases 8,30
195 | FF 24 85 80 12 00 10 jmp ds:jpt_1000115B[eax*4]; switch jump
196 | */
197 | $version_sig = { 48 56 83 F8 1E 0F 87 23 01 00 00 FF 24 }
198 |
199 | /*
200 | B1 69 mov cl, 69h ; 'i'
201 | 90 nop
202 | 30 88 [4] xor byte ptr word_10022038[eax], cl
203 | 40 inc eax
204 | 3D A8 01 00 00 cmp eax, 1A8h
205 | 7C F2 jl short loc_10005940
206 | */
207 | $decoder = { B1 ?? 90 30 88 [4] 40 3D A8 01 00 00 7C F2 }
208 |
209 | condition:
210 | all of them
211 | }
212 |
213 | rule CobaltStrike_Resources_Beacon_Dll_v2_0_49
214 | {
215 | meta:
216 | description = "Cobalt Strike's resources/beacon.dll Version 2.0.49"
217 | hash = "ed08c1a21906e313f619adaa0a6e5eb8120cddd17d0084a30ada306f2aca3a4e"
218 | author = "gssincla@google.com"
219 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
220 | date = "2022-11-18"
221 |
222 | strings:
223 | /*
224 | 83 F8 22 cmp eax, 22h
225 | 0F 87 96 01 00 00 ja def_1000115D; jumptable 1000115D default case, cases 8,30
226 | FF 24 ?? jmp ds:jpt_1000115D[eax*4]; switch jump
227 | */
228 | $version_sig = { 83 F8 22 0F 87 96 01 00 00 FF 24 }
229 |
230 | /*
231 | B1 69 mov cl, 69h ; 'i'
232 | EB 03 jmp short loc_10006930
233 | 8D 49 00 lea ecx, [ecx+0]
234 | 30 88 [4] xor byte ptr word_10023038[eax], cl
235 | 40 inc eax
236 | 3D 30 05 00 00 cmp eax, 530h
237 | 72 F2 jb short loc_10006930
238 | */
239 | $decoder = { B1 ?? EB 03 8D 49 00 30 88 [4] 40 3D 30 05 00 00 72 F2 }
240 |
241 | condition:
242 | all of them
243 | }
244 |
245 | rule CobaltStrike_Resources_Beacon_Dll_v2_1_and_v2_2
246 | {
247 | // v2.1 and v2.2 use the exact same beacon binary (matching hashes)
248 | meta:
249 | description = "Cobalt Strike's resources/beacon.dll Versions 2.1 and 2.2"
250 | hash = "ae7a1d12e98b8c9090abe19bcaddbde8db7b119c73f7b40e76cdebb2610afdc2"
251 | author = "gssincla@google.com"
252 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
253 | date = "2022-11-18"
254 |
255 | strings:
256 | /*
257 | 49 dec ecx; switch 37 cases
258 | 56 push esi
259 | 57 push edi
260 | 83 F9 24 cmp ecx, 24h
261 | 0F 87 8A 01 00 00 ja def_1000112E; jumptable 1000112E default case, cases 8,30
262 | FF 24 ?? jmp ds:jpt_1000112E[ecx*4]; switch jump
263 | */
264 | $version_sig = { 49 56 57 83 F9 24 0F 87 8A 01 00 00 FF 24 }
265 |
266 | /*
267 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
268 | 40 inc eax
269 | 3D 10 06 00 00 cmp eax, 610h
270 | 72 F1 jb short loc_1000674A
271 | */
272 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
273 |
274 | condition:
275 | all of them
276 | }
277 |
278 | rule CobaltStrike_Resources_Beacon_Dll_v2_3
279 | {
280 | meta:
281 | description = "Cobalt Strike's resources/beacon.dll Version 2.3"
282 | hash = "00dd982cb9b37f6effb1a5a057b6571e533aac5e9e9ee39a399bb3637775ff83"
283 | author = "gssincla@google.com"
284 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
285 | date = "2022-11-18"
286 |
287 | strings:
288 | /*
289 | 49 dec ecx; switch 39 cases
290 | 56 push esi
291 | 57 push edi
292 | 83 F9 26 cmp ecx, 26h
293 | 0F 87 A9 01 00 00 ja def_1000112E; jumptable 1000112E default case, cases 8,30
294 | FF 24 ?? jmp ds:jpt_1000112E[ecx*4]; switch jump
295 | */
296 | $version_sig = { 49 56 57 83 F9 26 0F 87 A9 01 00 00 FF 24 }
297 |
298 | /*
299 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
300 | 40 inc eax
301 | 3D 10 06 00 00 cmp eax, 610h
302 | 72 F1 jb short loc_1000674A
303 | */
304 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
305 |
306 | condition:
307 | all of them
308 | }
309 |
310 | rule CobaltStrike_Resources_Beacon_Dll_v2_4
311 | {
312 | meta:
313 | description = "Cobalt Strike's resources/beacon.dll Version 2.4"
314 | hash = "78c6f3f2b80e6140c4038e9c2bcd523a1b205d27187e37dc039ede4cf560beed"
315 | author = "gssincla@google.com"
316 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
317 | date = "2022-11-18"
318 |
319 | strings:
320 | /*
321 | 4A dec edx; switch 48 cases
322 | 56 push esi
323 | 57 push edi
324 | 83 FA 2F cmp edx, 2Fh
325 | 0F 87 F9 01 00 00 ja def_1000112E; jumptable 1000112E default case, cases 6-8,30
326 | FF 24 ?? jmp ds:jpt_1000112E[edx*4]; switch jump
327 | */
328 | $version_sig = { 4A 56 57 83 FA 2F 0F 87 F9 01 00 00 FF 24 }
329 |
330 | /*
331 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
332 | 40 inc eax
333 | 3D 10 06 00 00 cmp eax, 610h
334 | 72 F1 jb short loc_1000674A
335 | */
336 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
337 |
338 | condition:
339 | all of them
340 | }
341 |
342 | rule CobaltStrike_Resources_Beacon_Dll_v2_5
343 | {
344 | meta:
345 | description = "Cobalt Strike's resources/beacon.dll Version 2.5"
346 | hash = "d99693e3e521f42d19824955bef0cefb79b3a9dbf30f0d832180577674ee2b58"
347 | author = "gssincla@google.com"
348 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
349 | date = "2022-11-18"
350 |
351 | strings:
352 | /*
353 | 48 dec eax; switch 59 cases
354 | 57 push edi
355 | 8B F2 mov esi, edx
356 | 83 F8 3A cmp eax, 3Ah
357 | 0F 87 6E 02 00 00 ja def_10001130; jumptable 10001130 default case, cases 6-8,30
358 | FF 24 ?? jmp ds:jpt_10001130[eax*4]; switch jump
359 | */
360 | $version_sig = { 48 57 8B F2 83 F8 3A 0F 87 6E 02 00 00 FF 24 }
361 |
362 | /*
363 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
364 | 40 inc eax
365 | 3D 10 06 00 00 cmp eax, 610h
366 | 72 F1 jb short loc_1000674A
367 | */
368 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
369 |
370 | condition:
371 | all of them
372 | }
373 |
374 | rule CobaltStrike_Resources_Beacon_Dll_v3_0
375 | {
376 | meta:
377 | description = "Cobalt Strike's resources/beacon.dll Version 3.0"
378 | hash = "30251f22df7f1be8bc75390a2f208b7514647835f07593f25e470342fd2e3f52"
379 | author = "gssincla@google.com"
380 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
381 | date = "2022-11-18"
382 |
383 | strings:
384 | /*
385 | 48 dec eax; switch 61 cases
386 | 57 push edi
387 | 8B F2 mov esi, edx
388 | 83 F8 3C cmp eax, 3Ch
389 | 0F 87 89 02 00 00 ja def_10001130; jumptable 10001130 default case, cases 6-8,30
390 | FF 24 ?? jmp ds:jpt_10001130[eax*4]; switch jump
391 | */
392 | $version_sig = { 48 57 8B F2 83 F8 3C 0F 87 89 02 00 00 FF 24 }
393 |
394 | /*
395 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
396 | 40 inc eax
397 | 3D 10 06 00 00 cmp eax, 610h
398 | 72 F1 jb short loc_1000674A
399 | */
400 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
401 |
402 | condition:
403 | all of them
404 | }
405 |
406 | rule CobaltStrike_Resources_Beacon_Dll_v3_1
407 | {
408 | meta:
409 | description = "Cobalt Strike's resources/beacon.dll Version 3.1"
410 | hash = "4de723e784ef4e1633bbbd65e7665adcfb03dd75505b2f17d358d5a40b7f35cf"
411 | author = "gssincla@google.com"
412 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
413 | date = "2022-11-18"
414 |
415 | // v3.1 and v3.2 share the same C2 handler code, so the switch prologue alone
416 | // cannot separate them. We instead match a function that is present in v3.1 but
417 | // not in v3.2; together with the decoder this narrows the rule to v3.1 samples only.
418 | strings:
419 | /*
420 | 55 push ebp
421 | 8B EC mov ebp, esp
422 | 83 EC 58 sub esp, 58h
423 | A1 [4] mov eax, ___security_cookie
424 | 33 C5 xor eax, ebp
425 | 89 45 FC mov [ebp+var_4], eax
426 | E8 DF F5 FF FF call sub_10002109
427 | 6A 50 push 50h ; 'P'; namelen
428 | 8D 45 A8 lea eax, [ebp+name]
429 | 50 push eax; name
430 | FF 15 [4] call ds:gethostname
431 | 8D 45 ?? lea eax, [ebp+name]
432 | 50 push eax; name
433 | FF 15 [4] call ds:__imp_gethostbyname
434 | 85 C0 test eax, eax
435 | 74 14 jz short loc_10002B58
436 | 8B 40 0C mov eax, [eax+0Ch]
437 | 83 38 00 cmp dword ptr [eax], 0
438 | 74 0C jz short loc_10002B58
439 | 8B 00 mov eax, [eax]
440 | FF 30 push dword ptr [eax]; in
441 | FF 15 [4] call ds:inet_ntoa
442 | EB 05 jmp short loc_10002B5D
443 | B8 [4] mov eax, offset aUnknown; "unknown"
444 | 8B 4D FC mov ecx, [ebp+var_4]
445 | 33 CD xor ecx, ebp; StackCookie
446 | E8 82 B7 00 00 call @__security_check_cookie@4; __security_check_cookie(x)
447 | C9 leave
448 | */
449 | $version_sig = { 55 8B EC 83 EC 58 A1 [4] 33 C5 89 45 FC E8 DF F5 FF FF 6A 50 8D 45 A8 50 FF 15 [4] 8D 45 ?? 50 FF 15 [4] 85 C0 74 14 8B 40 0C 83 38 00 74 0C 8B 00 FF 30 FF 15 [4] EB 05 B8 [4] 8B 4D FC 33 CD E8 82 B7 00 00 C9 }
450 |
451 | /*
452 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
453 | 40 inc eax
454 | 3D 10 06 00 00 cmp eax, 610h
455 | 72 F1 jb short loc_1000674A
456 | */
457 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
458 |
459 | condition:
460 | all of them
461 | }
462 |
463 | rule CobaltStrike_Resources_Beacon_Dll_v3_2
464 | {
465 | meta:
466 | description = "Cobalt Strike's resources/beacon.dll Version 3.2"
467 | hash = "b490eeb95d150530b8e155da5d7ef778543836a03cb5c27767f1ae4265449a8d"
468 | rs2 = "a93647c373f16d61c38ba6382901f468247f12ba8cbe56663abb2a11ff2a5144"
469 | author = "gssincla@google.com"
470 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
471 | date = "2022-11-18"
472 |
473 | strings:
474 | /*
475 | 48 dec eax; switch 62 cases
476 | 57 push edi
477 | 8B F2 mov esi, edx
478 | 83 F8 3D cmp eax, 3Dh
479 | 0F 87 83 02 00 00 ja def_10001130; jumptable 10001130 default case, cases 6-8,30
480 | FF 24 ?? jmp ds:jpt_10001130[eax*4]; switch jump
481 | */
482 | $version_sig = { 48 57 8B F2 83 F8 3D 0F 87 83 02 00 00 FF 24 }
483 |
484 | /*
485 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
486 | 40 inc eax
487 | 3D 10 06 00 00 cmp eax, 610h
488 | 72 F1 jb short loc_1000674A
489 | */
490 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
491 |
492 | // Since v3.1 and v3.2 are so similar, we use the v3.1 version_sig as a
493 | // negated condition to tell v3.2 apart from v3.1
494 | /*
495 | 55 push ebp
496 | 8B EC mov ebp, esp
497 | 83 EC 58 sub esp, 58h
498 | A1 [4] mov eax, ___security_cookie
499 | 33 C5 xor eax, ebp
500 | 89 45 FC mov [ebp+var_4], eax
501 | E8 DF F5 FF FF call sub_10002109
502 | 6A 50 push 50h ; 'P'; namelen
503 | 8D 45 A8 lea eax, [ebp+name]
504 | 50 push eax; name
505 | FF 15 [4] call ds:gethostname
506 | 8D 45 ?? lea eax, [ebp+name]
507 | 50 push eax; name
508 | FF 15 [4] call ds:__imp_gethostbyname
509 | 85 C0 test eax, eax
510 | 74 14 jz short loc_10002B58
511 | 8B 40 0C mov eax, [eax+0Ch]
512 | 83 38 00 cmp dword ptr [eax], 0
513 | 74 0C jz short loc_10002B58
514 | 8B 00 mov eax, [eax]
515 | FF 30 push dword ptr [eax]; in
516 | FF 15 [4] call ds:inet_ntoa
517 | EB 05 jmp short loc_10002B5D
518 | B8 [4] mov eax, offset aUnknown; "unknown"
519 | 8B 4D FC mov ecx, [ebp+var_4]
520 | 33 CD xor ecx, ebp; StackCookie
521 | E8 82 B7 00 00 call @__security_check_cookie@4; __security_check_cookie(x)
522 | C9 leave
523 | */
524 | $version3_1_sig = { 55 8B EC 83 EC 58 A1 [4] 33 C5 89 45 FC E8 DF F5 FF FF 6A 50 8D 45 A8 50 FF 15 [4] 8D 45 ?? 50 FF 15 [4] 85 C0 74 14 8B 40 0C 83 38 00 74 0C 8B 00 FF 30 FF 15 [4] EB 05 B8 [4] 8B 4D FC 33 CD E8 82 B7 00 00 C9 }
525 |
526 | condition:
527 | $version_sig and $decoder and not $version3_1_sig
528 | }
529 |
530 | rule CobaltStrike_Resources_Beacon_Dll_v3_3
531 | {
532 | meta:
533 | description = "Cobalt Strike's resources/beacon.dll Version 3.3"
534 | hash = "158dba14099f847816e2fc22f254c60e09ac999b6c6e2ba6f90c6dd6d937bc42"
535 | author = "gssincla@google.com"
536 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
537 | date = "2022-11-18"
538 |
539 | strings:
540 | /*
541 | 48 dec eax; switch 66 cases
542 | 57 push edi
543 | 8B F1 mov esi, ecx
544 | 83 F8 41 cmp eax, 41h
545 | 0F 87 F0 02 00 00 ja def_1000112D; jumptable 1000112D default case, cases 6-8,30
546 | FF 24 ?? jmp ds:jpt_1000112D[eax*4]; switch jump
547 | */
548 | $version_sig = { 48 57 8B F1 83 F8 41 0F 87 F0 02 00 00 FF 24 }
549 |
550 | /*
551 | 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h
552 | 40 inc eax
553 | 3D 10 06 00 00 cmp eax, 610h
554 | 72 F1 jb short loc_1000674A
555 | */
556 | $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }
557 |
558 | condition:
559 | all of them
560 | }
561 |
562 | rule CobaltStrike_Resources_Beacon_Dll_v3_4
563 | {
564 | meta:
565 | description = "Cobalt Strike's resources/beacon.dll Version 3.4"
566 | hash = "5c40bfa04a957d68a095dd33431df883e3a075f5b7dea3e0be9834ce6d92daa3"
567 | author = "gssincla@google.com"
568 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
569 | date = "2022-11-18"
570 |
571 | strings:
572 | /*
573 | 48 dec eax; switch 67 cases
574 | 57 push edi
575 | 8B F1 mov esi, ecx
576 | 83 F8 42 cmp eax, 42h
577 | 0F 87 F0 02 00 00 ja def_1000112D; jumptable 1000112D default case, cases 6-8,26,30
578 | FF 24 ?? jmp ds:jpt_1000112D[eax*4]; switch jump
579 | */
580 | $version_sig = { 48 57 8B F1 83 F8 42 0F 87 F0 02 00 00 FF 24 }
581 |
582 | /*
583 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
584 | 40 inc eax
585 | 3D 00 10 00 00 cmp eax, 1000h
586 | 7C F1 jl short loc_10008741
587 | */
588 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
589 |
590 | condition:
591 | all of them
592 | }
593 |
594 | rule CobaltStrike_Resources_Beacon_Dll_v3_5_hf1_and_3_5_1
595 | {
596 | // Versions 3.5-hf1 and 3.5.1 use the exact same beacon binary (same hash)
597 | meta:
598 | description = "Cobalt Strike's resources/beacon.dll Versions 3.5-hf1 and 3.5.1 (3.5.x)"
599 | hash = "c78e70cd74f4acda7d1d0bd85854ccacec79983565425e98c16a9871f1950525"
600 | author = "gssincla@google.com"
601 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
602 | date = "2022-11-18"
603 |
604 | strings:
605 | /*
606 | 48 dec eax; switch 68 cases
607 | 57 push edi
608 | 8B F1 mov esi, ecx
609 | 83 F8 43 cmp eax, 43h
610 | 0F 87 07 03 00 00 ja def_1000112D; jumptable 1000112D default case, cases 6-8,26,30
611 | FF 24 ?? jmp ds:jpt_1000112D[eax*4]; switch jump
612 | */
613 | $version_sig = { 48 57 8B F1 83 F8 43 0F 87 07 03 00 00 FF 24 }
614 |
615 | /*
616 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
617 | 40 inc eax
618 | 3D 00 10 00 00 cmp eax, 1000h
619 | 7C F1 jl short loc_10008741
620 | */
621 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
622 |
623 | condition:
624 | all of them
625 | }
626 |
627 | rule CobaltStrike_Resources_Beacon_Dll_v3_6
628 | {
629 | meta:
630 | description = "Cobalt Strike's resources/beacon.dll Version 3.6"
631 | hash = "495a744d0a0b5f08479c53739d08bfbd1f3b9818d8a9cbc75e71fcda6c30207d"
632 | author = "gssincla@google.com"
633 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
634 | date = "2022-11-18"
635 |
636 | strings:
637 | /*
638 | 48 dec eax; switch 72 cases
639 | 57 push edi
640 | 8B F9 mov edi, ecx
641 | 83 F8 47 cmp eax, 47h
642 | 0F 87 2F 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 6-8,26,30
643 | FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump
644 | */
645 | $version_sig = { 48 57 8B F9 83 F8 47 0F 87 2F 03 00 00 FF 24 }
646 |
647 | /*
648 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
649 | 40 inc eax
650 | 3D 00 10 00 00 cmp eax, 1000h
651 | 7C F1 jl short loc_10008741
652 | */
653 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
654 |
655 | condition:
656 | all of them
657 | }
658 |
659 | rule CobaltStrike_Resources_Beacon_Dll_v3_7
660 | {
661 | meta:
662 | description = "Cobalt Strike's resources/beacon.dll Version 3.7"
663 | hash = "f18029e6b12158fb3993f4951dab2dc6e645bb805ae515d205a53a1ef41ca9b2"
664 | author = "gssincla@google.com"
665 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
666 | date = "2022-11-18"
667 |
668 | strings:
669 | /*
670 | 48 dec eax; switch 74 cases
671 | 57 push edi
672 | 8B F9 mov edi, ecx
673 | 83 F8 49 cmp eax, 49h
674 | 0F 87 47 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 6-8,26,30
675 | FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump
676 | */
677 | $version_sig = { 48 57 8B F9 83 F8 49 0F 87 47 03 00 00 FF 24 }
678 |
679 | /*
680 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
681 | 40 inc eax
682 | 3D 00 10 00 00 cmp eax, 1000h
683 | 7C F1 jl short loc_10008741
684 | */
685 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
686 |
687 | condition:
688 | all of them
689 | }
690 |
691 | rule CobaltStrike_Resources_Beacon_Dll_v3_8
692 | {
693 | meta:
694 | description = "Cobalt Strike's resources/beacon.dll Version 3.8"
695 | hash = "67b6557f614af118a4c409c992c0d9a0cc800025f77861ecf1f3bbc7c293d603"
696 | author = "gssincla@google.com"
697 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
698 | date = "2022-11-18"
699 |
700 | strings:
701 | /*
702 | 48 dec eax; switch 76 cases
703 | 57 push edi
704 | 8B F9 mov edi, ecx
705 | 83 F8 4B cmp eax, 4Bh
706 | 0F 87 5D 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 6-8,26,30
707 | FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump
708 | */
709 | $version_sig = { 48 57 8B F9 83 F8 4B 0F 87 5D 03 00 00 FF 24 }
710 |
711 | /*
712 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
713 | 40 inc eax
714 | 3D 00 10 00 00 cmp eax, 1000h
715 | 7C F1 jl short loc_10008741
716 | */
717 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
718 |
719 | // XMRig uses a v3.8 sample to trick sandboxes into running its code. Those
720 | // samples are all identical and of no interest, so this source path string
721 | // excludes many of them from our detection.
722 | $xmrig_srcpath = "C:/Users/SKOL-NOTE/Desktop/Loader/script.go"
723 | // To exclude the rest, we look for the known XMRig C2 domains in the (XOR-encoded) config:
724 | $c2_1 = "ns7.softline.top" xor
725 | $c2_2 = "ns8.softline.top" xor
726 | $c2_3 = "ns9.softline.top" xor
727 | //$a = /[A-Za-z]{1020}.{4}$/
728 |
729 | condition:
730 | $version_sig and $decoder and not (2 of ($c2_*) or $xmrig_srcpath)
731 | }
732 |
733 | /*
734 |
735 | missing specific signatures for 3.9 and 3.10 since we don't have samples
736 |
737 | */
738 |
739 | rule CobaltStrike_Resources_Beacon_Dll_v3_11
740 | {
741 | meta:
742 | description = "Cobalt Strike's resources/beacon.dll Version 3.11"
743 | hash = "2428b93464585229fd234677627431cae09cfaeb1362fe4f648b8bee59d68f29"
744 | author = "gssincla@google.com"
745 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
746 | date = "2022-11-18"
747 |
748 | // Original version from April 9, 2018
749 | strings:
750 | /*
751 | 48 dec eax; switch 81 cases
752 | 57 push edi
753 | 8B FA mov edi, edx
754 | 83 F8 50 cmp eax, 50h
755 | 0F 87 11 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 2,6-8,26,30,36
756 | FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump
757 | */
758 | $version_sig = { 48 57 8B FA 83 F8 50 0F 87 11 03 00 00 FF 24 }
759 |
760 | /*
761 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
762 | 40 inc eax
763 | 3D 00 10 00 00 cmp eax, 1000h
764 | 7C F1 jl short loc_10008741
765 | */
766 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
767 |
768 | condition:
769 | all of them
770 | }
771 |
772 | rule CobaltStrike_Resources_Beacon_Dll_v3_11_bugfix_and_v3_12
773 | {
774 | meta:
775 | description = "Cobalt Strike's resources/beacon.dll Versions 3.11-bugfix and 3.12"
776 | hash = "5912c96fffeabb2c5c5cdd4387cfbfafad5f2e995f310ace76ca3643b866e3aa"
777 | rs2 = "4476a93abe48b7481c7b13dc912090b9476a2cdf46a1c4287b253098e3523192"
778 | author = "gssincla@google.com"
779 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
780 | date = "2022-11-18"
781 |
782 | // Covers both v3.11 (bug-fix build from May 25, 2018) and v3.12
783 | strings:
784 | /*
785 | 48 dec eax; switch 81 cases
786 | 57 push edi
787 | 8B FA mov edi, edx
788 | 83 F8 50 cmp eax, 50h
789 | 0F 87 0D 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 2,6-8,26,30,36
790 | FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump
791 | */
792 | $version_sig = { 48 57 8B FA 83 F8 50 0F 87 0D 03 00 00 FF 24 }
793 |
794 | /*
795 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
796 | 40 inc eax
797 | 3D 00 10 00 00 cmp eax, 1000h
798 | 7C F1 jl short loc_10008741
799 | */
800 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
801 |
802 | condition:
803 | all of them
804 | }
805 |
806 | rule CobaltStrike_Resources_Beacon_Dll_v3_13
807 | {
808 | meta:
809 | description = "Cobalt Strike's resources/beacon.dll Version 3.13"
810 | hash = "362119e3bce42e91cba662ea80f1a7957a5c2b1e92075a28352542f31ac46a0c"
811 | author = "gssincla@google.com"
812 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
813 | date = "2022-11-18"
814 |
815 | strings:
816 | /*
817 | 4A dec edx; switch 91 cases
818 | 56 push esi
819 | 57 push edi
820 | 83 FA 5A cmp edx, 5Ah
821 | 0F 87 2D 03 00 00 ja def_10008D01; jumptable 10008D01 default case, cases 2,6-8,20,21,26,30,36,63-66
822 | FF 24 ?? jmp ds:jpt_10008D01[edx*4]; switch jump
823 | */
824 | $version_sig = { 4A 56 57 83 FA 5A 0F 87 2D 03 00 00 FF 24 }
825 |
826 | /*
827 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
828 | 40 inc eax
829 | 3D 00 10 00 00 cmp eax, 1000h
830 | 7C F1 jl short loc_10008741
831 | */
832 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
833 |
834 | condition:
835 | all of them
836 | }
837 |
838 | rule CobaltStrike_Resources_Beacon_Dll_v3_14
839 | {
840 | meta:
841 | description = "Cobalt Strike's resources/beacon.dll Version 3.14"
842 | hash = "254c68a92a7108e8c411c7b5b87a2f14654cd9f1324b344f036f6d3b6c7accda"
843 | rs2 = "87b3eb55a346b52fb42b140c03ac93fc82f5a7f80697801d3f05aea1ad236730"
844 | author = "gssincla@google.com"
845 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
846 | date = "2022-11-18"
847 |
848 | strings:
849 | /*
850 | 83 FA 5B cmp edx, 5Bh
851 | 77 15 ja short def_1000939E; jumptable 1000939E default case, cases 2,6-8,20,21,26,30,36,63-66
852 | FF 24 ?? jmp ds:jpt_1000939E[edx*4]; switch jump
853 | */
854 | $version_sig = { 83 FA 5B 77 15 FF 24 }
855 |
856 | /*
857 | 80 B0 [4] 69 xor byte_1002E020[eax], 69h
858 | 40 inc eax
859 | 3D 00 10 00 00 cmp eax, 1000h
860 | 7C F1 jl short loc_10008741
861 | */
862 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
863 |
864 | condition:
865 | all of them
866 | }
867 |
868 | rule CobaltStrike_Sleeve_Beacon_Dll_v4_0_suspected
869 | {
870 | meta:
871 | description = "Cobalt Strike's sleeve/beacon.dll Version 4.0 (suspected, not confirmed)"
872 | hash = "e2b2b72454776531bbc6a4a5dd579404250901557f887a6bccaee287ac71b248"
873 | author = "gssincla@google.com"
874 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
875 | date = "2022-11-18"
876 |
877 | strings:
878 | /*
879 | 51 push ecx
880 | 4A dec edx; switch 99 cases
881 | 56 push esi
882 | 57 push edi
883 | 83 FA 62 cmp edx, 62h
884 | 0F 87 8F 03 00 00 ja def_100077C3; jumptable 100077C3 default case, cases 2,6-8,20,21,25,26,30,34-36,63-66
885 | FF 24 95 56 7B 00 10 jmp ds:jpt_100077C3[edx*4]; switch jump
886 | */
887 |
888 | $version_sig = { 51 4A 56 57 83 FA 62 0F 87 8F 03 00 00 FF 24 95 56 7B 00 10 }
889 |
890 | /*
891 | 80 B0 20 00 03 10 ?? xor byte_10030020[eax], 2Eh
892 | 40 inc eax
893 | 3D 00 10 00 00 cmp eax, 1000h
894 | 7C F1 jl short loc_1000912B
895 | */
896 |
897 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
898 |
899 | condition:
900 | all of them
901 | }
902 |
903 | rule CobaltStrike_Sleeve_Beacon_Dll_v4_1_and_v4_2
904 | {
905 | meta:
906 | description = "Cobalt Strike's sleeve/beacon.dll Versions 4.1 and 4.2"
907 | hash = "daa42f4380cccf8729129768f3588bb98e4833b0c40ad0620bb575b5674d5fc3"
908 | rs2 = "9de55f27224a4ddb6b2643224a5da9478999c7b2dea3a3d6b3e1808148012bcf"
909 | author = "gssincla@google.com"
910 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
911 | date = "2022-11-18"
912 |
913 | strings:
914 | /*
915 | 48 dec eax; switch 100 cases
916 | 57 push edi
917 | 8B F2 mov esi, edx
918 | 83 F8 63 cmp eax, 63h
919 | 0F 87 3C 03 00 00 ja def_10007F28; jumptable 10007F28 default case, cases 2,6-8,20,21,25,26,29,30,34-36,58,63-66,80,81,95-97
920 | FF 24 ?? jmp ds:jpt_10007F28[eax*4]; switch jump
921 | */
922 | $version_sig = { 48 57 8B F2 83 F8 63 0F 87 3C 03 00 00 FF 24 }
923 |
924 | /*
925 | 80 B0 [4] 3E xor byte_10031010[eax], 3Eh
926 | 40 inc eax
927 | 3D 00 10 00 00 cmp eax, 1000h
928 | 7C F1 jl short loc_10009791
929 | */
930 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
931 |
932 | condition:
933 | all of them
934 | }
935 |
936 | rule CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6
937 | {
938 | meta:
939 | description = "Cobalt Strike's sleeve/beacon.dll Versions 4.3, 4.4, 4.5 and 4.6"
940 | hash = "51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f"
941 | rs2 = "78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc"
942 | author = "gssincla@google.com"
943 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
944 | date = "2022-11-18"
945 |
946 | strings:
947 | /*
948 | 48 dec eax; switch 102 cases
949 | 57 push edi
950 | 8B F2 mov esi, edx
951 | 83 F8 65 cmp eax, 65h
952 | 0F 87 47 03 00 00 ja def_10007EAD; jumptable 10007EAD default case, cases 2,6-8,20,21,25,26,29,30,34-36,48,58,63-66,80,81,95-97
953 | FF 24 ?? jmp ds:jpt_10007EAD[eax*4]; switch jump
954 | */
955 | $version_sig = { 48 57 8B F2 83 F8 65 0F 87 47 03 00 00 FF 24 }
956 |
957 | /*
958 | 80 B0 [4] 3E xor byte_10031010[eax], 3Eh
959 | 40 inc eax
960 | 3D 00 10 00 00 cmp eax, 1000h
961 | 7C F1 jl short loc_10009791
962 | */
963 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
964 |
965 | condition:
966 | all of them
967 | }
968 |
969 | rule CobaltStrike_Sleeve_Beacon_Dll_v4_7_suspected
970 | {
971 | meta:
972 | description = "Cobalt Strike's sleeve/beacon.dll Version 4.7 (suspected, not confirmed)"
973 | hash = "da9e91b3d8df3d53425dd298778782be3bdcda40037bd5c92928395153160549"
974 | author = "gssincla@google.com"
975 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
976 | date = "2022-11-18"
977 |
978 | strings:
979 |
980 | /*
981 | 53 push ebx
982 | 56 push esi
983 | 48 dec eax; switch 104 cases
984 | 57 push edi
985 | 8B F2 mov esi, edx
986 | 83 F8 67 cmp eax, 67h
987 | 0F 87 5E 03 00 00 ja def_10008997; jumptable 10008997 default case, cases 2,6-8,20,21,25,26,29,30,34-36,48,58,63-66,80,81,95-97
988 | */
989 | $version_sig = { 53 56 48 57 8B F2 83 F8 67 0F 87 5E 03 00 00 }
990 |
991 | /*
992 | 80 B0 [5] xor byte_10033020[eax], 2Eh
993 | 40 inc eax
994 | 3D 00 10 00 00 cmp eax, 1000h
995 | 7C F1 jl short loc_1000ADA1
996 | */
997 |
998 | $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }
999 |
1000 | condition:
1001 | all of them
1002 | }
1003 |
1004 | /*
1005 |
1006 | 64-bit Beacons.
1007 |
1008 | These signatures work differently. The decoders are identical across the 4.x
1009 | series, and the command processor is compiled as a long chain of if/then/else
1010 | branches rather than a switch/case jump table, so the case-count check that
1011 | fingerprints the 32-bit versions is not available. Instead we lock on to
1012 | arbitrary sections of the command processor that do not overlap between
1013 | versions. Matching blocks of Jcc instructions (whose relative offsets differ
1014 | per version) is generally insufficient because too little code changes from
1015 | release to release; matching the specific function call offsets (the E8 rel32
1016 | immediates visible in the listings below) has proven to be the most reliable
1017 | approach.
1018 |
1019 | NOTE: The following versions differ only very subtly:
1020 | * 3.2 and 3.3
1021 | * 3.4 and 3.5-hf1/3.5.1
1022 | * 3.12, 3.13 and 3.14
1023 | * 4.3 and 4.4-4.6
1024 |
1025 | Be very careful if you modify the $version_sig string of any of those rules.
1026 | */
1027 |
1028 |
1029 | rule CobaltStrike_Resources_Beacon_x64_v3_2
1030 | {
1031 | meta:
1032 | description = "Cobalt Strike's resources/beacon.x64.dll Version 3.2"
1033 | hash = "5993a027f301f37f3236551e6ded520e96872723a91042bfc54775dcb34c94a1"
1034 | author = "gssincla@google.com"
1035 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1036 | date = "2022-11-18"
1037 |
1038 | strings:
1039 | /*
1040 | 4C 8D 05 9F F8 FF FF lea r8, sub_18000C4B0
1041 | 8B D3 mov edx, ebx
1042 | 48 8B CF mov rcx, rdi
1043 | E8 05 1A 00 00 call sub_18000E620
1044 | EB 0A jmp short loc_18000CC27
1045 | 8B D3 mov edx, ebx
1046 | 48 8B CF mov rcx, rdi
1047 | E8 41 21 00 00 call sub_18000ED68
1048 | 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0]
1049 | 48 83 C4 20 add rsp, 20h
1050 | */
1051 |
1052 | $version_sig = { 4C 8D 05 9F F8 FF FF 8B D3 48 8B CF E8 05 1A 00 00
1053 | EB 0A 8B D3 48 8B CF E8 41 21 00 00 48 8B 5C 24 30
1054 | 48 83 C4 20 }
1055 |
1056 | /*
1057 | 80 31 ?? xor byte ptr [rcx], 69h
1058 | FF C2 inc edx
1059 | 48 FF C1 inc rcx
1060 | 48 63 C2 movsxd rax, edx
1061 | 48 3D 10 06 00 00 cmp rax, 610h
1062 | */
1063 |
1064 | $decoder = { 80 31 ?? FF C2 48 FF C1 48 63 C2 48 3D 10 06 00 00 }
1065 |
1066 | condition:
1067 | all of them
1068 | }
1069 |
1070 | rule CobaltStrike_Resources_Beacon_x64_v3_3
1071 | {
1072 | meta:
1073 | description = "Cobalt Strike's resources/beacon.x64.dll Version 3.3"
1074 | hash = "7b00721efeff6ed94ab108477d57b03022692e288cc5814feb5e9d83e3788580"
1075 | author = "gssincla@google.com"
1076 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1077 | date = "2022-11-18"
1078 |
1079 | strings:
1080 | /*
1081 | 8B D3 mov edx, ebx
1082 | 48 8B CF mov rcx, rdi
1083 | E8 89 66 00 00 call sub_1800155E8
1084 | E9 23 FB FF FF jmp loc_18000EA87
1085 | 41 B8 01 00 00 00 mov r8d, 1
1086 | E9 F3 FD FF FF jmp loc_18000ED62
1087 | 48 8D 0D 2A F8 FF FF lea rcx, sub_18000E7A0
1088 | E8 8D 2B 00 00 call sub_180011B08
1089 | 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0]
1090 | 48 83 C4 20 add rsp, 20h
1091 | */
1092 |
1093 | $version_sig = { 8B D3 48 8B CF E8 89 66 00 00 E9 23 FB FF FF
1094 | 41 B8 01 00 00 00 E9 F3 FD FF FF 48 8D 0D 2A F8 FF FF
1095 | E8 8D 2B 00 00 48 8B 5C 24 30 48 83 C4 20 }
1096 |
1097 | /*
1098 | 80 31 ?? xor byte ptr [rcx], 69h
1099 | FF C2 inc edx
1100 | 48 FF C1 inc rcx
1101 | 48 63 C2 movsxd rax, edx
1102 | 48 3D 10 06 00 00 cmp rax, 610h
1103 | */
1104 |
1105 | $decoder = { 80 31 ?? FF C2 48 FF C1 48 63 C2 48 3D 10 06 00 00 }
1106 |
1107 | condition:
1108 | all of them
1109 | }
1110 |
1111 | rule CobaltStrike_Resources_Beacon_x64_v3_4
1112 | {
1113 | meta:
1114 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.4"
1115 | hash = "5a4d48c2eda8cda79dc130f8306699c8203e026533ce5691bf90363473733bf0"
1116 | author = "gssincla@google.com"
1117 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1118 | date = "2022-11-18"
1119 |
1120 | strings:
1121 | /*
1122 | 8B D3 mov edx, ebx
1123 | 48 8B CF mov rcx, rdi
1124 | E8 56 6F 00 00 call sub_180014458
1125 | E9 17 FB FF FF jmp loc_18000D01E
1126 | 41 B8 01 00 00 00 mov r8d, 1
1127 | 8B D3 mov edx, ebx
1128 | 48 8B CF mov rcx, rdi
1129 | E8 41 4D 00 00 call sub_180012258
1130 | 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0]
1131 | 48 83 C4 20 add rsp, 20h
1132 | */
1133 | $version_sig = { 8B D3 48 8B CF E8 56 6F 00 00 E9 17 FB FF FF
1134 | 41 B8 01 00 00 00 8B D3 48 8B CF E8 41 4D 00 00
1135 | 48 8B 5C 24 30 48 83 C4 20 }
1136 |
1137 | /*
1138 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1139 | 48 FF C0 inc rax
1140 | 48 3D 00 10 00 00 cmp rax, 1000h
1141 | 7C F1 jl short loc_18001600E
1142 | */
1143 |
1144 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1145 |
1146 | condition:
1147 | all of them
1148 | }
1149 |
1150 | rule CobaltStrike_Resources_Beacon_x64_v3_5_hf1_and_v3_5_1
1151 | {
1152 | meta:
1153 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.5-hf1 and 3.5.1"
1154 | hash = "934134ab0ee65ec76ae98a9bb9ad0e9571d80f4bf1eb3491d58bacf06d42dc8d"
1155 | author = "gssincla@google.com"
1156 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1157 | date = "2022-11-18"
1158 |
1159 | strings:
1160 | /*
1161 | 8B D3 mov edx, ebx
1162 | 48 8B CF mov rcx, rdi
1163 | E8 38 70 00 00 call sub_180014548
1164 | E9 FD FA FF FF jmp loc_18000D012
1165 | 41 B8 01 00 00 00 mov r8d, 1
1166 | 8B D3 mov edx, ebx
1167 | 48 8B CF mov rcx, rdi
1168 | E8 3F 4D 00 00 call sub_180012264
1169 | 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0]
1170 | 48 83 C4 20 add rsp, 20h
1171 | 5F pop rdi
1172 | */
1173 |
1174 | $version_sig = { 8B D3 48 8B CF E8 38 70 00 00 E9 FD FA FF FF
1175 | 41 B8 01 00 00 00 8B D3 48 8B CF E8 3F 4D 00 00
1176 | 48 8B 5C 24 30 48 83 C4 20 5F }
1177 |
1178 | /*
1179 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1180 | 48 FF C0 inc rax
1181 | 48 3D 00 10 00 00 cmp rax, 1000h
1182 | 7C F1 jl short loc_180016B3E
1183 | */
1184 |
1185 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1186 |
1187 | condition:
1188 | all of them
1189 | }
1190 |
1191 | rule CobaltStrike_Resources_Beacon_x64_v3_6
1192 | {
1193 | meta:
1194 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.6"
1195 | hash = "92b0a4aec6a493bcb1b72ce04dd477fd1af5effa0b88a9d8283f26266bb019a1"
1196 | author = "gssincla@google.com"
1197 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1198 | date = "2022-11-18"
1199 |
1200 | strings:
1201 | /*
1202 | 48 89 5C 24 08 mov [rsp+arg_0], rbx
1203 | 57 push rdi
1204 | 48 83 EC 20 sub rsp, 20h
1205 | 41 8B D8 mov ebx, r8d
1206 | 48 8B FA mov rdi, rdx
1207 | 83 F9 27 cmp ecx, 27h ; '''
1208 | 0F 87 47 03 00 00 ja loc_18000D110
1209 | 0F 84 30 03 00 00 jz loc_18000D0FF
1210 | 83 F9 14 cmp ecx, 14h
1211 | 0F 87 A4 01 00 00 ja loc_18000CF7C
1212 | 0F 84 7A 01 00 00 jz loc_18000CF58
1213 | 83 F9 0C cmp ecx, 0Ch
1214 | 0F 87 C8 00 00 00 ja loc_18000CEAF
1215 | 0F 84 B3 00 00 00 jz loc_18000CEA0
1216 | */
1217 | $version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 27
1218 | 0F 87 47 03 00 00 0F 84 30 03 00 00 83 F9 14
1219 | 0F 87 A4 01 00 00 0F 84 7A 01 00 00 83 F9 0C
1220 | 0F 87 C8 00 00 00 0F 84 B3 00 00 00 }
1221 |
1222 | /*
1223 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1224 | 48 FF C0 inc rax
1225 | 48 3D 00 10 00 00 cmp rax, 1000h
1226 | 7C F1 jl short loc_180016B3E
1227 | */
1228 |
1229 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1230 |
1231 | condition:
1232 | all of them
1233 | }
1234 |
1235 | rule CobaltStrike_Resources_Beacon_x64_v3_7
1236 | {
1237 | meta:
1238 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.7"
1239 | hash = "81296a65a24c0f6f22208b0d29e7bb803569746ce562e2fa0d623183a8bcca60"
1240 | author = "gssincla@google.com"
1241 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1242 | date = "2022-11-18"
1243 |
1244 | strings:
1245 | /*
1246 | 48 89 5C 24 08 mov [rsp+arg_0], rbx
1247 | 57 push rdi
1248 | 48 83 EC 20 sub rsp, 20h
1249 | 41 8B D8 mov ebx, r8d
1250 | 48 8B FA mov rdi, rdx
1251 | 83 F9 28 cmp ecx, 28h ; '('
1252 | 0F 87 7F 03 00 00 ja loc_18000D148
1253 | 0F 84 67 03 00 00 jz loc_18000D136
1254 | 83 F9 15 cmp ecx, 15h
1255 | 0F 87 DB 01 00 00 ja loc_18000CFB3
1256 | 0F 84 BF 01 00 00 jz loc_18000CF9D
1257 | */
1258 |
1259 | $version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 28
1260 | 0F 87 7F 03 00 00 0F 84 67 03 00 00 83 F9 15
1261 | 0F 87 DB 01 00 00 0F 84 BF 01 00 00 }
1262 |
1263 | /*
1264 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1265 | 48 FF C0 inc rax
1266 | 48 3D 00 10 00 00 cmp rax, 1000h
1267 | 7C F1 jl short loc_180016ECA
1268 | */
1269 |
1270 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1271 |
1272 | condition:
1273 | all of them
1274 | }
1275 |
1276 | rule CobaltStrike_Resources_Beacon_x64_v3_8
1277 | {
1278 | meta:
1279 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.8"
1280 | hash = "547d44669dba97a32cb9e95cfb8d3cd278e00599e6a11080df1a9d09226f33ae"
1281 | author = "gssincla@google.com"
1282 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1283 | date = "2022-11-18"
1284 |
1285 | strings:
1286 | /*
1287 | 8B D3 mov edx, ebx
1288 | 48 8B CF mov rcx, rdi
1289 | E8 7A 52 00 00 call sub_18001269C
1290 | EB 0D jmp short loc_18000D431
1291 | 45 33 C0 xor r8d, r8d
1292 | 8B D3 mov edx, ebx
1293 | 48 8B CF mov rcx, rdi; Src
1294 | E8 8F 55 00 00 call sub_1800129C0
1295 | */
1296 |
1297 | $version_sig = { 8B D3 48 8B CF E8 7A 52 00 00 EB 0D 45 33 C0 8B D3 48 8B CF
1298 | E8 8F 55 00 00 }
1299 |
1300 | /*
1301 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1302 | 48 FF C0 inc rax
1303 | 48 3D 00 10 00 00 cmp rax, 1000h
1304 | 7C F1 jl short loc_18001772E
1305 | */
1306 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1307 |
1308 | condition:
1309 | all of them
1310 | }
1311 |
1312 | rule CobaltStrike_Resources_Beacon_x64_v3_11
1313 | {
1314 | meta:
1315 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.11 (two subversions)"
1316 | hash = "64007e104dddb6b5d5153399d850f1e1f1720d222bed19a26d0b1c500a675b1a"
1317 | rs2 = "815f313e0835e7fdf4a6d93f2774cf642012fd21ce870c48ff489555012e0047"
1318 | author = "gssincla@google.com"
1319 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1320 | date = "2022-11-18"
1321 |
1322 | strings:
1323 |
1324 | /*
1325 | 48 83 EC 20 sub rsp, 20h
1326 | 41 8B D8 mov ebx, r8d
1327 | 48 8B FA mov rdi, rdx
1328 | 83 F9 2D cmp ecx, 2Dh ; '-'
1329 | 0F 87 B2 03 00 00 ja loc_18000D1EF
1330 | 0F 84 90 03 00 00 jz loc_18000D1D3
1331 | 83 F9 17 cmp ecx, 17h
1332 | 0F 87 F8 01 00 00 ja loc_18000D044
1333 | 0F 84 DC 01 00 00 jz loc_18000D02E
1334 | 83 F9 0E cmp ecx, 0Eh
1335 | 0F 87 F9 00 00 00 ja loc_18000CF54
1336 | 0F 84 DD 00 00 00 jz loc_18000CF3E
1337 | FF C9 dec ecx
1338 | 0F 84 C0 00 00 00 jz loc_18000CF29
1339 | 83 E9 02 sub ecx, 2
1340 | 0F 84 A6 00 00 00 jz loc_18000CF18
1341 | FF C9 dec ecx
1342 | */
1343 |
1344 | $version_sig = { 48 83 EC 20 41 8B D8 48 8B FA 83 F9 2D 0F 87 B2 03 00 00
1345 | 0F 84 90 03 00 00 83 F9 17 0F 87 F8 01 00 00
1346 | 0F 84 DC 01 00 00 83 F9 0E 0F 87 F9 00 00 00
1347 | 0F 84 DD 00 00 00 FF C9 0F 84 C0 00 00 00 83 E9 02
1348 | 0F 84 A6 00 00 00 FF C9 }
1349 |
1350 | /*
1351 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1352 | 48 FF C0 inc rax
1353 | 48 3D 00 10 00 00 cmp rax, 1000h
1354 | 7C F1 jl short loc_180017DCA
1355 | */
1356 |
1357 | $decoder = {
1358 | 80 34 28 ??
1359 | 48 FF C0
1360 | 48 3D 00 10 00 00
1361 | 7C F1
1362 | }
1363 |
1364 | condition:
1365 | all of them
1366 | }
1367 |
1368 | rule CobaltStrike_Resources_Beacon_x64_v3_12
1369 | {
1370 | meta:
1371 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.12"
1372 | hash = "8a28b7a7e32ace2c52c582d0076939d4f10f41f4e5fa82551e7cc8bdbcd77ebc"
1373 | author = "gssincla@google.com"
1374 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1375 | date = "2022-11-18"
1376 |
1377 | strings:
1378 | /*
1379 | 8B D3 mov edx, ebx
1380 | 48 8B CF mov rcx, rdi
1381 | E8 F8 2E 00 00 call sub_180010384
1382 | EB 16 jmp short loc_18000D4A4
1383 | 8B D3 mov edx, ebx
1384 | 48 8B CF mov rcx, rdi
1385 | E8 00 5C 00 00 call f_OTH__Command_75
1386 | EB 0A jmp short loc_18000D4A4
1387 | 8B D3 mov edx, ebx
1388 | 48 8B CF mov rcx, rdi
1389 | E8 64 4F 00 00 call f_OTH__Command_74
1390 | */
1391 | $version_sig = { 8B D3 48 8B CF E8 F8 2E 00 00 EB 16 8B D3 48 8B CF
1392 | E8 00 5C 00 00 EB 0A 8B D3 48 8B CF E8 64 4F 00 00 }
1393 |
1394 | /*
1395 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1396 | 48 FF C0 inc rax
1397 | 48 3D 00 10 00 00 cmp rax, 1000h
1398 | 7C F1 jl short loc_180018205
1399 | */
1400 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1401 |
1402 | condition:
1403 | all of them
1404 | }
1405 |
1406 |
1407 | rule CobaltStrike_Resources_Beacon_x64_v3_13
1408 | {
1409 | meta:
1410 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.13"
1411 | hash = "945e10dcd57ba23763481981c6035e0d0427f1d3ba71e75decd94b93f050538e"
1412 | author = "gssincla@google.com"
1413 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1414 | date = "2022-11-18"
1415 |
1416 | strings:
1417 | /*
1418 | 48 8D 0D 01 5B FF FF lea rcx, f_NET__ExfiltrateData
1419 | 48 83 C4 28 add rsp, 28h
1420 | E9 A8 54 FF FF jmp f_OTH__Command_85
1421 | 8B D0 mov edx, eax
1422 | 49 8B CA mov rcx, r10; lpSrc
1423 | E8 22 55 FF FF call f_OTH__Command_84
1424 | */
1425 |
1426 | $version_sig = { 48 8D 0D 01 5B FF FF 48 83 C4 28 E9 A8 54 FF FF 8B D0
1427 | 49 8B CA E8 22 55 FF FF }
1428 |
1429 | /*
1430 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1431 | 48 FF C0 inc rax
1432 | 48 3D 00 10 00 00 cmp rax, 1000h
1433 | 7C F1 jl short loc_180018C01
1434 | */
1435 |
1436 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1437 |
1438 | condition:
1439 | all of them
1440 | }
1441 |
1442 | rule CobaltStrike_Resources_Beacon_x64_v3_14
1443 | {
1444 | meta:
1445 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.14"
1446 | hash = "297a8658aaa4a76599a7b79cb0da5b8aa573dd26c9e2c8f071e591200cf30c93"
1447 | rs2 = "39b9040e3dcd1421a36e02df78fe031cbdd2fb1a9083260b8aedea7c2bc406bf"
1448 | author = "gssincla@google.com"
1449 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1450 | date = "2022-11-18"
1451 |
1452 | strings:
1453 |
1454 | /*
1455 | 8B D0 mov edx, eax
1456 | 49 8B CA mov rcx, r10; Src
1457 | 48 83 C4 28 add rsp, 28h
1458 | E9 B1 1F 00 00 jmp f_OTH__Command_69
1459 | 8B D0 mov edx, eax
1460 | 49 8B CA mov rcx, r10; Source
1461 | 48 83 C4 28 add rsp, 28h
1462 | */
1463 |
1464 | $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 B1 1F 00 00 8B D0 49 8B CA
1465 | 48 83 C4 28 }
1466 |
1467 | /*
1468 | 80 34 28 ?? xor byte ptr [rax+rbp], 69h
1469 | 48 FF C0 inc rax
1470 | 48 3D 00 10 00 00 cmp rax, 1000h
1471 | 7C F1 jl short loc_1800196BD
1472 | */
1473 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1474 |
1475 | condition:
1476 | all of them
1477 | }
1478 |
1479 |
1480 | rule CobaltStrike_Sleeve_Beacon_Dll_x86_v4_0_suspected
1481 | {
1482 | meta:
1483 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.0 (suspected, not confirmed)"
1484 | hash = "55aa2b534fcedc92bb3da54827d0daaa23ece0f02a10eb08f5b5247caaa63a73"
1485 | author = "gssincla@google.com"
1486 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1487 | date = "2022-11-18"
1488 |
1489 | strings:
1490 | /*
1491 | 41 B8 01 00 00 00 mov r8d, 1
1492 | 8B D0 mov edx, eax
1493 | 49 8B CA mov rcx, r10
1494 | 48 83 C4 28 add rsp, 28h
1495 | E9 D1 B3 FF FF jmp sub_180010C5C
1496 | 8B D0 mov edx, eax
1497 | 49 8B CA mov rcx, r10
1498 | 48 83 C4 28 add rsp, 28h
1499 | E9 AF F5 FF FF jmp f_UNK__Command_92__ChangeFlag
1500 | 45 33 C0 xor r8d, r8d
1501 | 4C 8D 0D 8D 70 FF FF lea r9, sub_18000C930
1502 | 8B D0 mov edx, eax
1503 | 49 8B CA mov rcx, r10
1504 | E8 9B B0 FF FF call f_OTH__Command_91__WrapInjection
1505 | */
1506 |
1507 | $version_sig = { 41 B8 01 00 00 00 8B D0 49 8B CA 48 83 C4 28 E9 D1 B3 FF FF
1508 | 8B D0 49 8B CA 48 83 C4 28 E9 AF F5 FF FF 45 33 C0
1509 | 4C 8D 0D 8D 70 FF FF 8B D0 49 8B CA E8 9B B0 FF FF }
1510 |
1511 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1512 |
1513 | condition:
1514 | all of them
1515 | }
1516 |
1517 | rule CobaltStrike_Sleeve_Beacon_x64_v4_1_and_v_4_2
1518 | {
1519 | meta:
1520 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.1 and 4.2"
1521 | hash = "29ec171300e8d2dad2e1ca2b77912caf0d5f9d1b633a81bb6534acb20a1574b2"
1522 | author = "gssincla@google.com"
1523 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1524 | date = "2022-11-18"
1525 |
1526 | strings:
1527 | /*
1528 | 83 F9 34 cmp ecx, 34h ; '4'
1529 | 0F 87 8E 03 00 00 ja loc_180016259
1530 | 0F 84 7A 03 00 00 jz loc_18001624B
1531 | 83 F9 1C cmp ecx, 1Ch
1532 | 0F 87 E6 01 00 00 ja loc_1800160C0
1533 | 0F 84 D7 01 00 00 jz loc_1800160B7
1534 | 83 F9 0E cmp ecx, 0Eh
1535 | 0F 87 E9 00 00 00 ja loc_180015FD2
1536 | 0F 84 CE 00 00 00 jz loc_180015FBD
1537 | FF C9 dec ecx
1538 | 0F 84 B8 00 00 00 jz loc_180015FAF
1539 | 83 E9 02 sub ecx, 2
1540 | 0F 84 9F 00 00 00 jz loc_180015F9F
1541 | FF C9 dec ecx
1542 | */
1543 |
1544 | $version_sig = { 83 F9 34 0F 87 8E 03 00 00 0F 84 7A 03 00 00 83 F9 1C 0F 87 E6 01 00 00
1545 | 0F 84 D7 01 00 00 83 F9 0E 0F 87 E9 00 00 00 0F 84 CE 00 00 00 FF C9
1546 | 0F 84 B8 00 00 00 83 E9 02 0F 84 9F 00 00 00 FF C9 }
1547 |
1548 |
1549 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1550 |
1551 | condition:
1552 | all of them
1553 | }
1554 |
1555 | rule CobaltStrike_Sleeve_Beacon_x64_v4_3
1556 | {
1557 | meta:
1558 | description = "Cobalt Strike's sleeve/beacon.x64.dll Version 4.3"
1559 | hash = "3ac9c3525caa29981775bddec43d686c0e855271f23731c376ba48761c27fa3d"
1560 | author = "gssincla@google.com"
1561 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1562 | date = "2022-11-18"
1563 |
1564 | strings:
1565 |
1566 | /*
1567 | 8B D0 mov edx, eax
1568 | 49 8B CA mov rcx, r10; Source
1569 | 48 83 C4 28 add rsp, 28h
1570 | E9 D3 88 FF FF jmp f_OTH__CommandAbove_10
1571 | 4C 8D 05 84 6E FF FF lea r8, f_NET__ExfiltrateData
1572 | 8B D0 mov edx, eax
1573 | 49 8B CA mov rcx, r10
1574 | 48 83 C4 28 add rsp, 28h
1575 | */
1576 |
1577 | $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 D3 88 FF FF
1578 | 4C 8D 05 84 6E FF FF 8B D0 49 8B CA 48 83 C4 28 }
1579 |
1580 | /*
1581 | 80 34 28 ?? xor byte ptr [rax+rbp], 2Eh
1582 | 48 FF C0 inc rax
1583 | 48 3D 00 10 00 00 cmp rax, 1000h
1584 | 7C F1 jl short loc_1800186E1
1585 | */
1586 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1587 |
1588 | condition:
1589 | all of them
1590 | }
1591 |
1592 |
1593 | rule CobaltStrike_Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6
1594 | {
1595 | meta:
1596 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.4 through at least 4.6"
1597 | hash = "3280fec57b7ca94fd2bdb5a4ea1c7e648f565ac077152c5a81469030ccf6ab44"
1598 | author = "gssincla@google.com"
1599 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1600 | date = "2022-11-18"
1601 |
1602 | strings:
1603 | /*
1604 | 8B D0 mov edx, eax
1605 | 49 8B CA mov rcx, r10; Source
1606 | 48 83 C4 28 add rsp, 28h
1607 | E9 83 88 FF FF jmp f_OTH__CommandAbove_10
1608 | 4C 8D 05 A4 6D FF FF lea r8, f_NET__ExfiltrateData
1609 | 8B D0 mov edx, eax
1610 | 49 8B CA mov rcx, r10
1611 | 48 83 C4 28 add rsp, 28h
1612 | */
1613 |
1614 | $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 83 88 FF FF
1615 | 4C 8D 05 A4 6D FF FF 8B D0 49 8B CA 48 83 C4 28 }
1616 |
1617 | /*
1618 | 80 34 28 2E xor byte ptr [rax+rbp], 2Eh
1619 | 48 FF C0 inc rax
1620 | 48 3D 00 10 00 00 cmp rax, 1000h
1621 | 7C F1 jl short loc_1800184D9
1622 | */
1623 |
1624 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1625 |
1626 | condition:
1627 | all of them
1628 | }
1629 |
1630 | rule CobaltStrike_Sleeve_Beacon_x64_v4_5_variant
1631 | {
1632 | meta:
1633 | description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.5 (variant)"
1634 | hash = "8f0da7a45945b630cd0dfb5661036e365dcdccd085bc6cff2abeec6f4c9f1035"
1635 | author = "gssincla@google.com"
1636 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
1637 | date = "2022-11-18"
1638 |
1639 | strings:
1640 | /*
1641 | 41 B8 01 00 00 00 mov r8d, 1
1642 | 8B D0 mov edx, eax
1643 | 49 8B CA mov rcx, r10
1644 | 48 83 C4 28 add rsp, 28h
1645 | E9 E8 AB FF FF jmp sub_1800115A4
1646 | 8B D0 mov edx, eax
1647 | 49 8B CA mov rcx, r10
1648 | E8 1A EB FF FF call f_UNK__Command_92__ChangeFlag
1649 | 48 83 C4 28 add rsp, 28h
1650 | */
1651 | $version_sig = { 41 B8 01 00 00 00 8B D0 49 8B CA 48 83 C4 28 E9 E8 AB FF FF
1652 | 8B D0 49 8B CA E8 1A EB FF FF 48 83 C4 28 }
1653 |
1654 | /*
1655 | 80 34 28 ?? xor byte ptr [rax+rbp], 2Eh
1656 | 48 FF C0 inc rax
1657 | 48 3D 00 10 00 00 cmp rax, 1000h
1658 | 7C F1 jl short loc_180018E1F
1659 | */
1660 |
1661 | $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
1662 |
1663 | condition:
1664 | all of them
1665 | }
1666 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Bind64_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Bind64_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/bind64.bin signature for versions v2.5 to v4.x"
21 | hash = "5dd136f5674f66363ea6463fd315e06690d6cb10e3cc516f2d378df63382955d"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 48 31 C0 xor rax, rax
29 | AC lodsb
30 | 41 C1 C9 0D ror r9d, 0Dh
31 | 41 01 C1 add r9d, eax
32 | 38 E0 cmp al, ah
33 | 75 F1 jnz short loc_100000000000007D
34 | 4C 03 4C 24 08 add r9, [rsp+40h+var_38]
35 | 45 39 D1 cmp r9d, r10d
36 | 75 D8 jnz short loc_100000000000006E
37 | 58 pop rax
38 | 44 8B 40 24 mov r8d, [rax+24h]
39 | 49 01 D0 add r8, rdx
40 | 66 41 8B 0C 48 mov cx, [r8+rcx*2]
41 | 44 8B 40 1C mov r8d, [rax+1Ch]
42 | 49 01 D0 add r8, rdx
43 | 41 8B 04 88 mov eax, [r8+rcx*4]
44 | 48 01 D0 add rax, rdx
45 | */
46 |
47 | $apiLocator = {
48 | 48 [2]
49 | AC
50 | 41 [2] 0D
51 | 41 [2]
52 | 38 ??
53 | 75 ??
54 | 4C [4]
55 | 45 [2]
56 | 75 ??
57 | 5?
58 | 44 [2] 24
59 | 49 [2]
60 | 66 [4]
61 | 44 [2] 1C
62 | 49 [2]
63 | 41 [3]
64 | 48
65 | }
66 |
67 |
68 | // the signatures for reverse64 and bind64 really differ only slightly; here we are using the inclusion of additional calls
69 | // found in bind64 to differentiate between this and reverse64
70 | // Note that we can reasonably assume that the constants being passed to the call rbp will be just that, constant,
71 | // since we are triggering on the API hasher. If that hasher is unchanged, then the hashes we look for should be
72 | // unchanged. This means we can use these values as anchors in our signature.
73 | /*
74 | 41 BA C2 DB 37 67 mov r10d, bind
75 | FF D5 call rbp
76 | 48 31 D2 xor rdx, rdx
77 | 48 89 F9 mov rcx, rdi
78 | 41 BA B7 E9 38 FF mov r10d, listen
79 | FF D5 call rbp
80 | 4D 31 C0 xor r8, r8
81 | 48 31 D2 xor rdx, rdx
82 | 48 89 F9 mov rcx, rdi
83 | 41 BA 74 EC 3B E1 mov r10d, accept
84 | FF D5 call rbp
85 | 48 89 F9 mov rcx, rdi
86 | 48 89 C7 mov rdi, rax
87 | 41 BA 75 6E 4D 61 mov r10d, closesocket
88 | */
89 |
90 | $calls = {
91 | 41 BA C2 DB 37 67
92 | FF D5
93 | 48 [2]
94 | 48 [2]
95 | 41 BA B7 E9 38 FF
96 | FF D5
97 | 4D [2]
98 | 48 [2]
99 | 48 [2]
100 | 41 BA 74 EC 3B E1
101 | FF D5
102 | 48 [2]
103 | 48 [2]
104 | 41 BA 75 6E 4D 61
105 | }
106 |
107 | condition:
108 | $apiLocator and $calls
109 | }
110 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Bind_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Bind_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/bind.bin signature for versions 2.5 to 4.x"
21 | hash = "3727542c0e3c2bf35cacc9e023d1b2d4a1e9e86ee5c62ee5b66184f46ca126d1"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 31 ?? xor eax, eax
29 | AC lodsb
30 | C1 ?? 0D ror edi, 0Dh
31 | 01 ?? add edi, eax
32 | 38 ?? cmp al, ah
33 | 75 ?? jnz short loc_10000054
34 | 03 [2] add edi, [ebp-8]
35 | 3B [2] cmp edi, [ebp+24h]
36 | 75 ?? jnz short loc_1000004A
37 | 5? pop eax
38 | 8B ?? 24 mov ebx, [eax+24h]
39 | 01 ?? add ebx, edx
40 | 66 8B [2] mov cx, [ebx+ecx*2]
41 | 8B ?? 1C mov ebx, [eax+1Ch]
42 | 01 ?? add ebx, edx
43 | 8B ?? 8B mov eax, [ebx+ecx*4]
44 | 01 ?? add eax, edx
45 | 89 [3] mov [esp+28h+var_4], eax
46 | 5? pop ebx
47 | 5? pop ebx
48 | */
49 |
50 | $apiLocator = {
51 | 31 ??
52 | AC
53 | C1 ?? 0D
54 | 01 ??
55 | 38 ??
56 | 75 ??
57 | 03 [2]
58 | 3B [2]
59 | 75 ??
60 | 5?
61 | 8B ?? 24
62 | 01 ??
63 | 66 8B [2]
64 | 8B ?? 1C
65 | 01 ??
66 | 8B ?? 8B
67 | 01 ??
68 | 89 [3]
69 | 5?
70 | 5?
71 | }
72 |
73 | // the signatures for the stagers overlap significantly; looking for bind.bin-specific bytes helps delineate sample types
74 | /*
75 | 5D pop ebp
76 | 68 33 32 00 00 push '23'
77 | 68 77 73 32 5F push '_2sw'
78 | */
79 |
80 | $ws2_32 = {
81 | 5D
82 | 68 33 32 00 00
83 | 68 77 73 32 5F
84 | }
85 |
86 | // bind.bin, unlike reverse.bin, listens for incoming connections. Using the API hashes for listen and accept is a solid
87 | // approach to finding bind.bin specific samples
88 | /*
89 | 5? push ebx
90 | 5? push edi
91 | 68 B7 E9 38 FF push listen
92 | FF ?? call ebp
93 | 5? push ebx
94 | 5? push ebx
95 | 5? push edi
96 | 68 74 EC 3B E1 push accept
97 | */
98 | $listenaccept = {
99 | 5?
100 | 5?
101 | 68 B7 E9 38 FF
102 | FF ??
103 | 5?
104 | 5?
105 | 5?
106 | 68 74 EC 3B E1
107 | }
108 |
109 | condition:
110 | $apiLocator and $ws2_32 and $listenaccept
111 | }
112 |
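The `$apiLocator` strings in the bind64.bin and bind.bin rules above match the stager's API-resolution loop (`lodsb; ror r9d/edi, 0Dh; add; cmp al, ah; jnz`), and the `$calls` / `$listenaccept` strings anchor on the 32-bit constants that loop compares against (`mov r10d, bind` / `push listen`, and so on). The comment in the bind64 rule explains why those constants are safe anchors: they are outputs of the hasher itself, so as long as the hasher is unchanged, the values are fixed. The Python below is an added example, not code from Google's repository: it reimplements that ROR-13 hasher (module name upper-cased as UTF-16LE with its terminator, plus the export name with its NUL, as the loop shown in the disassembly computes it) and regenerates the four `mov r10d, imm32` byte sequences in `$calls` so a rule maintainer can check them. The function names `api_hash`, `mov_r10d_bytes` and `verify_rule_constants` are chosen here; the expected byte strings are copied from the rule.

```python
"""Regenerate the API-hash anchors used in the bind64.bin / bind.bin rules.

Added example, not part of the original rule set. Implements the ROR-13
hash computed by the stager loop matched by $apiLocator.
"""

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (the `ror r9d, 0Dh` step)."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes) -> int:
    """One `ror; add` pass per byte, exactly as the `lodsb` loop does it."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """Module hash + function hash, as the `add r9, [rsp+...]` step combines them.

    The module half covers the loader's BaseDllName, upper-cased, as UTF-16LE
    including the two-byte terminator; the function half is the ASCII export
    name including its NUL (the loop exits only after hashing the 0 byte).
    """
    mod = (module.upper() + "\x00").encode("utf-16le")
    fn = function.encode("ascii") + b"\x00"
    return (hash_bytes(mod) + hash_bytes(fn)) & MASK32


def mov_r10d_bytes(h: int) -> bytes:
    """Encode `mov r10d, imm32` (41 BA + little-endian imm32) as it appears in $calls."""
    return b"\x41\xba" + h.to_bytes(4, "little")


def yara_hex(b: bytes) -> str:
    """Render bytes in the spaced upper-case form used inside YARA hex strings."""
    return " ".join(f"{x:02X}" for x in b)


# Anchor bytes copied from the $calls string of the bind64.bin rule.
EXPECTED = {
    "bind": "41 BA C2 DB 37 67",
    "listen": "41 BA B7 E9 38 FF",
    "accept": "41 BA 74 EC 3B E1",
    "closesocket": "41 BA 75 6E 4D 61",
}


def verify_rule_constants(module: str = "ws2_32.dll") -> dict:
    """Recompute each anchor from the hasher; map name -> (bytes as hex, matches rule)."""
    out = {}
    for fn, expected in EXPECTED.items():
        got = yara_hex(mov_r10d_bytes(api_hash(module, fn)))
        out[fn] = (got, got == expected)
    return out


if __name__ == "__main__":
    for fn, (got, ok) in verify_rule_constants().items():
        print(f"{'OK ' if ok else 'BAD'} ws2_32.dll!{fn:12s} {got}")
```

The same hasher also explains the 32-bit `push listen` / `push accept` immediates in the bind.bin rule's `$listenaccept` string (`68 B7 E9 38 FF`, `68 74 EC 3B E1`): only the instruction encoding differs between the 32- and 64-bit stagers, not the hash. If a future sample uses a different rotation count or a different module-name handling, `verify_rule_constants` reports BAD for every entry, which is the signal that the `$apiLocator` anchor, not just the constants, needs re-deriving.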
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/browserpivot.bin from v1.48 to v3.14 and sleeve/browserpivot.dll from v4.0 to at least v4.4"
21 | hash = "12af9f5a7e9bfc49c82a33d38437e2f3f601639afbcdc9be264d3a8d84fd5539"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | FF [1-5] call ds:recv // earlier versions (v1.x to 2.x) this is CALL EBP
29 | 83 ?? FF cmp eax, 0FFFFFFFFh
30 | 74 ?? jz short loc_100020D5
31 | 85 C0 test eax, eax
32 | (74 | 76) ?? jz short loc_100020D5 // earlier versions (v1.x to 2.x) used jbe (76) here
33 | 03 ?? add esi, eax
34 | 83 ?? 02 cmp esi, 2
35 | 72 ?? jb short loc_100020D1
36 | 80 ?? 3E FF 0A cmp byte ptr [esi+edi-1], 0Ah
37 | 75 ?? jnz short loc_100020D1
38 | 80 ?? 3E FE 0D cmp byte ptr [esi+edi-2], 0Dh
39 | */
40 |
41 | $socket_recv = {
42 | FF [1-5]
43 | 83 ?? FF
44 | 74 ??
45 | 85 C0
46 | (74 | 76) ??
47 | 03 ??
48 | 83 ?? 02
49 | 72 ??
50 | 80 ?? 3E FF 0A
51 | 75 ??
52 | 80 ?? 3E FE 0D
53 | }
54 |
55 | // distinctive regex (sscanf) format string
56 | $fmt = "%1024[^ ] %8[^:]://%1016[^/]%7168[^ ] %1024[^ ]"
57 |
58 | condition:
59 | all of them
60 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/browserpivot.x64.bin from v1.48 to v3.14 and sleeve/browserpivot.x64.dll from v4.0 to at least v4.4"
21 | hash = "0ad32bc4fbf3189e897805cec0acd68326d9c6f714c543bafb9bc40f7ac63f55"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | FF 15 [4] call cs:recv
29 | 83 ?? FF cmp eax, 0FFFFFFFFh
30 | 74 ?? jz short loc_1800018FB
31 | 85 ?? test eax, eax
32 | 74 ?? jz short loc_1800018FB
33 | 03 ?? add ebx, eax
34 | 83 ?? 02 cmp ebx, 2
35 | 72 ?? jb short loc_1800018F7
36 | 8D ?? FF lea eax, [rbx-1]
37 | 80 [2] 0A cmp byte ptr [rax+rdi], 0Ah
38 | 75 ?? jnz short loc_1800018F7
39 | 8D ?? FE lea eax, [rbx-2]
40 | 80 [2] 0D cmp byte ptr [rax+rdi], 0Dh
41 | */
42 |
43 | $socket_recv = {
44 | FF 15 [4]
45 | 83 ?? FF
46 | 74 ??
47 | 85 ??
48 | 74 ??
49 | 03 ??
50 | 83 ?? 02
51 | 72 ??
52 | 8D ?? FF
53 | 80 [2] 0A
54 | 75 ??
55 | 8D ?? FE
56 | 80 [2] 0D
57 | }
58 |
59 | // distinctive regex (sscanf) format string
60 | $fmt = "%1024[^ ] %8[^:]://%1016[^/]%7168[^ ] %1024[^ ]"
61 |
62 | condition:
63 | all of them
64 | }
65 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/bypassuac(-x86).dll from v1.49 to v3.14 (32-bit version) and sleeve/bypassuac.dll from v4.0 to at least v4.4"
21 | hash = "91d12e1d09a642feedee5da966e1c15a2c5aea90c79ac796e267053e466df365"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | A1 [4] mov eax, fileop
29 | 6A 00 push 0
30 | 8B ?? mov ecx, [eax]
31 | 5? push edx
32 | 5? push eax
33 | FF ?? 48 call dword ptr [ecx+48h]
34 | 85 ?? test eax, eax
35 | 75 ?? jnz short loc_10001177
36 | A1 [4] mov eax, fileop
37 | 5? push eax
38 | 8B ?? mov ecx, [eax]
39 | FF ?? 54 call dword ptr [ecx+54h]
40 | */
41 |
42 | $deleteFileCOM = {
43 | A1 [4]
44 | 6A 00
45 | 8B ??
46 | 5?
47 | 5?
48 | FF ?? 48
49 | 85 ??
50 | 75 ??
51 | A1 [4]
52 | 5?
53 | 8B ??
54 | FF ?? 54
55 | }
56 |
57 | /*
58 | A1 [4] mov eax, fileop ; IFileOperation*
59 | 6A 00 push 0 ; pfopsItem = NULL
60 | FF ?? 08 push [ebp+copyName] ; pszCopyName
61 | 8B ?? mov ecx, [eax] ; ecx = vtable
62 | FF [5] push dstFile ; psiDestinationFolder
63 | FF [5] push srcFile ; psiItem
64 | 5? push eax ; this
65 | FF ?? 40 call dword ptr [ecx+40h] ; IFileOperation::CopyItem (vtable slot 16)
66 | 85 ?? test eax, eax
67 | 75 ?? jnz short loc_10001026 // this line can also be 0F 85 <32-bit offset>, hence the [2 - 6] jump in the pattern
68 | A1 [4] mov eax, fileop
69 | 5? push eax ; this
70 | 8B ?? mov ecx, [eax]
71 | FF ?? 54 call dword ptr [ecx+54h] ; IFileOperation::PerformOperations (vtable slot 21)
72 | */
73 |
74 | $copyFileCOM = {
75 | A1 [4]
76 | 6A 00
77 | FF [2]
78 | 8B ??
79 | FF [5]
80 | FF [5]
81 | 5?
82 | FF ?? 40
83 | 85 ??
84 | [2 - 6]
85 | A1 [4]
86 | 5?
87 | 8B ??
88 | FF ?? 54
89 | }
90 |
91 |
92 | condition:
93 | all of them
94 | }
95 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/bypassuac-x64.dll from v3.3 to v3.14 (64-bit version) and sleeve/bypassuac.x64.dll from v4.0 to at least v4.4"
21 | hash = "9ecf56e9099811c461d592c325c65c4f9f27d947cbdf3b8ef8a98a43e583aecb"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 48 8B 0D 07 A4 01 00 mov rcx, cs:fileop ; this = IFileOperation*
29 | 45 33 C0 xor r8d, r8d ; pfopsItem = NULL
30 | 48 8B 01 mov rax, [rcx] ; rax = vtable
31 | FF 90 90 00 00 00 call qword ptr [rax+90h] ; IFileOperation::DeleteItem (slot 18; 8-byte slots on x64)
32 | 85 C0 test eax, eax
33 | 75 D9 jnz short loc_180001022 ; only PerformOperations if the HRESULT was S_OK
34 | 48 8B 0D F0 A3 01 00 mov rcx, cs:fileop
35 | 48 8B 11 mov rdx, [rcx]
36 | FF 92 A8 00 00 00 call qword ptr [rdx+0A8h] ; IFileOperation::PerformOperations (slot 21)
37 | 85 C0 test eax, eax
38 | */
39 |
40 | $deleteFileCOM = {
41 | 48 8B [5]
42 | 45 33 ??
43 | 48 8B ??
44 | FF 90 90 00 00 00
45 | 85 C0
46 | 75 ??
47 | 48 8B [5]
48 | 48 8B ??
49 | FF 92 A8 00 00 00
50 | 85 C0
51 | }
52 |
53 |
54 | /*
55 | 48 8B 0D 32 A3 01 00 mov rcx, cs:fileop ; this = IFileOperation*
56 | 4C 8B 05 3B A3 01 00 mov r8, cs:dstFile ; psiDestinationFolder
57 | 48 8B 15 2C A3 01 00 mov rdx, cs:srcFile ; psiItem
58 | 48 8B 01 mov rax, [rcx] ; rax = vtable
59 | 4C 8B CD mov r9, rbp ; pszCopyName
60 | 48 89 5C 24 20 mov [rsp+38h+var_18], rbx ; pfopsItem (5th argument, passed on the stack)
61 | FF 90 80 00 00 00 call qword ptr [rax+80h] ; IFileOperation::CopyItem (slot 16)
62 | 85 C0 test eax, eax
63 | 0F 85 7B FF FF FF jnz loc_1800010B0 ; only PerformOperations if the HRESULT was S_OK
64 | 48 8B 0D 04 A3 01 00 mov rcx, cs:fileop
65 | 48 8B 11 mov rdx, [rcx]
66 | FF 92 A8 00 00 00 call qword ptr [rdx+0A8h] ; IFileOperation::PerformOperations (slot 21)
67 | */
68 |
69 | $copyFileCOM = {
70 | 48 8B [5]
71 | 4C 8B [5]
72 | 48 8B [5]
73 | 48 8B ??
74 | 4C 8B ??
75 | 48 89 [3]
76 | FF 90 80 00 00 00
77 | 85 C0
78 | 0F 85 [4]
79 | 48 8B [5]
80 | 48 8B 11
81 | FF 92 A8 00 00 00
82 | }
83 |
84 | condition:
85 | all of them
86 | }
87 |
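The quickest sanity check for hex strings like the two above is to replay them against the very bytes the disassembly comments were transcribed from. The Python below is an added example and not part of Google's rule set: it translates YARA hex-string syntax (fixed bytes, `??`, nibble wildcards such as `5?`, and `[n]` / `[n-m]` jumps) into a bytes regex and runs the x64 `$deleteFileCOM` and `$copyFileCOM` patterns over the instruction bytes listed in the comments of this rule. The two byte strings are those listed in the comments; the filler bytes around them and the mutated copy are constructed.

```python
import re


def yara_hex_to_regex(hex_body: str) -> bytes:
    """Translate the body of a YARA hex string into an equivalent bytes regex.

    Handles the tokens these rules use: fixed bytes (A1), full wildcards (??),
    nibble wildcards (5?, ?5) and jumps ([4], [2-6], [2 - 6]).
    """
    body = re.sub(r"//[^\n]*", "", hex_body).strip().strip("{}")  # drop // comments and braces
    tokens = re.findall(r"\[\s*\d+\s*(?:-\s*\d+\s*)?\]|[0-9A-Fa-f?]{2}", body)
    parts = []
    for tok in tokens:
        if tok.startswith("["):                      # jump: [n] or [n-m] arbitrary bytes
            nums = [int(n) for n in re.findall(r"\d+", tok)]
            parts.append(b".{%d,%d}" % (nums[0], nums[-1]))
        elif tok == "??":                            # any single byte
            parts.append(b".")
        elif "?" in tok:                             # nibble wildcard: the 16 candidate bytes
            cands = [int(tok.replace("?", d), 16) for d in "0123456789abcdef"]
            parts.append(b"[" + b"".join(b"\\x%02x" % c for c in cands) + b"]")
        else:                                        # fixed byte
            parts.append(b"\\x%02x" % int(tok, 16))
    return b"".join(parts)


def scan(hex_body: str, data: bytes) -> list:
    """Offsets at which the hex string matches (non-overlapping, like a triage scan)."""
    rx = re.compile(yara_hex_to_regex(hex_body), re.DOTALL)
    return [m.start() for m in rx.finditer(data)]


def rule_matches(hex_bodies, data: bytes) -> bool:
    """Emulate `condition: all of them` over a set of hex strings."""
    return all(scan(body, data) for body in hex_bodies)


# The x64 $deleteFileCOM and $copyFileCOM hex strings from the rule above.
DELETE_FILE_COM_PATTERN = """
    48 8B [5]
    45 33 ??
    48 8B ??
    FF 90 90 00 00 00
    85 C0
    75 ??
    48 8B [5]
    48 8B ??
    FF 92 A8 00 00 00
    85 C0
"""
COPY_FILE_COM_PATTERN = """
    48 8B [5]
    4C 8B [5]
    48 8B [5]
    48 8B ??
    4C 8B ??
    48 89 [3]
    FF 90 80 00 00 00
    85 C0
    0F 85 [4]
    48 8B [5]
    48 8B 11
    FF 92 A8 00 00 00
"""

# Instruction bytes transcribed from the rule's disassembly comments.
DELETE_FILE_COM_BYTES = bytes.fromhex(
    "48 8B 0D 07 A4 01 00  45 33 C0  48 8B 01  FF 90 90 00 00 00  85 C0  75 D9 "
    "48 8B 0D F0 A3 01 00  48 8B 11  FF 92 A8 00 00 00  85 C0"
)
COPY_FILE_COM_BYTES = bytes.fromhex(
    "48 8B 0D 32 A3 01 00  4C 8B 05 3B A3 01 00  48 8B 15 2C A3 01 00  48 8B 01 "
    "4C 8B CD  48 89 5C 24 20  FF 90 80 00 00 00  85 C0  0F 85 7B FF FF FF "
    "48 8B 0D 04 A3 01 00  48 8B 11  FF 92 A8 00 00 00"
)

# Constructed stand-in for a scanned file: filler, both sequences, more filler.
SAMPLE = b"\x90" * 16 + DELETE_FILE_COM_BYTES + b"\xcc" * 8 + COPY_FILE_COM_BYTES + b"\x00" * 32

# Same sequence with DeleteItem's vtable offset (90h) swapped for CopyItem's (80h):
# the fixed slot offsets are what anchor the signature, so this must not match.
WRONG_SLOT = DELETE_FILE_COM_BYTES.replace(b"\xff\x90\x90\x00\x00\x00", b"\xff\x90\x80\x00\x00\x00")

if __name__ == "__main__":
    print("deleteFileCOM at", scan(DELETE_FILE_COM_PATTERN, SAMPLE))
    print("copyFileCOM at", scan(COPY_FILE_COM_PATTERN, SAMPLE))
    print("rule fires:", rule_matches([DELETE_FILE_COM_PATTERN, COPY_FILE_COM_PATTERN], SAMPLE))
    print("wrong slot fires:", rule_matches([DELETE_FILE_COM_PATTERN, COPY_FILE_COM_PATTERN], WRONG_SLOT))
```

Running it reports both sequences at their offsets in the constructed sample and no match once the vtable slot is changed, which is the behaviour to expect from `yara -s` on the real DLL. The regex conversion is for checking a pattern by hand; it does not reproduce YARA's matching semantics for every construct (alternatives and unbounded jumps are not handled).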
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_Dll_v3_11_to_v3_14.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Bypassuactoken_Dll_v3_11_to_v3_14
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/bypassuactoken.dll from v3.11 to v3.14 (32-bit version)"
21 | hash = "df1c7256dfd78506e38c64c54c0645b6a56fc56b2ffad8c553b0f770c5683070"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 5? push eax; ReturnLength
29 | 5? push edi; TokenInformationLength
30 | 5? push edi; TokenInformation
31 | 8B ?? mov ebx, ecx
32 | 6A 19 push 19h; TokenInformationClass = TokenIntegrityLevel (25)
33 | 5? push ebx; TokenHandle
34 | FF 15 [4] call ds:GetTokenInformation
35 | 85 C0 test eax, eax
36 | 75 ?? jnz short loc_10001100
37 | FF 15 [4] call ds:GetLastError
38 | 83 ?? 7A cmp eax, 7Ah ; 'z' = ERROR_INSUFFICIENT_BUFFER (122), the expected result of the size-probing call above
39 | 75 ?? jnz short loc_10001100
40 | FF [2] push [ebp+ReturnLength]; uBytes
41 | 5? push edi; uFlags
42 | FF 15 [4] call ds:LocalAlloc
43 | 8B ?? mov esi, eax
44 | 8D [2] lea eax, [ebp+ReturnLength]
45 | 5? push eax; ReturnLength
46 | FF [2] push [ebp+ReturnLength]; TokenInformationLength
47 | 5? push esi; TokenInformation
48 | 6A 19 push 19h; TokenInformationClass = TokenIntegrityLevel (25)
49 | 5? push ebx; TokenHandle
50 | FF 15 [4] call ds:GetTokenInformation
51 | 85 C0 test eax, eax
52 | 74 ?? jz short loc_10001103
53 | FF ?? push dword ptr [esi]; pSid = TOKEN_MANDATORY_LABEL.Label.Sid
54 | FF 15 [4] call ds:GetSidSubAuthorityCount
55 | 8A ?? mov al, [eax]
56 | FE C8 dec al
57 | 0F B6 C0 movzx eax, al
58 | 5? push eax; nSubAuthority
59 | FF ?? push dword ptr [esi]; pSid
60 | FF 15 [4] call ds:GetSidSubAuthority
61 | B? 01 00 00 00 mov ecx, 1
62 | 5? push esi; hMem
63 | 81 ?? 00 30 00 00 cmp dword ptr [eax], 3000h ; last sub-authority (the integrity RID) vs SECURITY_MANDATORY_HIGH_RID
64 | */
65 |
66 | $isHighIntegrityProcess = {
67 | 5?
68 | 5?
69 | 5?
70 | 8B ??
71 | 6A 19
72 | 5?
73 | FF 15 [4]
74 | 85 C0
75 | 75 ??
76 | FF 15 [4]
77 | 83 ?? 7A
78 | 75 ??
79 | FF [2]
80 | 5?
81 | FF 15 [4]
82 | 8B ??
83 | 8D [2]
84 | 5?
85 | FF [2]
86 | 5?
87 | 6A 19
88 | 5?
89 | FF 15 [4]
90 | 85 C0
91 | 74 ??
92 | FF ??
93 | FF 15 [4]
94 | 8A ??
95 | FE C8
96 | 0F B6 C0
97 | 5?
98 | FF ??
99 | FF 15 [4]
100 | B? 01 00 00 00
101 | 5?
102 | 81 ?? 00 30 00 00
103 | }
104 |
105 | /*
106 | 6A 3C push 3Ch ; '<'; Size = sizeof(SHELLEXECUTEINFOW) on x86
107 | 8D ?? C4 lea eax, [ebp+pExecInfo]
108 | 8B ?? mov edi, edx
109 | 6A 00 push 0; Val
110 | 5? push eax; void *
111 | 8B ?? mov esi, ecx
112 | E8 [4] call _memset
113 | 83 C4 0C add esp, 0Ch
114 | C7 [2] 3C 00 00 00 mov [ebp+pExecInfo.cbSize], 3Ch ; '<'
115 | 8D [2] lea eax, [ebp+pExecInfo]
116 | C7 [2] 40 00 00 00 mov [ebp+pExecInfo.fMask], 40h ; '@' = SEE_MASK_NOCLOSEPROCESS, so hProcess below stays valid
117 | C7 [6] mov [ebp+pExecInfo.lpFile], offset aTaskmgrExe; "taskmgr.exe"
118 | C7 [2] 00 00 00 00 mov [ebp+pExecInfo.lpParameters], 0
119 | 5? push eax; pExecInfo
120 | C7 [2] 00 00 00 00 mov [ebp+pExecInfo.lpDirectory], 0
121 | C7 [6] mov [ebp+pExecInfo.lpVerb], offset aRunas; "runas"
122 | C7 [2] 00 00 00 00 mov [ebp+pExecInfo.nShow], 0
123 | FF 15 [4] call ds:ShellExecuteExW
124 | FF 75 FC push [ebp+pExecInfo.hProcess]; Process
125 | */
126 |
127 | $executeTaskmgr = {
128 | 6A 3C
129 | 8D ?? C4
130 | 8B ??
131 | 6A 00
132 | 5?
133 | 8B ??
134 | E8 [4]
135 | 83 C4 0C
136 | C7 [2] 3C 00 00 00
137 | 8D [2]
138 | C7 [2] 40 00 00 00
139 | C7 [6]
140 | C7 [2] 00 00 00 00
141 | 5?
142 | C7 [2] 00 00 00 00
143 | C7 [6]
144 | C7 [2] 00 00 00 00
145 | FF 15 [4]
146 | FF 75 FC
147 | }
148 |
149 | condition:
150 | all of them
151 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/bypassuactoken.x64.dll from v3.11 to v3.14 (64-bit version)"
21 | hash = "853068822bbc6b1305b2a9780cf1034f5d9d7127001351a6917f9dbb42f30d67"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 83 F8 7A cmp eax, 7Ah ; 'z' = ERROR_INSUFFICIENT_BUFFER (122)
29 | 75 59 jnz short loc_1800014BC
30 | 8B 54 24 48 mov edx, dword ptr [rsp+38h+uBytes]; uBytes
31 | 33 C9 xor ecx, ecx; uFlags
32 | FF 15 49 9C 00 00 call cs:LocalAlloc
33 | 44 8B 4C 24 48 mov r9d, dword ptr [rsp+38h+uBytes]; TokenInformationLength
34 | 8D 53 19 lea edx, [rbx+19h]; TokenInformationClass = TokenIntegrityLevel (25; rbx is 0 here, see the lea esi, [rbx+1] below)
35 | 48 8B F8 mov rdi, rax
36 | 48 8D 44 24 48 lea rax, [rsp+38h+uBytes]
37 | 48 8B CE mov rcx, rsi; TokenHandle
38 | 4C 8B C7 mov r8, rdi; TokenInformation
39 | 48 89 44 24 20 mov [rsp+38h+ReturnLength], rax; ReturnLength
40 | FF 15 B0 9B 00 00 call cs:GetTokenInformation
41 | 85 C0 test eax, eax
42 | 74 2D jz short loc_1800014C1
43 | 48 8B 0F mov rcx, [rdi]; pSid
44 | FF 15 AB 9B 00 00 call cs:GetSidSubAuthorityCount
45 | 8D 73 01 lea esi, [rbx+1]
46 | 8A 08 mov cl, [rax]
47 | 40 2A CE sub cl, sil
48 | 0F B6 D1 movzx edx, cl; nSubAuthority
49 | 48 8B 0F mov rcx, [rdi]; pSid
50 | FF 15 9F 9B 00 00 call cs:GetSidSubAuthority
51 | 81 38 00 30 00 00 cmp dword ptr [rax], 3000h ; integrity RID vs SECURITY_MANDATORY_HIGH_RID
52 | */
53 |
54 | $isHighIntegrityProcess = {
55 | 83 ?? 7A
56 | 75 ??
57 | 8B [3]
58 | 33 ??
59 | FF 15 [4]
60 | 44 [4]
61 | 8D [2]
62 | 48 8B ??
63 | 48 8D [3]
64 | 48 8B ??
65 | 4C 8B ??
66 | 48 89 [3]
67 | FF 15 [4]
68 | 85 C0
69 | 74 ??
70 | 48 8B ??
71 | FF 15 [4]
72 | 8D [2]
73 | 8A ??
74 | 40 [2]
75 | 0F B6 D1
76 | 48 8B 0F
77 | FF 15 [4]
78 | 81 ?? 00 30 00 00
79 | }
80 |
81 | /*
82 | 44 8D 42 70 lea r8d, [rdx+70h]; Size = sizeof(SHELLEXECUTEINFOW) on x64
83 | 48 8D 4C 24 20 lea rcx, [rsp+98h+pExecInfo]; void *
84 | E8 2E 07 00 00 call memset
85 | 83 64 24 50 00 and [rsp+98h+pExecInfo.nShow], 0
86 | 48 8D 05 E2 9B 00 00 lea rax, aTaskmgrExe; "taskmgr.exe"
87 | 0F 57 C0 xorps xmm0, xmm0
88 | 66 0F 7F 44 24 40 movdqa xmmword ptr [rsp+98h+pExecInfo.lpParameters], xmm0
89 | 48 89 44 24 38 mov [rsp+98h+pExecInfo.lpFile], rax
90 | 48 8D 05 E5 9B 00 00 lea rax, aRunas; "runas"
91 | 48 8D 4C 24 20 lea rcx, [rsp+98h+pExecInfo]; pExecInfo
92 | C7 44 24 20 70 00 00 00 mov [rsp+98h+pExecInfo.cbSize], 70h ; 'p'
93 | C7 44 24 24 40 00 00 00 mov [rsp+98h+pExecInfo.fMask], 40h ; '@' = SEE_MASK_NOCLOSEPROCESS
94 | 48 89 44 24 30 mov [rsp+98h+pExecInfo.lpVerb], rax
95 | FF 15 05 9B 00 00 call cs:ShellExecuteExW
96 | */
97 |
98 | $executeTaskmgr = {
99 | 44 8D ?? 70
100 | 48 8D [3]
101 | E8 [4]
102 | 83 [3] 00
103 | 48 8D [5]
104 | 0F 57 ??
105 | 66 0F 7F [3]
106 | 48 89 [3]
107 | 48 8D [5]
108 | 48 8D [3]
109 | C7 [3] 70 00 00 00
110 | C7 [3] 40 00 00 00
111 | 48 89 [3]
112 | FF 15
113 | }
114 |
115 |
116 | condition:
117 | all of them
118 | }
119 |
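What both `$isHighIntegrityProcess` sequences (32-bit in the previous rule, 64-bit here) implement is: query TokenIntegrityLevel, take the last sub-authority of the returned label SID, and compare it with 3000h. The Python below is an added example, not code from this rule set or from Cobalt Strike: it parses a binary SID the way GetSidSubAuthorityCount and GetSidSubAuthority walk it and applies the same comparison, so a TOKEN_MANDATORY_LABEL SID lifted from a memory dump can be decoded without Windows APIs. The SIDs are constructed; treating `>= 3000h` as "High or above" is an assumption, since the listings show the cmp but not the branch that follows it.

```python
import struct

# Mandatory-label RIDs from winnt.h; the listing compares against SECURITY_MANDATORY_HIGH_RID.
SECURITY_MANDATORY_UNTRUSTED_RID = 0x0000
SECURITY_MANDATORY_LOW_RID = 0x1000
SECURITY_MANDATORY_MEDIUM_RID = 0x2000
SECURITY_MANDATORY_HIGH_RID = 0x3000
SECURITY_MANDATORY_SYSTEM_RID = 0x4000
SECURITY_MANDATORY_LABEL_AUTHORITY = 16          # the "16" in S-1-16-<rid>

LEVEL_NAMES = {
    SECURITY_MANDATORY_UNTRUSTED_RID: "Untrusted",
    SECURITY_MANDATORY_LOW_RID: "Low",
    SECURITY_MANDATORY_MEDIUM_RID: "Medium",
    SECURITY_MANDATORY_HIGH_RID: "High",
    SECURITY_MANDATORY_SYSTEM_RID: "System",
}


def parse_sid(sid: bytes):
    """Decode a binary SID: Revision, SubAuthorityCount, 6-byte big-endian
    IdentifierAuthority, then SubAuthorityCount little-endian DWORDs."""
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = sid[0], sid[1]
    if revision != 1 or count > 15:
        raise ValueError("malformed SID header")
    if len(sid) < 8 + 4 * count:
        raise ValueError("SID truncated: header promises %d sub-authorities" % count)
    authority = int.from_bytes(sid[2:8], "big")
    sub_authorities = list(struct.unpack_from("<%dI" % count, sid, 8))
    return revision, authority, sub_authorities


def sid_to_string(sid: bytes) -> str:
    revision, authority, subs = parse_sid(sid)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def integrity_rid(label_sid: bytes) -> int:
    """GetSidSubAuthority(sid, *GetSidSubAuthorityCount(sid) - 1): the last sub-authority."""
    _, authority, subs = parse_sid(label_sid)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or not subs:
        raise ValueError("not a mandatory label SID")
    return subs[-1]


def is_high_integrity(label_sid: bytes) -> bool:
    """The listing's `cmp dword ptr [eax], 3000h`; the >= is an assumption about the hidden branch."""
    return integrity_rid(label_sid) >= SECURITY_MANDATORY_HIGH_RID


def describe_level(label_sid: bytes) -> str:
    """Human-readable level; intermediate RIDs (e.g. 2100h, medium-plus) map to their base level."""
    rid = integrity_rid(label_sid)
    return LEVEL_NAMES.get(rid & 0xF000, "Unknown") + " (0x%04X)" % rid


def make_label_sid(rid: int) -> bytes:
    """Construct S-1-16-<rid> as test input; real ones come from GetTokenInformation."""
    return bytes([1, 1]) + SECURITY_MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big") + struct.pack("<I", rid)


if __name__ == "__main__":
    # Constructed: the raw bytes of the High mandatory label, S-1-16-12288.
    high = bytes.fromhex("01 01 00 00 00 00 00 10 00 30 00 00")
    print(sid_to_string(high), describe_level(high), "high:", is_high_integrity(high))
    medium = make_label_sid(SECURITY_MANDATORY_MEDIUM_RID)
    print(sid_to_string(medium), describe_level(medium), "high:", is_high_integrity(medium))
```

The check only looks at the last sub-authority, exactly like the fingerprinted code; the authority check in `integrity_rid` is an extra guard so that an ordinary account SID is not mistaken for a label.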
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x"
21 | hash = "932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | // command.ps1 and compress.ps1 are the same file; between v3.7 and v3.8 it was renamed from command to compress. The \x49 ('I') and \x46 ('F') escapes keep the literal IO.MemoryStream / FromBase64String text out of the rule file itself.
28 | $ps1 = "$s=New-Object \x49O.MemoryStream(,[Convert]::\x46romBase64String(" nocase
29 | $ps2 ="));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" nocase
30 |
31 | condition:
32 | all of them
33 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_Dll_v2_1_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Covertvpn_Dll_v2_1_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/covertvpn.dll signature for version v2.2 to v4.4"
21 | hash = "0a452a94d53e54b1df6ba02bc2f02e06d57153aad111171a94ec65c910d22dcf"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 5? push esi
29 | 68 [4] push offset ProcName; "IsWow64Process"
30 | 68 [4] push offset ModuleName; "kernel32"
31 | C7 [3-5] 00 00 00 00 mov [ebp+var_9C], 0 // the displacement bytes are only 3 in v2.x, 5 in v3.x->v4.x
32 | FF 15 [4] call ds:GetModuleHandleA
33 | 50 push eax; hModule
34 | FF 15 [4] call ds:GetProcAddress
35 | 8B ?? mov esi, eax
36 | 85 ?? test esi, esi
37 | 74 ?? jz short loc_1000298B
38 | 8D [3-5] lea eax, [ebp+var_9C] // the displacement bytes are only 3 in v2.x, 5 in v3.x->v4.x
39 | 5? push eax
40 | FF 15 [4] call ds:GetCurrentProcess
41 | 50 push eax
42 | */
43 |
44 | $dropComponentsAndActivateDriver_prologue = {
45 | 5?
46 | 68 [4]
47 | 68 [4]
48 | C7 [3-5] 00 00 00 00
49 | FF 15 [4]
50 | 50
51 | FF 15 [4]
52 | 8B ??
53 | 85 ??
54 | 74 ??
55 | 8D [3-5]
56 | 5?
57 | FF 15 [4]
58 | 50
59 | }
60 |
61 | /*
62 | 6A 00 push 0; AccessMode
63 | 5? push esi; FileName
64 | E8 [4] call __access
65 | 83 C4 08 add esp, 8
66 | 83 F8 FF cmp eax, 0FFFFFFFFh ; _access() returned -1: the file does not exist yet
67 | 74 ?? jz short loc_100028A7 ; so skip the warning and go create it
68 | 5? push esi
69 | 68 [4] push offset aWarningSExists; "Warning: %s exists\n" // this may not exist in v2.x samples
70 | E8 [4] call nullsub_1
71 | 83 C4 08 add esp, 8 // if the push doesn't exist, then this is 04, not 08
72 | // v2.x has a PUSH ESI here... so we need to skip that
73 | 6A 00 push 0; hTemplateFile
74 | 68 80 01 00 00 push 180h; dwFlagsAndAttributes = FILE_ATTRIBUTE_TEMPORARY | FILE_ATTRIBUTE_NORMAL
75 | 6A 02 push 2; dwCreationDisposition = CREATE_ALWAYS
76 | 6A 00 push 0; lpSecurityAttributes
77 | 6A 05 push 5; dwShareMode = FILE_SHARE_READ | FILE_SHARE_DELETE
78 | 68 00 00 00 40 push 40000000h; dwDesiredAccess = GENERIC_WRITE
79 | 5? push esi; lpFileName
80 | FF 15 [4] call ds:CreateFileA
81 | 8B ?? mov edi, eax
82 | 83 ?? FF cmp edi, 0FFFFFFFFh
83 | 75 ?? jnz short loc_100028E2
84 | FF 15 [4] call ds:GetLastError
85 | 5? push eax
86 | */
87 |
88 | $dropFile = {
89 | 6A 00
90 | 5?
91 | E8 [4]
92 | 83 C4 08
93 | 83 F8 FF
94 | 74 ??
95 | 5?
96 | [0-5]
97 | E8 [4]
98 | 83 C4 ??
99 | [0-2]
100 | 6A 00
101 | 68 80 01 00 00
102 | 6A 02
103 | 6A 00
104 | 6A 05
105 | 68 00 00 00 40
106 | 5?
107 | FF 15 [4]
108 | 8B ??
109 | 83 ?? FF
110 | 75 ??
111 | FF 15 [4]
112 | 5?
113 | }
114 |
115 | $nfp = "npf.sys" nocase
116 | $wpcap = "wpcap.dll" nocase
117 |
118 | condition:
119 | all of them
120 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/covertvpn-injector.exe signature for version v1.44 to v2.0.49"
21 | hash = "d741751520f46602f5a57d1ed49feaa5789115aeeba7fa4fc7cbb534ee335462"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | C7 04 24 [4] mov dword ptr [esp], offset aKernel32; "kernel32"
29 | E8 [4] call GetModuleHandleA
30 | 83 EC 04 sub esp, 4
31 | C7 44 24 04 [4] mov dword ptr [esp+4], offset aIswow64process; "IsWow64Process"
32 | 89 04 24 mov [esp], eax; hModule
33 | E8 59 14 00 00 call GetProcAddress
34 | 83 EC 08 sub esp, 8
35 | 89 45 ?? mov [ebp+var_C], eax
36 | 83 7D ?? 00 cmp [ebp+var_C], 0
37 | 74 ?? jz short loc_4019BA
38 | E8 [4] call GetCurrentProcess
39 | 8D [2] lea edx, [ebp+fIs64bit]
40 | 89 [3] mov [esp+4], edx
41 | 89 04 24 mov [esp], eax
42 | */
43 |
44 | $dropComponentsAndActivateDriver_prologue = {
45 | C7 04 24 [4]
46 | E8 [4]
47 | 83 EC 04
48 | C7 44 24 04 [4]
49 | 89 04 24
50 | E8 59 14 00 00
51 | 83 EC 08
52 | 89 45 ??
53 | 83 7D ?? 00
54 | 74 ??
55 | E8 [4]
56 | 8D [2]
57 | 89 [3]
58 | 89 04 24
59 | }
60 |
61 | /*
62 | C7 44 24 04 00 00 00 00 mov dword ptr [esp+4], 0; AccessMode
63 | 8B [2] mov eax, [ebp+FileName]
64 | 89 ?? 24 mov [esp], eax; FileName
65 | E8 [4] call _access
66 | 83 F8 FF cmp eax, 0FFFFFFFFh ; _access() returned -1: the file does not exist yet
67 | 74 ?? jz short loc_40176D ; so skip the warning and go create it
68 | 8B [2] mov eax, [ebp+FileName]
69 | 89 ?? 24 04 mov [esp+4], eax
70 | C7 04 24 [4] mov dword ptr [esp], offset aWarningSExists; "Warning: %s exists\n"
71 | E8 [4] call log
72 | E9 [4] jmp locret_401871
73 | C7 44 24 18 00 00 00 00 mov dword ptr [esp+18h], 0; hTemplateFile
74 | C7 44 24 14 80 01 00 00 mov dword ptr [esp+14h], 180h; dwFlagsAndAttributes = FILE_ATTRIBUTE_TEMPORARY | FILE_ATTRIBUTE_NORMAL
75 | C7 44 24 10 02 00 00 00 mov dword ptr [esp+10h], 2; dwCreationDisposition = CREATE_ALWAYS
76 | C7 44 24 0C 00 00 00 00 mov dword ptr [esp+0Ch], 0; lpSecurityAttributes
77 | C7 44 24 08 05 00 00 00 mov dword ptr [esp+8], 5; dwShareMode = FILE_SHARE_READ | FILE_SHARE_DELETE
78 | C7 44 24 04 00 00 00 40 mov dword ptr [esp+4], 40000000h; dwDesiredAccess = GENERIC_WRITE
79 | 8B [2] mov eax, [ebp+FileName]
80 | 89 04 24 mov [esp], eax; lpFileName
81 | E8 [4] call CreateFileA
82 | 83 EC 1C sub esp, 1Ch
83 | 89 45 ?? mov [ebp+hFile], eax
84 | */
85 |
86 | $dropFile = {
87 | C7 44 24 04 00 00 00 00
88 | 8B [2]
89 | 89 ?? 24
90 | E8 [4]
91 | 83 F8 FF
92 | 74 ??
93 | 8B [2]
94 | 89 ?? 24 04
95 | C7 04 24 [4]
96 | E8 [4]
97 | E9 [4]
98 | C7 44 24 18 00 00 00 00
99 | C7 44 24 14 80 01 00 00
100 | C7 44 24 10 02 00 00 00
101 | C7 44 24 0C 00 00 00 00
102 | C7 44 24 08 05 00 00 00
103 | C7 44 24 04 00 00 00 40
104 | 8B [2]
105 | 89 04 24
106 | E8 [4]
107 | 83 EC 1C
108 | 89 45 ??
109 | }
110 |
111 | $nfp = "npf.sys" nocase
112 | $wpcap = "wpcap.dll" nocase
113 |
114 | condition:
115 | all of them
116 | }
117 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Dnsstager_Bin_v1_47_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/dnsstager.bin signature for versions 1.47 to 4.x"
21 | hash = "10f946b88486b690305b87c14c244d7bc741015c3fef1c4625fa7f64917897f1"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 31 ?? xor eax, eax ; ROR13 hash loop over one export name (Metasploit-style API locator)
29 | AC lodsb ; next byte of the export name
30 | C1 ?? 0D ror edi, 0Dh
31 | 01 ?? add edi, eax
32 | 38 ?? cmp al, ah ; stop after the NUL terminator (ah is 0)
33 | 75 ?? jnz short loc_10000054
34 | 03 [2] add edi, [ebp-8] ; add the module-name hash computed earlier
35 | 3B [2] cmp edi, [ebp+24h] ; compare with the hash the caller asked for (the 4-byte immediate it pushed)
36 | 75 ?? jnz short loc_1000004A ; no match: try the next export
37 | 5? pop eax ; eax = IMAGE_EXPORT_DIRECTORY
38 | 8B ?? 24 mov ebx, [eax+24h] ; AddressOfNameOrdinals
39 | 01 ?? add ebx, edx ; edx = module base
40 | 66 8B [2] mov cx, [ebx+ecx*2] ; ordinal of the matching name
41 | 8B ?? 1C mov ebx, [eax+1Ch] ; AddressOfFunctions
42 | 01 ?? add ebx, edx
43 | 8B ?? 8B mov eax, [ebx+ecx*4] ; function RVA
44 | 01 ?? add eax, edx ; function VA
45 | 89 [3] mov [esp+28h+var_4], eax ; stash the resolved address for the caller
46 | 5? pop ebx
47 | 5? pop ebx
48 | */
49 |
50 | $apiLocator = {
51 | 31 ??
52 | AC
53 | C1 ?? 0D
54 | 01 ??
55 | 38 ??
56 | 75 ??
57 | 03 [2]
58 | 3B [2]
59 | 75 ??
60 | 5?
61 | 8B ?? 24
62 | 01 ??
63 | 66 8B [2]
64 | 8B ?? 1C
65 | 01 ??
66 | 8B ?? 8B
67 | 01 ??
68 | 89 [3]
69 | 5?
70 | 5?
71 | }
72 |
73 | // the $apiLocator sequence is shared by every stager, so a dnsstager.bin-specific sequence is needed to tell the sample types apart: 68 64 6E 73 61 is `push 'dnsa'`, the first dword of the "dnsapi" module name the stager builds on the stack
74 | $dnsapi = { 68 64 6E 73 61 }
75 |
76 | condition:
77 | $apiLocator and $dnsapi
78 | }
79 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/elevate.dll signature for v3.0 to v3.14 and sleeve/elevate.dll for v4.x"
21 | hash = "6deeb2cafe9eeefe5fc5077e63cc08310f895e9d5d492c88c4e567323077aa2f"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 6A 00 push 0; lParam
29 | 6A 28 push 28h ; '('; wParam = VK_DOWN
30 | 68 00 01 00 00 push 100h; Msg = WM_KEYDOWN
31 | 5? push edi; hWnd
32 | C7 [5] 01 00 00 00 mov dword_10017E70, 1
33 | FF ?? call esi ; PostMessageA
34 | 6A 00 push 0; lParam
35 | 6A 27 push 27h ; '''; wParam = VK_RIGHT
36 | 68 00 01 00 00 push 100h; Msg = WM_KEYDOWN
37 | 5? push edi; hWnd
38 | FF ?? call esi ; PostMessageA
39 | 6A 00 push 0; lParam
40 | 6A 00 push 0; wParam
41 | 68 01 02 00 00 push 201h; Msg = WM_LBUTTONDOWN
42 | 5? push edi; hWnd
43 | FF ?? call esi ; PostMessageA
44 | */
45 |
46 | $wnd_proc = {
47 | 6A 00
48 | 6A 28
49 | 68 00 01 00 00
50 | 5?
51 | C7 [5] 01 00 00 00
52 | FF ??
53 | 6A 00
54 | 6A 27
55 | 68 00 01 00 00
56 | 5?
57 | FF ??
58 | 6A 00
59 | 6A 00
60 | 68 01 02 00 00
61 | 5?
62 | FF ??
63 | }
64 |
65 |
66 | condition:
67 | $wnd_proc
68 | }
69 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/elevate.x64.dll signature for v3.0 to v3.14 and sleeve/elevate.x64.dll for v4.x"
21 | hash = "c3ee8a9181fed39cec3bd645b32b611ce98d2e84c5a9eff31a8acfd9c26410ec"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 81 FA 21 01 00 00 cmp edx, 121h ; Msg == WM_ENTERIDLE ?
29 | 75 4A jnz short loc_1800017A9
30 | 83 3D 5A 7E 01 00 00 cmp cs:dword_1800195C0, 0
31 | 75 41 jnz short loc_1800017A9
32 | 45 33 C9 xor r9d, r9d; lParam
33 | 8D 57 DF lea edx, [rdi-21h]; Msg = 121h - 21h = 100h = WM_KEYDOWN (rdi holds the message id)
34 | C7 05 48 7E 01 00 01 00 00 00 mov cs:dword_1800195C0, 1 ; set the run-once flag tested above
35 | 45 8D 41 28 lea r8d, [r9+28h]; wParam = VK_DOWN (r9d is 0)
36 | FF 15 36 DB 00 00 call cs:PostMessageA
37 | 45 33 C9 xor r9d, r9d; lParam
38 | 8D 57 DF lea edx, [rdi-21h]; Msg = WM_KEYDOWN
39 | 45 8D 41 27 lea r8d, [r9+27h]; wParam = VK_RIGHT
40 | 48 8B CB mov rcx, rbx; hWnd
41 | FF 15 23 DB 00 00 call cs:PostMessageA
42 | 45 33 C9 xor r9d, r9d; lParam
43 | 45 33 C0 xor r8d, r8d; wParam
44 | BA 01 02 00 00 mov edx, 201h; Msg = WM_LBUTTONDOWN
45 | 48 8B CB mov rcx, rbx; hWnd
46 | */
47 |
48 | $wnd_proc = {
49 | 81 ?? 21 01 00 00
50 | 75 ??
51 | 83 [5] 00
52 | 75 ??
53 | 45 33 ??
54 | 8D [2]
55 | C7 [5] 01 00 00 00
56 | 45 [2] 28
57 | FF 15 [4]
58 | 45 33 ??
59 | 8D [2]
60 | 45 [2] 27
61 | 48 [2]
62 | FF 15 [4]
63 | 45 33 ??
64 | 45 33 ??
65 | BA 01 02 00 00
66 | 48
67 | }
68 |
69 | condition:
70 | $wnd_proc
71 | }
72 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Httpsstager64_Bin_v3_2_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/httpsstager64.bin signature for versions v3.2 to v4.x"
21 | hash = "109b8c55816ddc0defff360c93e8a07019ac812dd1a42209ea7e95ba79b5a573"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 48 31 C0 xor rax, rax ; ROR13 hash loop over one export name (x64 API locator)
29 | AC lodsb ; next byte of the export name
30 | 41 C1 C9 0D ror r9d, 0Dh
31 | 41 01 C1 add r9d, eax
32 | 38 E0 cmp al, ah ; stop after the NUL terminator (ah is 0)
33 | 75 F1 jnz short loc_100000000000007D
34 | 4C 03 4C 24 08 add r9, [rsp+40h+var_38] ; add the module-name hash computed earlier
35 | 45 39 D1 cmp r9d, r10d ; r10d holds the requested hash (see `mov r10d, InternetSetOptionA` below)
36 | 75 D8 jnz short loc_100000000000006E ; no match: try the next export
37 | 58 pop rax ; rax = IMAGE_EXPORT_DIRECTORY
38 | 44 8B 40 24 mov r8d, [rax+24h] ; AddressOfNameOrdinals
39 | 49 01 D0 add r8, rdx ; rdx = module base
40 | 66 41 8B 0C 48 mov cx, [r8+rcx*2] ; ordinal of the matching name
41 | 44 8B 40 1C mov r8d, [rax+1Ch] ; AddressOfFunctions
42 | 49 01 D0 add r8, rdx
43 | 41 8B 04 88 mov eax, [r8+rcx*4] ; function RVA
44 | 48 01 D0 add rax, rdx ; function VA
45 | */
46 |
47 | $apiLocator = {
48 | 48 [2]
49 | AC
50 | 41 [2] 0D
51 | 41 [2]
52 | 38 ??
53 | 75 ??
54 | 4C [4]
55 | 45 [2]
56 | 75 ??
57 | 5?
58 | 44 [2] 24
59 | 49 [2]
60 | 66 [4]
61 | 44 [2] 1C
62 | 49 [2]
63 | 41 [3]
64 | 48
65 | }
66 |
67 |
68 | // the signature for httpstager64 and httpsstager64 really only differ by the flags passed to WinInet API
69 | // and the inclusion of the InternetSetOptionA call. We will trigger off that API
70 | /*
71 | BA 1F 00 00 00 mov edx, 1Fh ; dwOption = INTERNET_OPTION_SECURITY_FLAGS
72 | 6A 00 push 0
73 | 68 80 33 00 00 push 3380h ; SECURITY_FLAG_IGNORE_UNKNOWN_CA | IGNORE_CERT_DATE_INVALID | IGNORE_CERT_CN_INVALID | IGNORE_WRONG_USAGE | IGNORE_REVOCATION
74 | 49 89 E0 mov r8, rsp ; lpBuffer -> the flags just pushed
75 | 41 B9 04 00 00 00 mov r9d, 4 ; dwBufferLength
76 | 41 BA 75 46 9E 86 mov r10d, InternetSetOptionA ; ROR13 hash 869E4675h of wininet.dll!InternetSetOptionA, resolved by $apiLocator
77 | */
78 |
79 | $InternetSetOptionA = {
80 | BA 1F 00 00 00
81 | 6A 00
82 | 68 80 33 00 00
83 | 49 [2]
84 | 41 ?? 04 00 00 00
85 | 41 ?? 75 46 9E 86
86 | }
87 |
88 | condition:
89 | $apiLocator and $InternetSetOptionA
90 | }
91 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Httpsstager_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/httpsstager.bin signature for versions 2.5 to 4.x"
21 | hash = "5ebe813a4c899b037ac0ee0962a439833964a7459b7a70f275ac73ea475705b3"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 31 ?? xor eax, eax
29 | AC lodsb
30 | C1 ?? 0D ror edi, 0Dh
31 | 01 ?? add edi, eax
32 | 38 ?? cmp al, ah
33 | 75 ?? jnz short loc_10000054
34 | 03 [2] add edi, [ebp-8]
35 | 3B [2] cmp edi, [ebp+24h]
36 | 75 ?? jnz short loc_1000004A
37 | 5? pop eax
38 | 8B ?? 24 mov ebx, [eax+24h]
39 | 01 ?? add ebx, edx
40 | 66 8B [2] mov cx, [ebx+ecx*2]
41 | 8B ?? 1C mov ebx, [eax+1Ch]
42 | 01 ?? add ebx, edx
43 | 8B ?? 8B mov eax, [ebx+ecx*4]
44 | 01 ?? add eax, edx
45 | 89 [3] mov [esp+28h+var_4], eax
46 | 5? pop ebx
47 | 5? pop ebx
48 | */
49 |
50 | $apiLocator = {
51 | 31 ??
52 | AC
53 | C1 ?? 0D
54 | 01 ??
55 | 38 ??
56 | 75 ??
57 | 03 [2]
58 | 3B [2]
59 | 75 ??
60 | 5?
61 | 8B ?? 24
62 | 01 ??
63 | 66 8B [2]
64 | 8B ?? 1C
65 | 01 ??
66 | 8B ?? 8B
67 | 01 ??
68 | 89 [3]
69 | 5?
70 | 5?
71 | }
72 |
73 | // the signature for httpstager and httpsstager really only differ by the flags passed to WinInet API
74 | // and the inclusion of the InternetSetOptionA call. We will trigger off that API
75 | /*
76 | 6A 04 push 4
77 | 5? push eax
78 | 6A 1F push 1Fh
79 | 5? push esi
80 | 68 75 46 9E 86 push InternetSetOptionA
81 | FF ?? call ebp
82 | */
83 |
84 | $InternetSetOptionA = {
85 | 6A 04
86 | 5?
87 | 6A 1F
88 | 5?
89 | 68 75 46 9E 86
90 | FF
91 | }
92 |
93 | condition:
94 | $apiLocator and $InternetSetOptionA
95 | }
96 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Httpstager64_Bin_v3_2_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/httpstager64.bin signature for versions v3.2 to v4.x"
21 | hash = "ad93d1ee561bc25be4a96652942f698eac9b133d8b35ab7e7d3489a25f1d1e76"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 48 31 C0 xor rax, rax
29 | AC lodsb
30 | 41 C1 C9 0D ror r9d, 0Dh
31 | 41 01 C1 add r9d, eax
32 | 38 E0 cmp al, ah
33 | 75 F1 jnz short loc_100000000000007D
34 | 4C 03 4C 24 08 add r9, [rsp+40h+var_38]
35 | 45 39 D1 cmp r9d, r10d
36 | 75 D8 jnz short loc_100000000000006E
37 | 58 pop rax
38 | 44 8B 40 24 mov r8d, [rax+24h]
39 | 49 01 D0 add r8, rdx
40 | 66 41 8B 0C 48 mov cx, [r8+rcx*2]
41 | 44 8B 40 1C mov r8d, [rax+1Ch]
42 | 49 01 D0 add r8, rdx
43 | 41 8B 04 88 mov eax, [r8+rcx*4]
44 | 48 01 D0 add rax, rdx
45 | */
46 |
47 | $apiLocator = {
48 | 48 [2]
49 | AC
50 | 41 [2] 0D
51 | 41 [2]
52 | 38 ??
53 | 75 ??
54 | 4C [4]
55 | 45 [2]
56 | 75 ??
57 | 5?
58 | 44 [2] 24
59 | 49 [2]
60 | 66 [4]
61 | 44 [2] 1C
62 | 49 [2]
63 | 41 [3]
64 | 48
65 | }
66 |
67 |
68 | // the signatures for httpstager64 and httpsstager64 really only differ by the inclusion or exclusion of InternetSetOptionA. However,
69 | // there is a subtle difference in the jmp after the InternetOpenA call (short jmp for x86 and long jmp for x64)
70 | /*
71 | 41 BA 3A 56 79 A7 mov r10d, InternetOpenA
72 | FF D5 call rbp
73 | EB 61 jmp short j_get_c2_ip
74 | */
75 |
76 | $postInternetOpenJmp = {
77 | 41 ?? 3A 56 79 A7
78 | FF ??
79 | EB
80 | }
81 |
82 |
83 | condition:
84 | $apiLocator and $postInternetOpenJmp
85 | }
86 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Httpstager_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/httpstager.bin signature for versions 2.5 to 4.x"
21 | hash = "a47569af239af092880751d5e7b68d0d8636d9f678f749056e702c9b063df256"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 31 ?? xor eax, eax
29 | AC lodsb
30 | C1 ?? 0D ror edi, 0Dh
31 | 01 ?? add edi, eax
32 | 38 ?? cmp al, ah
33 | 75 ?? jnz short loc_10000054
34 | 03 [2] add edi, [ebp-8]
35 | 3B [2] cmp edi, [ebp+24h]
36 | 75 ?? jnz short loc_1000004A
37 | 5? pop eax
38 | 8B ?? 24 mov ebx, [eax+24h]
39 | 01 ?? add ebx, edx
40 | 66 8B [2] mov cx, [ebx+ecx*2]
41 | 8B ?? 1C mov ebx, [eax+1Ch]
42 | 01 ?? add ebx, edx
43 | 8B ?? 8B mov eax, [ebx+ecx*4]
44 | 01 ?? add eax, edx
45 | 89 [3] mov [esp+28h+var_4], eax
46 | 5? pop ebx
47 | 5? pop ebx
48 | */
49 |
50 | $apiLocator = {
51 | 31 ??
52 | AC
53 | C1 ?? 0D
54 | 01 ??
55 | 38 ??
56 | 75 ??
57 | 03 [2]
58 | 3B [2]
59 | 75 ??
60 | 5?
61 | 8B ?? 24
62 | 01 ??
63 | 66 8B [2]
64 | 8B ?? 1C
65 | 01 ??
66 | 8B ?? 8B
67 | 01 ??
68 | 89 [3]
69 | 5?
70 | 5?
71 | }
72 |
73 | // the signature for httpstager and httpsstager really only differ by the flags passed to WinInet API
74 | // and the httpstager controls the download loop slightly different than the httpsstager
75 | /*
76 | B? 00 2F 00 00 mov edi, 2F00h
77 | 39 ?? cmp edi, eax
78 | 74 ?? jz short loc_100000E9
79 | 31 ?? xor edi, edi
80 | E9 [4] jmp loc_100002CA // opcode could also be EB for a short jump (v2.5-v3.10)
81 | */
82 |
83 | $downloaderLoop = {
84 | B? 00 2F 00 00
85 | 39 ??
86 | 74 ??
87 | 31 ??
88 | ( E9 | EB )
89 | }
90 |
91 | condition:
92 | $apiLocator and $downloaderLoop
93 | }
94 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Reverse64_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Reverse64_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/reverse64.bin signature for versions v2.5 to v4.x"
21 | hash = "d2958138c1b7ef681a63865ec4a57b0c75cc76896bf87b21c415b7ec860397e8"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 48 31 C0 xor rax, rax
29 | AC lodsb
30 | 41 C1 C9 0D ror r9d, 0Dh
31 | 41 01 C1 add r9d, eax
32 | 38 E0 cmp al, ah
33 | 75 F1 jnz short loc_100000000000007D
34 | 4C 03 4C 24 08 add r9, [rsp+40h+var_38]
35 | 45 39 D1 cmp r9d, r10d
36 | 75 D8 jnz short loc_100000000000006E
37 | 58 pop rax
38 | 44 8B 40 24 mov r8d, [rax+24h]
39 | 49 01 D0 add r8, rdx
40 | 66 41 8B 0C 48 mov cx, [r8+rcx*2]
41 | 44 8B 40 1C mov r8d, [rax+1Ch]
42 | 49 01 D0 add r8, rdx
43 | 41 8B 04 88 mov eax, [r8+rcx*4]
44 | 48 01 D0 add rax, rdx
45 | */
46 |
47 | $apiLocator = {
48 | 48 [2]
49 | AC
50 | 41 [2] 0D
51 | 41 [2]
52 | 38 ??
53 | 75 ??
54 | 4C [4]
55 | 45 [2]
56 | 75 ??
57 | 5?
58 | 44 [2] 24
59 | 49 [2]
60 | 66 [4]
61 | 44 [2] 1C
62 | 49 [2]
63 | 41 [3]
64 | 48
65 | }
66 |
67 |
68 | // the signatures for reverse64 and bind64 really differ only slightly; here we are using the lack of additional calls
69 | // in reverse64 to differentiate between this and bind64
70 | // Note that we can reasonably assume that the constants being passed to the call rbp will be just that, constant,
71 | // since we are triggering on the API hasher. If that hasher is unchanged, then the hashes we look for should be
72 | // unchanged. This means we can use these values as anchors in our signature.
73 | /*
74 | 41 BA EA 0F DF E0 mov r10d, WSASocketA
75 | FF D5 call rbp
76 | 48 89 C7 mov rdi, rax
77 | 6A 10 push 10h
78 | 41 58 pop r8
79 | 4C 89 E2 mov rdx, r12
80 | 48 89 F9 mov rcx, rdi
81 | 41 BA 99 A5 74 61 mov r10d, connect
82 | FF D5 call rbp
83 | */
84 |
85 | $calls = {
86 | 48 89 C1
87 | 41 BA EA 0F DF E0
88 | FF D5
89 | 48 [2]
90 | 6A ??
91 | 41 ??
92 | 4C [2]
93 | 48 [2]
94 | 41 BA 99 A5 74 61
95 | FF D5
96 | }
97 | condition:
98 | $apiLocator and $calls
99 | }
100 |
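The comment in the reverse64 rule above (and the matching remarks in the httpstager64/httpsstager64 rules) rests on one observation: as long as the API hasher is unchanged, the 32-bit constants loaded before each `call rbp` / `call ebp` are fixed and can serve as signature anchors. The block below is an added example and is not part of this repository. It reimplements the hash the listings show (`ror edi, 0Dh` / `add edi, eax` per byte, terminator included, then `add edi, [ebp-8]` to fold in the module hash), following the Metasploit block_api convention that the module name is hashed as upper-case UTF-16LE with its terminating wide NUL; that convention, the module each export lives in (`ws2_32.dll`, `wininet.dll`, `kernel32.dll`) and the helper names are assumptions. It then scans a constructed byte sequence, copied from the opcode listings in the rule comments, for the `mov r10d, imm32` (`41 BA`) and `push imm32` (`68`) forms the rules key on and labels the constants it recognises, which is how an analyst can confirm which APIs a stager resolves without executing it.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right (the `ror edi, 0Dh` / `ror r9d, 0Dh` in the listings)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(data: bytes) -> int:
    """Per-byte loop from the stager: h = ror(h, 13) + byte, over every byte including the terminator."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(module: str, function: str) -> int:
    """Assumed Metasploit block_api convention: module name as upper-case UTF-16LE with its wide NUL,
    export name as ASCII with its NUL, the two hashes added (`add edi, [ebp-8]` in the listing)."""
    module_bytes = (module.upper() + "\x00").encode("utf-16le")
    function_bytes = (function + "\x00").encode("ascii")
    return (ror13_hash(module_bytes) + ror13_hash(function_bytes)) & MASK32


# Exports the rules on this page anchor on; the module each one lives in is an assumption.
KNOWN_APIS = [
    ("kernel32.dll", "VirtualAlloc"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetSetOptionA"),
]
HASH_TABLE = {api_hash(m, f): f"{m}!{f}" for m, f in KNOWN_APIS}


def find_api_hashes(code: bytes):
    """Scan raw stager bytes for the two immediate loads the rules key on and label known hashes:
    x64 `41 BA imm32` (mov r10d, imm32) and x86 `68 imm32` (push imm32).
    Returns a list of (offset, form, value, module!function)."""
    hits = []
    for off in range(len(code)):
        if code[off:off + 2] == b"\x41\xba" and off + 6 <= len(code):
            imm = struct.unpack_from("<I", code, off + 2)[0]
            form = "mov r10d"
        elif code[off] == 0x68 and off + 5 <= len(code):
            imm = struct.unpack_from("<I", code, off + 1)[0]
            form = "push"
        else:
            continue
        name = HASH_TABLE.get(imm)
        if name is not None:
            hits.append((off, form, imm, name))
    return hits


# Constructed sample: the reverse64 `$calls` bytes followed by the smbstager `$smbstart` bytes, both
# copied from the opcode listings in the rule comments and concatenated here only for demonstration.
SAMPLE = bytes.fromhex(
    "41 BA EA 0F DF E0 FF D5 48 89 C7 6A 10 41 58 4C 89 E2 48 89 F9 41 BA 99 A5 74 61 FF D5 "
    "6A 40 68 00 10 00 00 68 FF FF 07 00 6A 00 68 58 A4 53 E5"
)

if __name__ == "__main__":
    for module, function in KNOWN_APIS:
        print(f"0x{api_hash(module, function):08X} = {module}!{function}")
    for off, form, imm, name in find_api_hashes(SAMPLE):
        print(f"offset {off:3d}: {form} 0x{imm:08X} -> {name}")
```

The scan is deliberately dumb: it reports every immediate whose value is in the table, which is exactly the property the rules exploit, and a `push 1000h` or `push 7FFFFh` from the same listing is skipped because its value maps to nothing. If a rebuilt stager swaps the hasher, the `$apiLocator` pattern stops matching first; if only the API set changes, the constants change and this table tells you which ones.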
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x"
21 | hash = "887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 31 ?? xor eax, eax
29 | AC lodsb
30 | C1 ?? 0D ror edi, 0Dh
31 | 01 ?? add edi, eax
32 | 38 ?? cmp al, ah
33 | 75 ?? jnz short loc_10000054
34 | 03 [2] add edi, [ebp-8]
35 | 3B [2] cmp edi, [ebp+24h]
36 | 75 ?? jnz short loc_1000004A
37 | 5? pop eax
38 | 8B ?? 24 mov ebx, [eax+24h]
39 | 01 ?? add ebx, edx
40 | 66 8B [2] mov cx, [ebx+ecx*2]
41 | 8B ?? 1C mov ebx, [eax+1Ch]
42 | 01 ?? add ebx, edx
43 | 8B ?? 8B mov eax, [ebx+ecx*4]
44 | 01 ?? add eax, edx
45 | 89 [3] mov [esp+28h+var_4], eax
46 | 5? pop ebx
47 | 5? pop ebx
48 | */
49 |
50 | $apiLocator = {
51 | 31 ??
52 | AC
53 | C1 ?? 0D
54 | 01 ??
55 | 38 ??
56 | 75 ??
57 | 03 [2]
58 | 3B [2]
59 | 75 ??
60 | 5?
61 | 8B ?? 24
62 | 01 ??
63 | 66 8B [2]
64 | 8B ?? 1C
65 | 01 ??
66 | 8B ?? 8B
67 | 01 ??
68 | 89 [3]
69 | 5?
70 | 5?
71 | }
72 |
73 | // the signatures for the stagers overlap significantly. Looking for reverse.bin specific bytes helps delineate sample types
74 | /*
75 | 5D pop ebp
76 | 68 33 32 00 00 push '23'
77 | 68 77 73 32 5F push '_2sw'
78 | */
79 |
80 | $ws2_32 = {
81 | 5D
82 | 68 33 32 00 00
83 | 68 77 73 32 5F
84 | }
85 |
86 |
87 | // reverse.bin makes outbound connection (using connect) while bind.bin listens for incoming connections (using listen)
88 | // so the presence of the connect API hash is a solid method for distinguishing between the two.
89 | /*
90 | 6A 10 push 10h
91 | [0]5? push esi
92 | 5? push edi
93 | 68 99 A5 74 61 push connect
94 | */
95 | $connect = {
96 | 6A 10
97 | 5?
98 | 5?
99 | 68 99 A5 74 61
100 | }
101 |
102 | condition:
103 | $apiLocator and $ws2_32 and $connect
104 | }
105 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Smbstager_Bin_v2_5_through_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Smbstager_Bin_v2_5_through_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/smbstager.bin signature for versions 2.5 to 4.x"
21 | hash = "946af5a23e5403ea1caccb2e0988ec1526b375a3e919189f16491eeabc3e7d8c"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | 31 ?? xor eax, eax
29 | AC lodsb
30 | C1 ?? 0D ror edi, 0Dh
31 | 01 ?? add edi, eax
32 | 38 ?? cmp al, ah
33 | 75 ?? jnz short loc_10000054
34 | 03 [2] add edi, [ebp-8]
35 | 3B [2] cmp edi, [ebp+24h]
36 | 75 ?? jnz short loc_1000004A
37 | 5? pop eax
38 | 8B ?? 24 mov ebx, [eax+24h]
39 | 01 ?? add ebx, edx
40 | 66 8B [2] mov cx, [ebx+ecx*2]
41 | 8B ?? 1C mov ebx, [eax+1Ch]
42 | 01 ?? add ebx, edx
43 | 8B ?? 8B mov eax, [ebx+ecx*4]
44 | 01 ?? add eax, edx
45 | 89 [3] mov [esp+28h+var_4], eax
46 | 5? pop ebx
47 | 5? pop ebx
48 | */
49 |
50 | $apiLocator = {
51 | 31 ??
52 | AC
53 | C1 ?? 0D
54 | 01 ??
55 | 38 ??
56 | 75 ??
57 | 03 [2]
58 | 3B [2]
59 | 75 ??
60 | 5?
61 | 8B ?? 24
62 | 01 ??
63 | 66 8B [2]
64 | 8B ?? 1C
65 | 01 ??
66 | 8B ?? 8B
67 | 01 ??
68 | 89 [3]
69 | 5?
70 | 5?
71 | }
72 |
73 | // the signatures for the stagers overlap significantly. Looking for smbstager.bin specific bytes helps delineate sample types
74 | $smb = { 68 C6 96 87 52 }
75 |
76 | // This code block helps differentiate between smbstager.bin and metasploit's engine, which has a reasonable level of overlap
77 | /*
78 | 6A 40 push 40h ; '@'
79 | 68 00 10 00 00 push 1000h
80 | 68 FF FF 07 00 push 7FFFFh
81 | 6A 00 push 0
82 | 68 58 A4 53 E5 push VirtualAlloc
83 | */
84 |
85 | $smbstart = {
86 | 6A 40
87 | 68 00 10 00 00
88 | 68 FF FF 07 00
89 | 6A 00
90 | 68 58 A4 53 E5
91 | }
92 |
93 | condition:
94 | $apiLocator and $smb and $smbstart
95 | }
96 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Template_Py_v3_3_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Template_Py_v3_3_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x"
21 | hash = "d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | $arch = "platform.architecture()"
28 | $nope = "WindowsPE"
29 | $alloc = "ctypes.windll.kernel32.VirtualAlloc"
30 | $movemem = "ctypes.windll.kernel32.RtlMoveMemory"
31 | $thread = "ctypes.windll.kernel32.CreateThread"
32 | $wait = "ctypes.windll.kernel32.WaitForSingleObject"
33 |
34 | condition:
35 | all of them
36 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Template_Sct_v3_3_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Template_Sct_v3_3_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/template.sct signature for versions v3.3 to v4.x"
21 | hash = "fc66cb120e7bc9209882620f5df7fdf45394c44ca71701a8662210cf3a40e142"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | $scriptletstart = "<scriptlet>" nocase // the tag literals in this block were lost in extraction; they are reconstructed from the string names and the standard scriptlet (.sct) layout
28 | $registration = "<registration" nocase
29 | $classid = "classid=\"" nocase
30 | $scriptlang = "<script language=" nocase
31 | $cdata = "<![CDATA[" nocase
33 | $antiregistration = "</registration>" nocase
34 | $scriptletend = "</scriptlet>"
35 |
36 | condition:
37 | all of them and @scriptletstart[1] < @registration[1] and @registration[1] < @classid[1] and @classid[1] < @scriptlang[1] and @scriptlang[1] < @cdata[1]
38 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Template_Vbs_v3_3_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources__Template_Vbs_v3_3_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/btemplate.vbs signature for versions v3.3 to v4.x"
21 | hash = "e0683f953062e63b2aabad7bc6d76a78748504b114329ef8e2ece808b3294135"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | $ea = "Excel.Application" nocase
28 | $vis = "Visible = False" nocase
29 | $wsc = "Wscript.Shell" nocase
30 | $regkey1 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" nocase
31 | $regkey2 = "\\Excel\\Security\\AccessVBOM" nocase
32 | $regwrite = ".RegWrite" nocase
33 | $dw = "REG_DWORD"
34 | $code = ".CodeModule.AddFromString"
35 | /* Hex encoded Auto_*/ /*Open */
36 | $ao = { 41 75 74 6f 5f 4f 70 65 6e }
37 | $da = ".DisplayAlerts"
38 |
39 | condition:
40 | all of them
41 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/template.x64.ps1, resources/template.x32 from v3.11 to v3.14 and resources/template.ps1 from v1.45 to v2.5 "
21 | hash = "ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 |
28 | $importVA = "[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc" nocase
29 | $importCT = "[DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread" nocase
30 | $importWFSO = "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject" nocase
31 | $compiler = "New-Object Microsoft.CSharp.CSharpCodeProvider" nocase
32 | $params = "New-Object System.CodeDom.Compiler.CompilerParameters" nocase
33 | $paramsSys32 = ".ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))" nocase
34 | $paramsGIM = ".GenerateInMemory = $True" nocase
35 | $result = "$compiler.CompileAssemblyFromSource($params, $assembly)" nocase
36 | //$data = "[Byte[]]$var_code = [System.Convert]::FromBase64String(" nocase
37 |
38 | //$64bitSpecific = "[IntPtr]::size -eq 8"
39 |
40 |
41 | condition:
42 | all of them
43 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13"
21 | hash = "ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | $dda = "[AppDomain]::CurrentDomain.DefineDynamicAssembly" nocase
28 | $imm = "InMemoryModule" nocase
29 | $mdt = "MyDelegateType" nocase
30 | $rd = "New-Object System.Reflection.AssemblyName('ReflectedDelegate')" nocase
31 | $data = "[Byte[]]$var_code = [System.Convert]::FromBase64String(" nocase
32 | $64bitSpecific = "[IntPtr]::size -eq 8"
33 | $mandatory = "Mandatory = $True"
34 |
35 | condition:
36 | all of them
37 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Template_x86_Vba_v3_8_to_v4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Template_x86_Vba_v3_8_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resources/template.x86.vba signature for versions v3.8 to v4.x"
21 | hash = "fc66cb120e7bc9209882620f5df7fdf45394c44ca71701a8662210cf3a40e142"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | $createstuff = "Function CreateStuff Lib \"kernel32\" Alias \"CreateRemoteThread\"" nocase
28 | $allocstuff = "Function AllocStuff Lib \"kernel32\" Alias \"VirtualAllocEx\"" nocase
29 | $writestuff = "Function WriteStuff Lib \"kernel32\" Alias \"WriteProcessMemory\"" nocase
30 | $runstuff = "Function RunStuff Lib \"kernel32\" Alias \"CreateProcessA\"" nocase
31 | $vars = "Dim rwxpage As Long" nocase
32 | $res = "RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)"
33 | $rwxpage = "AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)"
34 |
35 | condition:
36 | all of them and @vars[1] < @res[1] and @allocstuff[1] < @rwxpage[1]
37 | }
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__32bit_v2_x_to_4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Xor_Bin_v2_x_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resource/xor.bin signature for version 2.x through 4.x"
21 | hash = "211ccc5d28b480760ec997ed88ab2fbc5c19420a3d34c1df7991e65642638a6f"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /* The method for making these signatures consists of extracting each stub from the various resources/xor.bin files
28 | in the cobaltstrike.jar files. For each stub found, sort them by byte count (size). Then for all entries in the
29 | same size category, compare them nibble by nibble. Any mismatched nibbles get 0'd. After all stubs have been
30 | compared to each other thereby creating a mask, any 0 nibbles are turned to ? wildcards. The results are seen below */
31 | $stub52 = {fc e8 ?? ?? ?? ?? [1-32] eb 27 5? 8b ?? 83 c? ?4 8b ?? 31 ?? 83 c? ?4 5? 8b ?? 31 ?? 89 ?? 31 ?? 83 c? ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb ea 5? ff e? e8 d4 ff ff ff}
32 | $stub56 = {fc e8 ?? ?? ?? ?? [1-32] eb 2b 5d 8b ?? ?? 83 c5 ?4 8b ?? ?? 31 ?? 83 c5 ?4 55 8b ?? ?? 31 ?? 89 ?? ?? 31 ?? 83 c5 ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb e8 5? ff e? e8 d? ff ff ff}
33 |
34 | condition:
35 | any of them
36 | }
37 |
38 |
39 |
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__64bit_v3_12_to_4_x.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Resources_Xor_Bin__64bit_v3_12_to_v4_x
18 | {
19 | meta:
20 | description = "Cobalt Strike's resource/xor64.bin signature for version 3.12 through 4.x"
21 | hash = "01dba8783768093b9a34a1ea2a20f72f29fd9f43183f3719873df5827a04b744"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /* The method for making these signatures consists of extracting each stub from the various resources/xor64.bin files
28 | in the cobaltstrike.jar files. For each stub found, sort them by byte count (size). Then for all entries in the
29 | same size category, compare them nibble by nibble. Any mismatched nibbles get 0'd. After all stubs have been
30 | compared to each other thereby creating a mask, any 0 nibbles are turned to ? wildcards. The results are seen below */
31 |
32 | $stub58 = {fc e8 ?? ?? ?? ?? [1-32] eb 33 5? 8b ?? 00 4? 83 ?? ?4 8b ?? 00 31 ?? 4? 83 ?? ?4 5? 8b ?? 00 31 ?? 89 ?? 00 31 ?? 4? 83 ?? ?4 83 ?? ?4 31 ?? 39 ?? 74 ?2 eb e7 5? fc 4? 83 ?? f0 ff}
33 | $stub59 = {fc e8 ?? ?? ?? ?? [1-32] eb 2e 5? 8b ?? 48 83 c? ?4 8b ?? 31 ?? 48 83 c? ?4 5? 8b ?? 31 ?? 89 ?? 31 ?? 48 83 c? ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb e9 5? 48 83 ec ?8 ff e? e8 cd ff ff ff}
34 | $stub63 = {fc e8 ?? ?? ?? ?? [1-32] eb 32 5d 8b ?? ?? 48 83 c5 ?4 8b ?? ?? 31 ?? 48 83 c5 ?4 55 8b ?? ?? 31 ?? 89 ?? ?? 31 ?? 48 83 c5 ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb e7 5? 48 83 ec ?8 ff e? e8 c9 ff ff ff}
35 |
36 | condition:
37 | any of them
38 | }
39 |
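The comment in the rule above describes how the masked $stub patterns were derived: bucket the stubs by size, compare each bucket nibble by nibble, and wildcard every nibble that disagrees. The Python below is an added example, not code from the GCTI repository, that carries out that masking on constructed sample stubs (SAMPLE_STUBS are made up for the demonstration, not bytes from any xor64.bin) and checks that every input stub is still matched by the mask derived for its bucket. The [1-32] jump in the real patterns is a manual choice and is not derived here.

```python
"""Nibble-wise masking of same-size code stubs into a wildcarded YARA hex
string. Added example; not part of the GCTI repository. SAMPLE_STUBS below
are constructed for illustration, not bytes from any xor64.bin."""

from collections import defaultdict


def mask_same_size(stubs):
    """Compare equally sized stubs nibble by nibble. A nibble that is identical
    across every stub is kept; any nibble that differs in at least one stub is
    replaced with '?' (YARA's single-nibble wildcard). Returns the hex body
    grouped into bytes, e.g. 'fc e8 5? 8b ?2 eb'."""
    if not stubs:
        raise ValueError("need at least one stub")
    size = len(stubs[0])
    if any(len(s) != size for s in stubs):
        raise ValueError("all stubs in one size category must have equal length")
    hexes = [s.hex() for s in stubs]
    nibbles = []
    for i in range(size * 2):
        column = {h[i] for h in hexes}
        nibbles.append(hexes[0][i] if len(column) == 1 else "?")
    return " ".join("".join(nibbles[i:i + 2]) for i in range(0, len(nibbles), 2))


def build_patterns(stubs):
    """Bucket stubs by byte count, mask each bucket, return {size: hex body}."""
    by_size = defaultdict(list)
    for s in stubs:
        by_size[len(s)].append(s)
    return {size: mask_same_size(group) for size, group in sorted(by_size.items())}


def to_yara_strings(patterns, prefix="stub"):
    """Render the masks as YARA string definitions, named by size the way the
    repository's $stub58/$stub59/$stub63 are. Variable-length gaps such as
    [1-32] are a separate, manual decision and are not derived here."""
    return "\n".join(f"${prefix}{size} = {{ {body} }}" for size, body in patterns.items())


def pattern_matches(body, data):
    """Check a masked hex body against raw bytes: every literal nibble must
    match and '?' matches anything. Used to confirm each input stub is still
    covered by the mask derived from its bucket."""
    pat = body.replace(" ", "")
    hexdata = data.hex()
    if len(pat) != len(hexdata):
        return False
    return all(p == "?" or p == h for p, h in zip(pat, hexdata))


# Constructed stubs: two 6-byte variants that differ in two nibbles, and one
# lone 7-byte variant (a bucket of one yields no wildcards at all).
SAMPLE_STUBS = [
    bytes.fromhex("fce8518b12eb"),
    bytes.fromhex("fce8598b32eb"),
    bytes.fromhex("fce800000000c3"),
]

if __name__ == "__main__":
    patterns = build_patterns(SAMPLE_STUBS)
    print(to_yara_strings(patterns))
    for stub in SAMPLE_STUBS:
        assert pattern_matches(patterns[len(stub)], stub)
```

A bucket containing a single stub produces no wildcards, which is worth remembering when a new Cobalt Strike build adds a stub size seen only once: that pattern is exact and will need re-masking as more samples arrive.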
--------------------------------------------------------------------------------
/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule CobaltStrike_Sleeve_BeaconLoader_HA_x86_o_v4_3_v4_4_v4_5_and_v4_6
18 | {
19 | meta:
20 | description = "Cobalt Strike's sleeve/BeaconLoader.HA.x86.o (HeapAlloc) Versions 4.3 through at least 4.6"
21 | hash = "8e4a1862aa3693f0e9011ade23ad3ba036c76ae8ccfb6585dc19ceb101507dcd"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 |
26 | strings:
27 | /*
28 | C6 45 F0 48 mov [ebp+var_10], 48h ; 'H'
29 | C6 45 F1 65 mov [ebp+var_F], 65h ; 'e'
30 | C6 45 F2 61 mov [ebp+var_E], 61h ; 'a'
31 | C6 45 F3 70 mov [ebp+var_D], 70h ; 'p'
32 | C6 45 F4 41 mov [ebp+var_C], 41h ; 'A'
33 | C6 45 F5 6C mov [ebp+var_B], 6Ch ; 'l'
34 | C6 45 F6 6C mov [ebp+var_A], 6Ch ; 'l'
35 | C6 45 F7 6F mov [ebp+var_9], 6Fh ; 'o'
36 | C6 45 F8 63 mov [ebp+var_8], 63h ; 'c'
37 | C6 45 F9 00 mov [ebp+var_7], 0
38 | */
39 |
40 | $core_sig = {
41 | C6 45 F0 48
42 | C6 45 F1 65
43 | C6 45 F2 61
44 | C6 45 F3 70
45 | C6 45 F4 41
46 | C6 45 F5 6C
47 | C6 45 F6 6C
48 | C6 45 F7 6F
49 | C6 45 F8 63
50 | C6 45 F9 00
51 | }
52 |
53 | // These strings can narrow down the specific version
54 | //$ver_43 = { 9B 2C 3E 60 } // Version 4.3
55 | //$ver_44_45_46 = { 55 F8 86 5F } // Versions 4.4, 4.5, and 4.6
56 |
57 | condition:
58 | all of them
59 | }
60 |
61 | rule CobaltStrike_Sleeve_BeaconLoader_MVF_x86_o_v4_3_v4_4_v4_5_and_v4_6
62 | {
63 | meta:
64 | description = "Cobalt Strike's sleeve/BeaconLoader.MVF.x86.o (MapViewOfFile) Versions 4.3 through at least 4.6"
65 | hash = "cded3791caffbb921e2afa2de4c04546067c3148c187780066e8757e67841b44"
66 | author = "gssincla@google.com"
67 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
68 | date = "2022-11-18"
69 |
70 | strings:
71 | /*
72 | C6 45 EC 4D mov [ebp+var_14], 4Dh ; 'M'
73 | C6 45 ED 61 mov [ebp+var_13], 61h ; 'a'
74 | C6 45 EE 70 mov [ebp+var_12], 70h ; 'p'
75 | C6 45 EF 56 mov [ebp+var_11], 56h ; 'V'
76 | C6 45 F0 69 mov [ebp+var_10], 69h ; 'i'
77 | C6 45 F1 65 mov [ebp+var_F], 65h ; 'e'
78 | C6 45 F2 77 mov [ebp+var_E], 77h ; 'w'
79 | C6 45 F3 4F mov [ebp+var_D], 4Fh ; 'O'
80 | C6 45 F4 66 mov [ebp+var_C], 66h ; 'f'
81 | C6 45 F5 46 mov [ebp+var_B], 46h ; 'F'
82 | C6 45 F6 69 mov [ebp+var_A], 69h ; 'i'
83 | C6 45 F7 6C mov [ebp+var_9], 6Ch ; 'l'
84 | C6 45 F8 65 mov [ebp+var_8], 65h ; 'e'
85 | C6 45 F9 00 mov [ebp+var_7], 0
86 | */
87 |
88 | $core_sig = {
89 | C6 45 EC 4D
90 | C6 45 ED 61
91 | C6 45 EE 70
92 | C6 45 EF 56
93 | C6 45 F0 69
94 | C6 45 F1 65
95 | C6 45 F2 77
96 | C6 45 F3 4F
97 | C6 45 F4 66
98 | C6 45 F5 46
99 | C6 45 F6 69
100 | C6 45 F7 6C
101 | C6 45 F8 65
102 | C6 45 F9 00
103 | }
104 |
105 | // These strings can narrow down the specific version
106 | //$ver_43 = { 9C 2C 3E 60 } // Version 4.3
107 | //$ver_44_45_46 = { 55 F8 86 5F } // Versions 4.4, 4.5, and 4.6
108 |
109 | condition:
110 | all of them
111 | }
112 |
113 |
114 | rule CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6
115 | {
116 | meta:
117 | description = "Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6"
118 | hash = "94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1"
119 | author = "gssincla@google.com"
120 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
121 | date = "2022-11-18"
122 |
123 | strings:
124 | /*
125 | C6 45 B0 56 mov [ebp+var_50], 56h ; 'V'
126 | C6 45 B1 69 mov [ebp+var_50+1], 69h ; 'i'
127 | C6 45 B2 72 mov [ebp+var_50+2], 72h ; 'r'
128 | C6 45 B3 74 mov [ebp+var_50+3], 74h ; 't'
129 | C6 45 B4 75 mov [ebp+var_50+4], 75h ; 'u'
130 | C6 45 B5 61 mov [ebp+var_50+5], 61h ; 'a'
131 | C6 45 B6 6C mov [ebp+var_50+6], 6Ch ; 'l'
132 | C6 45 B7 41 mov [ebp+var_50+7], 41h ; 'A'
133 | C6 45 B8 6C mov [ebp+var_50+8], 6Ch ; 'l'
134 | C6 45 B9 6C mov [ebp+var_50+9], 6Ch ; 'l'
135 | C6 45 BA 6F mov [ebp+var_50+0Ah], 6Fh ; 'o'
136 | C6 45 BB 63 mov [ebp+var_50+0Bh], 63h ; 'c'
137 | C6 45 BC 00 mov [ebp+var_50+0Ch], 0
138 | */
139 |
140 | $core_sig = {
141 | C6 45 B0 56
142 | C6 45 B1 69
143 | C6 45 B2 72
144 | C6 45 B3 74
145 | C6 45 B4 75
146 | C6 45 B5 61
147 | C6 45 B6 6C
148 | C6 45 B7 41
149 | C6 45 B8 6C
150 | C6 45 B9 6C
151 | C6 45 BA 6F
152 | C6 45 BB 63
153 | C6 45 BC 00
154 | }
155 |
156 | /*
157 | 8B 4D FC mov ecx, [ebp+var_4]
158 | 83 C1 01 add ecx, 1
159 | 89 4D FC mov [ebp+var_4], ecx
160 | 8B 55 FC mov edx, [ebp+var_4]
161 | 3B 55 0C cmp edx, [ebp+arg_4]
162 | 73 19 jnb short loc_231
163 | 0F B6 45 10 movzx eax, [ebp+arg_8]
164 | 8B 4D 08 mov ecx, [ebp+arg_0]
165 | 03 4D FC add ecx, [ebp+var_4]
166 | 0F BE 11 movsx edx, byte ptr [ecx]
167 | 33 D0 xor edx, eax
168 | 8B 45 08 mov eax, [ebp+arg_0]
169 | 03 45 FC add eax, [ebp+var_4]
170 | 88 10 mov [eax], dl
171 | EB D6 jmp short loc_207
172 | */
173 |
174 | $deobfuscator = {
175 | 8B 4D FC
176 | 83 C1 01
177 | 89 4D FC
178 | 8B 55 FC
179 | 3B 55 0C
180 | 73 19
181 | 0F B6 45 10
182 | 8B 4D 08
183 | 03 4D FC
184 | 0F BE 11
185 | 33 D0
186 | 8B 45 08
187 | 03 45 FC
188 | 88 10
189 | EB D6
190 | }
191 |
192 | condition:
193 | all of them
194 | }
195 |
196 | rule CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6
197 | {
198 | meta:
199 | description = "Cobalt Strike's sleeve/BeaconLoader.x86.o Versions 4.3 through at least 4.6"
200 | hash = "94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1"
201 | author = "gssincla@google.com"
202 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
203 | date = "2022-11-18"
204 |
205 | strings:
206 | /*
207 | C6 45 B0 56 mov [ebp+var_50], 56h ; 'V'
208 | C6 45 B1 69 mov [ebp+var_50+1], 69h ; 'i'
209 | C6 45 B2 72 mov [ebp+var_50+2], 72h ; 'r'
210 | C6 45 B3 74 mov [ebp+var_50+3], 74h ; 't'
211 | C6 45 B4 75 mov [ebp+var_50+4], 75h ; 'u'
212 | C6 45 B5 61 mov [ebp+var_50+5], 61h ; 'a'
213 | C6 45 B6 6C mov [ebp+var_50+6], 6Ch ; 'l'
214 | C6 45 B7 41 mov [ebp+var_50+7], 41h ; 'A'
215 | C6 45 B8 6C mov [ebp+var_50+8], 6Ch ; 'l'
216 | C6 45 B9 6C mov [ebp+var_50+9], 6Ch ; 'l'
217 | C6 45 BA 6F mov [ebp+var_50+0Ah], 6Fh ; 'o'
218 | C6 45 BB 63 mov [ebp+var_50+0Bh], 63h ; 'c'
219 | C6 45 BC 00 mov [ebp+var_50+0Ch], 0
220 | */
221 |
222 | $core_sig = {
223 | C6 45 B0 56
224 | C6 45 B1 69
225 | C6 45 B2 72
226 | C6 45 B3 74
227 | C6 45 B4 75
228 | C6 45 B5 61
229 | C6 45 B6 6C
230 | C6 45 B7 41
231 | C6 45 B8 6C
232 | C6 45 B9 6C
233 | C6 45 BA 6F
234 | C6 45 BB 63
235 | C6 45 BC 00
236 | }
237 |
238 | /*
239 | 8B 4D FC mov ecx, [ebp+var_4]
240 | 83 C1 01 add ecx, 1
241 | 89 4D FC mov [ebp+var_4], ecx
242 | 8B 55 FC mov edx, [ebp+var_4]
243 | 3B 55 0C cmp edx, [ebp+arg_4]
244 | 73 19 jnb short loc_231
245 | 0F B6 45 10 movzx eax, [ebp+arg_8]
246 | 8B 4D 08 mov ecx, [ebp+arg_0]
247 | 03 4D FC add ecx, [ebp+var_4]
248 | 0F BE 11 movsx edx, byte ptr [ecx]
249 | 33 D0 xor edx, eax
250 | 8B 45 08 mov eax, [ebp+arg_0]
251 | 03 45 FC add eax, [ebp+var_4]
252 | 88 10 mov [eax], dl
253 | EB D6 jmp short loc_207
254 | */
255 |
256 | $deobfuscator = {
257 | 8B 4D FC
258 | 83 C1 01
259 | 89 4D FC
260 | 8B 55 FC
261 | 3B 55 0C
262 | 73 19
263 | 0F B6 45 10
264 | 8B 4D 08
265 | 03 4D FC
266 | 0F BE 11
267 | 33 D0
268 | 8B 45 08
269 | 03 45 FC
270 | 88 10
271 | EB D6
272 | }
273 |
274 | condition:
275 | $core_sig and not $deobfuscator
276 | }
277 |
278 |
279 | // 64-bit BeaconLoaders
280 |
281 | rule CobaltStrike_Sleeve_BeaconLoader_HA_x64_o_v4_3_v4_4_v4_5_and_v4_6
282 | {
283 | meta:
284 | description = "Cobalt Strike's sleeve/BeaconLoader.HA.x64.o (HeapAlloc) Versions 4.3 through at least 4.6"
285 | hash = "d64f10d5a486f0f2215774e8ab56087f32bef19ac666e96c5627c70d345a354d"
286 | author = "gssincla@google.com"
287 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
288 | date = "2022-11-18"
289 |
290 | strings:
291 | /*
292 | C6 44 24 38 48 mov [rsp+78h+var_40], 48h ; 'H'
293 | C6 44 24 39 65 mov [rsp+78h+var_3F], 65h ; 'e'
294 | C6 44 24 3A 61 mov [rsp+78h+var_3E], 61h ; 'a'
295 | C6 44 24 3B 70 mov [rsp+78h+var_3D], 70h ; 'p'
296 | C6 44 24 3C 41 mov [rsp+78h+var_3C], 41h ; 'A'
297 | C6 44 24 3D 6C mov [rsp+78h+var_3B], 6Ch ; 'l'
298 | C6 44 24 3E 6C mov [rsp+78h+var_3A], 6Ch ; 'l'
299 | C6 44 24 3F 6F mov [rsp+78h+var_39], 6Fh ; 'o'
300 | C6 44 24 40 63 mov [rsp+78h+var_38], 63h ; 'c'
301 | C6 44 24 41 00 mov [rsp+78h+var_37], 0
302 | */
303 |
304 | $core_sig = {
305 | C6 44 24 38 48
306 | C6 44 24 39 65
307 | C6 44 24 3A 61
308 | C6 44 24 3B 70
309 | C6 44 24 3C 41
310 | C6 44 24 3D 6C
311 | C6 44 24 3E 6C
312 | C6 44 24 3F 6F
313 | C6 44 24 40 63
314 | C6 44 24 41 00
315 | }
316 |
317 | // These strings can narrow down the specific version
318 | //$ver_43 = { 96 2C 3E 60 } // Version 4.3
319 | //$ver_44_45_46 = { D1 56 86 5F } // Versions 4.4, 4.5, and 4.6
320 |
321 | condition:
322 | all of them
323 | }
324 |
325 |
326 | rule CobaltStrike_Sleeve_BeaconLoader_MVF_x64_o_v4_3_v4_4_v4_5_and_v4_6
327 | {
328 | meta:
329 | description = "Cobalt Strike's sleeve/BeaconLoader.MVF.x64.o (MapViewOfFile) Versions 4.3 through at least 4.6"
330 | hash = "9d5b6ccd0d468da389657309b2dc325851720390f9a5f3d3187aff7d2cd36594"
331 | author = "gssincla@google.com"
332 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
333 | date = "2022-11-18"
334 |
335 | strings:
336 | /*
337 | C6 44 24 58 4D mov [rsp+98h+var_40], 4Dh ; 'M'
338 | C6 44 24 59 61 mov [rsp+98h+var_3F], 61h ; 'a'
339 | C6 44 24 5A 70 mov [rsp+98h+var_3E], 70h ; 'p'
340 | C6 44 24 5B 56 mov [rsp+98h+var_3D], 56h ; 'V'
341 | C6 44 24 5C 69 mov [rsp+98h+var_3C], 69h ; 'i'
342 | C6 44 24 5D 65 mov [rsp+98h+var_3B], 65h ; 'e'
343 | C6 44 24 5E 77 mov [rsp+98h+var_3A], 77h ; 'w'
344 | C6 44 24 5F 4F mov [rsp+98h+var_39], 4Fh ; 'O'
345 | C6 44 24 60 66 mov [rsp+98h+var_38], 66h ; 'f'
346 | C6 44 24 61 46 mov [rsp+98h+var_37], 46h ; 'F'
347 | C6 44 24 62 69 mov [rsp+98h+var_36], 69h ; 'i'
348 | C6 44 24 63 6C mov [rsp+98h+var_35], 6Ch ; 'l'
349 | C6 44 24 64 65 mov [rsp+98h+var_34], 65h ; 'e'
350 | */
351 |
352 | $core_sig = {
353 | C6 44 24 58 4D
354 | C6 44 24 59 61
355 | C6 44 24 5A 70
356 | C6 44 24 5B 56
357 | C6 44 24 5C 69
358 | C6 44 24 5D 65
359 | C6 44 24 5E 77
360 | C6 44 24 5F 4F
361 | C6 44 24 60 66
362 | C6 44 24 61 46
363 | C6 44 24 62 69
364 | C6 44 24 63 6C
365 | C6 44 24 64 65
366 | }
367 |
368 | // These strings can narrow down the specific version
369 | //$ver_43 = { 96 2C 3E 60 } // Version 4.3
370 | //$ver_44_45_46 = { D2 57 86 5F } // Versions 4.4, 4.5, and 4.6
371 |
372 | condition:
373 | all of them
374 | }
375 |
376 | rule CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6
377 | {
378 | meta:
379 | description = "Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6"
380 | hash = "ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9"
381 | author = "gssincla@google.com"
382 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
383 | date = "2022-11-18"
384 |
385 | strings:
386 | /*
387 | C6 44 24 48 56 mov [rsp+88h+var_40], 56h ; 'V'
388 | C6 44 24 49 69 mov [rsp+88h+var_40+1], 69h ; 'i'
389 | C6 44 24 4A 72 mov [rsp+88h+var_40+2], 72h ; 'r'
390 | C6 44 24 4B 74 mov [rsp+88h+var_40+3], 74h ; 't'
391 | C6 44 24 4C 75 mov [rsp+88h+var_40+4], 75h ; 'u'
392 | C6 44 24 4D 61 mov [rsp+88h+var_40+5], 61h ; 'a'
393 | C6 44 24 4E 6C mov [rsp+88h+var_40+6], 6Ch ; 'l'
394 | C6 44 24 4F 41 mov [rsp+88h+var_40+7], 41h ; 'A'
395 | C6 44 24 50 6C mov [rsp+88h+var_40+8], 6Ch ; 'l'
396 | C6 44 24 51 6C mov [rsp+88h+var_40+9], 6Ch ; 'l'
397 | C6 44 24 52 6F mov [rsp+88h+var_40+0Ah], 6Fh ; 'o'
398 | C6 44 24 53 63 mov [rsp+88h+var_40+0Bh], 63h ; 'c'
399 | C6 44 24 54 00 mov [rsp+88h+var_40+0Ch], 0
400 | */
401 |
402 | $core_sig = {
403 | C6 44 24 48 56
404 | C6 44 24 49 69
405 | C6 44 24 4A 72
406 | C6 44 24 4B 74
407 | C6 44 24 4C 75
408 | C6 44 24 4D 61
409 | C6 44 24 4E 6C
410 | C6 44 24 4F 41
411 | C6 44 24 50 6C
412 | C6 44 24 51 6C
413 | C6 44 24 52 6F
414 | C6 44 24 53 63
415 | C6 44 24 54 00
416 | }
417 |
418 |
419 | /*
420 | 8B 04 24 mov eax, [rsp+18h+var_18]
421 | FF C0 inc eax
422 | 89 04 24 mov [rsp+18h+var_18], eax
423 | 8B 44 24 28 mov eax, [rsp+18h+arg_8]
424 | 39 04 24 cmp [rsp+18h+var_18], eax
425 | 73 20 jnb short loc_2E7
426 | 8B 04 24 mov eax, [rsp+18h+var_18]
427 | 0F B6 4C 24 30 movzx ecx, [rsp+18h+arg_10]
428 | 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0]
429 | 0F BE 04 02 movsx eax, byte ptr [rdx+rax]
430 | 33 C1 xor eax, ecx
431 | 8B 0C 24 mov ecx, [rsp+18h+var_18]
432 | 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0]
433 | 88 04 0A mov [rdx+rcx], al
434 | */
435 |
436 | $deobfuscator = {
437 | 8B 04 24
438 | FF C0
439 | 89 04 24
440 | 8B 44 24 28
441 | 39 04 24
442 | 73 20
443 | 8B 04 24
444 | 0F B6 4C 24 30
445 | 48 8B 54 24 20
446 | 0F BE 04 02
447 | 33 C1
448 | 8B 0C 24
449 | 48 8B 54 24 20
450 | 88 04 0A
451 | }
452 |
453 |
454 | condition:
455 | all of them
456 | }
457 |
458 | rule CobaltStrike_Sleeve_BeaconLoader_x64_o_v4_3_v4_4_v4_5_and_v4_6
459 | {
460 | meta:
461 | description = "Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6"
462 | hash = "ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9"
463 | author = "gssincla@google.com"
464 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
465 | date = "2022-11-18"
466 |
467 | strings:
468 | /*
469 | 33 C0 xor eax, eax
470 | 83 F8 01 cmp eax, 1
471 | 74 63 jz short loc_378
472 | 48 8B 44 24 20 mov rax, [rsp+38h+var_18]
473 | 0F B7 00 movzx eax, word ptr [rax]
474 | 3D 4D 5A 00 00 cmp eax, 5A4Dh
475 | 75 45 jnz short loc_369
476 | 48 8B 44 24 20 mov rax, [rsp+38h+var_18]
477 | 48 63 40 3C movsxd rax, dword ptr [rax+3Ch]
478 | 48 89 44 24 28 mov [rsp+38h+var_10], rax
479 | 48 83 7C 24 28 40 cmp [rsp+38h+var_10], 40h ; '@'
480 | 72 2F jb short loc_369
481 | 48 81 7C 24 28 00 04 00 00 cmp [rsp+38h+var_10], 400h
482 | 73 24 jnb short loc_369
483 | 48 8B 44 24 20 mov rax, [rsp+38h+var_18]
484 | 48 8B 4C 24 28 mov rcx, [rsp+38h+var_10]
485 | 48 03 C8 add rcx, rax
486 | 48 8B C1 mov rax, rcx
487 | 48 89 44 24 28 mov [rsp+38h+var_10], rax
488 | 48 8B 44 24 28 mov rax, [rsp+38h+var_10]
489 | 81 38 50 45 00 00 cmp dword ptr [rax], 4550h
490 | 75 02 jnz short loc_369
491 | */
492 |
493 | $core_sig = {
494 | 33 C0
495 | 83 F8 01
496 | 74 63
497 | 48 8B 44 24 20
498 | 0F B7 00
499 | 3D 4D 5A 00 00
500 | 75 45
501 | 48 8B 44 24 20
502 | 48 63 40 3C
503 | 48 89 44 24 28
504 | 48 83 7C 24 28 40
505 | 72 2F
506 | 48 81 7C 24 28 00 04 00 00
507 | 73 24
508 | 48 8B 44 24 20
509 | 48 8B 4C 24 28
510 | 48 03 C8
511 | 48 8B C1
512 | 48 89 44 24 28
513 | 48 8B 44 24 28
514 | 81 38 50 45 00 00
515 | 75 02
516 | }
517 |
518 | /*
519 | 8B 04 24 mov eax, [rsp+18h+var_18]
520 | FF C0 inc eax
521 | 89 04 24 mov [rsp+18h+var_18], eax
522 | 8B 44 24 28 mov eax, [rsp+18h+arg_8]
523 | 39 04 24 cmp [rsp+18h+var_18], eax
524 | 73 20 jnb short loc_2E7
525 | 8B 04 24 mov eax, [rsp+18h+var_18]
526 | 0F B6 4C 24 30 movzx ecx, [rsp+18h+arg_10]
527 | 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0]
528 | 0F BE 04 02 movsx eax, byte ptr [rdx+rax]
529 | 33 C1 xor eax, ecx
530 | 8B 0C 24 mov ecx, [rsp+18h+var_18]
531 | 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0]
532 | 88 04 0A mov [rdx+rcx], al
533 | */
534 |
535 | $deobfuscator = {
536 | 8B 04 24
537 | FF C0
538 | 89 04 24
539 | 8B 44 24 28
540 | 39 04 24
541 | 73 20
542 | 8B 04 24
543 | 0F B6 4C 24 30
544 | 48 8B 54 24 20
545 | 0F BE 04 02
546 | 33 C1
547 | 8B 0C 24
548 | 48 8B 54 24 20
549 | 88 04 0A
550 | }
551 |
552 |
553 | condition:
554 | $core_sig and not $deobfuscator
555 | }
556 |
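Each $core_sig in the BeaconLoader rules above is the byte-by-byte construction of an API name on the stack (mov byte ptr [ebp+disp8], imm8 on x86, mov byte ptr [rsp+disp8], imm8 on x64). As an added example, not code from the GCTI repository, the Python below builds that store run for a given name and frame displacement, so the rule bytes can be regenerated and checked against the file, and recovers such strings from raw code, which is the analyst-side view of what these signatures key on. The sample inputs are constructed inside the block and the helper names are my own.

```python
"""Stack-string encoding used by the BeaconLoader signatures, and the reverse
operation. Added example, not code from the GCTI repository; the sample byte
sequences are built here, not taken from a loader."""

X86_EBP_STORE = b"\xC6\x45"      # mov byte ptr [ebp+disp8], imm8  (C6 /0, ModRM 45)
X64_RSP_STORE = b"\xC6\x44\x24"  # mov byte ptr [rsp+disp8], imm8  (C6 /0, ModRM 44, SIB 24)


def stack_string_bytes(name, base_disp, x64=False):
    """Emit the byte-store run a compiler produces when it builds a
    NUL-terminated ASCII string one byte at a time on the stack. base_disp is
    the 8-bit displacement of the first character (0xF0 for [ebp+var_10] in
    the HA.x86 rule, 0x38 for [rsp+78h+var_40] in the HA.x64 rule)."""
    prefix = X64_RSP_STORE if x64 else X86_EBP_STORE
    out = bytearray()
    for i, ch in enumerate(name.encode("ascii") + b"\x00"):
        out += prefix + bytes([(base_disp + i) & 0xFF, ch])
    return bytes(out)


def yara_hex(data):
    """Render bytes the way the repository writes its $core_sig blocks."""
    return " ".join(f"{b:02X}" for b in data)


def _store_at(code, i):
    """If a byte store to [ebp+disp8] or [rsp+disp8] starts at offset i,
    return (disp, imm, instruction_length); otherwise None."""
    if code.startswith(X64_RSP_STORE, i) and i + 5 <= len(code):
        return code[i + 3], code[i + 4], 5
    if code.startswith(X86_EBP_STORE, i) and i + 4 <= len(code):
        return code[i + 2], code[i + 3], 4
    return None


def recover_stack_strings(code, min_len=4):
    """Walk raw code and collect printable strings assembled by consecutive
    byte stores to adjacent stack slots. A run ends at a NUL store, at a store
    to a non-adjacent slot, or at any byte that is not such a store; the last
    case mirrors the signatures, which require the stores to be contiguous."""
    found, run, expect, i = [], bytearray(), None, 0

    def flush():
        if len(run) >= min_len and all(0x20 <= b < 0x7F for b in run):
            found.append(run.decode("ascii"))
        run.clear()

    while i < len(code):
        store = _store_at(code, i)
        if store is None:
            flush()
            i += 1
            continue
        disp, imm, length = store
        if run and disp != expect:
            flush()
        if imm == 0:          # NUL terminator closes the string
            flush()
        else:
            run.append(imm)
        expect = (disp + 1) & 0xFF
        i += length
    flush()
    return found


if __name__ == "__main__":
    ha_x86 = stack_string_bytes("HeapAlloc", 0xF0)
    print(yara_hex(ha_x86))               # the HA.x86 $core_sig bytes
    print(recover_stack_strings(ha_x86))  # ['HeapAlloc']
```

Regenerating the bytes from the name is a cheap sanity check on a hand-typed hex block (a single wrong displacement silently breaks the rule), and the recovery routine is tolerant of a missing terminator, which matters for the MVF.x64 pattern above, whose $core_sig stops at the last character.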
--------------------------------------------------------------------------------
/YARA/README.md:
--------------------------------------------------------------------------------
1 | # YARA Signatures
2 |
3 | This directory contains the currently open sourced YARA signatures from
4 | GCTI. Each directory contains signatures specific to a particular malware/
5 | tool family.
6 |
7 | The following signature sets are currently included:
8 |
9 | - [CobaltStrike](CobaltStrike): Signatures for detecting the key components of the Cobalt Strike
10 | framework.
11 |
12 | - [Sliver](Sliver): Signatures for detecting the 32- and 64-bit versions of the Sliver
13 | implant.
14 |
15 |
--------------------------------------------------------------------------------
/YARA/Sliver/Sliver__Implant_32bit.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule Sliver_Implant_32bit
18 | {
19 | meta:
20 | description = "Sliver 32-bit implant (with and without --debug flag at compile)"
21 | hash = "911f4106350871ddb1396410d36f2d2eadac1166397e28a553b28678543a9357"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 | modified = "2022-11-19"
26 |
27 | strings:
28 | // We look for the specific switch/case statement case values.
29 |
30 | // case "tcppivot":
31 | /*
32 | 81 ?? 74 63 70 70 cmp dword ptr [ecx], 70706374h
33 | .
34 | .
35 | .
36 | 81 ?? 04 69 76 6F 74 cmp dword ptr [ecx+4], 746F7669h
37 | */
38 | $s_tcppivot = { 81 ?? 74 63 70 70 [2-20] 81 ?? 04 69 76 6F 74 }
39 |
40 | // case "wg":
41 | /*
42 | 66 81 ?? 77 67 cmp word ptr [eax], 6777h // "gw"
43 | */
44 | $s_wg = { 66 81 ?? 77 67 }
45 |
46 | // case "dns":
47 | /*
48 | 66 81 ?? 64 6E cmp word ptr [eax], 6E64h // "nd"
49 | .
50 | .
51 | .
52 | 80 ?? 02 73 cmp byte ptr [eax+2], 73h ; 's'
53 | */
54 | $s_dns = { 66 81 ?? 64 6E [2-20] 80 ?? 02 73 }
55 |
56 | // case "http":
57 | /*
58 | 81 ?? 68 74 74 70 cmp dword ptr [eax], 70747468h // "ptth"
59 | */
60 | $s_http = { 81 ?? 68 74 74 70 }
61 |
62 | // case "https":
63 | /*
64 | 81 ?? 68 74 74 70 cmp dword ptr [ecx], 70747468h // "ptth"
65 | .
66 | .
67 | .
68 | 80 ?? 04 73 cmp byte ptr [ecx+4], 73h ; 's'
69 | */
70 | $s_https = { 81 ?? 68 74 74 70 [2-20] 80 ?? 04 73 }
71 |
72 | // case "mtls": NOTE: this one can be missing due to compile-time config
73 | /*
74 | 81 ?? 6D 74 6C 73 cmp dword ptr [eax], 736C746Dh // "sltm"
75 | */
76 | $s_mtls = { 81 ?? 6D 74 6C 73 }
77 |
78 | $fp1 = "cloudfoundry" ascii fullword
79 | condition:
80 | 4 of ($s*) and not 1 of ($fp*)
81 | }
--------------------------------------------------------------------------------
/YARA/Sliver/Sliver__Implant_64bit.yara:
--------------------------------------------------------------------------------
1 | /*
2 | * Copyright 2022 Google LLC
3 | *
4 | * Licensed under the Apache License, Version 2.0 (the "License");
5 | * you may not use this file except in compliance with the License.
6 | * You may obtain a copy of the License at
7 | *
8 | * https://www.apache.org/licenses/LICENSE-2.0
9 | *
10 | * Unless required by applicable law or agreed to in writing, software
11 | * distributed under the License is distributed on an "AS IS" BASIS,
12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | * See the License for the specific language governing permissions and
14 | * limitations under the License.
15 | */
16 |
17 | rule Sliver_Implant_64bit
18 | {
19 | meta:
20 | description = "Sliver 64-bit implant (with and without --debug flag at compile)"
21 | hash = "2d1c9de42942a16c88a042f307f0ace215cdc67241432e1152080870fe95ea87"
22 | author = "gssincla@google.com"
23 | reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
24 | date = "2022-11-18"
25 | modified = "2022-11-19"
26 |
27 | strings:
28 | // We look for the specific switch/case statement case values.
29 |
30 | // case "tcppivot":
31 | /*
32 | 48 ?? 74 63 70 70 69 76 6F 74 mov rcx, 746F766970706374h
33 | */
34 | $s_tcppivot = { 48 ?? 74 63 70 70 69 76 6F 74 }
35 |
36 |
37 | // case "namedpipe":
38 | /*
39 | 48 ?? 6E 61 6D 65 64 70 69 70 mov rsi, 70697064656D616Eh // "pipdeman"
40 | .
41 | .
42 | .
43 | 80 ?? 08 65 cmp byte ptr [rdx+8], 65h ; 'e'
44 |
45 | */
46 | $s_namedpipe = { 48 ?? 6E 61 6D 65 64 70 69 70 [2-32] 80 ?? 08 65 }
47 |
48 | // case "https":
49 | /*
50 | 81 3A 68 74 74 70 cmp dword ptr [rdx], 70747468h // "ptth"
51 | .
52 | .
53 | .
54 | 80 7A 04 73 cmp byte ptr [rdx+4], 73h ; 's'
55 | */
56 | $s_https = { 81 ?? 68 74 74 70 [2-32] 80 ?? 04 73 }
57 |
58 | // case "wg":
59 | /*
60 | 66 81 3A 77 67 cmp word ptr [rdx], 6777h // "gw"
61 | */
62 | $s_wg = {66 81 ?? 77 67}
63 |
64 |
65 | // case "dns":
66 | /*
67 | 66 81 3A 64 6E cmp word ptr [rdx], 6E64h // "nd"
68 | .
69 | .
70 | .
71 | 80 7A 02 73 cmp byte ptr [rdx+2], 73h ; 's'
72 | */
73 | $s_dns = { 66 81 ?? 64 6E [2-20] 80 ?? 02 73 }
74 |
75 | // case "mtls": // This one may or may not be in the file, depending on the config flags.
76 | /*
77 | 81 ?? 6D 74 6C 73 cmp dword ptr [rdx], 736C746Dh // "sltm"
78 | */
79 | $s_mtls = { 81 ?? 6D 74 6C 73 }
80 |
81 | $fp1 = "cloudfoundry" ascii fullword
82 | condition:
83 | 5 of ($s*) and not 1 of ($fp*)
84 | }
85 |
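The Sliver_Implant_32bit and Sliver_Implant_64bit rules above both match the constants that the compiled string switch compares a protocol label against. As an added example, not code from the GCTI repository, the Python below rebuilds those hex patterns from the case labels using the chunking the two rules exhibit (a qword register load on 64-bit, then dword, word and byte compares; this ordering is inferred from the patterns, not taken from the Go toolchain), and decodes a disassembler immediate back to the bytes in memory order, which is why the comments read "ptth" for http while the hex pattern carries the string in order. Function names and the gap defaults are mine.

```python
"""Derive the Sliver switch/case signatures from their case labels and decode
the immediates back. Added example, not code from the GCTI repository. The
chunking order and the instruction encodings are inferred from the hex
patterns in the two Sliver rules, not from the Go compiler's source."""

import struct


def chunk_widths(length, x64):
    """Split a label of `length` bytes into the comparison widths the rules
    show: 64-bit builds first load a whole qword into a register, then both
    builds compare dwords, then a word, then a single byte."""
    widths = (8, 4, 2, 1) if x64 else (4, 2, 1)
    chunks, off = [], 0
    for w in widths:
        while length - off >= w:
            chunks.append((off, w))
            off += w
    return chunks


def fragment(chunk, offset):
    """Hex pattern for one comparison. The ModRM (or register) byte is left as
    '??' so the pattern survives register allocation changes; a non-zero
    offset appears as the disp8 byte, as in '81 ?? 04 69 76 6F 74'."""
    imm = [f"{b:02X}" for b in chunk]
    disp = [] if offset == 0 else [f"{offset:02X}"]
    if len(chunk) == 8:
        if offset:
            raise ValueError("the rules only show a qword load at offset 0")
        return " ".join(["48", "??"] + imm)                # mov r64, imm64
    if len(chunk) == 4:
        return " ".join(["81", "??"] + disp + imm)         # cmp dword ptr [r+disp8], imm32
    if len(chunk) == 2:
        return " ".join(["66", "81", "??"] + disp + imm)   # cmp word ptr [r+disp8], imm16
    return " ".join(["80", "??"] + disp + imm)             # cmp byte ptr [r+disp8], imm8


def sliver_case_pattern(label, x64=False, gap=None):
    """Full hex string body for one case label, with a variable-length gap
    between comparisons (the rules use [2-20] for 32-bit and [2-32] for most
    64-bit strings)."""
    gap = gap or ("[2-32]" if x64 else "[2-20]")
    data = label.encode("ascii")
    parts = [fragment(data[off:off + w], off) for off, w in chunk_widths(len(data), x64)]
    return f" {gap} ".join(parts)


def immediate_to_text(value, width):
    """Turn a disassembler immediate such as 70706374h back into the bytes in
    memory order. Little-endian storage is why the listing shows the string
    reversed while the hex pattern does not."""
    fmt = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}[width]
    return struct.pack(fmt, value).decode("ascii")


if __name__ == "__main__":
    for label in ("tcppivot", "wg", "dns", "http", "https", "mtls"):
        print(f"$s_{label} = {{ {sliver_case_pattern(label)} }}")
    print(immediate_to_text(0x746F766970706374, 8))  # tcppivot
```

The generator reproduces every $s_* body in the two rules from its label alone, which makes it easy to see which strings the condition's "4 of" / "5 of" thresholds leave room for when a build omits one transport (the mtls case noted in both rules).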
--------------------------------------------------------------------------------
/docs/code-of-conduct.md:
--------------------------------------------------------------------------------
1 | # Code of Conduct
2 |
3 | ## Our Pledge
4 |
5 | In the interest of fostering an open and welcoming environment, we as
6 | contributors and maintainers pledge to making participation in our project and
7 | our community a harassment-free experience for everyone, regardless of age, body
8 | size, disability, ethnicity, gender identity and expression, level of
9 | experience, education, socio-economic status, nationality, personal appearance,
10 | race, religion, or sexual identity and orientation.
11 |
12 | ## Our Standards
13 |
14 | Examples of behavior that contributes to creating a positive environment
15 | include:
16 |
17 | * Using welcoming and inclusive language
18 | * Being respectful of differing viewpoints and experiences
19 | * Gracefully accepting constructive criticism
20 | * Focusing on what is best for the community
21 | * Showing empathy towards other community members
22 |
23 | Examples of unacceptable behavior by participants include:
24 |
25 | * The use of sexualized language or imagery and unwelcome sexual attention or
26 | advances
27 | * Trolling, insulting/derogatory comments, and personal or political attacks
28 | * Public or private harassment
29 | * Publishing others' private information, such as a physical or electronic
30 | address, without explicit permission
31 | * Other conduct which could reasonably be considered inappropriate in a
32 | professional setting
33 |
34 | ## Our Responsibilities
35 |
36 | Project maintainers are responsible for clarifying the standards of acceptable
37 | behavior and are expected to take appropriate and fair corrective action in
38 | response to any instances of unacceptable behavior.
39 |
40 | Project maintainers have the right and responsibility to remove, edit, or reject
41 | comments, commits, code, wiki edits, issues, and other contributions that are
42 | not aligned to this Code of Conduct, or to ban temporarily or permanently any
43 | contributor for other behaviors that they deem inappropriate, threatening,
44 | offensive, or harmful.
45 |
46 | ## Scope
47 |
48 | This Code of Conduct applies both within project spaces and in public spaces
49 | when an individual is representing the project or its community. Examples of
50 | representing a project or community include using an official project e-mail
51 | address, posting via an official social media account, or acting as an appointed
52 | representative at an online or offline event. Representation of a project may be
53 | further defined and clarified by project maintainers.
54 |
55 | This Code of Conduct also applies outside the project spaces when the Project
56 | Steward has a reasonable belief that an individual's behavior may have a
57 | negative impact on the project or its community.
58 |
59 | ## Conflict Resolution
60 |
61 | We do not believe that all conflict is bad; healthy debate and disagreement
62 | often yield positive results. However, it is never okay to be disrespectful or
63 | to engage in behavior that violates the project’s code of conduct.
64 |
65 | If you see someone violating the code of conduct, you are encouraged to address
66 | the behavior directly with those involved. Many issues can be resolved quickly
67 | and easily, and this gives people more control over the outcome of their
68 | dispute. If you are unable to resolve the matter for any reason, or if the
69 | behavior is threatening or harassing, report it. We are dedicated to providing
70 | an environment where participants feel welcome and safe.
71 |
72 | Reports should be directed to *[PROJECT STEWARD NAME(s) AND EMAIL(s)]*, the
73 | Project Steward(s) for *[PROJECT NAME]*. It is the Project Steward’s duty to
74 | receive and address reported violations of the code of conduct. They will then
75 | work with a committee consisting of representatives from the Open Source
76 | Programs Office and the Google Open Source Strategy team. If for any reason you
77 | are uncomfortable reaching out to the Project Steward, please email
78 | opensource@google.com.
79 |
80 | We will investigate every complaint, but you may not receive a direct response.
81 | We will use our discretion in determining when and how to follow up on reported
82 | incidents, which may range from not taking action to permanent expulsion from
83 | the project and project-sponsored spaces. We will notify the accused of the
84 | report and provide them an opportunity to discuss it before any action is taken.
85 | The identity of the reporter will be omitted from the details of the report
86 | supplied to the accused. In potentially harmful situations, such as ongoing
87 | harassment or threats to anyone's safety, we may take action without notice.
88 |
89 | ## Attribution
90 |
91 | This Code of Conduct is adapted from the Contributor Covenant, version 1.4,
92 | available at
93 | https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
94 |
--------------------------------------------------------------------------------
/docs/contributing.md:
--------------------------------------------------------------------------------
1 | # How to Contribute
2 |
3 | We'd love to accept your patches and contributions to this project. There are
4 | just a few small guidelines you need to follow.
5 |
6 | ## Contributor License Agreement
7 |
8 | Contributions to this project must be accompanied by a Contributor License
9 | Agreement. You (or your employer) retain the copyright to your contribution;
10 | this simply gives us permission to use and redistribute your contributions as
11 | part of the project. Head over to to see
12 | your current agreements on file or to sign a new one.
13 |
14 | You generally only need to submit a CLA once, so if you've already submitted one
15 | (even if it was for a different project), you probably don't need to do it
16 | again.
17 |
18 | ## Code Reviews
19 |
20 | All submissions, including submissions by project members, require review. We
21 | use GitHub pull requests for this purpose. Consult
22 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
23 | information on using pull requests.
24 |
25 | ## Community Guidelines
26 |
27 | This project follows [Google's Open Source Community
28 | Guidelines](https://opensource.google/conduct/).
29 |
--------------------------------------------------------------------------------