-
Notifications
You must be signed in to change notification settings - Fork 605
/
apt_cobaltstrike.yar
122 lines (109 loc) · 5.14 KB
/
apt_cobaltstrike.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
/*
LICENSE
Copyright (C) 2015 JPCERT Coordination Center. All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following acknowledgments and disclaimers.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following acknowledgments and disclaimers
in the documentation and/or other materials provided with the distribution.
3. Products derived from this software may not include "JPCERT Coordination
Center" in the name of such derived product, nor shall "JPCERT
Coordination Center" be used to endorse or promote products derived
from this software without prior written permission. For written
permission, please contact [email protected].
ACKNOWLEDGMENTS AND DISCLAIMERS
Copyright (C) 2015 JPCERT Coordination Center
This software is based upon work funded and supported by the Ministry of
Economy, Trade and Industry.
Any opinions, findings and conclusions or recommendations expressed in this
software are those of the author(s) and do not necessarily reflect the views
of the Ministry of Economy, Trade and Industry.
NO WARRANTY. THIS JPCERT COORDINATION CENTER SOFTWARE IS FURNISHED ON
AN "AS-IS" BASIS. JPCERT COORDINATION CENTER MAKES NO WARRANTIES OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,
EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE SOFTWARE. JPCERT
COORDINATION CENTER DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH
RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This software has been approved for public release and unlimited distribution.
*/
rule APT_CobaltStrike_Beacon_Indicator {
meta:
description = "Detects CobaltStrike beacons"
author = "JPCERT"
reference = "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py"
date = "2018-11-09"
id = "8508c7a0-0131-59b1-b537-a6d1c6cb2b35"
strings:
$v1 = { 73 70 72 6E 67 00 }
$v2 = { 69 69 69 69 69 69 69 69 }
condition:
uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
rule HKTL_CobaltStrike_Beacon_Strings {
meta:
author = "Elastic"
description = "Identifies strings used in Cobalt Strike Beacon DLL"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
id = "af558aa2-a3dc-5a7a-bc74-42bb2246091c"
strings:
$s1 = "%02d/%02d/%02d %02d:%02d:%02d"
$s2 = "Started service %s on %s"
$s3 = "%s as %s\\%s: %d"
condition:
2 of them
}
rule HKTL_CobaltStrike_Beacon_XOR_Strings {
meta:
author = "Elastic"
description = "Identifies XOR'd strings used in Cobalt Strike Beacon DLL"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
/* Used for beacon config decoding in THOR */
xor_s1 = "%02d/%02d/%02d %02d:%02d:%02d"
xor_s2 = "Started service %s on %s"
xor_s3 = "%s as %s\\%s: %d"
id = "359160a8-cf1c-58a8-bf7f-c09a8d661308"
strings:
$s1 = "%02d/%02d/%02d %02d:%02d:%02d" xor(0x01-0xff)
$s2 = "Started service %s on %s" xor(0x01-0xff)
$s3 = "%s as %s\\%s: %d" xor(0x01-0xff)
$fp1 = "MalwareRemovalTool"
condition:
2 of ($s*) and not 1 of ($fp*)
}
rule HKTL_CobaltStrike_Beacon_4_2_Decrypt {
meta:
author = "Elastic"
description = "Identifies deobfuscation routine used in Cobalt Strike Beacon DLL version 4.2"
reference = "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures"
date = "2021-03-16"
id = "63b71eef-0af5-5765-b957-ccdc9dde053b"
strings:
$a_x64 = {4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03}
$a_x86 = {8B 46 04 8B 08 8B 50 04 83 C0 08 89 55 08 89 45 0C 85 C9 75 04 85 D2 74 23 3B CA 73 E6 8B 06 8D 3C 08 33 D2}
condition:
any of them
}
rule HKTL_Win_CobaltStrike : Commodity {
meta:
author = "[email protected]"
date = "2021-05-25"
description = "The CobaltStrike malware family."
hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
reference = "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"
id = "113ba304-261f-5c59-bc56-57515c239b6d"
strings:
$s1 = "%s (admin)" fullword
$s2 = {48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 74 65 74 2D 73 74 72 65 61 6D 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 25 64 0D 0A 0D 0A 00}
$s3 = "%02d/%02d/%02d %02d:%02d:%02d" fullword
$s4 = "%s as %s\\%s: %d" fullword
$s5 = "%s&%s=%s" fullword
$s6 = "rijndael" fullword
$s7 = "(null)"
condition:
all of them
}