/* SOURCE: https://github.com/chronicle/GCTI Generated with: cat ./GCTI/YARA/CobaltStrike/* >> ./signature-base/yara/gen_gcti_cobaltstrike.yar */ /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Artifact32_and_Resources_Dropper_v1_49_to_v3_14 { meta: description = "Cobalt Strike's resources/artifact32{.exe,.dll,big.exe,big.dll} and resources/dropper.exe signature for versions 1.49 to 3.14" hash = "40fc605a8b95bbd79a3bd7d9af73fbeebe3fada577c99e7a111f6168f6a0d37a" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "243e3761-cbea-561c-97da-f6ba12ebc7ee" strings: // Decoder function for the embedded payload $payloadDecoder = { 8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 18 8B [2] 89 ?? C1 ?? 1F C1 ?? 1E 01 ?? 83 ?? 03 29 ?? 03 [2] 0F B6 00 31 ?? 88 ?? 8B [2] 89 ?? 03 [2] 8B [2] 03 [2] 0F B6 12 } condition: any of them } rule CobaltStrike_Resources_Artifact32_v3_1_and_v3_2 { meta: description = "Cobalt Strike's resources/artifact32{.dll,.exe,svc.exe,big.exe,big.dll,bigsvc.exe} and resources/artifact32uac(alt).dll signature for versions 3.1 and 3.2" hash = "4f14bcd7803a8e22e81e74d6061d0df9e8bac7f96f1213d062a29a8523ae4624" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "4fff7f42-9f50-5945-8ec0-2438ac5c7000" strings: /* 89 ?? mov eax, ecx B? 04 00 00 00 mov edi, 4 99 cdq F7 FF idiv edi 8B [2] mov edi, [ebp+arg_8] 8A [2] mov al, [edi+edx] 30 ?? xor [ebx], al 8A ?? mov al, [ebx] 4? inc ebx 88 [2] mov [esi+ecx], al */ $decoderFunc = { 89 ?? B? 04 00 00 00 99 F7 FF 8B [2] 8A [2] 30 ?? 8A ?? 4? 88 } condition: all of them } rule CobaltStrike_Resources_Artifact32_v3_14_to_v4_x { meta: description = "Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0" hash = "888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "8a010305-dce5-55f4-b2dd-a736721efe22" strings: /* C7 [3] 5C 00 00 00 mov dword ptr [esp+28h], 5Ch ; '\' C7 [3] 65 00 00 00 mov dword ptr [esp+24h], 65h ; 'e' C7 [3] 70 00 00 00 mov dword ptr [esp+20h], 70h ; 'p' C7 [3] 69 00 00 00 mov dword ptr [esp+1Ch], 69h ; 'i' C7 [3] 70 00 00 00 mov dword ptr [esp+18h], 70h ; 'p' F7 F1 div ecx C7 [3] 5C 00 00 00 mov dword ptr [esp+14h], 5Ch ; '\' C7 [3] 2E 00 00 00 mov dword ptr [esp+10h], 2Eh ; '.' C7 [3] 5C 00 00 00 mov dword ptr [esp+0Ch], 5Ch ; '\' */ $pushFmtStr = { C7 [3] 5C 00 00 00 C7 [3] 65 00 00 00 C7 [3] 70 00 00 00 C7 [3] 69 00 00 00 C7 [3] 70 00 00 00 F7 F1 C7 [3] 5C 00 00 00 C7 [3] 2E 00 00 00 C7 [3] 5C 00 00 00 } $fmtStr = "%c%c%c%c%c%c%c%c%cMSSE-%d-server" condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* Disabled due to bad performance */ // rule CobaltStrike_Resources_Artifact32svc_Exe_v1_49_to_v3_14 // { // meta: // description = "Cobalt Strike's resources/artifact32svc(big).exe and resources/artifact32uac(alt).exe signature for versions v1.49 to v3.14" // hash = "323ddf9623368b550def9e8980fde0557b6fe2dcd945fda97aa3b31c6c36d682" // author = "gssincla@google.com" // reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" // date = "2022-11-18" // strings: // /* // 8B [2] mov eax, [ebp+var_C] // 89 ?? mov ecx, eax // 03 [2] add ecx, [ebp+lpBuffer] // 8B [2] mov eax, [ebp+var_C] // 03 [2] add eax, [ebp+lpBuffer] // 0F B6 18 movzx ebx, byte ptr [eax] // 8B [2] mov eax, [ebp+var_C] // 89 ?? mov edx, eax // C1 [2] sar edx, 1Fh // C1 [2] shr edx, 1Eh // 01 ?? add eax, edx // 83 [2] and eax, 3 // 29 ?? sub eax, edx // 03 [2] add eax, [ebp+arg_8] // 0F B6 00 movzx eax, byte ptr [eax] // 31 ?? xor eax, ebx // 88 ?? mov [ecx], al // */ // $decoderFunc = { 8B [2] 89 ?? 03 [2] 8B [2] 03 [5] 8B [2] 89 ?? C1 [2] C1 [2] 01 ?? 83 [2] 29 ?? 03 [5] 31 ?? 88 } // condition: // any of them // } rule CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x { meta: description = "Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)" hash = "871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "732169be-e334-5774-b0ac-54b217a8b681" strings: /* 89 ?? mov eax, ecx B? 04 00 00 00 mov edi, 4 99 cdq F7 FF idiv edi 8B [2] mov edi, [ebp+var_20] 8A [2] mov al, [edi+edx] 30 [2] xor [ebx+ecx], al */ $decoderFunc = { 89 ?? B? 04 00 00 00 99 F7 FF 8B [2] 8A [2] 30 } condition: $decoderFunc } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Artifact64_v1_49_v2_x_v3_0_v3_3_thru_v3_14 { meta: description = "Cobalt Strike's resources/artifact64{.dll,.exe,big.exe,big.dll,bigsvc.exe,big.x64.dll} and resources/rtifactuac(alt)64.dll signature for versions v1.49, v2.x, v3.0, and v3.3 through v3.14" hash = "9ec57d306764517b5956b49d34a3a87d4a6b26a2bb3d0fdb993d055e0cc9920d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "67902782-500e-5a89-8b2a-59ee21bcba3e" strings: /* 8B [2] mov eax, [rbp+var_4] 48 98 cdqe 48 89 C1 mov rcx, rax 48 03 4D 10 add rcx, [rbp+arg_0] 8B 45 FC mov eax, [rbp+var_4] 48 98 cdqe 48 03 45 10 add rax, [rbp+arg_0] 44 0F B6 00 movzx r8d, byte ptr [rax] 8B 45 FC mov eax, [rbp+var_4] 89 C2 mov edx, eax C1 FA 1F sar edx, 1Fh C1 EA 1E shr edx, 1Eh 01 D0 add eax, edx 83 E0 03 and eax, 3 29 D0 sub eax, edx 48 98 cdqe 48 03 45 20 add rax, [rbp+arg_10] 0F B6 00 movzx eax, byte ptr [rax] 44 31 C0 xor eax, r8d 88 01 mov [rcx], al */ $a = { 8B [2] 48 98 48 [2] 48 [3] 8B [2] 48 98 48 [3] 44 [3] 8B [2] 89 ?? C1 ?? 1F C1 ?? 1E 01 ?? 83 ?? 03 29 ?? 48 98 48 [3] 0F B6 00 44 [2] 88 } condition: $a } rule CobaltStrike_Resources_Artifact64_v3_1_v3_2_v3_14_and_v4_0 { meta: description = "Cobalt Strike's resources/artifact64{svcbig.exe,.dll,big.dll,svc.exe} and resources/artifactuac(big)64.dll signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x" hash = "2e7a39bd6ac270f8f548855b97c4cef2c2ce7f54c54dd4d1aa0efabeecf3ba90" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "c9e9b8e0-16fe-5abc-b1fe-0e3e586f6db6" strings: /* 31 C0 xor eax, eax EB 0F jmp short loc_6BAC16B5 41 83 E1 03 and r9d, 3 47 8A 0C 08 mov r9b, [r8+r9] 44 30 0C 01 xor [rcx+rax], r9b 48 FF C0 inc rax 39 D0 cmp eax, edx 41 89 C1 mov r9d, eax 7C EA jl short loc_6BAC16A6 4C 8D 05 53 29 00 00 lea r8, aRundll32Exe; "rundll32.exe" E9 D1 FE FF FF jmp sub_6BAC1599 */ $decoderFunction = { 31 ?? EB 0F 41 [2] 03 47 [3] 44 [3] 48 [2] 39 ?? 41 [2] 7C EA 4C [6] E9 } condition: $decoderFunction } rule CobaltStrike_Resources_Artifact64_v3_14_to_v4_x { meta: description = "Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x" hash = "decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "1c7731d3-429b-57aa-9c17-8de7d0841b1e" strings: /* 41 B8 5C 00 00 00 mov r8d, 5Ch ; '\' C7 44 24 50 5C 00 00 00 mov [rsp+68h+var_18], 5Ch ; '\' C7 44 24 48 65 00 00 00 mov [rsp+68h+var_20], 65h ; 'e' C7 44 24 40 70 00 00 00 mov [rsp+68h+var_28], 70h ; 'p' C7 44 24 38 69 00 00 00 mov [rsp+68h+var_30], 69h ; 'i' C7 44 24 30 70 00 00 00 mov [rsp+68h+var_38], 70h ; 'p' C7 44 24 28 5C 00 00 00 mov dword ptr [rsp+68h+lpThreadId], 5Ch ; '\' C7 44 24 20 2E 00 00 00 mov [rsp+68h+dwCreationFlags], 2Eh ; '.' 89 54 24 58 mov [rsp+68h+var_10], edx 48 8D 15 22 38 00 00 lea rdx, Format; Format E8 0D 17 00 00 call sprintf */ $fmtBuilder = { 41 ?? 5C 00 00 00 C7 [3] 5C 00 00 00 C7 [3] 65 00 00 00 C7 [3] 70 00 00 00 C7 [3] 69 00 00 00 C7 [3] 70 00 00 00 C7 [3] 5C 00 00 00 C7 [3] 2E 00 00 00 89 [3] 48 [6] E8 } $fmtString = "%c%c%c%c%c%c%c%c%cMSSE-%d-server" condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Beacon_Dll_v1_44 { meta: description = "Cobalt Strike's resources/beacon.dll Version 1.44" hash = "75102e8041c58768477f5f982500da7e03498643b6ece86194f4b3396215f9c2" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "935ee27f-ce1b-5491-b4a3-cb78f199ab1b" strings: /* 0F B7 D2 movzx edx, dx 4A dec edx; switch 5 cases 53 push ebx 8B D9 mov ebx, ecx; a2 83 FA 04 cmp edx, 4 77 36 ja short def_1000106C; jumptable 1000106C default case FF 24 ?? jmp ds:jpt_1000106C[edx*4]; switch jump */ $version_sig = { 0F B7 D2 4A 53 8B D9 83 FA 04 77 36 FF 24 } /* B1 69 mov cl, 69h ; 'i' 30 88 [4] xor byte ptr word_10018F20[eax], cl 40 inc eax 3D 28 01 00 00 cmp eax, 128h 7C F2 jl short loc_10001AD4 */ $decode = { B1 ?? 30 88 [4] 40 3D 28 01 00 00 7C F2 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v1_45 { meta: description = "Cobalt Strike's resources/beacon.dll Version 1.45" hash = "1a92b2024320f581232f2ba1e9a11bef082d5e9723429b3e4febb149458d1bb1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "04d4d0ee-f1ee-5888-8108-ca55243c770a" strings: /* 51 push ecx 0F B7 D2 movzx edx, dx 4A dec edx; switch 9 cases 53 push ebx 56 push esi 83 FA 08 cmp edx, 8 77 6B ja short def_1000106C; jumptable 1000106C default case FF 24 ?? jmp ds:jpt_1000106C[edx*4]; switch jump */ $version_sig = { 51 0F B7 D2 4A 53 56 83 FA 08 77 6B FF 24 } /* B1 69 mov cl, 69h ; 'i' 30 88 [4] xor byte ptr word_10019F20[eax], cl 40 inc eax 3D 28 01 00 00 cmp eax, 128h 7C F2 jl short loc_10002664 */ $decode = { B1 ?? 30 88 [4] 40 3D 28 01 00 00 7C F2 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v1_46 { meta: description = "Cobalt Strike's resources/beacon.dll Version 1.46" hash = "44e34f4024878024d4804246f57a2b819020c88ba7de160415be38cd6b5e2f76" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "79715042-1963-5e48-8b64-7d915da58d84" strings: /* 8B F2 mov esi, edx 83 F9 0C cmp ecx, 0Ch 0F 87 8E 00 00 00 ja def_1000107F; jumptable 1000107F default case, case 8 FF 24 ?? jmp ds:jpt_1000107F[ecx*4]; switch jump */ $version_sig = { 8B F2 83 F9 0C 0F 87 8E 00 00 00 FF 24 } /* B1 69 mov cl, 69h ; 'i' 30 88 [4] xor byte ptr word_1001D040[eax], cl 40 inc eax 3D A8 01 00 00 cmp eax, 1A8h 7C F2 jl short loc_10002A04 */ $decode = { B1 ?? 30 88 [4] 40 3D A8 01 00 00 7C F2 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v1_47 { meta: description = "Cobalt Strike's resources/beacon.dll Version 1.47" hash = "8ff6dc80581804391183303bb39fca2a5aba5fe13d81886ab21dbd183d536c8d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "ac2249a9-210c-581f-8dd1-7619356dca7d" strings: /* 83 F8 12 cmp eax, 12h 77 10 ja short def_100010BB; jumptable 100010BB default case, case 8 FF 24 ?? jmp ds:jpt_100010BB[eax*4]; switch jump */ $version_sig = { 83 F8 12 77 10 FF 24 } /* B1 69 mov cl, 69h ; 'i' 30 88 [4] xor byte ptr word_1001E040[eax], cl 40 inc eax 3D A8 01 00 00 cmp eax, 1A8h */ $decode = { B1 ?? 30 88 [4] 40 3D A8 01 00 00 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v1_48 { meta: description = "Cobalt Strike's resources/beacon.dll Version 1.48" hash = "dd4e445572cd5e32d7e9cc121e8de337e6f19ff07547e3f2c6b7fce7eafd15e4" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "dd15099f-ad19-58df-9ed4-ce66d7ee8540" strings: /* 48 dec eax; switch 24 cases 57 push edi 8B F1 mov esi, ecx 8B DA mov ebx, edx 83 F8 17 cmp eax, 17h 77 12 ja short def_1000115D; jumptable 1000115D default case, case 8 FF 24 ?? jmp ds:jpt_1000115D[eax*4]; switch jump */ $version_sig = { 48 57 8B F1 8B DA 83 F8 17 77 12 FF 24 } /* B1 69 mov cl, 69h ; 'i' 30 88 [4] xor byte ptr word_1001F048[eax], cl 40 inc eax 3D A8 01 00 00 cmp eax, 1A8h 7C F2 jl short loc_100047B4 */ $decode = { B1 ?? 30 88 [4] 40 3D A8 01 00 00 7C F2 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v1_49 { meta: description = "Cobalt Strike's resources/beacon.dll Version 1.49" hash = "52b4bd87e21ee0cbaaa0fc007fd3f894c5fc2c4bae5cbc2a37188de3c2c465fe" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "871e28c9-b580-5a32-8529-2290ded1a1b6" strings: /* 48 dec eax; switch 31 cases 56 push esi 83 F8 1E cmp eax, 1Eh 0F 87 23 01 00 00 ja def_1000115B; jumptable 1000115B default case, cases 8,30 FF 24 85 80 12 00 10 jmp ds:jpt_1000115B[eax*4]; switch jump */ $version_sig = { 48 56 83 F8 1E 0F 87 23 01 00 00 FF 24 } /* B1 69 mov cl, 69h ; 'i' 90 nop 30 88 [4] xor byte ptr word_10022038[eax], cl 40 inc eax 3D A8 01 00 00 cmp eax, 1A8h 7C F2 jl short loc_10005940 */ $decoder = { B1 ?? 90 30 88 [4] 40 3D A8 01 00 00 7C F2 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v2_0_49 { meta: description = "Cobalt Strike's resources/beacon.dll Version 2.0.49" hash = "ed08c1a21906e313f619adaa0a6e5eb8120cddd17d0084a30ada306f2aca3a4e" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "087c584a-5ceb-536a-8842-53fbd668df54" strings: /* 83 F8 22 cmp eax, 22h 0F 87 96 01 00 00 ja def_1000115D; jumptable 1000115D default case, cases 8,30 FF 24 ?? jmp ds:jpt_1000115D[eax*4]; switch jump */ $version_sig = { 83 F8 22 0F 87 96 01 00 00 FF 24 } /* B1 69 mov cl, 69h ; 'i' EB 03 jmp short loc_10006930 8D 49 00 lea ecx, [ecx+0] 30 88 [4] xor byte ptr word_10023038[eax], cl 40 inc eax 3D 30 05 00 00 cmp eax, 530h 72 F2 jb short loc_10006930 */ $decoder = { B1 ?? EB 03 8D 49 00 30 88 [4] 40 3D 30 05 00 00 72 F2 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v2_1_and_v2_2 { // v2.1 and v2.2 use the exact same beacon binary (matching hashes) meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.1 and 2.2" hash = "ae7a1d12e98b8c9090abe19bcaddbde8db7b119c73f7b40e76cdebb2610afdc2" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "384fb247-aae7-52e1-a45d-6bda0f80a04e" strings: /* 49 dec ecx; switch 37 cases 56 push esi 57 push edi 83 F9 24 cmp ecx, 24h 0F 87 8A 01 00 00 ja def_1000112E; jumptable 1000112E default case, cases 8,30 FF 24 ?? jmp ds:jpt_1000112E[ecx*4]; switch jump */ $version_sig = { 49 56 57 83 F9 24 0F 87 8A 01 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v2_3 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.3" hash = "00dd982cb9b37f6effb1a5a057b6571e533aac5e9e9ee39a399bb3637775ff83" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "aed092f1-fbb1-5efe-be8d-fb7c5aba1cde" strings: /* 49 dec ecx; switch 39 cases 56 push esi 57 push edi 83 F9 26 cmp ecx, 26h 0F 87 A9 01 00 00 ja def_1000112E; jumptable 1000112E default case, cases 8,30 FF 24 ?? jmp ds:jpt_1000112E[ecx*4]; switch jump */ $version_sig = { 49 56 57 83 F9 26 0F 87 A9 01 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v2_4 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.4" hash = "78c6f3f2b80e6140c4038e9c2bcd523a1b205d27187e37dc039ede4cf560beed" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "347a6b06-84a8-53ff-80a1-05fa1a48a412" strings: /* 4A dec edx; switch 48 cases 56 push esi 57 push edi 83 FA 2F cmp edx, 2Fh 0F 87 F9 01 00 00 ja def_1000112E; jumptable 1000112E default case, cases 6-8,30 FF 24 ?? jmp ds:jpt_1000112E[edx*4]; switch jump */ $version_sig = { 4A 56 57 83 FA 2F 0F 87 F9 01 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v2_5 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.5" hash = "d99693e3e521f42d19824955bef0cefb79b3a9dbf30f0d832180577674ee2b58" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "a89f9239-099c-5b97-b1df-e8ce2b95ea52" strings: /* 48 dec eax; switch 59 cases 57 push edi 8B F2 mov esi, edx 83 F8 3A cmp eax, 3Ah 0F 87 6E 02 00 00 ja def_10001130; jumptable 10001130 default case, cases 6-8,30 FF 24 ?? jmp ds:jpt_10001130[eax*4]; switch jump */ $version_sig = { 48 57 8B F2 83 F8 3A 0F 87 6E 02 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_0 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.0" hash = "30251f22df7f1be8bc75390a2f208b7514647835f07593f25e470342fd2e3f52" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "132a1be8-f529-5141-ba03-fdf6df3d55d4" strings: /* 48 dec eax; switch 61 cases 57 push edi 8B F2 mov esi, edx 83 F8 3C cmp eax, 3Ch 0F 87 89 02 00 00 ja def_10001130; jumptable 10001130 default case, cases 6-8,30 FF 24 ?? jmp ds:jpt_10001130[eax*4]; switch jump */ $version_sig = { 48 57 8B F2 83 F8 3C 0F 87 89 02 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_1 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.1" hash = "4de723e784ef4e1633bbbd65e7665adcfb03dd75505b2f17d358d5a40b7f35cf" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" // v3.1 and v3.2 share the same C2 handler code. We are using a function that // is not included in v3.2 to mark the v3.1 version along with the decoder // which allows us to narrow in on only v3.1 samples id = "aa511dee-69ea-53bd-be90-d2d03d08c550" strings: /* 55 push ebp 8B EC mov ebp, esp 83 EC 58 sub esp, 58h A1 [4] mov eax, ___security_cookie 33 C5 xor eax, ebp 89 45 FC mov [ebp+var_4], eax E8 DF F5 FF FF call sub_10002109 6A 50 push 50h ; 'P'; namelen 8D 45 A8 lea eax, [ebp+name] 50 push eax; name FF 15 [4] call ds:gethostname 8D 45 ?? lea eax, [ebp+name] 50 push eax; name FF 15 [4] call ds:__imp_gethostbyname 85 C0 test eax, eax 74 14 jz short loc_10002B58 8B 40 0C mov eax, [eax+0Ch] 83 38 00 cmp dword ptr [eax], 0 74 0C jz short loc_10002B58 8B 00 mov eax, [eax] FF 30 push dword ptr [eax]; in FF 15 [4] call ds:inet_ntoa EB 05 jmp short loc_10002B5D B8 [4] mov eax, offset aUnknown; "unknown" 8B 4D FC mov ecx, [ebp+var_4] 33 CD xor ecx, ebp; StackCookie E8 82 B7 00 00 call @__security_check_cookie@4; __security_check_cookie(x) C9 leave */ $version_sig = { 55 8B EC 83 EC 58 A1 [4] 33 C5 89 45 FC E8 DF F5 FF FF 6A 50 8D 45 A8 50 FF 15 [4] 8D 45 ?? 50 FF 15 [4] 85 C0 74 14 8B 40 0C 83 38 00 74 0C 8B 00 FF 30 FF 15 [4] EB 05 B8 [4] 8B 4D FC 33 CD E8 82 B7 00 00 C9 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_2 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.2" hash = "b490eeb95d150530b8e155da5d7ef778543836a03cb5c27767f1ae4265449a8d" rs2 ="a93647c373f16d61c38ba6382901f468247f12ba8cbe56663abb2a11ff2a5144" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "3ccbc0f2-241c-5c10-8930-4a3d264d3b57" strings: /* 48 dec eax; switch 62 cases 57 push edi 8B F2 mov esi, edx 83 F8 3D cmp eax, 3Dh 0F 87 83 02 00 00 ja def_10001130; jumptable 10001130 default case, cases 6-8,30 FF 24 ?? jmp ds:jpt_10001130[eax*4]; switch jump */ $version_sig = { 48 57 8B F2 83 F8 3D 0F 87 83 02 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } // Since v3.1 and v3.2 are so similiar, we use the v3.1 version_sig // as a negating condition to diff between 3.1 and 3.2 /* 55 push ebp 8B EC mov ebp, esp 83 EC 58 sub esp, 58h A1 [4] mov eax, ___security_cookie 33 C5 xor eax, ebp 89 45 FC mov [ebp+var_4], eax E8 DF F5 FF FF call sub_10002109 6A 50 push 50h ; 'P'; namelen 8D 45 A8 lea eax, [ebp+name] 50 push eax; name FF 15 [4] call ds:gethostname 8D 45 ?? lea eax, [ebp+name] 50 push eax; name FF 15 [4] call ds:__imp_gethostbyname 85 C0 test eax, eax 74 14 jz short loc_10002B58 8B 40 0C mov eax, [eax+0Ch] 83 38 00 cmp dword ptr [eax], 0 74 0C jz short loc_10002B58 8B 00 mov eax, [eax] FF 30 push dword ptr [eax]; in FF 15 [4] call ds:inet_ntoa EB 05 jmp short loc_10002B5D B8 [4] mov eax, offset aUnknown; "unknown" 8B 4D FC mov ecx, [ebp+var_4] 33 CD xor ecx, ebp; StackCookie E8 82 B7 00 00 call @__security_check_cookie@4; __security_check_cookie(x) C9 leave */ $version3_1_sig = { 55 8B EC 83 EC 58 A1 [4] 33 C5 89 45 FC E8 DF F5 FF FF 6A 50 8D 45 A8 50 FF 15 [4] 8D 45 ?? 50 FF 15 [4] 85 C0 74 14 8B 40 0C 83 38 00 74 0C 8B 00 FF 30 FF 15 [4] EB 05 B8 [4] 8B 4D FC 33 CD E8 82 B7 00 00 C9 } condition: $version_sig and $decoder and not $version3_1_sig } rule CobaltStrike_Resources_Beacon_Dll_v3_3 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.3" hash = "158dba14099f847816e2fc22f254c60e09ac999b6c6e2ba6f90c6dd6d937bc42" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "7cce26c9-1403-535f-bd9d-19667c7e313c" strings: /* 48 dec eax; switch 66 cases 57 push edi 8B F1 mov esi, ecx 83 F8 41 cmp eax, 41h 0F 87 F0 02 00 00 ja def_1000112D; jumptable 1000112D default case, cases 6-8,30 FF 24 ?? jmp ds:jpt_1000112D[eax*4]; switch jump */ $version_sig = { 48 57 8B F1 83 F8 41 0F 87 F0 02 00 00 FF 24 } /* 80 B0 [4] 69 xor byte ptr word_1002C040[eax], 69h 40 inc eax 3D 10 06 00 00 cmp eax, 610h 72 F1 jb short loc_1000674A */ $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_4 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.4" hash = "5c40bfa04a957d68a095dd33431df883e3a075f5b7dea3e0be9834ce6d92daa3" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "58a34ab6-c061-59a2-b929-8519d3d844e7" strings: /* 48 dec eax; switch 67 cases 57 push edi 8B F1 mov esi, ecx 83 F8 42 cmp eax, 42h 0F 87 F0 02 00 00 ja def_1000112D; jumptable 1000112D default case, cases 6-8,26,30 FF 24 ?? jmp ds:jpt_1000112D[eax*4]; switch jump */ $version_sig = { 48 57 8B F1 83 F8 42 0F 87 F0 02 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_5_hf1_and_3_5_1 { // Version 3.5-hf1 and 3.5.1 use the exact same beacon binary (same hash) meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.5-hf1 and 3.5.1 (3.5.x)" hash = "c78e70cd74f4acda7d1d0bd85854ccacec79983565425e98c16a9871f1950525" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "1532596e-be0e-58c2-8d3b-5120c793d677" strings: /* 48 dec eax; switch 68 cases 57 push edi 8B F1 mov esi, ecx 83 F8 43 cmp eax, 43h 0F 87 07 03 00 00 ja def_1000112D; jumptable 1000112D default case, cases 6-8,26,30 FF 24 ?? jmp ds:jpt_1000112D[eax*4]; switch jump */ $version_sig = { 48 57 8B F1 83 F8 43 0F 87 07 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_6 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.6" hash = "495a744d0a0b5f08479c53739d08bfbd1f3b9818d8a9cbc75e71fcda6c30207d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "7e7b5c22-82b3-5298-b794-b06d94a668d5" strings: /* 48 dec eax; switch 72 cases 57 push edi 8B F9 mov edi, ecx 83 F8 47 cmp eax, 47h 0F 87 2F 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 6-8,26,30 FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump */ $version_sig = { 48 57 8B F9 83 F8 47 0F 87 2F 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_7 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.7" hash = "f18029e6b12158fb3993f4951dab2dc6e645bb805ae515d205a53a1ef41ca9b2" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "6352a31c-34b8-5886-8e34-ef9221c22e6e" strings: /* 48 dec eax; switch 74 cases 57 push edi 8B F9 mov edi, ecx 83 F8 49 cmp eax, 49h 0F 87 47 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 6-8,26,30 FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump */ $version_sig = { 48 57 8B F9 83 F8 49 0F 87 47 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_8 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.8" hash = "67b6557f614af118a4c409c992c0d9a0cc800025f77861ecf1f3bbc7c293d603" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "6c65cbf8-2c60-5315-b3b2-48dfcee75733" strings: /* 48 dec eax; switch 76 cases 57 push edi 8B F9 mov edi, ecx 83 F8 4B cmp eax, 4Bh 0F 87 5D 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 6-8,26,30 FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump */ $version_sig = { 48 57 8B F9 83 F8 4B 0F 87 5D 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } // XMRig uses a v3.8 sample to trick sandboxes into running their code. // These samples are the same and useless. This string removes many // of them from our detection $xmrig_srcpath = "C:/Users/SKOL-NOTE/Desktop/Loader/script.go" // To remove others, we look for known xmrig C2 domains in the config: $c2_1 = "ns7.softline.top" xor $c2_2 = "ns8.softline.top" xor $c2_3 = "ns9.softline.top" xor //$a = /[A-Za-z]{1020}.{4}$/ condition: $version_sig and $decoder and (2 of ($c2_*) or $xmrig_srcpath) } /* missing specific signatures for 3.9 and 3.10 since we don't have samples */ rule CobaltStrike_Resources_Beacon_Dll_v3_11 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.11" hash = "2428b93464585229fd234677627431cae09cfaeb1362fe4f648b8bee59d68f29" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" // Original version from April 9, 2018 id = "00e42396-db81-5d43-90ee-5a97b379019e" strings: /* 48 dec eax; switch 81 cases 57 push edi 8B FA mov edi, edx 83 F8 50 cmp eax, 50h 0F 87 11 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 2,6-8,26,30,36 FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump */ $version_sig = { 48 57 8B FA 83 F8 50 0F 87 11 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_11_bugfix_and_v3_12 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.11-bugfix and 3.12" hash = "5912c96fffeabb2c5c5cdd4387cfbfafad5f2e995f310ace76ca3643b866e3aa" rs2 ="4476a93abe48b7481c7b13dc912090b9476a2cdf46a1c4287b253098e3523192" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" // Covers both 3.11 (bug fix form May 25, 2018) and v3.12 id = "08ff2a2f-97bd-5839-b414-d67fbf2cdb0f" strings: /* 48 dec eax; switch 81 cases 57 push edi 8B FA mov edi, edx 83 F8 50 cmp eax, 50h 0F 87 0D 03 00 00 ja def_1000100F; jumptable 1000100F default case, cases 2,6-8,26,30,36 FF 24 ?? jmp ds:jpt_1000100F[eax*4]; switch jump */ $version_sig = { 48 57 8B FA 83 F8 50 0F 87 0D 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_13 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.13" hash = "362119e3bce42e91cba662ea80f1a7957a5c2b1e92075a28352542f31ac46a0c" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "98dd32e6-9bb5-57b2-a5e5-1c74a0d1e6d3" strings: /* 4A dec edx; switch 91 cases 56 push esi 57 push edi 83 FA 5A cmp edx, 5Ah 0F 87 2D 03 00 00 ja def_10008D01; jumptable 10008D01 default case, cases 2,6-8,20,21,26,30,36,63-66 FF 24 ?? jmp ds:jpt_10008D01[edx*4]; switch jump */ $version_sig = { 4A 56 57 83 FA 5A 0F 87 2D 03 00 00 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_Dll_v3_14 { meta: description = "Cobalt Strike's resources/beacon.dll Versions 3.14" hash = "254c68a92a7108e8c411c7b5b87a2f14654cd9f1324b344f036f6d3b6c7accda" rs2 ="87b3eb55a346b52fb42b140c03ac93fc82f5a7f80697801d3f05aea1ad236730" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "00edfc72-c7b8-5100-8275-ae3548b96e49" strings: /* 83 FA 5B cmp edx, 5Bh 77 15 ja short def_1000939E; jumptable 1000939E default case, cases 2,6-8,20,21,26,30,36,63-66 FF 24 ?? jmp ds:jpt_1000939E[edx*4]; switch jump */ $version_sig = { 83 FA 5B 77 15 FF 24 } /* 80 B0 [4] 69 xor byte_1002E020[eax], 69h 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10008741 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_Dll_v4_0_suspected { meta: description = "Cobalt Strike's sleeve/beacon.dll Versions 4.0 (suspected, not confirmed)" hash = "e2b2b72454776531bbc6a4a5dd579404250901557f887a6bccaee287ac71b248" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "50ff6e44-ebc0-5000-a816-b385a6675768" strings: /* 51 push ecx 4A dec edx; switch 99 cases 56 push esi 57 push edi 83 FA 62 cmp edx, 62h 0F 87 8F 03 00 00 ja def_100077C3; jumptable 100077C3 default case, cases 2,6-8,20,21,25,26,30,34-36,63-66 FF 24 95 56 7B 00 10 jmp ds:jpt_100077C3[edx*4]; switch jump */ $version_sig = { 51 4A 56 57 83 FA 62 0F 87 8F 03 00 00 FF 24 95 56 7B 00 10 } /* 80 B0 20 00 03 10 ?? xor byte_10030020[eax], 2Eh 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_1000912B */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_Dll_v4_1_and_v4_2 { meta: description = "Cobalt Strike's sleeve/beacon.dll Versions 4.1 and 4.2" hash = "daa42f4380cccf8729129768f3588bb98e4833b0c40ad0620bb575b5674d5fc3" rs2 ="9de55f27224a4ddb6b2643224a5da9478999c7b2dea3a3d6b3e1808148012bcf" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "793df916-bdf7-5743-b008-0113caf38bae" strings: /* 48 dec eax; switch 100 cases 57 push edi 8B F2 mov esi, edx 83 F8 63 cmp eax, 63h 0F 87 3C 03 00 00 ja def_10007F28; jumptable 10007F28 default case, cases 2,6-8,20,21,25,26,29,30,34-36,58,63-66,80,81,95-97 FF 24 ?? jmp ds:jpt_10007F28[eax*4]; switch jump */ $version_sig = { 48 57 8B F2 83 F8 63 0F 87 3C 03 00 00 FF 24 } /* 80 B0 [4] 3E xor byte_10031010[eax], 3Eh 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10009791 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/beacon.dll Versions 4.3 and 4.4" hash = "51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f" rs2 ="78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "976e087c-f371-5fc6-85f8-9c803a91f549" strings: /* 48 dec eax; switch 102 cases 57 push edi 8B F2 mov esi, edx 83 F8 65 cmp eax, 65h 0F 87 47 03 00 00 ja def_10007EAD; jumptable 10007EAD default case, cases 2,6-8,20,21,25,26,29,30,34-36,48,58,63-66,80,81,95-97 FF 24 ?? jmp ds:jpt_10007EAD[eax*4]; switch jump */ $version_sig = { 48 57 8B F2 83 F8 65 0F 87 47 03 00 00 FF 24 } /* 80 B0 [4] 3E xor byte_10031010[eax], 3Eh 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_10009791 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_Dll_v4_7_suspected { meta: description = "Cobalt Strike's sleeve/beacon.dll Versions 4.7 (suspected, not confirmed)" hash = "da9e91b3d8df3d53425dd298778782be3bdcda40037bd5c92928395153160549" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "4b6f90dd-69f3-5555-9195-6a0aed0fff58" strings: /* 53 push ebx 56 push esi 48 dec eax; switch 104 cases 57 push edi 8B F2 mov esi, edx 83 F8 67 cmp eax, 67h 0F 87 5E 03 00 00 ja def_10008997; jumptable 10008997 default case, cases 2,6-8,20,21,25,26,29,30,34-36,48,58,63-66,80,81,95-97 */ $version_sig = { 53 56 48 57 8B F2 83 F8 67 0F 87 5E 03 00 00 } /* 80 B0 [5] xor byte_10033020[eax], 2Eh 40 inc eax 3D 00 10 00 00 cmp eax, 1000h 7C F1 jl short loc_1000ADA1 */ $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 } condition: all of them } /* 64-bit Beacons. These signatures are a bit different. The decoders are all identical in the 4.x series and the command processor doesn't use a switch/case idiom, but rather an expanded set of if/then/else branches. This invalidates our method for detecting the versions of the beacons by looking at the case count check used by the 32-bit versions. As such, we are locking in on "random", non-overlapping between version, sections of code in the command processor. While a reasonable method is to look for blocks of Jcc which will have specific address offsets per version, this generally is insufficient due to the lack of code changes. As such, the best method appears to be to look for specific function call offsets NOTE: There are only VERY subtle differences between the following versions: * 3.2 and 3.3 * 3.4 and 3.5-hf1/3.5.1 * 3.12, 3.13 and 3.14 * 4.3 and 4.4-4.6 . Be very careful if you modify the $version_sig field for either of those rules. */ rule CobaltStrike_Resources_Beacon_x64_v3_2 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.2" hash = "5993a027f301f37f3236551e6ded520e96872723a91042bfc54775dcb34c94a1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "61188243-0b90-5bff-bcc8-50f10ed941f6" strings: /* 4C 8D 05 9F F8 FF FF lea r8, sub_18000C4B0 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 05 1A 00 00 call sub_18000E620 EB 0A jmp short loc_18000CC27 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 41 21 00 00 call sub_18000ED68 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0] 48 83 C4 20 add rsp, 20h */ $version_sig = { 4C 8D 05 9F F8 FF FF 8B D3 48 8B CF E8 05 1A 00 00 EB 0A 8B D3 48 8B CF E8 41 21 00 00 48 8B 5C 24 30 48 83 C4 20 } /* 80 31 ?? xor byte ptr [rcx], 69h FF C2 inc edx 48 FF C1 inc rcx 48 63 C2 movsxd rax, edx 48 3D 10 06 00 00 cmp rax, 610h */ $decoder = { 80 31 ?? FF C2 48 FF C1 48 63 C2 48 3D 10 06 00 00 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_3 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.3" hash = "7b00721efeff6ed94ab108477d57b03022692e288cc5814feb5e9d83e3788580" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "fb96ecff-809e-5704-974e-a2d8ef022daa" strings: /* 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 89 66 00 00 call sub_1800155E8 E9 23 FB FF FF jmp loc_18000EA87 41 B8 01 00 00 00 mov r8d, 1 E9 F3 FD FF FF jmp loc_18000ED62 48 8D 0D 2A F8 FF FF lea rcx, sub_18000E7A0 E8 8D 2B 00 00 call sub_180011B08 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0] 48 83 C4 20 add rsp, 20h */ $version_sig = { 8B D3 48 8B CF E8 89 66 00 00 E9 23 FB FF FF 41 B8 01 00 00 00 E9 F3 FD FF FF 48 8D 0D 2A F8 FF FF E8 8D 2B 00 00 48 8B 5C 24 30 48 83 C4 20 } /* 80 31 ?? xor byte ptr [rcx], 69h FF C2 inc edx 48 FF C1 inc rcx 48 63 C2 movsxd rax, edx 48 3D 10 06 00 00 cmp rax, 610h */ $decoder = { 80 31 ?? FF C2 48 FF C1 48 63 C2 48 3D 10 06 00 00 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_4 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.4" hash = "5a4d48c2eda8cda79dc130f8306699c8203e026533ce5691bf90363473733bf0" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "97ef152c-86c7-513c-a881-e7d594d38dcf" strings: /* 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 56 6F 00 00 call sub_180014458 E9 17 FB FF FF jmp loc_18000D01E 41 B8 01 00 00 00 mov r8d, 1 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 41 4D 00 00 call sub_180012258 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0] 48 83 C4 20 add rsp, 20h */ $version_sig = { 8B D3 48 8B CF E8 56 6F 00 00 E9 17 FB FF FF 41 B8 01 00 00 00 8B D3 48 8B CF E8 41 4D 00 00 48 8B 5C 24 30 48 83 C4 20 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_18001600E */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_5_hf1_and_v3_5_1 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.5-hf1 and 3.5.1" hash = "934134ab0ee65ec76ae98a9bb9ad0e9571d80f4bf1eb3491d58bacf06d42dc8d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "0c0e87d3-e0e2-5ddc-9d89-5e56443da4b8" strings: /* 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 38 70 00 00 call sub_180014548 E9 FD FA FF FF jmp loc_18000D012 41 B8 01 00 00 00 mov r8d, 1 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 3F 4D 00 00 call sub_180012264 48 8B 5C 24 30 mov rbx, [rsp+28h+arg_0] 48 83 C4 20 add rsp, 20h 5F pop rdi */ $version_sig = { 8B D3 48 8B CF E8 38 70 00 00 E9 FD FA FF FF 41 B8 01 00 00 00 8B D3 48 8B CF E8 3F 4D 00 00 48 8B 5C 24 30 48 83 C4 20 5F } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180016B3E */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_6 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.6" hash = "92b0a4aec6a493bcb1b72ce04dd477fd1af5effa0b88a9d8283f26266bb019a1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "9651a1ca-d8ea-5b0b-bcba-a850c2e07791" strings: /* 48 89 5C 24 08 mov [rsp+arg_0], rbx 57 push rdi 48 83 EC 20 sub rsp, 20h 41 8B D8 mov ebx, r8d 48 8B FA mov rdi, rdx 83 F9 27 cmp ecx, 27h ; ''' 0F 87 47 03 00 00 ja loc_18000D110 0F 84 30 03 00 00 jz loc_18000D0FF 83 F9 14 cmp ecx, 14h 0F 87 A4 01 00 00 ja loc_18000CF7C 0F 84 7A 01 00 00 jz loc_18000CF58 83 F9 0C cmp ecx, 0Ch 0F 87 C8 00 00 00 ja loc_18000CEAF 0F 84 B3 00 00 00 jz loc_18000CEA0 */ $version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 27 0F 87 47 03 00 00 0F 84 30 03 00 00 83 F9 14 0F 87 A4 01 00 00 0F 84 7A 01 00 00 83 F9 0C 0F 87 C8 00 00 00 0F 84 B3 00 00 00 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180016B3E */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_7 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.7" hash = "81296a65a24c0f6f22208b0d29e7bb803569746ce562e2fa0d623183a8bcca60" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "27fad98a-2882-5c52-af6e-c7dcf5559624" strings: /* 48 89 5C 24 08 mov [rsp+arg_0], rbx 57 push rdi 48 83 EC 20 sub rsp, 20h 41 8B D8 mov ebx, r8d 48 8B FA mov rdi, rdx 83 F9 28 cmp ecx, 28h ; '(' 0F 87 7F 03 00 00 ja loc_18000D148 0F 84 67 03 00 00 jz loc_18000D136 83 F9 15 cmp ecx, 15h 0F 87 DB 01 00 00 ja loc_18000CFB3 0F 84 BF 01 00 00 jz loc_18000CF9D */ $version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 28 0F 87 7F 03 00 00 0F 84 67 03 00 00 83 F9 15 0F 87 DB 01 00 00 0F 84 BF 01 00 00 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180016ECA */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_8 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.8" hash = "547d44669dba97a32cb9e95cfb8d3cd278e00599e6a11080df1a9d09226f33ae" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "89809d81-9a8b-5cf3-a251-689bf52e98e0" strings: /* 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 7A 52 00 00 call sub_18001269C EB 0D jmp short loc_18000D431 45 33 C0 xor r8d, r8d 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi; Src E8 8F 55 00 00 call sub_1800129C0 */ $version_sig = { 8B D3 48 8B CF E8 7A 52 00 00 EB 0D 45 33 C0 8B D3 48 8B CF E8 8F 55 00 00 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_18001772E */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_11 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.11 (two subversions)" hash = "64007e104dddb6b5d5153399d850f1e1f1720d222bed19a26d0b1c500a675b1a" rs2 = "815f313e0835e7fdf4a6d93f2774cf642012fd21ce870c48ff489555012e0047" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "bf0c7661-2583-5fca-beb5-abb2b50c860d" strings: /* 48 83 EC 20 sub rsp, 20h 41 8B D8 mov ebx, r8d 48 8B FA mov rdi, rdx 83 F9 2D cmp ecx, 2Dh ; '-' 0F 87 B2 03 00 00 ja loc_18000D1EF 0F 84 90 03 00 00 jz loc_18000D1D3 83 F9 17 cmp ecx, 17h 0F 87 F8 01 00 00 ja loc_18000D044 0F 84 DC 01 00 00 jz loc_18000D02E 83 F9 0E cmp ecx, 0Eh 0F 87 F9 00 00 00 ja loc_18000CF54 0F 84 DD 00 00 00 jz loc_18000CF3E FF C9 dec ecx 0F 84 C0 00 00 00 jz loc_18000CF29 83 E9 02 sub ecx, 2 0F 84 A6 00 00 00 jz loc_18000CF18 FF C9 dec ecx */ $version_sig = { 48 83 EC 20 41 8B D8 48 8B FA 83 F9 2D 0F 87 B2 03 00 00 0F 84 90 03 00 00 83 F9 17 0F 87 F8 01 00 00 0F 84 DC 01 00 00 83 F9 0E 0F 87 F9 00 00 00 0F 84 DD 00 00 00 FF C9 0F 84 C0 00 00 00 83 E9 02 0F 84 A6 00 00 00 FF C9 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180017DCA */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_12 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.12" hash = "8a28b7a7e32ace2c52c582d0076939d4f10f41f4e5fa82551e7cc8bdbcd77ebc" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "6eeae9f4-96e0-5a98-a8dc-779c916cd968" strings: /* 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 F8 2E 00 00 call sub_180010384 EB 16 jmp short loc_18000D4A4 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 00 5C 00 00 call f_OTH__Command_75 EB 0A jmp short loc_18000D4A4 8B D3 mov edx, ebx 48 8B CF mov rcx, rdi E8 64 4F 00 00 call f_OTH__Command_74 */ $version_sig = { 8B D3 48 8B CF E8 F8 2E 00 00 EB 16 8B D3 48 8B CF E8 00 5C 00 00 EB 0A 8B D3 48 8B CF E8 64 4F 00 00 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180018205 */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_13 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.13" hash = "945e10dcd57ba23763481981c6035e0d0427f1d3ba71e75decd94b93f050538e" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "202eb8ea-7afb-515b-9306-67514abf5e55" strings: /* 48 8D 0D 01 5B FF FF lea rcx, f_NET__ExfiltrateData 48 83 C4 28 add rsp, 28h E9 A8 54 FF FF jmp f_OTH__Command_85 8B D0 mov edx, eax 49 8B CA mov rcx, r10; lpSrc E8 22 55 FF FF call f_OTH__Command_84 */ $version_sig = { 48 8D 0D 01 5B FF FF 48 83 C4 28 E9 A8 54 FF FF 8B D0 49 8B CA E8 22 55 FF FF } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180018C01 */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Resources_Beacon_x64_v3_14 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.14" hash = "297a8658aaa4a76599a7b79cb0da5b8aa573dd26c9e2c8f071e591200cf30c93" rs2 = "39b9040e3dcd1421a36e02df78fe031cbdd2fb1a9083260b8aedea7c2bc406bf" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "d69171e3-86f4-5187-8874-5eee2045f746" strings: /* 8B D0 mov edx, eax 49 8B CA mov rcx, r10; Src 48 83 C4 28 add rsp, 28h E9 B1 1F 00 00 jmp f_OTH__Command_69 8B D0 mov edx, eax 49 8B CA mov rcx, r10; Source 48 83 C4 28 add rsp, 28h */ $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 B1 1F 00 00 8B D0 49 8B CA 48 83 C4 28 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 69h 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_1800196BD */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_Dll_x86_v4_0_suspected { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.0 (suspected, not confirmed)" hash = "55aa2b534fcedc92bb3da54827d0daaa23ece0f02a10eb08f5b5247caaa63a73" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "28a735c4-87d1-5e14-9379-46a6fd0cdd2a" strings: /* 41 B8 01 00 00 00 mov r8d, 1 8B D0 mov edx, eax 49 8B CA mov rcx, r10 48 83 C4 28 add rsp, 28h E9 D1 B3 FF FF jmp sub_180010C5C 8B D0 mov edx, eax 49 8B CA mov rcx, r10 48 83 C4 28 add rsp, 28h E9 AF F5 FF FF jmp f_UNK__Command_92__ChangeFlag 45 33 C0 xor r8d, r8d 4C 8D 0D 8D 70 FF FF lea r9, sub_18000C930 8B D0 mov edx, eax 49 8B CA mov rcx, r10 E8 9B B0 FF FF call f_OTH__Command_91__WrapInjection */ $version_sig = { 41 B8 01 00 00 00 8B D0 49 8B CA 48 83 C4 28 E9 D1 B3 FF FF 8B D0 49 8B CA 48 83 C4 28 E9 AF F5 FF FF 45 33 C0 4C 8D 0D 8D 70 FF FF 8B D0 49 8B CA E8 9B B0 FF FF } $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_x64_v4_1_and_v_4_2 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.1 and 4.2" hash = "29ec171300e8d2dad2e1ca2b77912caf0d5f9d1b633a81bb6534acb20a1574b2" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "dc320d17-98fc-5df3-ba05-4d134129317e" strings: /* 83 F9 34 cmp ecx, 34h ; '4' 0F 87 8E 03 00 00 ja loc_180016259 0F 84 7A 03 00 00 jz loc_18001624B 83 F9 1C cmp ecx, 1Ch 0F 87 E6 01 00 00 ja loc_1800160C0 0F 84 D7 01 00 00 jz loc_1800160B7 83 F9 0E cmp ecx, 0Eh 0F 87 E9 00 00 00 ja loc_180015FD2 0F 84 CE 00 00 00 jz loc_180015FBD FF C9 dec ecx 0F 84 B8 00 00 00 jz loc_180015FAF 83 E9 02 sub ecx, 2 0F 84 9F 00 00 00 jz loc_180015F9F FF C9 dec ecx */ $version_sig = { 83 F9 34 0F 87 8E 03 00 00 0F 84 7A 03 00 00 83 F9 1C 0F 87 E6 01 00 00 0F 84 D7 01 00 00 83 F9 0E 0F 87 E9 00 00 00 0F 84 CE 00 00 00 FF C9 0F 84 B8 00 00 00 83 E9 02 0F 84 9F 00 00 00 FF C9 } $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_x64_v4_3 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Version 4.3" hash = "3ac9c3525caa29981775bddec43d686c0e855271f23731c376ba48761c27fa3d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "572616c7-d1ec-5aa1-b142-4f2edf73737f" strings: /* 8B D0 mov edx, eax 49 8B CA mov rcx, r10; Source 48 83 C4 28 add rsp, 28h E9 D3 88 FF FF jmp f_OTH__CommandAbove_10 4C 8D 05 84 6E FF FF lea r8, f_NET__ExfiltrateData 8B D0 mov edx, eax 49 8B CA mov rcx, r10 48 83 C4 28 add rsp, 28h */ $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 D3 88 FF FF 4C 8D 05 84 6E FF FF 8B D0 49 8B CA 48 83 C4 28 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 2Eh 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_1800186E1 */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.4 through at least 4.6" hash = "3280fec57b7ca94fd2bdb5a4ea1c7e648f565ac077152c5a81469030ccf6ab44" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "79b6bfd4-1e45-5bd9-ac5c-19eb176ce698" strings: /* 8B D0 mov edx, eax 49 8B CA mov rcx, r10; Source 48 83 C4 28 add rsp, 28h E9 83 88 FF FF jmp f_OTH__CommandAbove_10 4C 8D 05 A4 6D FF FF lea r8, f_NET__ExfiltrateData 8B D0 mov edx, eax 49 8B CA mov rcx, r10 48 83 C4 28 add rsp, 28h */ $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 83 88 FF FF 4C 8D 05 A4 6D FF FF 8B D0 49 8B CA 48 83 C4 28 } /* 80 34 28 2E xor byte ptr [rax+rbp], 2Eh 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_1800184D9 */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } rule CobaltStrike_Sleeve_Beacon_x64_v4_5_variant { meta: description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.5 (variant)" hash = "8f0da7a45945b630cd0dfb5661036e365dcdccd085bc6cff2abeec6f4c9f1035" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "45715da9-8f16-5304-b216-1ca36c508c77" strings: /* 41 B8 01 00 00 00 mov r8d, 1 8B D0 mov edx, eax 49 8B CA mov rcx, r10 48 83 C4 28 add rsp, 28h E9 E8 AB FF FF jmp sub_1800115A4 8B D0 mov edx, eax 49 8B CA mov rcx, r10 E8 1A EB FF FF call f_UNK__Command_92__ChangeFlag 48 83 C4 28 add rsp, 28h */ $version_sig = { 41 B8 01 00 00 00 8B D0 49 8B CA 48 83 C4 28 E9 E8 AB FF FF 8B D0 49 8B CA E8 1A EB FF FF 48 83 C4 28 } /* 80 34 28 ?? xor byte ptr [rax+rbp], 2Eh 48 FF C0 inc rax 48 3D 00 10 00 00 cmp rax, 1000h 7C F1 jl short loc_180018E1F */ $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 } condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Bind64_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/bind64.bin signature for versions v2.5 to v4.x" hash = "5dd136f5674f66363ea6463fd315e06690d6cb10e3cc516f2d378df63382955d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "a01e7bc3-40e9-5f87-8fd6-926972be273b" strings: /* 48 31 C0 xor rax, rax AC lodsb 41 C1 C9 0D ror r9d, 0Dh 41 01 C1 add r9d, eax 38 E0 cmp al, ah 75 F1 jnz short loc_100000000000007D 4C 03 4C 24 08 add r9, [rsp+40h+var_38] 45 39 D1 cmp r9d, r10d 75 D8 jnz short loc_100000000000006E 58 pop rax 44 8B 40 24 mov r8d, [rax+24h] 49 01 D0 add r8, rdx 66 41 8B 0C 48 mov cx, [r8+rcx*2] 44 8B 40 1C mov r8d, [rax+1Ch] 49 01 D0 add r8, rdx 41 8B 04 88 mov eax, [r8+rcx*4] 48 01 D0 add rax, rdx */ $apiLocator = { 48 [2] AC 41 [2] 0D 41 [2] 38 ?? 75 ?? 4C [4] 45 [2] 75 ?? 5? 44 [2] 24 49 [2] 66 [4] 44 [2] 1C 49 [2] 41 [3] 48 } // the signature for reverse64 and bind really differ slightly, here we are using the inclusion of additional calls // found in bind64 to differentate between this and reverse64 // Note that we can reasonably assume that the constants being passed to the call rbp will be just that, constant, // since we are triggering on the API hasher. If that hasher is unchanged, then the hashes we look for should be // unchanged. This means we can use these values as anchors in our signature. /* 41 BA C2 DB 37 67 mov r10d, bind FF D5 call rbp 48 31 D2 xor rdx, rdx 48 89 F9 mov rcx, rdi 41 BA B7 E9 38 FF mov r10d, listen FF D5 call rbp 4D 31 C0 xor r8, r8 48 31 D2 xor rdx, rdx 48 89 F9 mov rcx, rdi 41 BA 74 EC 3B E1 mov r10d, accept FF D5 call rbp 48 89 F9 mov rcx, rdi 48 89 C7 mov rdi, rax 41 BA 75 6E 4D 61 mov r10d, closesocket */ $calls = { 41 BA C2 DB 37 67 FF D5 48 [2] 48 [2] 41 BA B7 E9 38 FF FF D5 4D [2] 48 [2] 48 [2] 41 BA 74 EC 3B E1 FF D5 48 [2] 48 [2] 41 BA 75 6E 4D 61 } condition: $apiLocator and $calls } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Bind_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/bind.bin signature for versions 2.5 to 4.x" hash = "3727542c0e3c2bf35cacc9e023d1b2d4a1e9e86ee5c62ee5b66184f46ca126d1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "32f129c1-9845-5843-9e16-7d9af217b8e2" strings: /* 31 ?? xor eax, eax AC lodsb C1 ?? 0D ror edi, 0Dh 01 ?? add edi, eax 38 ?? cmp al, ah 75 ?? jnz short loc_10000054 03 [2] add edi, [ebp-8] 3B [2] cmp edi, [ebp+24h] 75 ?? jnz short loc_1000004A 5? pop eax 8B ?? 24 mov ebx, [eax+24h] 01 ?? add ebx, edx 66 8B [2] mov cx, [ebx+ecx*2] 8B ?? 1C mov ebx, [eax+1Ch] 01 ?? add ebx, edx 8B ?? 8B mov eax, [ebx+ecx*4] 01 ?? add eax, edx 89 [3] mov [esp+28h+var_4], eax 5? pop ebx 5? pop ebx */ $apiLocator = { 31 ?? AC C1 ?? 0D 01 ?? 38 ?? 75 ?? 03 [2] 3B [2] 75 ?? 5? 8B ?? 24 01 ?? 66 8B [2] 8B ?? 1C 01 ?? 8B ?? 8B 01 ?? 89 [3] 5? 5? } // the signature for the stagers overlap significantly. Looking for bind.bin specific bytes helps delineate sample types /* 5D pop ebp 68 33 32 00 00 push '23' 68 77 73 32 5F push '_2sw' */ $ws2_32 = { 5D 68 33 32 00 00 68 77 73 32 5F } // bind.bin, unlike reverse.bin, listens for incoming connections. Using the API hashes for listen and accept is a solid // approach to finding bind.bin specific samples /* 5? push ebx 5? push edi 68 B7 E9 38 FF push listen FF ?? call ebp 5? push ebx 5? push ebx 5? push edi 68 74 EC 3B E1 push accept */ $listenaccept = { 5? 5? 68 B7 E9 38 FF FF ?? 5? 5? 5? 68 74 EC 3B E1 } condition: $apiLocator and $ws2_32 and $listenaccept } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x { meta: description = "Cobalt Strike's resources/browserpivot.bin from v1.48 to v3.14 and sleeve/browserpivot.dll from v4.0 to at least v4.4" hash = "12af9f5a7e9bfc49c82a33d38437e2f3f601639afbcdc9be264d3a8d84fd5539" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "55086544-6684-526b-914f-505a562be458" strings: /* FF [1-5] call ds:recv // earlier versions (v1.x to 2.x) this is CALL EBP 83 ?? FF cmp eax, 0FFFFFFFFh 74 ?? jz short loc_100020D5 85 C0 test eax, eax (74 | 76) ?? jz short loc_100020D5 // earlier versions (v1.x to 2.x) used jbe (76) here 03 ?? add esi, eax 83 ?? 02 cmp esi, 2 72 ?? jb short loc_100020D1 80 ?? 3E FF 0A cmp byte ptr [esi+edi-1], 0Ah 75 ?? jnz short loc_100020D1 80 ?? 3E FE 0D cmp byte ptr [esi+edi-2], 0Dh */ $socket_recv = { FF [1-5] 83 ?? FF 74 ?? 85 C0 (74 | 76) ?? 03 ?? 83 ?? 02 72 ?? 80 ?? 3E FF 0A 75 ?? 80 ?? 3E FE 0D } // distinctive regex (sscanf) format string $fmt = "%1024[^ ] %8[^:]://%1016[^/]%7168[^ ] %1024[^ ]" condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x { meta: description = "Cobalt Strike's resources/browserpivot.x64.bin from v1.48 to v3.14 and sleeve/browserpivot.x64.dll from v4.0 to at least v4.4" hash = "0ad32bc4fbf3189e897805cec0acd68326d9c6f714c543bafb9bc40f7ac63f55" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "a5dfae85-ff9c-5ca5-9ac0-041c6108a6ed" strings: /* FF 15 [4] call cs:recv 83 ?? FF cmp eax, 0FFFFFFFFh 74 ?? jz short loc_1800018FB 85 ?? test eax, eax 74 ?? jz short loc_1800018FB 03 ?? add ebx, eax 83 ?? 02 cmp ebx, 2 72 ?? jb short loc_1800018F7 8D ?? FF lea eax, [rbx-1] 80 [2] 0A cmp byte ptr [rax+rdi], 0Ah 75 ?? jnz short loc_1800018F7 8D ?? FE lea eax, [rbx-2] 80 [2] 0D cmp byte ptr [rax+rdi], 0Dh */ $socket_recv = { FF 15 [4] 83 ?? FF 74 ?? 85 ?? 74 ?? 03 ?? 83 ?? 02 72 ?? 8D ?? FF 80 [2] 0A 75 ?? 8D ?? FE 80 [2] 0D } // distinctive regex (sscanf) format string $fmt = "%1024[^ ] %8[^:]://%1016[^/]%7168[^ ] %1024[^ ]" condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x { meta: description = "Cobalt Strike's resources/bypassuac(-x86).dll from v1.49 to v3.14 (32-bit version) and sleeve/bypassuac.dll from v4.0 to at least v4.4" hash = "91d12e1d09a642feedee5da966e1c15a2c5aea90c79ac796e267053e466df365" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "614046b5-cf81-56a5-8824-b3a7e14a8ed5" strings: /* A1 [4] mov eax, fileop 6A 00 push 0 8B ?? mov ecx, [eax] 5? push edx 5? push eax FF ?? 48 call dword ptr [ecx+48h] 85 ?? test eax, eax 75 ?? jnz short loc_10001177 A1 [4] mov eax, fileop 5? push eax 8B ?? mov ecx, [eax] FF ?? 54 call dword ptr [ecx+54h] */ $deleteFileCOM = { A1 [4] 6A 00 8B ?? 5? 5? FF ?? 48 85 ?? 75 ?? A1 [4] 5? 8B ?? FF ?? 54 } /* A1 [4] mov eax, fileop 6A 00 push 0 FF ?? 08 push [ebp+copyName] 8B ?? mov ecx, [eax] FF [5] push dstFile FF [5] push srcFile 5? push eax FF ?? 40 call dword ptr [ecx+40h] 85 ?? test eax, eax 75 ?? jnz short loc_10001026 // this line can also be 0F 85 <32-bit offset> A1 [4] mov eax, fileop 5? push eax 8B ?? mov ecx, [eax] FF ?? 54 call dword ptr [ecx+54h] */ $copyFileCOM = { A1 [4] 6A 00 FF [2] 8B ?? FF [5] FF [5] 5? FF ?? 40 85 ?? [2 - 6] A1 [4] 5? 8B ?? FF ?? 54 } condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x { meta: description = "Cobalt Strike's resources/bypassuac-x64.dll from v3.3 to v3.14 (64-bit version) and sleeve/bypassuac.x64.dll from v4.0 to at least v4.4" hash = "9ecf56e9099811c461d592c325c65c4f9f27d947cbdf3b8ef8a98a43e583aecb" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "eef83901-63d9-55a3-b115-03f420416177" strings: /* 48 8B 0D 07 A4 01 00 mov rcx, cs:fileop 45 33 C0 xor r8d, r8d 48 8B 01 mov rax, [rcx] FF 90 90 00 00 00 call qword ptr [rax+90h] 85 C0 test eax, eax 75 D9 jnz short loc_180001022 48 8B 0D F0 A3 01 00 mov rcx, cs:fileop 48 8B 11 mov rdx, [rcx] FF 92 A8 00 00 00 call qword ptr [rdx+0A8h] 85 C0 test eax, eax */ $deleteFileCOM = { 48 8B [5] 45 33 ?? 48 8B ?? FF 90 90 00 00 00 85 C0 75 ?? 48 8B [5] 48 8B ?? FF 92 A8 00 00 00 85 C0 } /* 48 8B 0D 32 A3 01 00 mov rcx, cs:fileop 4C 8B 05 3B A3 01 00 mov r8, cs:dstFile 48 8B 15 2C A3 01 00 mov rdx, cs:srcFile 48 8B 01 mov rax, [rcx] 4C 8B CD mov r9, rbp 48 89 5C 24 20 mov [rsp+38h+var_18], rbx FF 90 80 00 00 00 call qword ptr [rax+80h] 85 C0 test eax, eax 0F 85 7B FF FF FF jnz loc_1800010B0 48 8B 0D 04 A3 01 00 mov rcx, cs:fileop 48 8B 11 mov rdx, [rcx] FF 92 A8 00 00 00 call qword ptr [rdx+0A8h] */ $copyFileCOM = { 48 8B [5] 4C 8B [5] 48 8B [5] 48 8B ?? 4C 8B ?? 48 89 [3] FF 90 80 00 00 00 85 C0 0F 85 [4] 48 8B [5] 48 8B 11 FF 92 A8 00 00 00 } condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Bypassuactoken_Dll_v3_11_to_v3_14 { meta: description = "Cobalt Strike's resources/bypassuactoken.dll from v3.11 to v3.14 (32-bit version)" hash = "df1c7256dfd78506e38c64c54c0645b6a56fc56b2ffad8c553b0f770c5683070" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "b9f25fa5-bd1d-5ba0-9b1d-bb97e1dbf76b" strings: /* 5? push eax; ReturnLength 5? push edi; TokenInformationLength 5? push edi; TokenInformation 8B ?? mov ebx, ecx 6A 19 push 19h; TokenInformationClass 5? push ebx; TokenHandle FF 15 [4] call ds:GetTokenInformation 85 C0 test eax, eax 75 ?? jnz short loc_10001100 FF 15 [4] call ds:GetLastError 83 ?? 7A cmp eax, 7Ah ; 'z' 75 ?? jnz short loc_10001100 FF [2] push [ebp+ReturnLength]; uBytes 5? push edi; uFlags FF 15 [4] call ds:LocalAlloc 8B ?? mov esi, eax 8D [2] lea eax, [ebp+ReturnLength] 5? push eax; ReturnLength FF [2] push [ebp+ReturnLength]; TokenInformationLength 5? push esi; TokenInformation 6A 19 push 19h; TokenInformationClass 5? push ebx; TokenHandle FF 15 [4] call ds:GetTokenInformation 85 C0 test eax, eax 74 ?? jz short loc_10001103 FF ?? push dword ptr [esi]; pSid FF 15 [4] call ds:GetSidSubAuthorityCount 8A ?? mov al, [eax] FE C8 dec al 0F B6 C0 movzx eax, al 5? push eax; nSubAuthority FF ?? push dword ptr [esi]; pSid FF 15 [4] call ds:GetSidSubAuthority B? 01 00 00 00 mov ecx, 1 5? push esi; hMem 81 ?? 00 30 00 00 cmp dword ptr [eax], 3000h */ $isHighIntegrityProcess = { 5? 5? 5? 8B ?? 6A 19 5? FF 15 [4] 85 C0 75 ?? FF 15 [4] 83 ?? 7A 75 ?? FF [2] 5? FF 15 [4] 8B ?? 8D [2] 5? FF [2] 5? 6A 19 5? FF 15 [4] 85 C0 74 ?? FF ?? FF 15 [4] 8A ?? FE C8 0F B6 C0 5? FF ?? FF 15 [4] B? 01 00 00 00 5? 81 ?? 00 30 00 00 } /* 6A 3C push 3Ch ; '<'; Size 8D ?? C4 lea eax, [ebp+pExecInfo] 8B ?? mov edi, edx 6A 00 push 0; Val 5? push eax; void * 8B ?? mov esi, ecx E8 [4] call _memset 83 C4 0C add esp, 0Ch C7 [2] 3C 00 00 00 mov [ebp+pExecInfo.cbSize], 3Ch ; '<' 8D [2] lea eax, [ebp+pExecInfo] C7 [2] 40 00 00 00 mov [ebp+pExecInfo.fMask], 40h ; '@' C7 [6] mov [ebp+pExecInfo.lpFile], offset aTaskmgrExe; "taskmgr.exe" C7 [2] 00 00 00 00 mov [ebp+pExecInfo.lpParameters], 0 5? push eax; pExecInfo C7 [2] 00 00 00 00 mov [ebp+pExecInfo.lpDirectory], 0 C7 [6] mov [ebp+pExecInfo.lpVerb], offset aRunas; "runas" C7 [2] 00 00 00 00 mov [ebp+pExecInfo.nShow], 0 FF 15 [4] call ds:ShellExecuteExW FF 75 FC push [ebp+pExecInfo.hProcess]; Process */ $executeTaskmgr = { 6A 3C 8D ?? C4 8B ?? 6A 00 5? 8B ?? E8 [4] 83 C4 0C C7 [2] 3C 00 00 00 8D [2] C7 [2] 40 00 00 00 C7 [6] C7 [2] 00 00 00 00 5? C7 [2] 00 00 00 00 C7 [6] C7 [2] 00 00 00 00 FF 15 [4] FF 75 FC } condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14 { meta: description = "Cobalt Strike's resources/bypassuactoken.x64.dll from v3.11 to v3.14 (64-bit version)" hash = "853068822bbc6b1305b2a9780cf1034f5d9d7127001351a6917f9dbb42f30d67" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "c89befcd-a622-5947-9ce3-a6031901a45a" strings: /* 83 F8 7A cmp eax, 7Ah ; 'z' 75 59 jnz short loc_1800014BC 8B 54 24 48 mov edx, dword ptr [rsp+38h+uBytes]; uBytes 33 C9 xor ecx, ecx; uFlags FF 15 49 9C 00 00 call cs:LocalAlloc 44 8B 4C 24 48 mov r9d, dword ptr [rsp+38h+uBytes]; TokenInformationLength 8D 53 19 lea edx, [rbx+19h]; TokenInformationClass 48 8B F8 mov rdi, rax 48 8D 44 24 48 lea rax, [rsp+38h+uBytes] 48 8B CE mov rcx, rsi; TokenHandle 4C 8B C7 mov r8, rdi; TokenInformation 48 89 44 24 20 mov [rsp+38h+ReturnLength], rax; ReturnLength FF 15 B0 9B 00 00 call cs:GetTokenInformation 85 C0 test eax, eax 74 2D jz short loc_1800014C1 48 8B 0F mov rcx, [rdi]; pSid FF 15 AB 9B 00 00 call cs:GetSidSubAuthorityCount 8D 73 01 lea esi, [rbx+1] 8A 08 mov cl, [rax] 40 2A CE sub cl, sil 0F B6 D1 movzx edx, cl; nSubAuthority 48 8B 0F mov rcx, [rdi]; pSid FF 15 9F 9B 00 00 call cs:GetSidSubAuthority 81 38 00 30 00 00 cmp dword ptr [rax], 3000h */ $isHighIntegrityProcess = { 83 ?? 7A 75 ?? 8B [3] 33 ?? FF 15 [4] 44 [4] 8D [2] 48 8B ?? 48 8D [3] 48 8B ?? 4C 8B ?? 48 89 [3] FF 15 [4] 85 C0 74 ?? 48 8B ?? FF 15 [4] 8D [2] 8A ?? 40 [2] 0F B6 D1 48 8B 0F FF 15 [4] 81 ?? 00 30 00 00 } /* 44 8D 42 70 lea r8d, [rdx+70h]; Size 48 8D 4C 24 20 lea rcx, [rsp+98h+pExecInfo]; void * E8 2E 07 00 00 call memset 83 64 24 50 00 and [rsp+98h+pExecInfo.nShow], 0 48 8D 05 E2 9B 00 00 lea rax, aTaskmgrExe; "taskmgr.exe" 0F 57 C0 xorps xmm0, xmm0 66 0F 7F 44 24 40 movdqa xmmword ptr [rsp+98h+pExecInfo.lpParameters], xmm0 48 89 44 24 38 mov [rsp+98h+pExecInfo.lpFile], rax 48 8D 05 E5 9B 00 00 lea rax, aRunas; "runas" 48 8D 4C 24 20 lea rcx, [rsp+98h+pExecInfo]; pExecInfo C7 44 24 20 70 00 00 00 mov [rsp+98h+pExecInfo.cbSize], 70h ; 'p' C7 44 24 24 40 00 00 00 mov [rsp+98h+pExecInfo.fMask], 40h ; '@' 48 89 44 24 30 mov [rsp+98h+pExecInfo.lpVerb], rax FF 15 05 9B 00 00 call cs:ShellExecuteExW */ $executeTaskmgr = { 44 8D ?? 70 48 8D [3] E8 [4] 83 [3] 00 48 8D [5] 0F 57 ?? 66 0F 7F [3] 48 89 [3] 48 8D [5] 48 8D [3] C7 [3] 70 00 00 00 C7 [3] 40 00 00 00 48 89 [3] FF 15 } condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x { meta: description = "Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x" hash = "932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "c0b81deb-ed20-5f7e-8e15-e6a9e9362594" strings: // the command.ps1 and compress.ps1 are the same file. Between v3.7 and v3.8 the file was renamed from command to compress. $ps1 = "$s=New-Object \x49O.MemoryStream(,[Convert]::\x46romBase64String(" nocase $ps2 ="));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" nocase condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Covertvpn_Dll_v2_1_to_v4_x { meta: description = "Cobalt Strike's resources/covertvpn.dll signature for version v2.2 to v4.4" hash = "0a452a94d53e54b1df6ba02bc2f02e06d57153aad111171a94ec65c910d22dcf" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "a65b855c-5703-5b9f-bb57-da8ebf898f9b" strings: /* 5? push esi 68 [4] push offset ProcName; "IsWow64Process" 68 [4] push offset ModuleName; "kernel32" C7 [3-5] 00 00 00 00 mov [ebp+var_9C], 0 // the displacement bytes are only 3 in v2.x, 5 in v3.x->v4.x FF 15 [4] call ds:GetModuleHandleA 50 push eax; hModule FF 15 [4] call ds:GetProcAddress 8B ?? mov esi, eax 85 ?? test esi, esi 74 ?? jz short loc_1000298B 8D [3-5] lea eax, [ebp+var_9C] // the displacement bytes are only 3 in v2.x, 5 in v3.x->v4.x 5? push eax FF 15 [4] call ds:GetCurrentProcess 50 push eax */ $dropComponentsAndActivateDriver_prologue = { 5? 68 [4] 68 [4] C7 [3-5] 00 00 00 00 FF 15 [4] 50 FF 15 [4] 8B ?? 85 ?? 74 ?? 8D [3-5] 5? FF 15 [4] 50 } /* 6A 00 push 0; AccessMode 5? push esi; FileName E8 [4] call __access 83 C4 08 add esp, 8 83 F8 FF cmp eax, 0FFFFFFFFh 74 ?? jz short loc_100028A7 5? push esi 68 [4] push offset aWarningSExists; "Warning: %s exists\n" // this may not exist in v2.x samples E8 [4] call nullsub_1 83 C4 08 add esp, 8 // if the push doesnt exist, then this is 04, not 08 // v2.x has a PUSH ESI here... so we need to skip that 6A 00 push 0; hTemplateFile 68 80 01 00 00 push 180h; dwFlagsAndAttributes 6A 02 push 2; dwCreationDisposition 6A 00 push 0; lpSecurityAttributes 6A 05 push 5; dwShareMode 68 00 00 00 40 push 40000000h; dwDesiredAccess 5? push esi; lpFileName FF 15 [4] call ds:CreateFileA 8B ?? mov edi, eax 83 ?? FF cmp edi, 0FFFFFFFFh 75 ?? jnz short loc_100028E2 FF 15 [4] call ds:GetLastError 5? push eax */ $dropFile = { 6A 00 5? E8 [4] 83 C4 08 83 F8 FF 74 ?? 5? [0-5] E8 [4] 83 C4 ?? [0-2] 6A 00 68 80 01 00 00 6A 02 6A 00 6A 05 68 00 00 00 40 5? FF 15 [4] 8B ?? 83 ?? FF 75 ?? FF 15 [4] 5? } $nfp = "npf.sys" nocase $wpcap = "wpcap.dll" nocase condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49 { meta: description = "Cobalt Strike's resources/covertvpn-injector.exe signature for version v1.44 to v2.0.49" hash = "d741751520f46602f5a57d1ed49feaa5789115aeeba7fa4fc7cbb534ee335462" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "48485ae2-1d99-5fa8-b8e8-0047e92ef447" strings: /* C7 04 24 [4] mov dword ptr [esp], offset aKernel32; "kernel32" E8 [4] call GetModuleHandleA 83 EC 04 sub esp, 4 C7 44 24 04 [4] mov dword ptr [esp+4], offset aIswow64process; "IsWow64Process" 89 04 24 mov [esp], eax; hModule E8 59 14 00 00 call GetProcAddress 83 EC 08 sub esp, 8 89 45 ?? mov [ebp+var_C], eax 83 7D ?? 00 cmp [ebp+var_C], 0 74 ?? jz short loc_4019BA E8 [4] call GetCurrentProcess 8D [2] lea edx, [ebp+fIs64bit] 89 [3] mov [esp+4], edx 89 04 24 mov [esp], eax */ $dropComponentsAndActivateDriver_prologue = { C7 04 24 [4] E8 [4] 83 EC 04 C7 44 24 04 [4] 89 04 24 E8 59 14 00 00 83 EC 08 89 45 ?? 83 7D ?? 00 74 ?? E8 [4] 8D [2] 89 [3] 89 04 24 } /* C7 44 24 04 00 00 00 00 mov dword ptr [esp+4], 0; AccessMode 8B [2] mov eax, [ebp+FileName] 89 ?? 24 mov [esp], eax; FileName E8 [4] call _access 83 F8 FF cmp eax, 0FFFFFFFFh 74 ?? jz short loc_40176D 8B [2] mov eax, [ebp+FileName] 89 ?? 24 04 mov [esp+4], eax C7 04 24 [4] mov dword ptr [esp], offset aWarningSExists; "Warning: %s exists\n" E8 [4] call log E9 [4] jmp locret_401871 C7 44 24 18 00 00 00 00 mov dword ptr [esp+18h], 0; hTemplateFile C7 44 24 14 80 01 00 00 mov dword ptr [esp+14h], 180h; dwFlagsAndAttributes C7 44 24 10 02 00 00 00 mov dword ptr [esp+10h], 2; dwCreationDisposition C7 44 24 0C 00 00 00 00 mov dword ptr [esp+0Ch], 0; lpSecurityAttributes C7 44 24 08 05 00 00 00 mov dword ptr [esp+8], 5; dwShareMode C7 44 24 04 00 00 00 40 mov dword ptr [esp+4], 40000000h; dwDesiredAccess 8B [2] mov eax, [ebp+FileName] 89 04 24 mov [esp], eax; lpFileName E8 [4] call CreateFileA 83 EC 1C sub esp, 1Ch 89 45 ?? mov [ebp+hFile], eax */ $dropFile = { C7 44 24 04 00 00 00 00 8B [2] 89 ?? 24 E8 [4] 83 F8 FF 74 ?? 8B [2] 89 ?? 24 04 C7 04 24 [4] E8 [4] E9 [4] C7 44 24 18 00 00 00 00 C7 44 24 14 80 01 00 00 C7 44 24 10 02 00 00 00 C7 44 24 0C 00 00 00 00 C7 44 24 08 05 00 00 00 C7 44 24 04 00 00 00 40 8B [2] 89 04 24 E8 [4] 83 EC 1C 89 45 ?? } $nfp = "npf.sys" nocase $wpcap = "wpcap.dll" nocase condition: all of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x { meta: description = "Cobalt Strike's resources/dnsstager.bin signature for versions 1.47 to 4.x" hash = "10f946b88486b690305b87c14c244d7bc741015c3fef1c4625fa7f64917897f1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "e1b0e368-9bcf-5d9b-b2b3-8414742f213e" strings: /* 31 ?? xor eax, eax AC lodsb C1 ?? 0D ror edi, 0Dh 01 ?? add edi, eax 38 ?? cmp al, ah 75 ?? jnz short loc_10000054 03 [2] add edi, [ebp-8] 3B [2] cmp edi, [ebp+24h] 75 ?? jnz short loc_1000004A 5? pop eax 8B ?? 24 mov ebx, [eax+24h] 01 ?? add ebx, edx 66 8B [2] mov cx, [ebx+ecx*2] 8B ?? 1C mov ebx, [eax+1Ch] 01 ?? add ebx, edx 8B ?? 8B mov eax, [ebx+ecx*4] 01 ?? add eax, edx 89 [3] mov [esp+28h+var_4], eax 5? pop ebx 5? pop ebx */ $apiLocator = { 31 ?? AC C1 ?? 0D 01 ?? 38 ?? 75 ?? 03 [2] 3B [2] 75 ?? 5? 8B ?? 24 01 ?? 66 8B [2] 8B ?? 1C 01 ?? 8B ?? 8B 01 ?? 89 [3] 5? 5? } // the signature for the stagers overlap significantly. Looking for dnsstager.bin specific bytes helps delineate sample types $dnsapi = { 68 64 6E 73 61 } condition: $apiLocator and $dnsapi } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x { meta: description = "Cobalt Strike's resources/elevate.dll signature for v3.0 to v3.14 and sleeve/elevate.dll for v4.x" hash = "6deeb2cafe9eeefe5fc5077e63cc08310f895e9d5d492c88c4e567323077aa2f" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "170f62a2-ba4f-5be8-9ec5-402eb7bbde4e" strings: /* 6A 00 push 0; lParam 6A 28 push 28h ; '('; wParam 68 00 01 00 00 push 100h; Msg 5? push edi; hWnd C7 [5] 01 00 00 00 mov dword_10017E70, 1 FF ?? call esi ; PostMessageA 6A 00 push 0; lParam 6A 27 push 27h ; '''; wParam 68 00 01 00 00 push 100h; Msg 5? push edi; hWnd FF ?? call esi ; PostMessageA 6A 00 push 0; lParam 6A 00 push 0; wParam 68 01 02 00 00 push 201h; Msg 5? push edi; hWnd FF ?? call esi ; PostMessageA */ $wnd_proc = { 6A 00 6A 28 68 00 01 00 00 5? C7 [5] 01 00 00 00 FF ?? 6A 00 6A 27 68 00 01 00 00 5? FF ?? 6A 00 6A 00 68 01 02 00 00 5? FF ?? } condition: $wnd_proc } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x { meta: description = "Cobalt Strike's resources/elevate.x64.dll signature for v3.0 to v3.14 and sleeve/elevate.x64.dll for v4.x" hash = "c3ee8a9181fed39cec3bd645b32b611ce98d2e84c5a9eff31a8acfd9c26410ec" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "91d5c343-1084-5cfc-9dfa-46f530eb9625" strings: /* 81 FA 21 01 00 00 cmp edx, 121h 75 4A jnz short loc_1800017A9 83 3D 5A 7E 01 00 00 cmp cs:dword_1800195C0, 0 75 41 jnz short loc_1800017A9 45 33 C9 xor r9d, r9d; lParam 8D 57 DF lea edx, [rdi-21h]; Msg C7 05 48 7E 01 00 01 00 00 00 mov cs:dword_1800195C0, 1 45 8D 41 28 lea r8d, [r9+28h]; wParam FF 15 36 DB 00 00 call cs:PostMessageA 45 33 C9 xor r9d, r9d; lParam 8D 57 DF lea edx, [rdi-21h]; Msg 45 8D 41 27 lea r8d, [r9+27h]; wParam 48 8B CB mov rcx, rbx; hWnd FF 15 23 DB 00 00 call cs:PostMessageA 45 33 C9 xor r9d, r9d; lParam 45 33 C0 xor r8d, r8d; wParam BA 01 02 00 00 mov edx, 201h; Msg 48 8B CB mov rcx, rbx; hWnd */ $wnd_proc = { 81 ?? 21 01 00 00 75 ?? 83 [5] 00 75 ?? 45 33 ?? 8D [2] C7 [5] 01 00 00 00 45 [2] 28 FF 15 [4] 45 33 ?? 8D [2] 45 [2] 27 48 [2] FF 15 [4] 45 33 ?? 45 33 ?? BA 01 02 00 00 48 } condition: $wnd_proc } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Httpsstager64_Bin_v3_2_through_v4_x { meta: description = "Cobalt Strike's resources/httpsstager64.bin signature for versions v3.2 to v4.x" hash = "109b8c55816ddc0defff360c93e8a07019ac812dd1a42209ea7e95ba79b5a573" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "c16e73fc-484a-5f7e-8127-d85a0254d842" strings: /* 48 31 C0 xor rax, rax AC lodsb 41 C1 C9 0D ror r9d, 0Dh 41 01 C1 add r9d, eax 38 E0 cmp al, ah 75 F1 jnz short loc_100000000000007D 4C 03 4C 24 08 add r9, [rsp+40h+var_38] 45 39 D1 cmp r9d, r10d 75 D8 jnz short loc_100000000000006E 58 pop rax 44 8B 40 24 mov r8d, [rax+24h] 49 01 D0 add r8, rdx 66 41 8B 0C 48 mov cx, [r8+rcx*2] 44 8B 40 1C mov r8d, [rax+1Ch] 49 01 D0 add r8, rdx 41 8B 04 88 mov eax, [r8+rcx*4] 48 01 D0 add rax, rdx */ $apiLocator = { 48 [2] AC 41 [2] 0D 41 [2] 38 ?? 75 ?? 4C [4] 45 [2] 75 ?? 5? 44 [2] 24 49 [2] 66 [4] 44 [2] 1C 49 [2] 41 [3] 48 } // the signature for httpstager64 and httpsstager64 really only differ by the flags passed to WinInet API // and the inclusion of the InternetSetOptionA call. We will trigger off that API /* BA 1F 00 00 00 mov edx, 1Fh 6A 00 push 0 68 80 33 00 00 push 3380h 49 89 E0 mov r8, rsp 41 B9 04 00 00 00 mov r9d, 4 41 BA 75 46 9E 86 mov r10d, InternetSetOptionA */ $InternetSetOptionA = { BA 1F 00 00 00 6A 00 68 80 33 00 00 49 [2] 41 ?? 04 00 00 00 41 ?? 75 46 9E 86 } condition: $apiLocator and $InternetSetOptionA } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Httpsstager_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/httpsstager.bin signature for versions 2.5 to 4.x" hash = "5ebe813a4c899b037ac0ee0962a439833964a7459b7a70f275ac73ea475705b3" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "f45aa40a-3936-50f9-a60e-de7181862d19" strings: /* 31 ?? xor eax, eax AC lodsb C1 ?? 0D ror edi, 0Dh 01 ?? add edi, eax 38 ?? cmp al, ah 75 ?? jnz short loc_10000054 03 [2] add edi, [ebp-8] 3B [2] cmp edi, [ebp+24h] 75 ?? jnz short loc_1000004A 5? pop eax 8B ?? 24 mov ebx, [eax+24h] 01 ?? add ebx, edx 66 8B [2] mov cx, [ebx+ecx*2] 8B ?? 1C mov ebx, [eax+1Ch] 01 ?? add ebx, edx 8B ?? 8B mov eax, [ebx+ecx*4] 01 ?? add eax, edx 89 [3] mov [esp+28h+var_4], eax 5? pop ebx 5? pop ebx */ $apiLocator = { 31 ?? AC C1 ?? 0D 01 ?? 38 ?? 75 ?? 03 [2] 3B [2] 75 ?? 5? 8B ?? 24 01 ?? 66 8B [2] 8B ?? 1C 01 ?? 8B ?? 8B 01 ?? 89 [3] 5? 5? } // the signature for httpstager and httpsstager really only differ by the flags passed to WinInet API // and the inclusion of the InternetSetOptionA call. We will trigger off that API /* 6A 04 push 4 5? push eax 6A 1F push 1Fh 5? push esi 68 75 46 9E 86 push InternetSetOptionA FF ?? call ebp */ $InternetSetOptionA = { 6A 04 5? 6A 1F 5? 68 75 46 9E 86 FF } condition: $apiLocator and $InternetSetOptionA } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Httpstager64_Bin_v3_2_through_v4_x { meta: description = "Cobalt Strike's resources/httpstager64.bin signature for versions v3.2 to v4.x" hash = "ad93d1ee561bc25be4a96652942f698eac9b133d8b35ab7e7d3489a25f1d1e76" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "5530dce8-e5a1-5133-9b05-464e3397084a" strings: /* 48 31 C0 xor rax, rax AC lodsb 41 C1 C9 0D ror r9d, 0Dh 41 01 C1 add r9d, eax 38 E0 cmp al, ah 75 F1 jnz short loc_100000000000007D 4C 03 4C 24 08 add r9, [rsp+40h+var_38] 45 39 D1 cmp r9d, r10d 75 D8 jnz short loc_100000000000006E 58 pop rax 44 8B 40 24 mov r8d, [rax+24h] 49 01 D0 add r8, rdx 66 41 8B 0C 48 mov cx, [r8+rcx*2] 44 8B 40 1C mov r8d, [rax+1Ch] 49 01 D0 add r8, rdx 41 8B 04 88 mov eax, [r8+rcx*4] 48 01 D0 add rax, rdx */ $apiLocator = { 48 [2] AC 41 [2] 0D 41 [2] 38 ?? 75 ?? 4C [4] 45 [2] 75 ?? 5? 44 [2] 24 49 [2] 66 [4] 44 [2] 1C 49 [2] 41 [3] 48 } // the signature for httpstager64 and httpsstager64 really the inclusion or exclusion of InternetSetOptionA. However, // there is a subtle difference in the jmp after the InternetOpenA call (short jmp for x86 and long jmp for x64) /* 41 BA 3A 56 79 A7 mov r10d, InternetOpenA FF D5 call rbp EB 61 jmp short j_get_c2_ip */ $postInternetOpenJmp = { 41 ?? 3A 56 79 A7 FF ?? EB } condition: $apiLocator and $postInternetOpenJmp } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Httpstager_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/httpstager.bin signature for versions 2.5 to 4.x" hash = "a47569af239af092880751d5e7b68d0d8636d9f678f749056e702c9b063df256" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "86109485-c26c-5c51-8d04-dd1add9a8c57" strings: /* 31 ?? xor eax, eax AC lodsb C1 ?? 0D ror edi, 0Dh 01 ?? add edi, eax 38 ?? cmp al, ah 75 ?? jnz short loc_10000054 03 [2] add edi, [ebp-8] 3B [2] cmp edi, [ebp+24h] 75 ?? jnz short loc_1000004A 5? pop eax 8B ?? 24 mov ebx, [eax+24h] 01 ?? add ebx, edx 66 8B [2] mov cx, [ebx+ecx*2] 8B ?? 1C mov ebx, [eax+1Ch] 01 ?? add ebx, edx 8B ?? 8B mov eax, [ebx+ecx*4] 01 ?? add eax, edx 89 [3] mov [esp+28h+var_4], eax 5? pop ebx 5? pop ebx */ $apiLocator = { 31 ?? AC C1 ?? 0D 01 ?? 38 ?? 75 ?? 03 [2] 3B [2] 75 ?? 5? 8B ?? 24 01 ?? 66 8B [2] 8B ?? 1C 01 ?? 8B ?? 8B 01 ?? 89 [3] 5? 5? } // the signature for httpstager and httpsstager really only differ by the flags passed to WinInet API // and the httpstager controls the download loop slightly different than the httpsstager /* B? 00 2F 00 00 mov edi, 2F00h 39 ?? cmp edi, eax 74 ?? jz short loc_100000E9 31 ?? xor edi, edi E9 [4] jmp loc_100002CA // opcode could also be EB for a short jump (v2.5-v3.10) */ $downloaderLoop = { B? 00 2F 00 00 39 ?? 74 ?? 31 ?? ( E9 | EB ) } condition: $apiLocator and $downloaderLoop } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Reverse64_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/reverse64.bin signature for versions v2.5 to v4.x" hash = "d2958138c1b7ef681a63865ec4a57b0c75cc76896bf87b21c415b7ec860397e8" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "966e6e4c-85e2-5c94-8245-25367802b7d2" strings: /* 48 31 C0 xor rax, rax AC lodsb 41 C1 C9 0D ror r9d, 0Dh 41 01 C1 add r9d, eax 38 E0 cmp al, ah 75 F1 jnz short loc_100000000000007D 4C 03 4C 24 08 add r9, [rsp+40h+var_38] 45 39 D1 cmp r9d, r10d 75 D8 jnz short loc_100000000000006E 58 pop rax 44 8B 40 24 mov r8d, [rax+24h] 49 01 D0 add r8, rdx 66 41 8B 0C 48 mov cx, [r8+rcx*2] 44 8B 40 1C mov r8d, [rax+1Ch] 49 01 D0 add r8, rdx 41 8B 04 88 mov eax, [r8+rcx*4] 48 01 D0 add rax, rdx */ $apiLocator = { 48 [2] AC 41 [2] 0D 41 [2] 38 ?? 75 ?? 4C [4] 45 [2] 75 ?? 5? 44 [2] 24 49 [2] 66 [4] 44 [2] 1C 49 [2] 41 [3] 48 } // the signature for reverse64 and bind really differ slightly, here we are using the lack of additional calls // found in reverse64 to differentate between this and bind64 // Note that we can reasonably assume that the constants being passed to the call rbp will be just that, constant, // since we are triggering on the API hasher. If that hasher is unchanged, then the hashes we look for should be // unchanged. This means we can use these values as anchors in our signature. /* 41 BA EA 0F DF E0 mov r10d, WSASocketA FF D5 call rbp 48 89 C7 mov rdi, rax 6A 10 push 10h 41 58 pop r8 4C 89 E2 mov rdx, r12 48 89 F9 mov rcx, rdi 41 BA 99 A5 74 61 mov r10d, connect FF D5 call rbp */ $calls = { 48 89 C1 41 BA EA 0F DF E0 FF D5 48 [2] 6A ?? 41 ?? 4C [2] 48 [2] 41 BA 99 A5 74 61 FF D5 } condition: $apiLocator and $calls } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x" hash = "887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "182dbcd0-1180-5516-abe3-cf2eebbd0e39" strings: /* 31 ?? xor eax, eax AC lodsb C1 ?? 0D ror edi, 0Dh 01 ?? add edi, eax 38 ?? cmp al, ah 75 ?? jnz short loc_10000054 03 [2] add edi, [ebp-8] 3B [2] cmp edi, [ebp+24h] 75 ?? jnz short loc_1000004A 5? pop eax 8B ?? 24 mov ebx, [eax+24h] 01 ?? add ebx, edx 66 8B [2] mov cx, [ebx+ecx*2] 8B ?? 1C mov ebx, [eax+1Ch] 01 ?? add ebx, edx 8B ?? 8B mov eax, [ebx+ecx*4] 01 ?? add eax, edx 89 [3] mov [esp+28h+var_4], eax 5? pop ebx 5? pop ebx */ $apiLocator = { 31 ?? AC C1 ?? 0D 01 ?? 38 ?? 75 ?? 03 [2] 3B [2] 75 ?? 5? 8B ?? 24 01 ?? 66 8B [2] 8B ?? 1C 01 ?? 8B ?? 8B 01 ?? 89 [3] 5? 5? } // the signature for the stagers overlap significantly. Looking for reverse.bin specific bytes helps delineate sample types /* 5D pop ebp 68 33 32 00 00 push '23' 68 77 73 32 5F push '_2sw' */ $ws2_32 = { 5D 68 33 32 00 00 68 77 73 32 5F } // reverse.bin makes outbound connection (using connect) while bind.bin listens for incoming connections (using listen) // so the presence of the connect API hash is a solid method for distinguishing between the two. /* 6A 10 push 10h [0]5? push esi 5? push edi 68 99 A5 74 61 push connect */ $connect = { 6A 10 5? 5? 68 99 A5 74 61 } condition: $apiLocator and $ws2_32 and $connect } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Smbstager_Bin_v2_5_through_v4_x { meta: description = "Cobalt Strike's resources/smbstager.bin signature for versions 2.5 to 4.x" hash = "946af5a23e5403ea1caccb2e0988ec1526b375a3e919189f16491eeabc3e7d8c" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "074b7d83-e3d8-541c-804b-2417c21f54d5" strings: /* 31 ?? xor eax, eax AC lodsb C1 ?? 0D ror edi, 0Dh 01 ?? add edi, eax 38 ?? cmp al, ah 75 ?? jnz short loc_10000054 03 [2] add edi, [ebp-8] 3B [2] cmp edi, [ebp+24h] 75 ?? jnz short loc_1000004A 5? pop eax 8B ?? 24 mov ebx, [eax+24h] 01 ?? add ebx, edx 66 8B [2] mov cx, [ebx+ecx*2] 8B ?? 1C mov ebx, [eax+1Ch] 01 ?? add ebx, edx 8B ?? 8B mov eax, [ebx+ecx*4] 01 ?? add eax, edx 89 [3] mov [esp+28h+var_4], eax 5? pop ebx 5? pop ebx */ $apiLocator = { 31 ?? AC C1 ?? 0D 01 ?? 38 ?? 75 ?? 03 [2] 3B [2] 75 ?? 5? 8B ?? 24 01 ?? 66 8B [2] 8B ?? 1C 01 ?? 8B ?? 8B 01 ?? 89 [3] 5? 5? } // the signature for the stagers overlap significantly. Looking for smbstager.bin specific bytes helps delineate sample types $smb = { 68 C6 96 87 52 } // This code block helps differentiate between smbstager.bin and metasploit's engine which has reasonable level of overlap /* 6A 40 push 40h ; '@' 68 00 10 00 00 push 1000h 68 FF FF 07 00 push 7FFFFh 6A 00 push 0 68 58 A4 53 E5 push VirtualAlloc */ $smbstart = { 6A 40 68 00 10 00 00 68 FF FF 07 00 6A 00 68 58 A4 53 E5 } condition: $apiLocator and $smb and $smbstart } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Template_Py_v3_3_to_v4_x { meta: description = "Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x" hash = "d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "16aef9a9-b217-5462-93dc-f6273c99ddd0" strings: $arch = "platform.architecture()" $nope = "WindowsPE" $alloc = "ctypes.windll.kernel32.VirtualAlloc" $movemem = "ctypes.windll.kernel32.RtlMoveMemory" $thread = "ctypes.windll.kernel32.CreateThread" $wait = "ctypes.windll.kernel32.WaitForSingleObject" condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Template_Sct_v3_3_to_v4_x { meta: description = "Cobalt Strike's resources/template.sct signature for versions v3.3 to v4.x" hash = "fc66cb120e7bc9209882620f5df7fdf45394c44ca71701a8662210cf3a40e142" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "9d2b1dfa-5f76-503f-9198-6ed0d039e0cb" strings: $scriptletstart = "" nocase $registration = "" nocase $cdata = "" nocase $antiregistration = "" nocase $scriptletend = "" condition: all of them and @scriptletstart[1] < @registration[1] and @registration[1] < @classid[1] and @classid[1] < @scriptlang[1] and @scriptlang[1] < @cdata[1] }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources__Template_Vbs_v3_3_to_v4_x { meta: description = "Cobalt Strike's resources/btemplate.vbs signature for versions v3.3 to v4.x" hash = "e0683f953062e63b2aabad7bc6d76a78748504b114329ef8e2ece808b3294135" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "62f35d02-1e4e-5651-b575-888ce06b8bdd" strings: $ea = "Excel.Application" nocase $vis = "Visible = False" nocase $wsc = "Wscript.Shell" nocase $regkey1 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" nocase $regkey2 = "\\Excel\\Security\\AccessVBOM" nocase $regwrite = ".RegWrite" nocase $dw = "REG_DWORD" $code = ".CodeModule.AddFromString" /* Hex encoded Auto_*/ /*Open */ $ao = { 41 75 74 6f 5f 4f 70 65 6e } $da = ".DisplayAlerts" condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14 { meta: description = "Cobalt Strike's resources/template.x64.ps1, resources/template.x32 from v3.11 to v3.14 and resources/template.ps1 from v1.45 to v2.5 " hash = "ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "c9fa6a39-0098-5dde-9762-94bc6b2df299" strings: $importVA = "[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc" nocase $importCT = "[DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread" nocase $importWFSO = "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject" nocase $compiler = "New-Object Microsoft.CSharp.CSharpCodeProvider" nocase $params = "New-Object System.CodeDom.Compiler.CompilerParameters" nocase $paramsSys32 = ".ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))" nocase $paramsGIM = ".GenerateInMemory = $True" nocase $result = "$compiler.CompileAssemblyFromSource($params, $assembly)" nocase //$data = "[Byte[]]$var_code = [System.Convert]::FromBase64String(" nocase //$64bitSpecific = "[IntPtr]::size -eq 8" condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13 { meta: description = "Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13" hash = "ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "5a808113-aacb-56ca-b3ec-166c73c54b85" strings: $dda = "[AppDomain]::CurrentDomain.DefineDynamicAssembly" nocase $imm = "InMemoryModule" nocase $mdt = "MyDelegateType" nocase $rd = "New-Object System.Reflection.AssemblyName('ReflectedDelegate')" nocase $data = "[Byte[]]$var_code = [System.Convert]::FromBase64String(" nocase $64bitSpecific = "[IntPtr]::size -eq 8" $mandatory = "Mandatory = $True" condition: all of them }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Template_x86_Vba_v3_8_to_v4_x { meta: description = "Cobalt Strike's resources/template.x86.vba signature for versions v3.8 to v4.x" hash = "fc66cb120e7bc9209882620f5df7fdf45394c44ca71701a8662210cf3a40e142" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "11c7758e-93b2-5fe3-873d-b98de579d2b4" strings: $createstuff = "Function CreateStuff Lib \"kernel32\" Alias \"CreateRemoteThread\"" nocase $allocstuff = "Function AllocStuff Lib \"kernel32\" Alias \"VirtualAllocEx\"" nocase $writestuff = "Function WriteStuff Lib \"kernel32\" Alias \"WriteProcessMemory\"" nocase $runstuff = "Function RunStuff Lib \"kernel32\" Alias \"CreateProcessA\"" nocase $vars = "Dim rwxpage As Long" nocase $res = "RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)" $rwxpage = "AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)" condition: all of them and @vars[1] < @res[1] and @allocstuff[1] < @rwxpage[1] }/* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Xor_Bin_v2_x_to_v4_x { meta: description = "Cobalt Strike's resource/xor.bin signature for version 2.x through 4.x" hash = "211ccc5d28b480760ec997ed88ab2fbc5c19420a3d34c1df7991e65642638a6f" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "1754746c-3a42-5f7d-808a-ba2e1c0a270e" strings: /* The method for making this signatures consists of extracting each stub from the various resources/xor.bin files in the cobaltstrike.jar files. For each stub found, sort them by byte count (size). Then for all entries in the same size category, compare them nibble by nibble. Any mismatched nibbles get 0'd. After all stubs have been compared to each other thereby creating a mask, any 0 nibbles are turned to ? wildcards. The results are seen below */ $stub52 = {fc e8 ?? ?? ?? ?? [1-32] eb 27 5? 8b ?? 83 c? ?4 8b ?? 31 ?? 83 c? ?4 5? 8b ?? 31 ?? 89 ?? 31 ?? 83 c? ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb ea 5? ff e? e8 d4 ff ff ff} $stub56 = {fc e8 ?? ?? ?? ?? [1-32] eb 2b 5d 8b ?? ?? 83 c5 ?4 8b ?? ?? 31 ?? 83 c5 ?4 55 8b ?? ?? 31 ?? 89 ?? ?? 31 ?? 83 c5 ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb e8 5? ff e? e8 d? ff ff ff} condition: any of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Resources_Xor_Bin__64bit_v3_12_to_v4_x { meta: description = "Cobalt Strike's resource/xor64.bin signature for version 3.12 through 4.x" hash = "01dba8783768093b9a34a1ea2a20f72f29fd9f43183f3719873df5827a04b744" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "5bb465ee-3bbd-5bfe-8b63-1f243de217bc" strings: /* The method for making this signatures consists of extracting each stub from the various resources/xor64.bin files in the cobaltstrike.jar files. For each stub found, sort them by byte count (size). Then for all entries in the same size category, compare them nibble by nibble. Any mismatched nibbles get 0'd. After all stubs have been compared to each other thereby creating a mask, any 0 nibbles are turned to ? wildcards. The results are seen below */ $stub58 = {fc e8 ?? ?? ?? ?? [1-32] eb 33 5? 8b ?? 00 4? 83 ?? ?4 8b ?? 00 31 ?? 4? 83 ?? ?4 5? 8b ?? 00 31 ?? 89 ?? 00 31 ?? 4? 83 ?? ?4 83 ?? ?4 31 ?? 39 ?? 74 ?2 eb e7 5? fc 4? 83 ?? f0 ff} $stub59 = {fc e8 ?? ?? ?? ?? [1-32] eb 2e 5? 8b ?? 48 83 c? ?4 8b ?? 31 ?? 48 83 c? ?4 5? 8b ?? 31 ?? 89 ?? 31 ?? 48 83 c? ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb e9 5? 48 83 ec ?8 ff e? e8 cd ff ff ff} $stub63 = {fc e8 ?? ?? ?? ?? [1-32] eb 32 5d 8b ?? ?? 48 83 c5 ?4 8b ?? ?? 31 ?? 48 83 c5 ?4 55 8b ?? ?? 31 ?? 89 ?? ?? 31 ?? 48 83 c5 ?4 83 e? ?4 31 ?? 39 ?? 74 ?2 eb e7 5? 48 83 ec ?8 ff e? e8 c9 ff ff ff} condition: any of them } /* * Copyright 2022 Google LLC * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * https://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ rule CobaltStrike_Sleeve_BeaconLoader_HA_x86_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.HA.x86.o (HeapAlloc) Versions 4.3 through at least 4.6" hash = "8e4a1862aa3693f0e9011ade23ad3ba036c76ae8ccfb6585dc19ceb101507dcd" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "0ee3fa6f-367c-596f-a3bc-3bcfa61b97aa" strings: /* C6 45 F0 48 mov [ebp+var_10], 48h ; 'H' C6 45 F1 65 mov [ebp+var_F], 65h ; 'e' C6 45 F2 61 mov [ebp+var_E], 61h ; 'a' C6 45 F3 70 mov [ebp+var_D], 70h ; 'p' C6 45 F4 41 mov [ebp+var_C], 41h ; 'A' C6 45 F5 6C mov [ebp+var_B], 6Ch ; 'l' C6 45 F6 6C mov [ebp+var_A], 6Ch ; 'l' C6 45 F7 6F mov [ebp+var_9], 6Fh ; 'o' C6 45 F8 63 mov [ebp+var_8], 63h ; 'c' C6 45 F9 00 mov [ebp+var_7], 0 */ $core_sig = { C6 45 F0 48 C6 45 F1 65 C6 45 F2 61 C6 45 F3 70 C6 45 F4 41 C6 45 F5 6C C6 45 F6 6C C6 45 F7 6F C6 45 F8 63 C6 45 F9 00 } // These strings can narrow down the specific version //$ver_43 = { 9B 2C 3E 60 } // Version 4.3 //$ver_44_45_46 = { 55 F8 86 5F } // Versions 4.4, 4.5, and 4.6 condition: all of them } rule CobaltStrike_Sleeve_BeaconLoader_MVF_x86_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.MVF.x86.o (MapViewOfFile) Versions 4.3 through at least 4.6" hash = "cded3791caffbb921e2afa2de4c04546067c3148c187780066e8757e67841b44" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "3f7c0553-989e-53e7-87a9-3fa1c47f4b62" strings: /* C6 45 EC 4D mov [ebp+var_14], 4Dh ; 'M' C6 45 ED 61 mov [ebp+var_13], 61h ; 'a' C6 45 EE 70 mov [ebp+var_12], 70h ; 'p' C6 45 EF 56 mov [ebp+var_11], 56h ; 'V' C6 45 F0 69 mov [ebp+var_10], 69h ; 'i' C6 45 F1 65 mov [ebp+var_F], 65h ; 'e' C6 45 F2 77 mov [ebp+var_E], 77h ; 'w' C6 45 F3 4F mov [ebp+var_D], 4Fh ; 'O' C6 45 F4 66 mov [ebp+var_C], 66h ; 'f' C6 45 F5 46 mov [ebp+var_B], 46h ; 'F' C6 45 F6 69 mov [ebp+var_A], 69h ; 'i' C6 45 F7 6C mov [ebp+var_9], 6Ch ; 'l' C6 45 F8 65 mov [ebp+var_8], 65h ; 'e' C6 45 F9 00 mov [ebp+var_7], 0 */ $core_sig = { C6 45 EC 4D C6 45 ED 61 C6 45 EE 70 C6 45 EF 56 C6 45 F0 69 C6 45 F1 65 C6 45 F2 77 C6 45 F3 4F C6 45 F4 66 C6 45 F5 46 C6 45 F6 69 C6 45 F7 6C C6 45 F8 65 C6 45 F9 00 } // These strings can narrow down the specific version //$ver_43 = { 9C 2C 3E 60 } // Version 4.3 //$ver_44_45_46 = { 55 F8 86 5F } // Versions 4.4, 4.5, and 4.6 condition: all of them } rule CobaltStrike_Sleeve_BeaconLoader_VA_x86_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6" hash = "94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "5f89c4be-f4c5-54d3-b923-d125de53902f" strings: /* C6 45 B0 56 mov [ebp+var_50], 56h ; 'V' C6 45 B1 69 mov [ebp+var_50+1], 69h ; 'i' C6 45 B2 72 mov [ebp+var_50+2], 72h ; 'r' C6 45 B3 74 mov [ebp+var_50+3], 74h ; 't' C6 45 B4 75 mov [ebp+var_50+4], 75h ; 'u' C6 45 B5 61 mov [ebp+var_50+5], 61h ; 'a' C6 45 B6 6C mov [ebp+var_50+6], 6Ch ; 'l' C6 45 B7 41 mov [ebp+var_50+7], 41h ; 'A' C6 45 B8 6C mov [ebp+var_50+8], 6Ch ; 'l' C6 45 B9 6C mov [ebp+var_50+9], 6Ch ; 'l' C6 45 BA 6F mov [ebp+var_50+0Ah], 6Fh ; 'o' C6 45 BB 63 mov [ebp+var_50+0Bh], 63h ; 'c' C6 45 BC 00 mov [ebp+var_50+0Ch], 0 */ $core_sig = { C6 45 B0 56 C6 45 B1 69 C6 45 B2 72 C6 45 B3 74 C6 45 B4 75 C6 45 B5 61 C6 45 B6 6C C6 45 B7 41 C6 45 B8 6C C6 45 B9 6C C6 45 BA 6F C6 45 BB 63 C6 45 BC 00 } /* 8B 4D FC mov ecx, [ebp+var_4] 83 C1 01 add ecx, 1 89 4D FC mov [ebp+var_4], ecx 8B 55 FC mov edx, [ebp+var_4] 3B 55 0C cmp edx, [ebp+arg_4] 73 19 jnb short loc_231 0F B6 45 10 movzx eax, [ebp+arg_8] 8B 4D 08 mov ecx, [ebp+arg_0] 03 4D FC add ecx, [ebp+var_4] 0F BE 11 movsx edx, byte ptr [ecx] 33 D0 xor edx, eax 8B 45 08 mov eax, [ebp+arg_0] 03 45 FC add eax, [ebp+var_4] 88 10 mov [eax], dl EB D6 jmp short loc_207 */ $deobfuscator = { 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 0C 73 19 0F B6 45 10 8B 4D 08 03 4D FC 0F BE 11 33 D0 8B 45 08 03 45 FC 88 10 EB D6 } condition: all of them } rule CobaltStrike_Sleeve_BeaconLoader_x86_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.x86.o Versions 4.3 through at least 4.6" hash = "94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "32a47966-f3bb-52c3-a977-82a1b09ddf2c" strings: /* C6 45 B0 56 mov [ebp+var_50], 56h ; 'V' C6 45 B1 69 mov [ebp+var_50+1], 69h ; 'i' C6 45 B2 72 mov [ebp+var_50+2], 72h ; 'r' C6 45 B3 74 mov [ebp+var_50+3], 74h ; 't' C6 45 B4 75 mov [ebp+var_50+4], 75h ; 'u' C6 45 B5 61 mov [ebp+var_50+5], 61h ; 'a' C6 45 B6 6C mov [ebp+var_50+6], 6Ch ; 'l' C6 45 B7 41 mov [ebp+var_50+7], 41h ; 'A' C6 45 B8 6C mov [ebp+var_50+8], 6Ch ; 'l' C6 45 B9 6C mov [ebp+var_50+9], 6Ch ; 'l' C6 45 BA 6F mov [ebp+var_50+0Ah], 6Fh ; 'o' C6 45 BB 63 mov [ebp+var_50+0Bh], 63h ; 'c' C6 45 BC 00 mov [ebp+var_50+0Ch], 0 */ $core_sig = { C6 45 B0 56 C6 45 B1 69 C6 45 B2 72 C6 45 B3 74 C6 45 B4 75 C6 45 B5 61 C6 45 B6 6C C6 45 B7 41 C6 45 B8 6C C6 45 B9 6C C6 45 BA 6F C6 45 BB 63 C6 45 BC 00 } /* 8B 4D FC mov ecx, [ebp+var_4] 83 C1 01 add ecx, 1 89 4D FC mov [ebp+var_4], ecx 8B 55 FC mov edx, [ebp+var_4] 3B 55 0C cmp edx, [ebp+arg_4] 73 19 jnb short loc_231 0F B6 45 10 movzx eax, [ebp+arg_8] 8B 4D 08 mov ecx, [ebp+arg_0] 03 4D FC add ecx, [ebp+var_4] 0F BE 11 movsx edx, byte ptr [ecx] 33 D0 xor edx, eax 8B 45 08 mov eax, [ebp+arg_0] 03 45 FC add eax, [ebp+var_4] 88 10 mov [eax], dl EB D6 jmp short loc_207 */ $deobfuscator = { 8B 4D FC 83 C1 01 89 4D FC 8B 55 FC 3B 55 0C 73 19 0F B6 45 10 8B 4D 08 03 4D FC 0F BE 11 33 D0 8B 45 08 03 45 FC 88 10 EB D6 } condition: $core_sig and not $deobfuscator } // 64-bit BeaconLoaders rule CobaltStrike_Sleeve_BeaconLoader_HA_x64_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.HA.x64.o (HeapAlloc) Versions 4.3 through at least 4.6" hash = "d64f10d5a486f0f2215774e8ab56087f32bef19ac666e96c5627c70d345a354d" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "9b16ff13-2d8e-51dc-9f99-6c45eff76feb" strings: /* C6 44 24 38 48 mov [rsp+78h+var_40], 48h ; 'H' C6 44 24 39 65 mov [rsp+78h+var_3F], 65h ; 'e' C6 44 24 3A 61 mov [rsp+78h+var_3E], 61h ; 'a' C6 44 24 3B 70 mov [rsp+78h+var_3D], 70h ; 'p' C6 44 24 3C 41 mov [rsp+78h+var_3C], 41h ; 'A' C6 44 24 3D 6C mov [rsp+78h+var_3B], 6Ch ; 'l' C6 44 24 3E 6C mov [rsp+78h+var_3A], 6Ch ; 'l' C6 44 24 3F 6F mov [rsp+78h+var_39], 6Fh ; 'o' C6 44 24 40 63 mov [rsp+78h+var_38], 63h ; 'c' C6 44 24 41 00 mov [rsp+78h+var_37], 0 */ $core_sig = { C6 44 24 38 48 C6 44 24 39 65 C6 44 24 3A 61 C6 44 24 3B 70 C6 44 24 3C 41 C6 44 24 3D 6C C6 44 24 3E 6C C6 44 24 3F 6F C6 44 24 40 63 C6 44 24 41 00 } // These strings can narrow down the specific version //$ver_43 = { 96 2C 3E 60 } // Version 4.3 //$ver_44_45_46 = { D1 56 86 5F } // Versions 4.4, 4.5, and 4.6 condition: all of them } rule CobaltStrike_Sleeve_BeaconLoader_MVF_x64_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.MVF.x64.o (MapViewOfFile) Versions 4.3 through at least 4.6" hash = "9d5b6ccd0d468da389657309b2dc325851720390f9a5f3d3187aff7d2cd36594" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "38e063db-3d76-5a94-812a-945fcf46a232" strings: /* C6 44 24 58 4D mov [rsp+98h+var_40], 4Dh ; 'M' C6 44 24 59 61 mov [rsp+98h+var_3F], 61h ; 'a' C6 44 24 5A 70 mov [rsp+98h+var_3E], 70h ; 'p' C6 44 24 5B 56 mov [rsp+98h+var_3D], 56h ; 'V' C6 44 24 5C 69 mov [rsp+98h+var_3C], 69h ; 'i' C6 44 24 5D 65 mov [rsp+98h+var_3B], 65h ; 'e' C6 44 24 5E 77 mov [rsp+98h+var_3A], 77h ; 'w' C6 44 24 5F 4F mov [rsp+98h+var_39], 4Fh ; 'O' C6 44 24 60 66 mov [rsp+98h+var_38], 66h ; 'f' C6 44 24 61 46 mov [rsp+98h+var_37], 46h ; 'F' C6 44 24 62 69 mov [rsp+98h+var_36], 69h ; 'i' C6 44 24 63 6C mov [rsp+98h+var_35], 6Ch ; 'l' C6 44 24 64 65 mov [rsp+98h+var_34], 65h ; 'e' */ $core_sig = { C6 44 24 58 4D C6 44 24 59 61 C6 44 24 5A 70 C6 44 24 5B 56 C6 44 24 5C 69 C6 44 24 5D 65 C6 44 24 5E 77 C6 44 24 5F 4F C6 44 24 60 66 C6 44 24 61 46 C6 44 24 62 69 C6 44 24 63 6C C6 44 24 64 65 } // These strings can narrow down the specific version //$ver_43 = { 96 2C 3E 60 } // Version 4.3 //$ver_44_45_46 = { D2 57 86 5F } // Versions 4.4, 4.5, and 4.6 condition: all of them } rule CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6" hash = "ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "8ca04f82-a8a8-5162-8b0c-8a7bce678a85" strings: /* C6 44 24 48 56 mov [rsp+88h+var_40], 56h ; 'V' C6 44 24 49 69 mov [rsp+88h+var_40+1], 69h ; 'i' C6 44 24 4A 72 mov [rsp+88h+var_40+2], 72h ; 'r' C6 44 24 4B 74 mov [rsp+88h+var_40+3], 74h ; 't' C6 44 24 4C 75 mov [rsp+88h+var_40+4], 75h ; 'u' C6 44 24 4D 61 mov [rsp+88h+var_40+5], 61h ; 'a' C6 44 24 4E 6C mov [rsp+88h+var_40+6], 6Ch ; 'l' C6 44 24 4F 41 mov [rsp+88h+var_40+7], 41h ; 'A' C6 44 24 50 6C mov [rsp+88h+var_40+8], 6Ch ; 'l' C6 44 24 51 6C mov [rsp+88h+var_40+9], 6Ch ; 'l' C6 44 24 52 6F mov [rsp+88h+var_40+0Ah], 6Fh ; 'o' C6 44 24 53 63 mov [rsp+88h+var_40+0Bh], 63h ; 'c' C6 44 24 54 00 mov [rsp+88h+var_40+0Ch], 0 */ $core_sig = { C6 44 24 48 56 C6 44 24 49 69 C6 44 24 4A 72 C6 44 24 4B 74 C6 44 24 4C 75 C6 44 24 4D 61 C6 44 24 4E 6C C6 44 24 4F 41 C6 44 24 50 6C C6 44 24 51 6C C6 44 24 52 6F C6 44 24 53 63 C6 44 24 54 00 } /* 8B 04 24 mov eax, [rsp+18h+var_18] FF C0 inc eax 89 04 24 mov [rsp+18h+var_18], eax 8B 44 24 28 mov eax, [rsp+18h+arg_8] 39 04 24 cmp [rsp+18h+var_18], eax 73 20 jnb short loc_2E7 8B 04 24 mov eax, [rsp+18h+var_18] 0F B6 4C 24 30 movzx ecx, [rsp+18h+arg_10] 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0] 0F BE 04 02 movsx eax, byte ptr [rdx+rax] 33 C1 xor eax, ecx 8B 0C 24 mov ecx, [rsp+18h+var_18] 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0] 88 04 0A mov [rdx+rcx], al */ $deobfuscator = { 8B 04 24 FF C0 89 04 24 8B 44 24 28 39 04 24 73 20 8B 04 24 0F B6 4C 24 30 48 8B 54 24 20 0F BE 04 02 33 C1 8B 0C 24 48 8B 54 24 20 88 04 0A } condition: all of them } rule CobaltStrike_Sleeve_BeaconLoader_x64_o_v4_3_v4_4_v4_5_and_v4_6 { meta: description = "Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6" hash = "ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9" author = "gssincla@google.com" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" date = "2022-11-18" id = "07f751e4-f001-5b95-b229-31fbaa867cea" strings: /* 33 C0 xor eax, eax 83 F8 01 cmp eax, 1 74 63 jz short loc_378 48 8B 44 24 20 mov rax, [rsp+38h+var_18] 0F B7 00 movzx eax, word ptr [rax] 3D 4D 5A 00 00 cmp eax, 5A4Dh 75 45 jnz short loc_369 48 8B 44 24 20 mov rax, [rsp+38h+var_18] 48 63 40 3C movsxd rax, dword ptr [rax+3Ch] 48 89 44 24 28 mov [rsp+38h+var_10], rax 48 83 7C 24 28 40 cmp [rsp+38h+var_10], 40h ; '@' 72 2F jb short loc_369 48 81 7C 24 28 00 04 00 00 cmp [rsp+38h+var_10], 400h 73 24 jnb short loc_369 48 8B 44 24 20 mov rax, [rsp+38h+var_18] 48 8B 4C 24 28 mov rcx, [rsp+38h+var_10] 48 03 C8 add rcx, rax 48 8B C1 mov rax, rcx 48 89 44 24 28 mov [rsp+38h+var_10], rax 48 8B 44 24 28 mov rax, [rsp+38h+var_10] 81 38 50 45 00 00 cmp dword ptr [rax], 4550h 75 02 jnz short loc_369 */ $core_sig = { 33 C0 83 F8 01 74 63 48 8B 44 24 20 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 48 8B 44 24 28 81 38 50 45 00 00 75 02 } /* 8B 04 24 mov eax, [rsp+18h+var_18] FF C0 inc eax 89 04 24 mov [rsp+18h+var_18], eax 8B 44 24 28 mov eax, [rsp+18h+arg_8] 39 04 24 cmp [rsp+18h+var_18], eax 73 20 jnb short loc_2E7 8B 04 24 mov eax, [rsp+18h+var_18] 0F B6 4C 24 30 movzx ecx, [rsp+18h+arg_10] 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0] 0F BE 04 02 movsx eax, byte ptr [rdx+rax] 33 C1 xor eax, ecx 8B 0C 24 mov ecx, [rsp+18h+var_18] 48 8B 54 24 20 mov rdx, [rsp+18h+arg_0] 88 04 0A mov [rdx+rcx], al */ $deobfuscator = { 8B 04 24 FF C0 89 04 24 8B 44 24 28 39 04 24 73 20 8B 04 24 0F B6 4C 24 30 48 8B 54 24 20 0F BE 04 02 33 C1 8B 0C 24 48 8B 54 24 20 88 04 0A } condition: $core_sig and not $deobfuscator }