08e8d462fe
RED PILL 🔴 💊
801 lines
31 KiB
Text
801 lines
31 KiB
Text
|
|
rule Cobaltbaltstrike_RAW_Payload_dns_stager_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "817c4a72-7be1-5a58-987d-fe203d7778ea"
|
|
strings:
|
|
// x86 default eop
|
|
$h01 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x00a3 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x00bd | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x012f | 0xc99cc96a | dnsapi.dll_DnsQuery_A
|
|
0x0198 | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x01a4 | 0xe035f044 | kernel32.dll_Sleep
|
|
0x01e4 | 0xcc8e00f4 | kernel32.dll_lstrlenA
|
|
*/
|
|
uint32(@h01+0x00a3) == 0xe553a458 and
|
|
uint32(@h01+0x00bd) == 0x0726774c and
|
|
uint32(@h01+0x012f) == 0xc99cc96a and
|
|
uint32(@h01+0x0198) == 0x56a2b5f0 and
|
|
uint32(@h01+0x01a4) == 0xe035f044 and
|
|
uint32(@h01+0x01e4) == 0xcc8e00f4
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_smb_stager_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "29911a14-08ea-54de-9c07-630c6516bd49"
|
|
strings:
|
|
// x86 default eop
|
|
$h01 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x00a1 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x00c4 | 0xd4df7045 | kernel32.dll_CreateNamedPipeA
|
|
0x00d2 | 0xe27d6f28 | kernel32.dll_ConnectNamedPipe
|
|
0x00f8 | 0xbb5f9ead | kernel32.dll_ReadFile
|
|
0x010d | 0xbb5f9ead | kernel32.dll_ReadFile
|
|
0x0131 | 0xfcddfac0 | kernel32.dll_DisconnectNamedPipe
|
|
0x0139 | 0x528796c6 | kernel32.dll_CloseHandle
|
|
0x014b | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
*/
|
|
uint32(@h01+0x00a1) == 0xe553a458 and
|
|
uint32(@h01+0x00c4) == 0xd4df7045 and
|
|
uint32(@h01+0x00d2) == 0xe27d6f28 and
|
|
uint32(@h01+0x00f8) == 0xbb5f9ead and
|
|
uint32(@h01+0x010d) == 0xbb5f9ead and
|
|
uint32(@h01+0x0131) == 0xfcddfac0 and
|
|
uint32(@h01+0x0139) == 0x528796c6 and
|
|
uint32(@h01+0x014b) == 0x56a2b5f0
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Bind_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "ec0a9e27-3650-5393-a93b-2a461b9a0e29"
|
|
strings:
|
|
// x86 default eop
|
|
$h01 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x00ac | 0x006b8029 | ws2_32.dll_WSAStartup
|
|
0x00bb | 0xe0df0fea | ws2_32.dll_WSASocketA
|
|
0x00d5 | 0x6737dbc2 | ws2_32.dll_bind
|
|
0x00de | 0xff38e9b7 | ws2_32.dll_listen
|
|
0x00e8 | 0xe13bec74 | ws2_32.dll_accept
|
|
0x00f1 | 0x614d6e75 | ws2_32.dll_closesocket
|
|
0x00fa | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x0107 | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x011a | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x0128 | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x013d | 0x614d6e75 | ws2_32.dll_closesocket
|
|
*/
|
|
uint32(@h01+0x009c) == 0x0726774c and
|
|
uint32(@h01+0x00ac) == 0x006b8029 and
|
|
uint32(@h01+0x00bb) == 0xe0df0fea and
|
|
uint32(@h01+0x00d5) == 0x6737dbc2 and
|
|
uint32(@h01+0x00de) == 0xff38e9b7 and
|
|
uint32(@h01+0x00e8) == 0xe13bec74 and
|
|
uint32(@h01+0x00f1) == 0x614d6e75 and
|
|
uint32(@h01+0x00fa) == 0x56a2b5f0 and
|
|
uint32(@h01+0x0107) == 0x5fc8d902 and
|
|
uint32(@h01+0x011a) == 0xe553a458 and
|
|
uint32(@h01+0x0128) == 0x5fc8d902 and
|
|
uint32(@h01+0x013d) == 0x614d6e75
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Bind_x64
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "3575408a-3309-5723-a49a-9c2088d43de9"
|
|
strings:
|
|
// x64 default eop
|
|
$h01 = { FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x0100 | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x0111 | 0x006b8029 | ws2_32.dll_WSAStartup
|
|
0x012d | 0xe0df0fea | ws2_32.dll_WSASocketA
|
|
0x0142 | 0x6737dbc2 | ws2_32.dll_bind
|
|
0x0150 | 0xff38e9b7 | ws2_32.dll_listen
|
|
0x0161 | 0xe13bec74 | ws2_32.dll_accept
|
|
0x016f | 0x614d6e75 | ws2_32.dll_closesocket
|
|
0x0198 | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x01b8 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x01d2 | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x01ee | 0x614d6e75 | ws2_32.dll_closesocket
|
|
*/
|
|
uint32(@h01+0x0100) == 0x0726774c and
|
|
uint32(@h01+0x0111) == 0x006b8029 and
|
|
uint32(@h01+0x012d) == 0xe0df0fea and
|
|
uint32(@h01+0x0142) == 0x6737dbc2 and
|
|
uint32(@h01+0x0150) == 0xff38e9b7 and
|
|
uint32(@h01+0x0161) == 0xe13bec74 and
|
|
uint32(@h01+0x016f) == 0x614d6e75 and
|
|
uint32(@h01+0x0198) == 0x5fc8d902 and
|
|
uint32(@h01+0x01b8) == 0xe553a458 and
|
|
uint32(@h01+0x01d2) == 0x5fc8d902 and
|
|
uint32(@h01+0x01ee) == 0x614d6e75
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Reverse_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "ac824189-614d-5bff-9bbb-a4244cace563"
|
|
strings:
|
|
// x86 default eop
|
|
$h01 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x00ac | 0x006b8029 | ws2_32.dll_WSAStartup
|
|
0x00bb | 0xe0df0fea | ws2_32.dll_WSASocketA
|
|
0x00d5 | 0x6174a599 | ws2_32.dll_connect
|
|
0x00e5 | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x00f2 | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x0105 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x0113 | 0x5fc8d902 | ws2_32.dll_recv
|
|
*/
|
|
uint32(@h01+0x009c) == 0x0726774c and
|
|
uint32(@h01+0x00ac) == 0x006b8029 and
|
|
uint32(@h01+0x00bb) == 0xe0df0fea and
|
|
uint32(@h01+0x00d5) == 0x6174a599 and
|
|
uint32(@h01+0x00e5) == 0x56a2b5f0 and
|
|
uint32(@h01+0x00f2) == 0x5fc8d902 and
|
|
uint32(@h01+0x0105) == 0xe553a458 and
|
|
uint32(@h01+0x0113) == 0x5fc8d902
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Reverse_x64
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "21151a9c-1d15-514f-b33b-c9eff08463fb"
|
|
strings:
|
|
// x64 default eop
|
|
$h01 = { FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x0100 | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x0111 | 0x006b8029 | ws2_32.dll_WSAStartup
|
|
0x012d | 0xe0df0fea | ws2_32.dll_WSASocketA
|
|
0x0142 | 0x6174a599 | ws2_32.dll_connect
|
|
0x016b | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x018b | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x01a5 | 0x5fc8d902 | ws2_32.dll_recv
|
|
0x01c1 | 0x614d6e75 | ws2_32.dll_closesocket
|
|
*/
|
|
uint32(@h01+0x0100) == 0x0726774c and
|
|
uint32(@h01+0x0111) == 0x006b8029 and
|
|
uint32(@h01+0x012d) == 0xe0df0fea and
|
|
uint32(@h01+0x0142) == 0x6174a599 and
|
|
uint32(@h01+0x016b) == 0x5fc8d902 and
|
|
uint32(@h01+0x018b) == 0xe553a458 and
|
|
uint32(@h01+0x01a5) == 0x5fc8d902 and
|
|
uint32(@h01+0x01c1) == 0x614d6e75
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_http_stager_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "01f89b14-55f2-5a5e-b0d5-6bca609621fe"
|
|
strings:
|
|
// x86 default eop
|
|
$h01 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x00aa | 0xa779563a | wininet.dll_InternetOpenA
|
|
0x00c6 | 0xc69f8957 | wininet.dll_InternetConnectA
|
|
0x00de | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
|
|
0x00f2 | 0x7b18062d | wininet.dll_HttpSendRequestA
|
|
0x010b | 0x5de2c5aa | kernel32.dll_GetLastError
|
|
0x0114 | 0x315e2145 | user32.dll_GetDesktopWindow
|
|
0x0123 | 0x0be057b7 | wininet.dll_InternetErrorDlg
|
|
0x02c4 | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x02d8 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x02f3 | 0xe2899612 | wininet.dll_InternetReadFile
|
|
*/
|
|
uint32(@h01+0x009c) == 0x0726774c and
|
|
uint32(@h01+0x00aa) == 0xa779563a and
|
|
uint32(@h01+0x00c6) == 0xc69f8957 and
|
|
uint32(@h01+0x00de) == 0x3b2e55eb and
|
|
uint32(@h01+0x00f2) == 0x7b18062d and
|
|
uint32(@h01+0x010b) == 0x5de2c5aa and
|
|
uint32(@h01+0x0114) == 0x315e2145 and
|
|
uint32(@h01+0x0123) == 0x0be057b7 and
|
|
uint32(@h01+0x02c4) == 0x56a2b5f0 and
|
|
uint32(@h01+0x02d8) == 0xe553a458 and
|
|
uint32(@h01+0x02f3) == 0xe2899612
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_http_stager_x64
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "7eeeb2a1-4903-5649-ae30-fd43367ab468"
|
|
strings:
|
|
// x64 default eop
|
|
$h01 = { FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x00e9 | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x0101 | 0xa779563a | wininet.dll_InternetOpenA
|
|
0x0120 | 0xc69f8957 | wininet.dll_InternetConnectA
|
|
0x013f | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
|
|
0x0163 | 0x7b18062d | wininet.dll_HttpSendRequestA
|
|
0x0308 | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x0324 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x0342 | 0xe2899612 | wininet.dll_InternetReadFile
|
|
*/
|
|
uint32(@h01+0x00e9) == 0x0726774c and
|
|
uint32(@h01+0x0101) == 0xa779563a and
|
|
uint32(@h01+0x0120) == 0xc69f8957 and
|
|
uint32(@h01+0x013f) == 0x3b2e55eb and
|
|
uint32(@h01+0x0163) == 0x7b18062d and
|
|
uint32(@h01+0x0308) == 0x56a2b5f0 and
|
|
uint32(@h01+0x0324) == 0xe553a458 and
|
|
uint32(@h01+0x0342) == 0xe2899612
|
|
}
|
|
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_https_stager_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "f1d7e939-92b5-5441-8014-b2390854d059"
|
|
strings:
|
|
// x86 default eop
|
|
$h01 = { FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x009c | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x00af | 0xa779563a | wininet.dll_InternetOpenA
|
|
0x00cb | 0xc69f8957 | wininet.dll_InternetConnectA
|
|
0x00e7 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
|
|
0x0100 | 0x869e4675 | wininet.dll_InternetSetOptionA
|
|
0x0110 | 0x7b18062d | wininet.dll_HttpSendRequestA
|
|
0x0129 | 0x5de2c5aa | kernel32.dll_GetLastError
|
|
0x0132 | 0x315e2145 | user32.dll_GetDesktopWindow
|
|
0x0141 | 0x0be057b7 | wininet.dll_InternetErrorDlg
|
|
0x02e9 | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x02fd | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x0318 | 0xe2899612 | wininet.dll_InternetReadFile
|
|
*/
|
|
uint32(@h01+0x009c) == 0x0726774c and
|
|
uint32(@h01+0x00af) == 0xa779563a and
|
|
uint32(@h01+0x00cb) == 0xc69f8957 and
|
|
uint32(@h01+0x00e7) == 0x3b2e55eb and
|
|
uint32(@h01+0x0100) == 0x869e4675 and
|
|
uint32(@h01+0x0110) == 0x7b18062d and
|
|
uint32(@h01+0x0129) == 0x5de2c5aa and
|
|
uint32(@h01+0x0132) == 0x315e2145 and
|
|
uint32(@h01+0x0141) == 0x0be057b7 and
|
|
uint32(@h01+0x02e9) == 0x56a2b5f0 and
|
|
uint32(@h01+0x02fd) == 0xe553a458 and
|
|
uint32(@h01+0x0318) == 0xe2899612
|
|
}
|
|
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_https_stager_x64
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "5f9c7426-63be-5049-91fc-63b5c29618bd"
|
|
strings:
|
|
// x64 default eop
|
|
$h01 = { FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 }
|
|
condition:
|
|
/*
|
|
Payload API list:
|
|
Offset | Hash value | API name
|
|
0x00e9 | 0x0726774c | kernel32.dll_LoadLibraryA
|
|
0x0101 | 0xa779563a | wininet.dll_InternetOpenA
|
|
0x0123 | 0xc69f8957 | wininet.dll_InternetConnectA
|
|
0x0142 | 0x3b2e55eb | wininet.dll_HttpOpenRequestA
|
|
0x016c | 0x869e4675 | wininet.dll_InternetSetOptionA
|
|
0x0186 | 0x7b18062d | wininet.dll_HttpSendRequestA
|
|
0x032b | 0x56a2b5f0 | kernel32.dll_ExitProcess
|
|
0x0347 | 0xe553a458 | kernel32.dll_VirtualAlloc
|
|
0x0365 | 0xe2899612 | wininet.dll_InternetReadFile
|
|
*/
|
|
uint32(@h01+0x00e9) == 0x0726774c and
|
|
uint32(@h01+0x0101) == 0xa779563a and
|
|
uint32(@h01+0x0123) == 0xc69f8957 and
|
|
uint32(@h01+0x0142) == 0x3b2e55eb and
|
|
uint32(@h01+0x016c) == 0x869e4675 and
|
|
uint32(@h01+0x0186) == 0x7b18062d and
|
|
uint32(@h01+0x032b) == 0x56a2b5f0 and
|
|
uint32(@h01+0x0347) == 0xe553a458 and
|
|
uint32(@h01+0x0365) == 0xe2899612
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_dns_stager_x86_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "d148ca33-b233-519d-8ba4-d389de721d15"
|
|
strings:
|
|
// x86 default eop utf-16
|
|
$h01 = { FC 00 E8 00 89 00 00 00 00 00 00 00 60 00 89 00 E5 00 31 00 D2 00 64 00 8B 00 52 00 30 00 8B 00 52 00 0C 00 8B 00 52 00 14 00 8B 00 72 00 28 }
|
|
condition:
|
|
uint32(@h01+0x0149) == 0xe5005300 and
|
|
uint32(@h01+0x017d) == 0x07002600 and
|
|
uint32(@h01+0x0261) == 0xc9009c00 and
|
|
uint32(@h01+0x0333) == 0x5600a200 and
|
|
uint32(@h01+0x034b) == 0xe0003500 and
|
|
uint32(@h01+0x03cb) == 0xcc008e00
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_smb_stager_x86_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "d88e050f-9e6c-5349-b809-ad7dc25a79b9"
|
|
strings:
|
|
// x86 default eop utf-16
|
|
$h01 = { FC 00 E8 00 89 00 00 00 00 00 00 00 60 00 89 00 E5 00 31 00 D2 00 64 00 8B 00 52 00 30 00 8B 00 52 00 0C 00 8B 00 52 00 14 00 8B 00 72 00 28 }
|
|
condition:
|
|
uint32(@h01+0x0145) == 0xe5005300 and
|
|
uint32(@h01+0x018b) == 0xd400df00 and
|
|
uint32(@h01+0x01a7) == 0xe2007d00 and
|
|
uint32(@h01+0x01f3) == 0xbb005f00 and
|
|
uint32(@h01+0x021d) == 0xbb005f00 and
|
|
uint32(@h01+0x0265) == 0xfc00dd00 and
|
|
uint32(@h01+0x0275) == 0x52008700 and
|
|
uint32(@h01+0x0299) == 0x5600a200
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Bind_x86_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "7f17985d-b245-5e95-9b35-af669aafc263"
|
|
strings:
|
|
// x86 default eop utf-16
|
|
$h01 = { FC 00 E8 00 89 00 00 00 00 00 00 00 60 00 89 00 E5 00 31 00 D2 00 64 00 8B 00 52 00 30 00 8B 00 52 00 0C 00 8B 00 52 00 14 00 8B 00 72 00 28 }
|
|
condition:
|
|
uint32(@h01+0x013b) == 0x07002600 and
|
|
uint32(@h01+0x015b) == 0x00006b00 and
|
|
uint32(@h01+0x0179) == 0xe000df00 and
|
|
uint32(@h01+0x01ad) == 0x67003700 and
|
|
uint32(@h01+0x01bf) == 0xff003800 and
|
|
uint32(@h01+0x01d3) == 0xe1003b00 and
|
|
uint32(@h01+0x01e5) == 0x61004d00 and
|
|
uint32(@h01+0x01f7) == 0x5600a200 and
|
|
uint32(@h01+0x0211) == 0x5f00c800 and
|
|
uint32(@h01+0x0237) == 0xe5005300 and
|
|
uint32(@h01+0x0253) == 0x5f00c800 and
|
|
uint32(@h01+0x027d) == 0x61004d00
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Bind_x64_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "bd52fb44-379a-5c82-9c7c-b10c8080b53f"
|
|
strings:
|
|
// x64 default eop utf16
|
|
$h01 = { FC 00 48 00 83 00 E4 00 F0 00 E8 00 C8 00 00 00 00 00 00 00 41 00 51 00 41 00 50 00 52 00 51 00 56 00 48 00 31 00 D2 00 65 00 48 00 8B 00 52 }
|
|
condition:
|
|
uint32(@h01+0x0203) == 0x07002600 and
|
|
uint32(@h01+0x0225) == 0x00006b00 and
|
|
uint32(@h01+0x025d) == 0xe000df00 and
|
|
uint32(@h01+0x0287) == 0x67003700 and
|
|
uint32(@h01+0x02a3) == 0xff003800 and
|
|
uint32(@h01+0x02c5) == 0xe1003b00 and
|
|
uint32(@h01+0x02e1) == 0x61004d00 and
|
|
uint32(@h01+0x0333) == 0x5f00c800 and
|
|
uint32(@h01+0x0373) == 0xe5005300 and
|
|
uint32(@h01+0x03a7) == 0x5f00c800 and
|
|
uint32(@h01+0x03df) == 0x61004d00
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Reverse_x86_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "321c1f3f-b7fc-5408-b460-6aa4423d381c"
|
|
strings:
|
|
// x86 default eop utf-16
|
|
$h01 = { FC 00 E8 00 89 00 00 00 00 00 00 00 60 00 89 00 E5 00 31 00 D2 00 64 00 8B 00 52 00 30 00 8B 00 52 00 0C 00 8B 00 52 00 14 00 8B 00 72 00 28 }
|
|
condition:
|
|
uint32(@h01+0x013b) == 0x07002600 and
|
|
uint32(@h01+0x015b) == 0x00006b00 and
|
|
uint32(@h01+0x0179) == 0xe000df00 and
|
|
uint32(@h01+0x01ad) == 0x61007400 and
|
|
uint32(@h01+0x01cd) == 0x5600a200 and
|
|
uint32(@h01+0x01e7) == 0x5f00c800 and
|
|
uint32(@h01+0x020d) == 0xe5005300 and
|
|
uint32(@h01+0x0229) == 0x5f00c800
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_TCP_Reverse_x64_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "1cc2494c-1f39-5a72-93af-c267eaf768fe"
|
|
strings:
|
|
// x64 default eop utf16
|
|
$h01 = { FC 00 48 00 83 00 E4 00 F0 00 E8 00 C8 00 00 00 00 00 00 00 41 00 51 00 41 00 50 00 52 00 51 00 56 00 48 00 31 00 D2 00 65 00 48 00 8B 00 52 }
|
|
condition:
|
|
uint32(@h01+0x0203) == 0x07002600 and
|
|
uint32(@h01+0x0225) == 0x00006b00 and
|
|
uint32(@h01+0x025d) == 0xe000df00 and
|
|
uint32(@h01+0x0287) == 0x61007400 and
|
|
uint32(@h01+0x02d9) == 0x5f00c800 and
|
|
uint32(@h01+0x0319) == 0xe5005300 and
|
|
uint32(@h01+0x034d) == 0x5f00c800 and
|
|
uint32(@h01+0x0385) == 0x61004d00
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_http_stager_x86_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "c1602e85-5b42-5005-a6d1-7140cb57a3c7"
|
|
strings:
|
|
// x86 default eop utf-16
|
|
$h01 = { FC 00 E8 00 89 00 00 00 00 00 00 00 60 00 89 00 E5 00 31 00 D2 00 64 00 8B 00 52 00 30 00 8B 00 52 00 0C 00 8B 00 52 00 14 00 8B 00 72 00 28 }
|
|
condition:
|
|
uint32(@h01+0x013b) == 0x07002600 and
|
|
uint32(@h01+0x0157) == 0xa7007900 and
|
|
uint32(@h01+0x018f) == 0xc6009f00 and
|
|
uint32(@h01+0x01bf) == 0x3b002e00 and
|
|
uint32(@h01+0x01e7) == 0x7b001800 and
|
|
uint32(@h01+0x0219) == 0x5d00e200 and
|
|
uint32(@h01+0x022b) == 0x31005e00 and
|
|
uint32(@h01+0x0249) == 0x0b00e000 and
|
|
uint32(@h01+0x058b) == 0x5600a200 and
|
|
uint32(@h01+0x05b3) == 0xe5005300 and
|
|
uint32(@h01+0x05e9) == 0xe2008900
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_http_stager_x64_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "78672e3b-6f76-573a-8a9a-610334baa389"
|
|
strings:
|
|
// x64 default eop utf16
|
|
$h01 = { FC 00 48 00 83 00 E4 00 F0 00 E8 00 C8 00 00 00 00 00 00 00 41 00 51 00 41 00 50 00 52 00 51 00 56 00 48 00 31 00 D2 00 65 00 48 00 8B 00 52 }
|
|
condition:
|
|
uint32(@h01+0x01d5) == 0x07002600 and
|
|
uint32(@h01+0x0205) == 0xa7007900 and
|
|
uint32(@h01+0x0243) == 0xc6009f00 and
|
|
uint32(@h01+0x0281) == 0x3b002e00 and
|
|
uint32(@h01+0x02c9) == 0x7b001800 and
|
|
uint32(@h01+0x0613) == 0x5600a200 and
|
|
uint32(@h01+0x064b) == 0xe5005300 and
|
|
uint32(@h01+0x0687) == 0xe2008900
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_https_stager_x86_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "dcd3e5c8-7626-5a78-9f90-7a8e67311d90"
|
|
strings:
|
|
// x86 default eop utf-16
|
|
$h01 = { FC 00 E8 00 89 00 00 00 00 00 00 00 60 00 89 00 E5 00 31 00 D2 00 64 00 8B 00 52 00 30 00 8B 00 52 00 0C 00 8B 00 52 00 14 00 8B 00 72 00 28 }
|
|
condition:
|
|
uint32(@h01+0x013b) == 0x07002600 and
|
|
uint32(@h01+0x0161) == 0xa7007900 and
|
|
uint32(@h01+0x0199) == 0xc6009f00 and
|
|
uint32(@h01+0x01d1) == 0x3b002e00 and
|
|
uint32(@h01+0x0203) == 0x86009e00 and
|
|
uint32(@h01+0x0223) == 0x7b001800 and
|
|
uint32(@h01+0x0255) == 0x5d00e200 and
|
|
uint32(@h01+0x0267) == 0x31005e00 and
|
|
uint32(@h01+0x0285) == 0x0b00e000 and
|
|
uint32(@h01+0x05d5) == 0x5600a200 and
|
|
uint32(@h01+0x05fd) == 0xe5005300 and
|
|
uint32(@h01+0x0633) == 0xe2008900
|
|
}
|
|
|
|
rule Cobaltbaltstrike_RAW_Payload_https_stager_x64_UTF16
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "aa93dd56-9589-5958-9711-ca2f9c763665"
|
|
strings:
|
|
// x64 default eop utf-16
|
|
$h01 = { FC 00 48 00 83 00 E4 00 F0 00 E8 00 C8 00 00 00 00 00 00 00 41 00 51 00 41 00 50 00 52 00 51 00 56 00 48 00 31 00 D2 00 65 00 48 00 8B 00 52 }
|
|
condition:
|
|
uint32(@h01+0x01d5) == 0x07002600 and
|
|
uint32(@h01+0x0205) == 0xa7007900 and
|
|
uint32(@h01+0x0249) == 0xc6009f00 and
|
|
uint32(@h01+0x0287) == 0x3b002e00 and
|
|
uint32(@h01+0x02db) == 0x86009e00 and
|
|
uint32(@h01+0x030f) == 0x7b001800 and
|
|
uint32(@h01+0x0659) == 0x5600a200 and
|
|
uint32(@h01+0x0691) == 0xe5005300 and
|
|
uint32(@h01+0x06cd) == 0xe2008900
|
|
}
|
|
|
|
rule Cobaltbaltstrike_Payload_Encoded
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "b5176740-2dda-5e5d-8c0f-47a27846753d"
|
|
strings:
|
|
// x86 array
|
|
$s01 = "0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b" ascii wide nocase
|
|
$s02 = "0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,0x8b" ascii wide nocase
|
|
// x64 array
|
|
$s03 = "0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc8, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51" ascii wide nocase
|
|
$s04 = "0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51" ascii wide nocase
|
|
// x86 hex
|
|
$s05 = "fce8890000006089e531d2648b52308b" ascii wide nocase
|
|
$s06 = "fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b" ascii wide nocase
|
|
// x64 hex
|
|
$s07 = "fc4883e4f0e8c8000000415141505251" ascii wide nocase
|
|
$s08 = "fc 48 83 e4 f0 e8 c8 00 00 00 41 51 41 50 52 51" ascii wide nocase
|
|
// x86 base64
|
|
$s09 = "/OiJAAAAYInlMdJki1Iwi1IMi1IUi3IoD7dKJjH/McCsPGF8Aiwgwc8NAcfi8FJX" ascii wide
|
|
// x64 base64
|
|
$s10 = "/EiD5PDoyAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHA" ascii wide
|
|
// x86 base64 + xor 0x23
|
|
$s11 = "38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0" ascii wide
|
|
// x64 base64 + xor 0x23
|
|
$s12 = "32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLj" ascii wide
|
|
// x86 base64 utf16
|
|
$s13 = "/ADoAIkAAAAAAAAAYACJAOUAMQDSAGQAiwBSADAAiwBSAAwAiwBSABQAiwByACg" ascii wide
|
|
// x64 base64 utf16
|
|
$s14 = "/ABIAIMA5ADwAOgAyAAAAAAAAABBAFEAQQBQAFIAUQBWAEgAMQDSAGUASACLAFI" ascii wide
|
|
// x86 base64 + xor 0x23 utf16
|
|
$s15 = "3yPLI6ojIyMjIyMjQyOqI8YjEiPxI0cjqCNxIxMjqCNxIy8jqCNxIzcjqCNRIwsj" ascii wide
|
|
// x64 base64 + xor 0x23 utf16
|
|
$s16 = "3yNrI6AjxyPTI8sj6yMjIyMjIyNiI3IjYiNzI3EjciN1I2sjEiPxI0YjayOoI3Ej" ascii wide
|
|
// x86 vba
|
|
$s17 = "Array(-4,-24,-119,0,0,0,96,-119,-27,49,-46,100,-117,82,48,-117" ascii wide
|
|
$s18 = "Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117" ascii wide
|
|
// x64 vba
|
|
$s19 = "Array(-4,72,-125,-28,-16,-24,-56,0,0,0,65,81,65,80,82,81" ascii wide
|
|
$s20 = "Array(-4, 72, -125, -28, -16, -24, -56, 0, 0, 0, 65, 81, 65, 80, 82, 81" ascii wide
|
|
// x86 vbs
|
|
$s21 = "Chr(-4)&Chr(-24)&Chr(-119)&Chr(0)&Chr(0)&Chr(0)&Chr(96)&Chr(-119)&Chr(-27)&\"1\"&Chr(-46)&\"d\"&Chr(-117)&\"R0\"&Chr(-117)" ascii wide
|
|
// x64 vbs
|
|
$s22 = "Chr(-4)&\"H\"&Chr(-125)&Chr(-28)&Chr(-16)&Chr(-24)&Chr(-56)&Chr(0)&Chr(0)&Chr(0)&\"AQAPRQVH" ascii wide
|
|
// x86 veil
|
|
$s23 = "\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52\\x30\\x8b" ascii wide nocase
|
|
// x64 veil
|
|
$s24 = "\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc8\\x00\\x00\\x00\\x41\\x51\\x41\\x50\\x52\\x51" ascii wide nocase
|
|
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule Cobaltbaltstrike_strike_Payload_XORed
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "0e075644-e278-5c5b-bdcc-dc2d6a32ce73"
|
|
strings:
|
|
$h01 = { 10 ?? 00 00 ?? ?? ?? 00 ?? ?? ?? ?? 61 61 61 61 }
|
|
condition:
|
|
//x86 payload
|
|
uint32be(@h01+8) ^ uint32be(@h01+16) == 0xFCE88900 or
|
|
//x64 payload
|
|
uint32be(@h01+8) ^ uint32be(@h01+16) == 0xFC4883E4 or
|
|
//x86 beacon
|
|
uint32be(@h01+8) ^ uint32be(@h01+16) == 0x4D5AE800 or
|
|
//x64 beacon
|
|
uint32be(@h01+8) ^ uint32be(@h01+16) == 0x4D5A4152 or
|
|
//NOP slide
|
|
uint32be(@h01+8) ^ uint32be(@h01+16) == 0x90909090
|
|
}
|
|
|
|
rule Cobaltbaltstrike_Beacon_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "6ffaafe6-2758-53e4-b5b8-6d8350baf428"
|
|
strings:
|
|
// x86 default MZ header
|
|
$h01 = { 4D 5A E8 00 00 00 00 5B 89 DF 52 45 55 89 E5 81 C3 ?? ?? ?? ?? FF D3 68 }
|
|
// decoded config blob
|
|
$h11 = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? 00 }
|
|
// xored config blob v3
|
|
$h12 = { 69 68 69 68 69 6B ?? ?? 69 6B 69 68 69 6B ?? ?? 69 }
|
|
// xored config blob v4
|
|
$h13 = { 2E 2F 2E 2F 2E 2C ?? ?? 2E 2C 2E 2F 2E 2C ?? ?? 2E }
|
|
condition:
|
|
$h01 and
|
|
any of ($h1*)
|
|
}
|
|
|
|
rule Cobaltbaltstrike_Beacon_x64
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "5d6d86ec-9e05-5596-b623-30f44c6f44db"
|
|
strings:
|
|
// x64 default MZ header
|
|
$h01 = { 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D EA FF FF FF 48 89 }
|
|
// decoded config blob
|
|
$h11 = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? 00 }
|
|
// xored config blob v3
|
|
$h12 = { 69 68 69 68 69 6B ?? ?? 69 6B 69 68 69 6B ?? ?? 69 }
|
|
// xored config blob v4
|
|
$h13 = { 2E 2F 2E 2F 2E 2C ?? ?? 2E 2C 2E 2F 2E 2C ?? ?? 2E }
|
|
condition:
|
|
$h01 and
|
|
any of ($h1*)
|
|
}
|
|
|
|
rule Cobaltbaltstrike_Beacon_Encoded
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "497e2a32-015a-5786-a6fa-de7084bfc389"
|
|
strings:
|
|
// x86 array
|
|
$s01 = "0x4d, 0x5a, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x89, 0xdf, 0x52, 0x45, 0x55, 0x89, 0xe5, 0x81" ascii wide nocase
|
|
$s02 = "0x4d,0x5a,0xe8,0x00,0x00,0x00,0x00,0x5b,0x89,0xdf,0x52,0x45,0x55,0x89,0xe5,0x81" ascii wide nocase
|
|
// x64 array
|
|
$s03 = "0x4d, 0x5a, 0x41, 0x52, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x20, 0x00, 0x00, 0x00, 0x48" ascii wide nocase
|
|
$s04 = "0x4d,0x5a,0x41,0x52,0x55,0x48,0x89,0xe5,0x48,0x81,0xec,0x20,0x00,0x00,0x00,0x48" ascii wide nocase
|
|
// x86 hex
|
|
$s05 = "4d5ae8000000005b89df52455589e581" ascii wide nocase
|
|
$s06 = "4d 5a e8 00 00 00 00 5b 89 df 52 45 55 89 e5 81" ascii wide nocase
|
|
// x64 hex
|
|
$s07 = "4d5a4152554889e54881ec2000000048" ascii wide nocase
|
|
$s08 = "4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48" ascii wide nocase
|
|
// x86 base64
|
|
$s09 = "TVroAAAAAFuJ31JFVYnlg" ascii wide
|
|
// x64 base64
|
|
$s10 = "TVpBUlVIieVIgewgAAAAS" ascii wide
|
|
// x86 base64 + xor 0x23
|
|
$s11 = "bnnLIyMjI3iq/HFmdqrGo" ascii wide
|
|
// x64 base64 + xor 0x23
|
|
$s12 = "bnlicXZrqsZros8DIyMja" ascii wide
|
|
// x86 base64 utf16
|
|
$s13 = "TQBaAOgAAAAAAAAAAABbAIkA3wBSAEUAVQCJAOUAg" ascii wide
|
|
// x64 base64 utf16
|
|
$s14 = "TQBaAEEAUgBVAEgAiQDlAEgAgQDsACAAAAAAAAAAS" ascii wide
|
|
// x86 base64 + xor 0x23 utf16
|
|
$s15 = "biN5I2IjcSN2I2sjqiPGI2sjoiPPIwMjIyMjIyMja" ascii wide
|
|
// x64 base64 + xor 0x23 utf16
|
|
$s16 = "biN5I8sjIyMjIyMjIyN4I6oj/CNxI2YjdiOqI8Yjo" ascii wide
|
|
// x86 vba
|
|
$s17 = "Array(77,90,-24,0,0,0,0,91,-119,-33,82,69,85,-119,-27,-127" ascii wide
|
|
$s18 = "Array(77, 90, -24, 0, 0, 0, 0, 91, -119, -33, 82, 69, 85, -119, -27, -127" ascii wide
|
|
// x64 vba
|
|
$s19 = "Array(77,90,65,82,85,72,-119,-27,72,-127,-20,32,0,0,0,72" ascii wide
|
|
$s20 = "Array(77, 90, 65, 82, 85, 72, -119, -27, 72, -127, -20, 32, 0, 0, 0, 72" ascii wide
|
|
// x86 vbs
|
|
$s21 = "MZ\"&Chr(-27)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(91)&Chr(-119)&Chr(-33)&\"REU\"&Chr(-119)&Chr(-27)&Chr(-127)" ascii wide
|
|
// x64 vbs
|
|
$s22 = "MZARUH\"&Chr(-119)&Chr(-27)&\"H\"&Chr(-127)&Chr(-20)&Chr(32)&Chr(0)&Chr(0)&Chr(0)&\"H" ascii wide
|
|
// x86 veil
|
|
$s23 = "\\x4d\\x5a\\xe8\\x00\\x00\\x00\\x00\\x5b\\x89\\xdf\\x52\\x45\\x55\\x89\\xe5\\x81" ascii wide nocase
|
|
// x64 veil
|
|
$s24 = "\\x4d\\x5a\\x41\\x52\\x55\\x48\\x89\\xe5\\x48\\x81\\xec\\x20\\x00\\x00\\x00\\x48" ascii wide nocase
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule Cobaltbaltstrike_Beacon_XORed_x86
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "d93c20e6-3e01-5132-88a0-63ace507cae9"
|
|
strings:
|
|
// x86 xor decrypt loop
|
|
// 52 bytes variant
|
|
$h01 = { FC E8??000000 [0-32] EB27 ?? 8B?? 83??04 8B?? 31?? 83??04 ?? 8B?? 31?? 89?? 31?? 83??04 83??04 31?? 39?? 7402 EBEA ?? FF?? E8D4FFFFFF }
|
|
// 56 bytes variant
|
|
$h02 = { FC E8??000000 [0-32] EB2B ?? 8B??00 83C504 8B??00 31?? 83C504 55 8B??00 31?? 89??00 31?? 83C504 83??04 31?? 39?? 7402 EBE8 ?? FF?? E8D0FFFFFF }
|
|
// end of xor decrypt loop
|
|
$h11 = { 7402 EB(E8|EA) ?? FF?? E8(D0|D4)FFFFFF }
|
|
condition:
|
|
any of ($h0*) and (
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x4D5AE800 or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x904D5AE8 or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x90904D5A or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x9090904D or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x90909090
|
|
)
|
|
}
|
|
|
|
rule Cobaltbaltstrike_Beacon_XORed_x64
|
|
{
|
|
meta:
|
|
author = "Avast Threat Intel Team"
|
|
description = "Detects CobaltStrike payloads"
|
|
reference = "https://github.com/avast/ioc"
|
|
id = "15be610a-7552-5473-8da2-639220313783"
|
|
strings:
|
|
// x64 xor decrypt loop
|
|
$h01 = { FC 4883E4F0 EB33 5D 8B4500 4883C504 8B4D00 31C1 4883C504 55 8B5500 31C2 895500 31D0 4883C504 83E904 31D2 39D1 7402 EBE7 58 FC 4883E4F0 FFD0 E8C8FFFFFF }
|
|
// end of xor decrypt loop
|
|
$h11 = { FC 4883E4F0 FFD0 E8C8FFFFFF }
|
|
condition:
|
|
$h01 and (
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x4D5A4152 or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x904D5A41 or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x90904D5A or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x9090904D or
|
|
uint32be(@h11+12) ^ uint32be(@h11+20) == 0x90909090
|
|
)
|
|
}
|