YARA rules for APT41
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule CobaltStrike_Resources_Beacon_Dll_v3_0 {
    // Pins beacon.dll 3.0 by its switch-table prologue (61 cases, bound 0x3C)
    // plus the single-byte XOR decode loop over 0x610 bytes.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.0"
        hash = "30251f22df7f1be8bc75390a2f208b7514647835f07593f25e470342fd2e3f52"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "132a1be8-f529-5141-ba03-fdf6df3d55d4"

    strings:
        // 48                   dec eax            ; switch 61 cases
        // 57                   push edi
        // 8B F2                mov esi, edx
        // 83 F8 3C             cmp eax, 3Ch
        // 0F 87 89 02 00 00    ja def_10001130    ; default case
        // FF 24 ??             jmp ds:jpt_10001130[eax*4]
        $version_sig = { 48 57 8B F2 83 F8 3C 0F 87 89 02 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte ptr word_1002C040[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 10 06 00 00       cmp eax, 610h
        // 72 F1                jb short loc_1000674A
        $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_1 {
    // v3.1 and v3.2 share the same C2 handler code, so the switch prologue
    // cannot separate them. This rule instead anchors on a hostname-lookup
    // function that exists in v3.1 but not v3.2, paired with the XOR decode loop.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.1"
        hash = "4de723e784ef4e1633bbbd65e7665adcfb03dd75505b2f17d358d5a40b7f35cf"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "aa511dee-69ea-53bd-be90-d2d03d08c550"

    strings:
        /*
            55                  push ebp
            8B EC               mov ebp, esp
            83 EC 58            sub esp, 58h
            A1 [4]              mov eax, ___security_cookie
            33 C5               xor eax, ebp
            89 45 FC            mov [ebp+var_4], eax
            E8 DF F5 FF FF      call sub_10002109
            6A 50               push 50h                ; namelen
            8D 45 A8            lea eax, [ebp+name]
            50                  push eax                ; name
            FF 15 [4]           call ds:gethostname
            8D 45 ??            lea eax, [ebp+name]
            50                  push eax                ; name
            FF 15 [4]           call ds:__imp_gethostbyname
            85 C0               test eax, eax
            74 14               jz short loc_10002B58
            8B 40 0C            mov eax, [eax+0Ch]
            83 38 00            cmp dword ptr [eax], 0
            74 0C               jz short loc_10002B58
            8B 00               mov eax, [eax]
            FF 30               push dword ptr [eax]    ; in
            FF 15 [4]           call ds:inet_ntoa
            EB 05               jmp short loc_10002B5D
            B8 [4]              mov eax, offset aUnknown ; "unknown"
            8B 4D FC            mov ecx, [ebp+var_4]
            33 CD               xor ecx, ebp            ; StackCookie
            E8 82 B7 00 00      call @__security_check_cookie@4
            C9                  leave
        */
        $version_sig = { 55 8B EC 83 EC 58 A1 [4] 33 C5 89 45 FC E8 DF F5 FF FF 6A 50 8D 45 A8 50 FF 15 [4] 8D 45 ?? 50 FF 15 [4] 85 C0 74 14 8B 40 0C 83 38 00 74 0C 8B 00 FF 30 FF 15 [4] EB 05 B8 [4] 8B 4D FC 33 CD E8 82 B7 00 00 C9 }

        // 80 B0 [4] 69         xor byte ptr word_1002C040[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 10 06 00 00       cmp eax, 610h
        // 72 F1                jb short loc_1000674A
        $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_2 {
    // Switch prologue (62 cases, bound 0x3D) plus the XOR decode loop. Because
    // v3.1 and v3.2 are nearly identical, the v3.1-only hostname-lookup function
    // is used as a negative anchor so this rule does not also fire on v3.1.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.2"
        hash = "b490eeb95d150530b8e155da5d7ef778543836a03cb5c27767f1ae4265449a8d"
        rs2 = "a93647c373f16d61c38ba6382901f468247f12ba8cbe56663abb2a11ff2a5144"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "3ccbc0f2-241c-5c10-8930-4a3d264d3b57"

    strings:
        // 48                   dec eax            ; switch 62 cases
        // 57                   push edi
        // 8B F2                mov esi, edx
        // 83 F8 3D             cmp eax, 3Dh
        // 0F 87 83 02 00 00    ja def_10001130    ; default case
        // FF 24 ??             jmp ds:jpt_10001130[eax*4]
        $version_sig = { 48 57 8B F2 83 F8 3D 0F 87 83 02 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte ptr word_1002C040[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 10 06 00 00       cmp eax, 610h
        // 72 F1                jb short loc_1000674A
        $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }

        // Negative anchor: the v3.1 hostname-lookup function (same bytes as the
        // $version_sig of the v3_1 rule). Keep the two copies in sync.
        /*
            55                  push ebp
            8B EC               mov ebp, esp
            83 EC 58            sub esp, 58h
            A1 [4]              mov eax, ___security_cookie
            33 C5               xor eax, ebp
            89 45 FC            mov [ebp+var_4], eax
            E8 DF F5 FF FF      call sub_10002109
            6A 50               push 50h                ; namelen
            8D 45 A8            lea eax, [ebp+name]
            50                  push eax                ; name
            FF 15 [4]           call ds:gethostname
            8D 45 ??            lea eax, [ebp+name]
            50                  push eax                ; name
            FF 15 [4]           call ds:__imp_gethostbyname
            85 C0               test eax, eax
            74 14               jz short loc_10002B58
            8B 40 0C            mov eax, [eax+0Ch]
            83 38 00            cmp dword ptr [eax], 0
            74 0C               jz short loc_10002B58
            8B 00               mov eax, [eax]
            FF 30               push dword ptr [eax]    ; in
            FF 15 [4]           call ds:inet_ntoa
            EB 05               jmp short loc_10002B5D
            B8 [4]              mov eax, offset aUnknown ; "unknown"
            8B 4D FC            mov ecx, [ebp+var_4]
            33 CD               xor ecx, ebp            ; StackCookie
            E8 82 B7 00 00      call @__security_check_cookie@4
            C9                  leave
        */
        $version3_1_sig = { 55 8B EC 83 EC 58 A1 [4] 33 C5 89 45 FC E8 DF F5 FF FF 6A 50 8D 45 A8 50 FF 15 [4] 8D 45 ?? 50 FF 15 [4] 85 C0 74 14 8B 40 0C 83 38 00 74 0C 8B 00 FF 30 FF 15 [4] EB 05 B8 [4] 8B 4D FC 33 CD E8 82 B7 00 00 C9 }

    condition:
        $version_sig and $decoder and not $version3_1_sig
}
rule CobaltStrike_Resources_Beacon_Dll_v3_3 {
    // Switch prologue (66 cases, bound 0x41; esi now loaded from ecx) plus the
    // 0x610-byte XOR decode loop.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.3"
        hash = "158dba14099f847816e2fc22f254c60e09ac999b6c6e2ba6f90c6dd6d937bc42"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "7cce26c9-1403-535f-bd9d-19667c7e313c"

    strings:
        // 48                   dec eax            ; switch 66 cases
        // 57                   push edi
        // 8B F1                mov esi, ecx
        // 83 F8 41             cmp eax, 41h
        // 0F 87 F0 02 00 00    ja def_1000112D    ; default case
        // FF 24 ??             jmp ds:jpt_1000112D[eax*4]
        $version_sig = { 48 57 8B F1 83 F8 41 0F 87 F0 02 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte ptr word_1002C040[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 10 06 00 00       cmp eax, 610h
        // 72 F1                jb short loc_1000674A
        $decoder = { 80 B0 [4] ?? 40 3D 10 06 00 00 72 F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_4 {
    // Switch prologue (67 cases, bound 0x42). From this version on the XOR
    // decode loop runs over 0x1000 bytes and ends with jl instead of jb.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.4"
        hash = "5c40bfa04a957d68a095dd33431df883e3a075f5b7dea3e0be9834ce6d92daa3"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "58a34ab6-c061-59a2-b929-8519d3d844e7"

    strings:
        // 48                   dec eax            ; switch 67 cases
        // 57                   push edi
        // 8B F1                mov esi, ecx
        // 83 F8 42             cmp eax, 42h
        // 0F 87 F0 02 00 00    ja def_1000112D    ; default case
        // FF 24 ??             jmp ds:jpt_1000112D[eax*4]
        $version_sig = { 48 57 8B F1 83 F8 42 0F 87 F0 02 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_5_hf1_and_3_5_1 {
    // 3.5-hf1 and 3.5.1 ship the exact same beacon binary (same hash), so one
    // rule covers both: switch prologue (68 cases, bound 0x43) plus XOR loop.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.5-hf1 and 3.5.1 (3.5.x)"
        hash = "c78e70cd74f4acda7d1d0bd85854ccacec79983565425e98c16a9871f1950525"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "1532596e-be0e-58c2-8d3b-5120c793d677"

    strings:
        // 48                   dec eax            ; switch 68 cases
        // 57                   push edi
        // 8B F1                mov esi, ecx
        // 83 F8 43             cmp eax, 43h
        // 0F 87 07 03 00 00    ja def_1000112D    ; default case
        // FF 24 ??             jmp ds:jpt_1000112D[eax*4]
        $version_sig = { 48 57 8B F1 83 F8 43 0F 87 07 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_6 {
    // Switch prologue (72 cases, bound 0x47; edi now loaded from ecx) plus the
    // 0x1000-byte XOR decode loop.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.6"
        hash = "495a744d0a0b5f08479c53739d08bfbd1f3b9818d8a9cbc75e71fcda6c30207d"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "7e7b5c22-82b3-5298-b794-b06d94a668d5"

    strings:
        // 48                   dec eax            ; switch 72 cases
        // 57                   push edi
        // 8B F9                mov edi, ecx
        // 83 F8 47             cmp eax, 47h
        // 0F 87 2F 03 00 00    ja def_1000100F    ; default case
        // FF 24 ??             jmp ds:jpt_1000100F[eax*4]
        $version_sig = { 48 57 8B F9 83 F8 47 0F 87 2F 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_7 {
    // Switch prologue (74 cases, bound 0x49) plus the 0x1000-byte XOR decode loop.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.7"
        hash = "f18029e6b12158fb3993f4951dab2dc6e645bb805ae515d205a53a1ef41ca9b2"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "6352a31c-34b8-5886-8e34-ef9221c22e6e"

    strings:
        // 48                   dec eax            ; switch 74 cases
        // 57                   push edi
        // 8B F9                mov edi, ecx
        // 83 F8 49             cmp eax, 49h
        // 0F 87 47 03 00 00    ja def_1000100F    ; default case
        // FF 24 ??             jmp ds:jpt_1000100F[eax*4]
        $version_sig = { 48 57 8B F9 83 F8 49 0F 87 47 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
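rule CobaltStrike_Resources_Beacon_Dll_v3_8 {
    // Switch prologue (76 cases, bound 0x4B) plus the 0x1000-byte XOR decode
    // loop. The XMRig strings below are an EXCLUSION: the original condition
    // required them, which would have matched only the sandbox-bait XMRig
    // wrappers and missed every other v3.8 beacon, contradicting the intent
    // stated in the comments. The condition now negates that group.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.8"
        hash = "67b6557f614af118a4c409c992c0d9a0cc800025f77861ecf1f3bbc7c293d603"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "6c65cbf8-2c60-5315-b3b2-48dfcee75733"

    strings:
        // 48                   dec eax            ; switch 76 cases
        // 57                   push edi
        // 8B F9                mov edi, ecx
        // 83 F8 4B             cmp eax, 4Bh
        // 0F 87 5D 03 00 00    ja def_1000100F    ; default case
        // FF 24 ??             jmp ds:jpt_1000100F[eax*4]
        $version_sig = { 48 57 8B F9 83 F8 4B 0F 87 5D 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

        // XMRig uses a v3.8 sample to trick sandboxes into running their code.
        // These samples are all the same and not useful to detect. The source
        // path below removes many of them from our detection.
        $xmrig_srcpath = "C:/Users/SKOL-NOTE/Desktop/Loader/script.go"
        // To remove the rest, look for known XMRig C2 domains in the config
        // (XOR-encoded, hence the xor modifier).
        $c2_1 = "ns7.softline.top" xor
        $c2_2 = "ns8.softline.top" xor
        $c2_3 = "ns9.softline.top" xor
        //$a = /[A-Za-z]{1020}.{4}$/

    condition:
        // Match a v3.8 beacon unless it carries the XMRig wrapper markers.
        $version_sig and $decoder and not (2 of ($c2_*) or $xmrig_srcpath)
}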
rule CobaltStrike_Resources_Beacon_Dll_v3_11 {
    // Original 3.11 build from April 9, 2018. Switch prologue (81 cases, bound
    // 0x50; edi loaded from edx) plus the 0x1000-byte XOR decode loop. The
    // May 2018 bug-fix build differs only in the ja displacement and is covered
    // by the v3_11_bugfix_and_v3_12 rule.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.11"
        hash = "2428b93464585229fd234677627431cae09cfaeb1362fe4f648b8bee59d68f29"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "00e42396-db81-5d43-90ee-5a97b379019e"

    strings:
        // 48                   dec eax            ; switch 81 cases
        // 57                   push edi
        // 8B FA                mov edi, edx
        // 83 F8 50             cmp eax, 50h
        // 0F 87 11 03 00 00    ja def_1000100F    ; default case
        // FF 24 ??             jmp ds:jpt_1000100F[eax*4]
        $version_sig = { 48 57 8B FA 83 F8 50 0F 87 11 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_11_bugfix_and_v3_12 {
    // Covers both the 3.11 bug-fix build (May 25, 2018) and 3.12. Same switch
    // prologue shape as 3.11 (81 cases) but the ja displacement is 0x30D
    // instead of 0x311, which is what separates it from the original 3.11.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.11-bugfix and 3.12"
        hash = "5912c96fffeabb2c5c5cdd4387cfbfafad5f2e995f310ace76ca3643b866e3aa"
        rs2 = "4476a93abe48b7481c7b13dc912090b9476a2cdf46a1c4287b253098e3523192"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "08ff2a2f-97bd-5839-b414-d67fbf2cdb0f"

    strings:
        // 48                   dec eax            ; switch 81 cases
        // 57                   push edi
        // 8B FA                mov edi, edx
        // 83 F8 50             cmp eax, 50h
        // 0F 87 0D 03 00 00    ja def_1000100F    ; default case
        // FF 24 ??             jmp ds:jpt_1000100F[eax*4]
        $version_sig = { 48 57 8B FA 83 F8 50 0F 87 0D 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_13 {
    // The switch index moved to edx in 3.13 (91 cases, bound 0x5A), so the
    // prologue bytes differ from the eax-based 3.x rules. XOR loop unchanged.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.13"
        hash = "362119e3bce42e91cba662ea80f1a7957a5c2b1e92075a28352542f31ac46a0c"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "98dd32e6-9bb5-57b2-a5e5-1c74a0d1e6d3"

    strings:
        // 4A                   dec edx            ; switch 91 cases
        // 56                   push esi
        // 57                   push edi
        // 83 FA 5A             cmp edx, 5Ah
        // 0F 87 2D 03 00 00    ja def_10008D01    ; default case
        // FF 24 ??             jmp ds:jpt_10008D01[edx*4]
        $version_sig = { 4A 56 57 83 FA 5A 0F 87 2D 03 00 00 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_Dll_v3_14 {
    // 3.14 uses a short ja (77 15) instead of the 6-byte form, so the version
    // anchor is only 7 bytes long. Precision here comes mostly from the
    // conjunction with $decoder; treat $version_sig alone as weak.
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.14"
        hash = "254c68a92a7108e8c411c7b5b87a2f14654cd9f1324b344f036f6d3b6c7accda"
        rs2 = "87b3eb55a346b52fb42b140c03ac93fc82f5a7f80697801d3f05aea1ad236730"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "00edfc72-c7b8-5100-8275-ae3548b96e49"

    strings:
        // 83 FA 5B             cmp edx, 5Bh
        // 77 15                ja short def_1000939E   ; default case
        // FF 24 ??             jmp ds:jpt_1000939E[edx*4]
        $version_sig = { 83 FA 5B 77 15 FF 24 }

        // 80 B0 [4] 69         xor byte_1002E020[eax], 69h  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10008741
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Sleeve_Beacon_Dll_v4_0_suspected {
    // Suspected 4.0 build (not confirmed). The version anchor keeps the full
    // jump-table address (FF 24 95 56 7B 00 10), so it is tied to one image
    // layout; the XOR loop is the generic 0x1000-byte form with the key masked.
    meta:
        description = "Cobalt Strike's sleeve/beacon.dll Versions 4.0 (suspected, not confirmed)"
        hash = "e2b2b72454776531bbc6a4a5dd579404250901557f887a6bccaee287ac71b248"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "50ff6e44-ebc0-5000-a816-b385a6675768"

    strings:
        // 51                   push ecx
        // 4A                   dec edx            ; switch 99 cases
        // 56                   push esi
        // 57                   push edi
        // 83 FA 62             cmp edx, 62h
        // 0F 87 8F 03 00 00    ja def_100077C3    ; default case
        // FF 24 95 56 7B 00 10 jmp ds:jpt_100077C3[edx*4]
        $version_sig = { 51 4A 56 57 83 FA 62 0F 87 8F 03 00 00 FF 24 95 56 7B 00 10 }

        // 80 B0 20 00 03 10 ?? xor byte_10030020[eax], 2Eh  (address and key masked)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_1000912B
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Sleeve_Beacon_Dll_v4_1_and_v4_2 {
    // 4.1 and 4.2 share the same switch prologue (100 cases, bound 0x63) and
    // XOR decode loop; the reference key in this build is 0x3E, masked below.
    meta:
        description = "Cobalt Strike's sleeve/beacon.dll Versions 4.1 and 4.2"
        hash = "daa42f4380cccf8729129768f3588bb98e4833b0c40ad0620bb575b5674d5fc3"
        rs2 = "9de55f27224a4ddb6b2643224a5da9478999c7b2dea3a3d6b3e1808148012bcf"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "793df916-bdf7-5743-b008-0113caf38bae"

    strings:
        // 48                   dec eax            ; switch 100 cases
        // 57                   push edi
        // 8B F2                mov esi, edx
        // 83 F8 63             cmp eax, 63h
        // 0F 87 3C 03 00 00    ja def_10007F28    ; default case
        // FF 24 ??             jmp ds:jpt_10007F28[eax*4]
        $version_sig = { 48 57 8B F2 83 F8 63 0F 87 3C 03 00 00 FF 24 }

        // 80 B0 [4] 3E         xor byte_10031010[eax], 3Eh  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10009791
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Sleeve_Beacon_Dll_v4_3_v4_4_v4_5_and_v4_6 {
    // Switch prologue (102 cases, bound 0x65) plus the XOR decode loop.
    // NOTE(review): the rule name claims 4.3 through 4.6 while the description
    // lists only 4.3 and 4.4 — confirm which range is actually covered.
    meta:
        description = "Cobalt Strike's sleeve/beacon.dll Versions 4.3 and 4.4"
        hash = "51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f"
        rs2 = "78a6fbefa677eeee29d1af4a294ee57319221b329a2fe254442f5708858b37dc"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "976e087c-f371-5fc6-85f8-9c803a91f549"

    strings:
        // 48                   dec eax            ; switch 102 cases
        // 57                   push edi
        // 8B F2                mov esi, edx
        // 83 F8 65             cmp eax, 65h
        // 0F 87 47 03 00 00    ja def_10007EAD    ; default case
        // FF 24 ??             jmp ds:jpt_10007EAD[eax*4]
        $version_sig = { 48 57 8B F2 83 F8 65 0F 87 47 03 00 00 FF 24 }

        // 80 B0 [4] 3E         xor byte_10031010[eax], 3Eh  (key byte wildcarded)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_10009791
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Sleeve_Beacon_Dll_v4_7_suspected {
    // Suspected 4.7 build (not confirmed). The anchor stops before the jmp
    // ds:jpt[...] instruction, so only the prologue up to the ja is matched.
    meta:
        description = "Cobalt Strike's sleeve/beacon.dll Versions 4.7 (suspected, not confirmed)"
        hash = "da9e91b3d8df3d53425dd298778782be3bdcda40037bd5c92928395153160549"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "4b6f90dd-69f3-5555-9195-6a0aed0fff58"

    strings:
        // 53                   push ebx
        // 56                   push esi
        // 48                   dec eax            ; switch 104 cases
        // 57                   push edi
        // 8B F2                mov esi, edx
        // 83 F8 67             cmp eax, 67h
        // 0F 87 5E 03 00 00    ja def_10008997    ; default case
        $version_sig = { 53 56 48 57 8B F2 83 F8 67 0F 87 5E 03 00 00 }

        // 80 B0 [5]            xor byte_10033020[eax], 2Eh  (address and key masked)
        // 40                   inc eax
        // 3D 00 10 00 00       cmp eax, 1000h
        // 7C F1                jl short loc_1000ADA1
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_2 {
    // x64 beacon 3.2: anchored on a call/jmp sequence with fixed rel32 targets
    // and the 0x610-byte XOR decode loop (rcx walks the buffer, edx counts).
    // NOTE(review): rule name says "Resources" while the description says
    // "sleeve/beacon.x64.dll" — confirm which resource path this build came from.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.2"
        hash = "5993a027f301f37f3236551e6ded520e96872723a91042bfc54775dcb34c94a1"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "61188243-0b90-5bff-bcc8-50f10ed941f6"

    strings:
        // 4C 8D 05 9F F8 FF FF lea r8, sub_18000C4B0
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 05 1A 00 00       call sub_18000E620
        // EB 0A                jmp short loc_18000CC27
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 41 21 00 00       call sub_18000ED68
        // 48 8B 5C 24 30       mov rbx, [rsp+28h+arg_0]
        // 48 83 C4 20          add rsp, 20h
        $version_sig = { 4C 8D 05 9F F8 FF FF 8B D3 48 8B CF E8 05 1A 00 00
                         EB 0A 8B D3 48 8B CF E8 41 21 00 00 48 8B 5C 24 30
                         48 83 C4 20 }

        // 80 31 ??             xor byte ptr [rcx], 69h  (key byte wildcarded)
        // FF C2                inc edx
        // 48 FF C1             inc rcx
        // 48 63 C2             movsxd rax, edx
        // 48 3D 10 06 00 00    cmp rax, 610h
        $decoder = { 80 31 ?? FF C2 48 FF C1 48 63 C2 48 3D 10 06 00 00 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_3 {
    // x64 beacon 3.3: call/jmp sequence with fixed rel32 targets plus the
    // 0x610-byte XOR decode loop shared with x64 3.2.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.3"
        hash = "7b00721efeff6ed94ab108477d57b03022692e288cc5814feb5e9d83e3788580"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "fb96ecff-809e-5704-974e-a2d8ef022daa"

    strings:
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 89 66 00 00       call sub_1800155E8
        // E9 23 FB FF FF       jmp loc_18000EA87
        // 41 B8 01 00 00 00    mov r8d, 1
        // E9 F3 FD FF FF       jmp loc_18000ED62
        // 48 8D 0D 2A F8 FF FF lea rcx, sub_18000E7A0
        // E8 8D 2B 00 00       call sub_180011B08
        // 48 8B 5C 24 30       mov rbx, [rsp+28h+arg_0]
        // 48 83 C4 20          add rsp, 20h
        $version_sig = { 8B D3 48 8B CF E8 89 66 00 00 E9 23 FB FF FF
                         41 B8 01 00 00 00 E9 F3 FD FF FF 48 8D 0D 2A F8 FF FF
                         E8 8D 2B 00 00 48 8B 5C 24 30 48 83 C4 20 }

        // 80 31 ??             xor byte ptr [rcx], 69h  (key byte wildcarded)
        // FF C2                inc edx
        // 48 FF C1             inc rcx
        // 48 63 C2             movsxd rax, edx
        // 48 3D 10 06 00 00    cmp rax, 610h
        $decoder = { 80 31 ?? FF C2 48 FF C1 48 63 C2 48 3D 10 06 00 00 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_4 {
    // x64 beacon 3.4: call/jmp sequence with fixed rel32 targets. From this
    // version the XOR loop indexes [rax+rbp] over 0x1000 bytes and ends in jl.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.4"
        hash = "5a4d48c2eda8cda79dc130f8306699c8203e026533ce5691bf90363473733bf0"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "97ef152c-86c7-513c-a881-e7d594d38dcf"

    strings:
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 56 6F 00 00       call sub_180014458
        // E9 17 FB FF FF       jmp loc_18000D01E
        // 41 B8 01 00 00 00    mov r8d, 1
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 41 4D 00 00       call sub_180012258
        // 48 8B 5C 24 30       mov rbx, [rsp+28h+arg_0]
        // 48 83 C4 20          add rsp, 20h
        $version_sig = { 8B D3 48 8B CF E8 56 6F 00 00 E9 17 FB FF FF
                         41 B8 01 00 00 00 8B D3 48 8B CF E8 41 4D 00 00
                         48 8B 5C 24 30 48 83 C4 20 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_18001600E
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_5_hf1_and_v3_5_1 {
    // x64 beacon 3.5-hf1 / 3.5.1: same shape as the 3.4 anchor but with
    // different rel32 targets and a trailing pop rdi; XOR loop as in 3.4.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.5-hf1 and 3.5.1"
        hash = "934134ab0ee65ec76ae98a9bb9ad0e9571d80f4bf1eb3491d58bacf06d42dc8d"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "0c0e87d3-e0e2-5ddc-9d89-5e56443da4b8"

    strings:
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 38 70 00 00       call sub_180014548
        // E9 FD FA FF FF       jmp loc_18000D012
        // 41 B8 01 00 00 00    mov r8d, 1
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 3F 4D 00 00       call sub_180012264
        // 48 8B 5C 24 30       mov rbx, [rsp+28h+arg_0]
        // 48 83 C4 20          add rsp, 20h
        // 5F                   pop rdi
        $version_sig = { 8B D3 48 8B CF E8 38 70 00 00 E9 FD FA FF FF
                         41 B8 01 00 00 00 8B D3 48 8B CF E8 3F 4D 00 00
                         48 8B 5C 24 30 48 83 C4 20 5F }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_180016B3E
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_6 {
    // x64 beacon 3.6: the anchor is the function prologue plus the first
    // levels of a binary-search compare chain on ecx (0x27 / 0x14 / 0x0C),
    // followed by the [rax+rbp] XOR decode loop.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.6"
        hash = "92b0a4aec6a493bcb1b72ce04dd477fd1af5effa0b88a9d8283f26266bb019a1"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "9651a1ca-d8ea-5b0b-bcba-a850c2e07791"

    strings:
        // 48 89 5C 24 08       mov [rsp+arg_0], rbx
        // 57                   push rdi
        // 48 83 EC 20          sub rsp, 20h
        // 41 8B D8             mov ebx, r8d
        // 48 8B FA             mov rdi, rdx
        // 83 F9 27             cmp ecx, 27h
        // 0F 87 47 03 00 00    ja loc_18000D110
        // 0F 84 30 03 00 00    jz loc_18000D0FF
        // 83 F9 14             cmp ecx, 14h
        // 0F 87 A4 01 00 00    ja loc_18000CF7C
        // 0F 84 7A 01 00 00    jz loc_18000CF58
        // 83 F9 0C             cmp ecx, 0Ch
        // 0F 87 C8 00 00 00    ja loc_18000CEAF
        // 0F 84 B3 00 00 00    jz loc_18000CEA0
        $version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 27
                         0F 87 47 03 00 00 0F 84 30 03 00 00 83 F9 14
                         0F 87 A4 01 00 00 0F 84 7A 01 00 00 83 F9 0C
                         0F 87 C8 00 00 00 0F 84 B3 00 00 00 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_180016B3E
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_7 {
    // x64 beacon 3.7: same prologue shape as 3.6 but the compare chain bounds
    // moved to 0x28 / 0x15 and the branch displacements changed.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.7"
        hash = "81296a65a24c0f6f22208b0d29e7bb803569746ce562e2fa0d623183a8bcca60"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "27fad98a-2882-5c52-af6e-c7dcf5559624"

    strings:
        // 48 89 5C 24 08       mov [rsp+arg_0], rbx
        // 57                   push rdi
        // 48 83 EC 20          sub rsp, 20h
        // 41 8B D8             mov ebx, r8d
        // 48 8B FA             mov rdi, rdx
        // 83 F9 28             cmp ecx, 28h
        // 0F 87 7F 03 00 00    ja loc_18000D148
        // 0F 84 67 03 00 00    jz loc_18000D136
        // 83 F9 15             cmp ecx, 15h
        // 0F 87 DB 01 00 00    ja loc_18000CFB3
        // 0F 84 BF 01 00 00    jz loc_18000CF9D
        $version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 28
                         0F 87 7F 03 00 00 0F 84 67 03 00 00 83 F9 15
                         0F 87 DB 01 00 00 0F 84 BF 01 00 00 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_180016ECA
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_8 {
    // x64 beacon 3.8: two adjacent dispatch calls with fixed rel32 targets,
    // separated by a short jmp and an r8d clear, plus the [rax+rbp] XOR loop.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.8"
        hash = "547d44669dba97a32cb9e95cfb8d3cd278e00599e6a11080df1a9d09226f33ae"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "89809d81-9a8b-5cf3-a251-689bf52e98e0"

    strings:
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 7A 52 00 00       call sub_18001269C
        // EB 0D                jmp short loc_18000D431
        // 45 33 C0             xor r8d, r8d
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi       ; Src
        // E8 8F 55 00 00       call sub_1800129C0
        $version_sig = { 8B D3 48 8B CF E8 7A 52 00 00 EB 0D 45 33 C0 8B D3 48 8B CF
                         E8 8F 55 00 00 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_18001772E
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_11 {
    // x64 beacon 3.11 (both subversions, hash and rs2): anchored on the
    // compare/decrement chain on ecx (bounds 0x2D / 0x17 / 0x0E) rather than
    // on call targets, plus the [rax+rbp] XOR decode loop.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.11 (two subversions)"
        hash = "64007e104dddb6b5d5153399d850f1e1f1720d222bed19a26d0b1c500a675b1a"
        rs2 = "815f313e0835e7fdf4a6d93f2774cf642012fd21ce870c48ff489555012e0047"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "bf0c7661-2583-5fca-beb5-abb2b50c860d"

    strings:
        // 48 83 EC 20          sub rsp, 20h
        // 41 8B D8             mov ebx, r8d
        // 48 8B FA             mov rdi, rdx
        // 83 F9 2D             cmp ecx, 2Dh
        // 0F 87 B2 03 00 00    ja loc_18000D1EF
        // 0F 84 90 03 00 00    jz loc_18000D1D3
        // 83 F9 17             cmp ecx, 17h
        // 0F 87 F8 01 00 00    ja loc_18000D044
        // 0F 84 DC 01 00 00    jz loc_18000D02E
        // 83 F9 0E             cmp ecx, 0Eh
        // 0F 87 F9 00 00 00    ja loc_18000CF54
        // 0F 84 DD 00 00 00    jz loc_18000CF3E
        // FF C9                dec ecx
        // 0F 84 C0 00 00 00    jz loc_18000CF29
        // 83 E9 02             sub ecx, 2
        // 0F 84 A6 00 00 00    jz loc_18000CF18
        // FF C9                dec ecx
        $version_sig = { 48 83 EC 20 41 8B D8 48 8B FA 83 F9 2D 0F 87 B2 03 00 00
                         0F 84 90 03 00 00 83 F9 17 0F 87 F8 01 00 00
                         0F 84 DC 01 00 00 83 F9 0E 0F 87 F9 00 00 00
                         0F 84 DD 00 00 00 FF C9 0F 84 C0 00 00 00 83 E9 02
                         0F 84 A6 00 00 00 FF C9 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_180017DCA
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_12 {
    // x64 beacon 3.12: three consecutive dispatch calls (the analyst labelled
    // the last two Command_75 / Command_74) with fixed rel32 targets, plus the
    // [rax+rbp] XOR decode loop.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.12"
        hash = "8a28b7a7e32ace2c52c582d0076939d4f10f41f4e5fa82551e7cc8bdbcd77ebc"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "6eeae9f4-96e0-5a98-a8dc-779c916cd968"

    strings:
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 F8 2E 00 00       call sub_180010384
        // EB 16                jmp short loc_18000D4A4
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 00 5C 00 00       call f_OTH__Command_75
        // EB 0A                jmp short loc_18000D4A4
        // 8B D3                mov edx, ebx
        // 48 8B CF             mov rcx, rdi
        // E8 64 4F 00 00       call f_OTH__Command_74
        $version_sig = { 8B D3 48 8B CF E8 F8 2E 00 00 EB 16 8B D3 48 8B CF
                         E8 00 5C 00 00 EB 0A 8B D3 48 8B CF E8 64 4F 00 00 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_180018205
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_13 {
    // x64 beacon 3.13: tail-call dispatch (add rsp, 28h; jmp) around the
    // analyst-labelled Command_85 / Command_84 handlers, plus the XOR loop.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.13"
        hash = "945e10dcd57ba23763481981c6035e0d0427f1d3ba71e75decd94b93f050538e"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "202eb8ea-7afb-515b-9306-67514abf5e55"

    strings:
        // 48 8D 0D 01 5B FF FF lea rcx, f_NET__ExfiltrateData
        // 48 83 C4 28          add rsp, 28h
        // E9 A8 54 FF FF       jmp f_OTH__Command_85
        // 8B D0                mov edx, eax
        // 49 8B CA             mov rcx, r10       ; lpSrc
        // E8 22 55 FF FF       call f_OTH__Command_84
        $version_sig = { 48 8D 0D 01 5B FF FF 48 83 C4 28 E9 A8 54 FF FF 8B D0
                         49 8B CA E8 22 55 FF FF }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_180018C01
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Resources_Beacon_x64_v3_14 {
    // x64 beacon 3.14 (hash and rs2): two tail-call dispatch stubs, the first
    // jumping to the analyst-labelled Command_69, plus the [rax+rbp] XOR loop.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.14"
        hash = "297a8658aaa4a76599a7b79cb0da5b8aa573dd26c9e2c8f071e591200cf30c93"
        rs2 = "39b9040e3dcd1421a36e02df78fe031cbdd2fb1a9083260b8aedea7c2bc406bf"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "d69171e3-86f4-5187-8874-5eee2045f746"

    strings:
        // 8B D0                mov edx, eax
        // 49 8B CA             mov rcx, r10       ; Src
        // 48 83 C4 28          add rsp, 28h
        // E9 B1 1F 00 00       jmp f_OTH__Command_69
        // 8B D0                mov edx, eax
        // 49 8B CA             mov rcx, r10       ; Source
        // 48 83 C4 28          add rsp, 28h
        $version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 B1 1F 00 00 8B D0 49 8B CA
                         48 83 C4 28 }

        // 80 34 28 ??          xor byte ptr [rax+rbp], 69h  (key byte wildcarded)
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short loc_1800196BD
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Sleeve_Beacon_Dll_x86_v4_0_suspected {
    // Suspected x64 4.0 build (not confirmed): three dispatch stubs with fixed
    // rel32 targets (analyst labels Command_92 / Command_91) plus the XOR loop.
    // NOTE(review): the rule name says "x86" but the description and the
    // r8d/r10/rcx operands below are x64 — the name looks mislabelled; renaming
    // would change the rule identifier, so it is left as is.
    meta:
        description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.0 (suspected, not confirmed)"
        hash = "55aa2b534fcedc92bb3da54827d0daaa23ece0f02a10eb08f5b5247caaa63a73"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"
        id = "28a735c4-87d1-5e14-9379-46a6fd0cdd2a"

    strings:
        // 41 B8 01 00 00 00    mov r8d, 1
        // 8B D0                mov edx, eax
        // 49 8B CA             mov rcx, r10
        // 48 83 C4 28          add rsp, 28h
        // E9 D1 B3 FF FF       jmp sub_180010C5C
        // 8B D0                mov edx, eax
        // 49 8B CA             mov rcx, r10
        // 48 83 C4 28          add rsp, 28h
        // E9 AF F5 FF FF       jmp f_UNK__Command_92__ChangeFlag
        // 45 33 C0             xor r8d, r8d
        // 4C 8D 0D 8D 70 FF FF lea r9, sub_18000C930
        // 8B D0                mov edx, eax
        // 49 8B CA             mov rcx, r10
        // E8 9B B0 FF FF       call f_OTH__Command_91__WrapInjection
        $version_sig = { 41 B8 01 00 00 00 8B D0 49 8B CA 48 83 C4 28 E9 D1 B3 FF FF
                         8B D0 49 8B CA 48 83 C4 28 E9 AF F5 FF FF 45 33 C0
                         4C 8D 0D 8D 70 FF FF 8B D0 49 8B CA E8 9B B0 FF FF }

        // Same byte sequence as the x64 3.x rules' decoder:
        // 80 34 28 ??          xor byte ptr [rax+rbp], <key>
        // 48 FF C0             inc rax
        // 48 3D 00 10 00 00    cmp rax, 1000h
        // 7C F1                jl short (loop)
        $decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }

    condition:
        $version_sig and $decoder
}
rule CobaltStrike_Sleeve_Beacon_x64_v4_1_and_v_4_2
{
// Fingerprints 4.1/4.2 of the 64-bit Beacon DLL via the top of the command-id dispatch
// ladder: a compare chain over ecx (cmp 34h -> 1Ch -> 0Eh, each with a ja/jz pair, then
// dec / sub 2 / dec steps) whose branch displacements are matched literally. 4.1 and 4.2
// are presumably not separated because they share this code.
meta:
description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.1 and 4.2"
hash = "29ec171300e8d2dad2e1ca2b77912caf0d5f9d1b633a81bb6534acb20a1574b2"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "dc320d17-98fc-5df3-ba05-4d134129317e"
strings:
/*
83 F9 34 cmp ecx, 34h ; '4'
0F 87 8E 03 00 00 ja loc_180016259
0F 84 7A 03 00 00 jz loc_18001624B
83 F9 1C cmp ecx, 1Ch
0F 87 E6 01 00 00 ja loc_1800160C0
0F 84 D7 01 00 00 jz loc_1800160B7
83 F9 0E cmp ecx, 0Eh
0F 87 E9 00 00 00 ja loc_180015FD2
0F 84 CE 00 00 00 jz loc_180015FBD
FF C9 dec ecx
0F 84 B8 00 00 00 jz loc_180015FAF
83 E9 02 sub ecx, 2
0F 84 9F 00 00 00 jz loc_180015F9F
FF C9 dec ecx
*/
// No wildcards at all: every branch displacement is literal, so this is a tight,
// build-specific anchor.
$version_sig = { 83 F9 34 0F 87 8E 03 00 00 0F 84 7A 03 00 00 83 F9 1C 0F 87 E6 01 00 00
0F 84 D7 01 00 00 83 F9 0E 0F 87 E9 00 00 00 0F 84 CE 00 00 00 FF C9
0F 84 B8 00 00 00 83 E9 02 0F 84 9F 00 00 00 FF C9 }
// XOR-decoder loop over a 0x1000-byte region, shared with the other x64 Beacon rules;
// the key byte is wildcarded.
$decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
condition:
all of them
}
rule CobaltStrike_Sleeve_Beacon_x64_v4_3
{
// Fingerprints 4.3 of the 64-bit Beacon DLL: a dispatch tail-jump with literal rel32
// (D3 88 FF FF) followed by a lea with literal displacement (84 6E FF FF), plus the
// XOR decoder loop. The 4.4-4.6 rule matches the same instruction shape with different
// displacements, so only the literal offsets separate the two.
meta:
description = "Cobalt Strike's sleeve/beacon.x64.dll Version 4.3"
hash = "3ac9c3525caa29981775bddec43d686c0e855271f23731c376ba48761c27fa3d"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "572616c7-d1ec-5aa1-b142-4f2edf73737f"
strings:
/*
8B D0 mov edx, eax
49 8B CA mov rcx, r10; Source
48 83 C4 28 add rsp, 28h
E9 D3 88 FF FF jmp f_OTH__CommandAbove_10
4C 8D 05 84 6E FF FF lea r8, f_NET__ExfiltrateData
8B D0 mov edx, eax
49 8B CA mov rcx, r10
48 83 C4 28 add rsp, 28h
*/
$version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 D3 88 FF FF
4C 8D 05 84 6E FF FF 8B D0 49 8B CA 48 83 C4 28 }
/*
80 34 28 ?? xor byte ptr [rax+rbp], 2Eh
48 FF C0 inc rax
48 3D 00 10 00 00 cmp rax, 1000h
7C F1 jl short loc_1800186E1
*/
// The disassembly shows key 2Eh for this sample; the pattern wildcards it.
$decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
condition:
all of them
}
rule CobaltStrike_Sleeve_Beacon_x64_v4_4_v_4_5_and_v4_6
{
// Fingerprints 4.4 through (at least) 4.6 of the 64-bit Beacon DLL. Same instruction
// shape as the 4.3 rule -- dispatch tail-jump plus lea -- but with the displacements
// 83 88 FF FF and A4 6D FF FF, which is all that distinguishes the two rules.
// Versions newer than the author's "at least 4.6" are not covered by this evidence.
meta:
description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.4 through at least 4.6"
hash = "3280fec57b7ca94fd2bdb5a4ea1c7e648f565ac077152c5a81469030ccf6ab44"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "79b6bfd4-1e45-5bd9-ac5c-19eb176ce698"
strings:
/*
8B D0 mov edx, eax
49 8B CA mov rcx, r10; Source
48 83 C4 28 add rsp, 28h
E9 83 88 FF FF jmp f_OTH__CommandAbove_10
4C 8D 05 A4 6D FF FF lea r8, f_NET__ExfiltrateData
8B D0 mov edx, eax
49 8B CA mov rcx, r10
48 83 C4 28 add rsp, 28h
*/
$version_sig = { 8B D0 49 8B CA 48 83 C4 28 E9 83 88 FF FF
4C 8D 05 A4 6D FF FF 8B D0 49 8B CA 48 83 C4 28 }
/*
80 34 28 2E xor byte ptr [rax+rbp], 2Eh
48 FF C0 inc rax
48 3D 00 10 00 00 cmp rax, 1000h
7C F1 jl short loc_1800184D9
*/
// The disassembly above shows the literal key byte 2E, but the pattern wildcards it,
// consistent with the sibling rules.
$decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
condition:
all of them
}
rule CobaltStrike_Sleeve_Beacon_x64_v4_5_variant
{
// Fingerprints a 4.5 variant of the 64-bit Beacon DLL. The fragment opens like the
// suspected-4.0 rule (mov r8d,1 / dispatch / jmp) but the second dispatch issues a call
// (E8 1A EB FF FF) before the add rsp, 28h rather than a tail-jump after it, and all
// displacements differ. A sample hitting this rule may also hit the 4.4-4.6 rule; report
// the overlap rather than picking one.
meta:
description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.5 (variant)"
hash = "8f0da7a45945b630cd0dfb5661036e365dcdccd085bc6cff2abeec6f4c9f1035"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "45715da9-8f16-5304-b216-1ca36c508c77"
strings:
/*
41 B8 01 00 00 00 mov r8d, 1
8B D0 mov edx, eax
49 8B CA mov rcx, r10
48 83 C4 28 add rsp, 28h
E9 E8 AB FF FF jmp sub_1800115A4
8B D0 mov edx, eax
49 8B CA mov rcx, r10
E8 1A EB FF FF call f_UNK__Command_92__ChangeFlag
48 83 C4 28 add rsp, 28h
*/
$version_sig = { 41 B8 01 00 00 00 8B D0 49 8B CA 48 83 C4 28 E9 E8 AB FF FF
8B D0 49 8B CA E8 1A EB FF FF 48 83 C4 28 }
/*
80 34 28 ?? xor byte ptr [rax+rbp], 2Eh
48 FF C0 inc rax
48 3D 00 10 00 00 cmp rax, 1000h
7C F1 jl short loc_180018E1F
*/
// XOR-decoder loop shared with the other x64 Beacon rules; key byte wildcarded.
$decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Bind64_Bin_v2_5_through_v4_x
{
// Matches the 64-bit bind-TCP stager shellcode. $apiLocator is the ROR-13 API-hash
// resolver loop (lodsb / ror r9d,0Dh / add / cmp al,ah) that walks the export directory;
// $calls is the run of hashed-API invocations through "call rbp" (bind, listen, accept,
// closesocket) that separates the bind stager from the reverse-connect variant.
meta:
description = "Cobalt Strike's resources/bind64.bin signature for versions v2.5 to v4.x"
hash = "5dd136f5674f66363ea6463fd315e06690d6cb10e3cc516f2d378df63382955d"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "a01e7bc3-40e9-5f87-8fd6-926972be273b"
strings:
/*
48 31 C0 xor rax, rax
AC lodsb
41 C1 C9 0D ror r9d, 0Dh
41 01 C1 add r9d, eax
38 E0 cmp al, ah
75 F1 jnz short loc_100000000000007D
4C 03 4C 24 08 add r9, [rsp+40h+var_38]
45 39 D1 cmp r9d, r10d
75 D8 jnz short loc_100000000000006E
58 pop rax
44 8B 40 24 mov r8d, [rax+24h]
49 01 D0 add r8, rdx
66 41 8B 0C 48 mov cx, [r8+rcx*2]
44 8B 40 1C mov r8d, [rax+1Ch]
49 01 D0 add r8, rdx
41 8B 04 88 mov eax, [r8+rcx*4]
48 01 D0 add rax, rdx
*/
// Register/ModRM bytes are wildcarded; the literal anchors are the opcodes, the 0Dh rotate
// count, the 24h/1Ch export-directory table displacements and a trailing 48 REX prefix.
$apiLocator = {
48 [2]
AC
41 [2] 0D
41 [2]
38 ??
75 ??
4C [4]
45 [2]
75 ??
5?
44 [2] 24
49 [2]
66 [4]
44 [2] 1C
49 [2]
41 [3]
48
}
// The signatures for reverse64 and bind64 differ only slightly; here we use the additional calls
// found in bind64 to differentiate it from reverse64.
// Note that we can reasonably assume that the constants being passed to the call rbp will be just that, constant,
// since we are triggering on the API hasher. If that hasher is unchanged, then the hashes we look for should be
// unchanged. This means we can use these values as anchors in our signature.
/*
41 BA C2 DB 37 67 mov r10d, bind
FF D5 call rbp
48 31 D2 xor rdx, rdx
48 89 F9 mov rcx, rdi
41 BA B7 E9 38 FF mov r10d, listen
FF D5 call rbp
4D 31 C0 xor r8, r8
48 31 D2 xor rdx, rdx
48 89 F9 mov rcx, rdi
41 BA 74 EC 3B E1 mov r10d, accept
FF D5 call rbp
48 89 F9 mov rcx, rdi
48 89 C7 mov rdi, rax
41 BA 75 6E 4D 61 mov r10d, closesocket
*/
// Hash immediates (little-endian): 6737DBC2 = bind, FF38E9B7 = listen, E13BEC74 = accept,
// 614D6E75 = closesocket. They are matched literally; the register glue between the calls
// is wildcarded after its REX prefix.
$calls = {
41 BA C2 DB 37 67
FF D5
48 [2]
48 [2]
41 BA B7 E9 38 FF
FF D5
4D [2]
48 [2]
48 [2]
41 BA 74 EC 3B E1
FF D5
48 [2]
48 [2]
41 BA 75 6E 4D 61
}
condition:
$apiLocator and $calls
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Bind_Bin_v2_5_through_v4_x
{
// Matches the 32-bit bind-TCP stager shellcode. $apiLocator is the ROR-13 API-hash
// resolver loop; $ws2_32 is the stack-built "ws2_32" module name; $listenaccept is the
// listen/accept hash pair that a reverse-connect stager does not use. All three are
// required, which is what keeps the shared resolver loop from matching other stagers.
meta:
description = "Cobalt Strike's resources/bind.bin signature for versions 2.5 to 4.x"
hash = "3727542c0e3c2bf35cacc9e023d1b2d4a1e9e86ee5c62ee5b66184f46ca126d1"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "32f129c1-9845-5843-9e16-7d9af217b8e2"
strings:
/*
31 ?? xor eax, eax
AC lodsb
C1 ?? 0D ror edi, 0Dh
01 ?? add edi, eax
38 ?? cmp al, ah
75 ?? jnz short loc_10000054
03 [2] add edi, [ebp-8]
3B [2] cmp edi, [ebp+24h]
75 ?? jnz short loc_1000004A
5? pop eax
8B ?? 24 mov ebx, [eax+24h]
01 ?? add ebx, edx
66 8B [2] mov cx, [ebx+ecx*2]
8B ?? 1C mov ebx, [eax+1Ch]
01 ?? add ebx, edx
8B ?? 8B mov eax, [ebx+ecx*4]
01 ?? add eax, edx
89 [3] mov [esp+28h+var_4], eax
5? pop ebx
5? pop ebx
*/
// Identical to the resolver loop in the dnsstager rule; on its own it is not stager-specific.
$apiLocator = {
31 ??
AC
C1 ?? 0D
01 ??
38 ??
75 ??
03 [2]
3B [2]
75 ??
5?
8B ?? 24
01 ??
66 8B [2]
8B ?? 1C
01 ??
8B ?? 8B
01 ??
89 [3]
5?
5?
}
// The signatures for the stagers overlap significantly. Looking for bind.bin-specific bytes helps delineate sample types.
/*
5D pop ebp
68 33 32 00 00 push '23'
68 77 73 32 5F push '_2sw'
*/
// The two pushes place the little-endian dwords "32\0\0" and "ws2_" on the stack, i.e. the
// string "ws2_32" built in place rather than stored as data.
$ws2_32 = {
5D
68 33 32 00 00
68 77 73 32 5F
}
// bind.bin, unlike reverse.bin, listens for incoming connections. Using the API hashes for listen and accept is a solid
// approach to finding bind.bin specific samples
/*
5? push ebx
5? push edi
68 B7 E9 38 FF push listen
FF ?? call ebp
5? push ebx
5? push ebx
5? push edi
68 74 EC 3B E1 push accept
*/
// Same listen (FF38E9B7) and accept (E13BEC74) hash immediates as the 64-bit rule; the
// push/call register bytes are wildcarded.
$listenaccept = {
5?
5?
68 B7 E9 38 FF
FF ??
5?
5?
5?
68 74 EC 3B E1
}
condition:
$apiLocator and $ws2_32 and $listenaccept
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x
{
// Matches the 32-bit browser-pivot component across the 1.48-3.14 resource and 4.x sleeve
// builds. $socket_recv is the recv() loop that reads until the buffer ends in "\r\n"
// (cmp [esi+edi-1],0Ah / cmp [esi+edi-2],0Dh); $fmt is the sscanf format that then parses
// the received line. Note the double underscore after "CobaltStrike" in the rule name: it
// differs from every sibling, but is kept because renaming would break references.
meta:
description = "Cobalt Strike's resources/browserpivot.bin from v1.48 to v3.14 and sleeve/browserpivot.dll from v4.0 to at least v4.4"
hash = "12af9f5a7e9bfc49c82a33d38437e2f3f601639afbcdc9be264d3a8d84fd5539"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "55086544-6684-526b-914f-505a562be458"
strings:
/*
FF [1-5] call ds:recv // earlier versions (v1.x to 2.x) this is CALL EBP
83 ?? FF cmp eax, 0FFFFFFFFh
74 ?? jz short loc_100020D5
85 C0 test eax, eax
(74 | 76) ?? jz short loc_100020D5 // earlier versions (v1.x to 2.x) used jbe (76) here
03 ?? add esi, eax
83 ?? 02 cmp esi, 2
72 ?? jb short loc_100020D1
80 ?? 3E FF 0A cmp byte ptr [esi+edi-1], 0Ah
75 ?? jnz short loc_100020D1
80 ?? 3E FE 0D cmp byte ptr [esi+edi-2], 0Dh
*/
// The [1-5] jump after FF and the (74 | 76) alternation are what let one pattern cover
// both the call-through-EBP / jbe form of 1.x-2.x and the ds:recv / jz form of later builds.
$socket_recv = {
FF [1-5]
83 ?? FF
74 ??
85 C0
(74 | 76) ??
03 ??
83 ?? 02
72 ??
80 ?? 3E FF 0A
75 ??
80 ?? 3E FE 0D
}
// distinctive sscanf format string (scanset syntax, not a regex); its five width-limited
// fields are consistent with parsing an HTTP request line -- method, scheme, host, path, version
$fmt = "%1024[^ ] %8[^:]://%1016[^/]%7168[^ ] %1024[^ ]"
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x
{
// 64-bit counterpart of the browser-pivot rule: the same recv() loop that reads until the
// buffer ends in "\r\n" (here via lea eax,[rbx-1] / [rbx-2] before the byte compares) and
// the same sscanf format string. Unlike the 32-bit rule there is no call/jump alternation,
// so this pattern only covers the cs:recv form shown below.
meta:
description = "Cobalt Strike's resources/browserpivot.x64.bin from v1.48 to v3.14 and sleeve/browserpivot.x64.dll from v4.0 to at least v4.4"
hash = "0ad32bc4fbf3189e897805cec0acd68326d9c6f714c543bafb9bc40f7ac63f55"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "a5dfae85-ff9c-5ca5-9ac0-041c6108a6ed"
strings:
/*
FF 15 [4] call cs:recv
83 ?? FF cmp eax, 0FFFFFFFFh
74 ?? jz short loc_1800018FB
85 ?? test eax, eax
74 ?? jz short loc_1800018FB
03 ?? add ebx, eax
83 ?? 02 cmp ebx, 2
72 ?? jb short loc_1800018F7
8D ?? FF lea eax, [rbx-1]
80 [2] 0A cmp byte ptr [rax+rdi], 0Ah
75 ?? jnz short loc_1800018F7
8D ?? FE lea eax, [rbx-2]
80 [2] 0D cmp byte ptr [rax+rdi], 0Dh
*/
$socket_recv = {
FF 15 [4]
83 ?? FF
74 ??
85 ??
74 ??
03 ??
83 ?? 02
72 ??
8D ?? FF
80 [2] 0A
75 ??
8D ?? FE
80 [2] 0D
}
// distinctive sscanf format string (scanset syntax, not a regex); identical to the 32-bit rule
$fmt = "%1024[^ ] %8[^:]://%1016[^/]%7168[^ ] %1024[^ ]"
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x
{
// Matches the 32-bit UAC-bypass DLL by its two COM file-operation call sites: a delete
// (vtable slot 0x48) and a copy (slot 0x40), each followed by the same "perform" call
// (slot 0x54) through the global "fileop" object. The slot offsets are consistent with
// IFileOperation::DeleteItem / CopyItem / PerformOperations on x86 (4-byte slots).
meta:
description = "Cobalt Strike's resources/bypassuac(-x86).dll from v1.49 to v3.14 (32-bit version) and sleeve/bypassuac.dll from v4.0 to at least v4.4"
hash = "91d12e1d09a642feedee5da966e1c15a2c5aea90c79ac796e267053e466df365"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "614046b5-cf81-56a5-8824-b3a7e14a8ed5"
strings:
/*
A1 [4] mov eax, fileop
6A 00 push 0
8B ?? mov ecx, [eax]
5? push edx
5? push eax
FF ?? 48 call dword ptr [ecx+48h]
85 ?? test eax, eax
75 ?? jnz short loc_10001177
A1 [4] mov eax, fileop
5? push eax
8B ?? mov ecx, [eax]
FF ?? 54 call dword ptr [ecx+54h]
*/
// Only the vtable displacements (48h, 54h) and the push-0 / test-eax skeleton are literal;
// the global's address and the register choices are wildcarded.
$deleteFileCOM = {
A1 [4]
6A 00
8B ??
5?
5?
FF ?? 48
85 ??
75 ??
A1 [4]
5?
8B ??
FF ?? 54
}
/*
A1 [4] mov eax, fileop
6A 00 push 0
FF ?? 08 push [ebp+copyName]
8B ?? mov ecx, [eax]
FF [5] push dstFile
FF [5] push srcFile
5? push eax
FF ?? 40 call dword ptr [ecx+40h]
85 ?? test eax, eax
75 ?? jnz short loc_10001026 // this line can also be 0F 85 <32-bit offset>
A1 [4] mov eax, fileop
5? push eax
8B ?? mov ecx, [eax]
FF ?? 54 call dword ptr [ecx+54h]
*/
// The [2 - 6] jump stands in for the conditional branch, which is either a 2-byte short
// form (75 xx) or a 6-byte near form (0F 85 rel32) depending on the build.
$copyFileCOM = {
A1 [4]
6A 00
FF [2]
8B ??
FF [5]
FF [5]
5?
FF ?? 40
85 ??
[2 - 6]
A1 [4]
5?
8B ??
FF ?? 54
}
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x
{
// 64-bit counterpart of the UAC-bypass DLL rule: the same delete / copy / perform call
// sites through the "fileop" COM object, with 8-byte vtable slots (0x90, 0x80, 0xA8),
// consistent with IFileOperation::DeleteItem / CopyItem / PerformOperations on x64.
// The name ends "_v4_0_and_v4_x" where the siblings use "_to_v4_x"; kept as written.
meta:
description = "Cobalt Strike's resources/bypassuac-x64.dll from v3.3 to v3.14 (64-bit version) and sleeve/bypassuac.x64.dll from v4.0 to at least v4.4"
hash = "9ecf56e9099811c461d592c325c65c4f9f27d947cbdf3b8ef8a98a43e583aecb"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "eef83901-63d9-55a3-b115-03f420416177"
strings:
/*
48 8B 0D 07 A4 01 00 mov rcx, cs:fileop
45 33 C0 xor r8d, r8d
48 8B 01 mov rax, [rcx]
FF 90 90 00 00 00 call qword ptr [rax+90h]
85 C0 test eax, eax
75 D9 jnz short loc_180001022
48 8B 0D F0 A3 01 00 mov rcx, cs:fileop
48 8B 11 mov rdx, [rcx]
FF 92 A8 00 00 00 call qword ptr [rdx+0A8h]
85 C0 test eax, eax
*/
// The RIP-relative loads of "fileop" are wildcarded ([5]); the 32-bit vtable displacements
// in the two indirect calls are literal.
$deleteFileCOM = {
48 8B [5]
45 33 ??
48 8B ??
FF 90 90 00 00 00
85 C0
75 ??
48 8B [5]
48 8B ??
FF 92 A8 00 00 00
85 C0
}
/*
48 8B 0D 32 A3 01 00 mov rcx, cs:fileop
4C 8B 05 3B A3 01 00 mov r8, cs:dstFile
48 8B 15 2C A3 01 00 mov rdx, cs:srcFile
48 8B 01 mov rax, [rcx]
4C 8B CD mov r9, rbp
48 89 5C 24 20 mov [rsp+38h+var_18], rbx
FF 90 80 00 00 00 call qword ptr [rax+80h]
85 C0 test eax, eax
0F 85 7B FF FF FF jnz loc_1800010B0
48 8B 0D 04 A3 01 00 mov rcx, cs:fileop
48 8B 11 mov rdx, [rcx]
FF 92 A8 00 00 00 call qword ptr [rdx+0A8h]
*/
// Unlike the 32-bit rule, only the 6-byte near jnz (0F 85 rel32) is matched here;
// the trailing "mov rdx,[rcx]" is literal (48 8B 11) rather than register-wildcarded.
$copyFileCOM = {
48 8B [5]
4C 8B [5]
48 8B [5]
48 8B ??
4C 8B ??
48 89 [3]
FF 90 80 00 00 00
85 C0
0F 85 [4]
48 8B [5]
48 8B 11
FF 92 A8 00 00 00
}
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Bypassuactoken_Dll_v3_11_to_v3_14
{
// Matches the 32-bit token-based UAC-bypass DLL by two routines: an integrity-level
// check that queries the token (GetTokenInformation class 19h = TokenIntegrityLevel,
// retried after ERROR_INSUFFICIENT_BUFFER = 7Ah) and compares the last SID sub-authority
// against 3000h (SECURITY_MANDATORY_HIGH_RID), and a ShellExecuteExW of "taskmgr.exe"
// with the "runas" verb. Both routines must be present.
meta:
description = "Cobalt Strike's resources/bypassuactoken.dll from v3.11 to v3.14 (32-bit version)"
hash = "df1c7256dfd78506e38c64c54c0645b6a56fc56b2ffad8c553b0f770c5683070"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "b9f25fa5-bd1d-5ba0-9b1d-bb97e1dbf76b"
strings:
/*
5? push eax; ReturnLength
5? push edi; TokenInformationLength
5? push edi; TokenInformation
8B ?? mov ebx, ecx
6A 19 push 19h; TokenInformationClass
5? push ebx; TokenHandle
FF 15 [4] call ds:GetTokenInformation
85 C0 test eax, eax
75 ?? jnz short loc_10001100
FF 15 [4] call ds:GetLastError
83 ?? 7A cmp eax, 7Ah ; 'z'
75 ?? jnz short loc_10001100
FF [2] push [ebp+ReturnLength]; uBytes
5? push edi; uFlags
FF 15 [4] call ds:LocalAlloc
8B ?? mov esi, eax
8D [2] lea eax, [ebp+ReturnLength]
5? push eax; ReturnLength
FF [2] push [ebp+ReturnLength]; TokenInformationLength
5? push esi; TokenInformation
6A 19 push 19h; TokenInformationClass
5? push ebx; TokenHandle
FF 15 [4] call ds:GetTokenInformation
85 C0 test eax, eax
74 ?? jz short loc_10001103
FF ?? push dword ptr [esi]; pSid
FF 15 [4] call ds:GetSidSubAuthorityCount
8A ?? mov al, [eax]
FE C8 dec al
0F B6 C0 movzx eax, al
5? push eax; nSubAuthority
FF ?? push dword ptr [esi]; pSid
FF 15 [4] call ds:GetSidSubAuthority
B? 01 00 00 00 mov ecx, 1
5? push esi; hMem
81 ?? 00 30 00 00 cmp dword ptr [eax], 3000h
*/
// Every import thunk address is wildcarded (FF 15 [4]); the literal anchors are the
// constants 19h, 7Ah, the dec/movzx of the sub-authority count, and the 3000h compare.
$isHighIntegrityProcess = {
5?
5?
5?
8B ??
6A 19
5?
FF 15 [4]
85 C0
75 ??
FF 15 [4]
83 ?? 7A
75 ??
FF [2]
5?
FF 15 [4]
8B ??
8D [2]
5?
FF [2]
5?
6A 19
5?
FF 15 [4]
85 C0
74 ??
FF ??
FF 15 [4]
8A ??
FE C8
0F B6 C0
5?
FF ??
FF 15 [4]
B? 01 00 00 00
5?
81 ?? 00 30 00 00
}
/*
6A 3C push 3Ch ; '<'; Size
8D ?? C4 lea eax, [ebp+pExecInfo]
8B ?? mov edi, edx
6A 00 push 0; Val
5? push eax; void *
8B ?? mov esi, ecx
E8 [4] call _memset
83 C4 0C add esp, 0Ch
C7 [2] 3C 00 00 00 mov [ebp+pExecInfo.cbSize], 3Ch ; '<'
8D [2] lea eax, [ebp+pExecInfo]
C7 [2] 40 00 00 00 mov [ebp+pExecInfo.fMask], 40h ; '@'
C7 [6] mov [ebp+pExecInfo.lpFile], offset aTaskmgrExe; "taskmgr.exe"
C7 [2] 00 00 00 00 mov [ebp+pExecInfo.lpParameters], 0
5? push eax; pExecInfo
C7 [2] 00 00 00 00 mov [ebp+pExecInfo.lpDirectory], 0
C7 [6] mov [ebp+pExecInfo.lpVerb], offset aRunas; "runas"
C7 [2] 00 00 00 00 mov [ebp+pExecInfo.nShow], 0
FF 15 [4] call ds:ShellExecuteExW
FF 75 FC push [ebp+pExecInfo.hProcess]; Process
*/
// SHELLEXECUTEINFOW setup: cbSize 3Ch (the x86 struct size) and fMask 40h
// (SEE_MASK_NOCLOSEPROCESS) are literal; the lpFile/lpVerb string pointers are wildcarded
// (C7 [6]), so the "taskmgr.exe" / "runas" strings themselves are not part of the match.
$executeTaskmgr = {
6A 3C
8D ?? C4
8B ??
6A 00
5?
8B ??
E8 [4]
83 C4 0C
C7 [2] 3C 00 00 00
8D [2]
C7 [2] 40 00 00 00
C7 [6]
C7 [2] 00 00 00 00
5?
C7 [2] 00 00 00 00
C7 [6]
C7 [2] 00 00 00 00
FF 15 [4]
FF 75 FC
}
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14
{
// 64-bit counterpart of the token-based UAC-bypass rule: the integrity-level check
// (retry after ERROR_INSUFFICIENT_BUFFER = 7Ah, TokenIntegrityLevel via lea edx,[rbx+19h],
// last sub-authority compared with 3000h = SECURITY_MANDATORY_HIGH_RID) and the
// ShellExecuteExW of "taskmgr.exe" with the "runas" verb.
meta:
description = "Cobalt Strike's resources/bypassuactoken.x64.dll from v3.11 to v3.14 (64-bit version)"
hash = "853068822bbc6b1305b2a9780cf1034f5d9d7127001351a6917f9dbb42f30d67"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "c89befcd-a622-5947-9ce3-a6031901a45a"
strings:
/*
83 F8 7A cmp eax, 7Ah ; 'z'
75 59 jnz short loc_1800014BC
8B 54 24 48 mov edx, dword ptr [rsp+38h+uBytes]; uBytes
33 C9 xor ecx, ecx; uFlags
FF 15 49 9C 00 00 call cs:LocalAlloc
44 8B 4C 24 48 mov r9d, dword ptr [rsp+38h+uBytes]; TokenInformationLength
8D 53 19 lea edx, [rbx+19h]; TokenInformationClass
48 8B F8 mov rdi, rax
48 8D 44 24 48 lea rax, [rsp+38h+uBytes]
48 8B CE mov rcx, rsi; TokenHandle
4C 8B C7 mov r8, rdi; TokenInformation
48 89 44 24 20 mov [rsp+38h+ReturnLength], rax; ReturnLength
FF 15 B0 9B 00 00 call cs:GetTokenInformation
85 C0 test eax, eax
74 2D jz short loc_1800014C1
48 8B 0F mov rcx, [rdi]; pSid
FF 15 AB 9B 00 00 call cs:GetSidSubAuthorityCount
8D 73 01 lea esi, [rbx+1]
8A 08 mov cl, [rax]
40 2A CE sub cl, sil
0F B6 D1 movzx edx, cl; nSubAuthority
48 8B 0F mov rcx, [rdi]; pSid
FF 15 9F 9B 00 00 call cs:GetSidSubAuthority
81 38 00 30 00 00 cmp dword ptr [rax], 3000h
*/
// Note the 19h class constant is NOT anchored here: "8D [2]" wildcards the lea operand,
// unlike the 32-bit rule's literal "6A 19". The 7Ah and 3000h compares stay literal.
$isHighIntegrityProcess = {
83 ?? 7A
75 ??
8B [3]
33 ??
FF 15 [4]
44 [4]
8D [2]
48 8B ??
48 8D [3]
48 8B ??
4C 8B ??
48 89 [3]
FF 15 [4]
85 C0
74 ??
48 8B ??
FF 15 [4]
8D [2]
8A ??
40 [2]
0F B6 D1
48 8B 0F
FF 15 [4]
81 ?? 00 30 00 00
}
/*
44 8D 42 70 lea r8d, [rdx+70h]; Size
48 8D 4C 24 20 lea rcx, [rsp+98h+pExecInfo]; void *
E8 2E 07 00 00 call memset
83 64 24 50 00 and [rsp+98h+pExecInfo.nShow], 0
48 8D 05 E2 9B 00 00 lea rax, aTaskmgrExe; "taskmgr.exe"
0F 57 C0 xorps xmm0, xmm0
66 0F 7F 44 24 40 movdqa xmmword ptr [rsp+98h+pExecInfo.lpParameters], xmm0
48 89 44 24 38 mov [rsp+98h+pExecInfo.lpFile], rax
48 8D 05 E5 9B 00 00 lea rax, aRunas; "runas"
48 8D 4C 24 20 lea rcx, [rsp+98h+pExecInfo]; pExecInfo
C7 44 24 20 70 00 00 00 mov [rsp+98h+pExecInfo.cbSize], 70h ; 'p'
C7 44 24 24 40 00 00 00 mov [rsp+98h+pExecInfo.fMask], 40h ; '@'
48 89 44 24 30 mov [rsp+98h+pExecInfo.lpVerb], rax
FF 15 05 9B 00 00 call cs:ShellExecuteExW
*/
// cbSize 70h (the x64 SHELLEXECUTEINFOW size) and fMask 40h (SEE_MASK_NOCLOSEPROCESS)
// are literal. The pattern deliberately ends on the bare "FF 15" call opcode without
// its displacement, so the import thunk location does not affect the match.
$executeTaskmgr = {
44 8D ?? 70
48 8D [3]
E8 [4]
83 [3] 00
48 8D [5]
0F 57 ??
66 0F 7F [3]
48 89 [3]
48 8D [5]
48 8D [3]
C7 [3] 70 00 00 00
C7 [3] 40 00 00 00
48 89 [3]
FF 15
}
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x
{
// Matches the PowerShell one-liner template that base64-decodes and gzip-inflates a
// payload into a MemoryStream and hands the result to IEX. Both halves of the template
// are required, and both are case-insensitive (nocase).
meta:
description = "Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x"
hash = "932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "c0b81deb-ed20-5f7e-8e15-e6a9e9362594"
strings:
// the command.ps1 and compress.ps1 are the same file. Between v3.7 and v3.8 the file was renamed from command to compress.
// The \x49 and \x46 escapes spell "I" and "F" (i.e. "IO.MemoryStream" / "FromBase64String");
// presumably they keep the literal token out of this rule file so the rule text does not
// trip itself or other string-based detections. The matched bytes are unaffected.
$ps1 = "$s=New-Object \x49O.MemoryStream(,[Convert]::\x46romBase64String(" nocase
$ps2 ="));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();" nocase
condition:
all of them
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
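rule CobaltStrike_Resources_Covertvpn_Dll_v2_1_to_v4_x
{
// Matches the covertvpn DLL by the prologue that resolves IsWow64Process from kernel32
// and checks the current process, the file-drop routine (access() existence check, then
// CreateFileA with GENERIC_WRITE / CREATE_ALWAYS), and the names of the two WinPcap
// components it carries (the npf.sys driver and wpcap.dll). All four strings are required.
// NOTE(review): the rule name says v2.1 while the description says v2.2; the author's
// intended lower bound is not visible here -- confirm before relying on either.
meta:
description = "Cobalt Strike's resources/covertvpn.dll signature for version v2.2 to v4.4"
hash = "0a452a94d53e54b1df6ba02bc2f02e06d57153aad111171a94ec65c910d22dcf"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "a65b855c-5703-5b9f-bb57-da8ebf898f9b"
strings:
/*
5? push esi
68 [4] push offset ProcName; "IsWow64Process"
68 [4] push offset ModuleName; "kernel32"
C7 [3-5] 00 00 00 00 mov [ebp+var_9C], 0 // the displacement bytes are only 3 in v2.x, 5 in v3.x->v4.x
FF 15 [4] call ds:GetModuleHandleA
50 push eax; hModule
FF 15 [4] call ds:GetProcAddress
8B ?? mov esi, eax
85 ?? test esi, esi
74 ?? jz short loc_1000298B
8D [3-5] lea eax, [ebp+var_9C] // the displacement bytes are only 3 in v2.x, 5 in v3.x->v4.x
5? push eax
FF 15 [4] call ds:GetCurrentProcess
50 push eax
*/
// The two [3-5] jumps absorb the 8-bit vs 32-bit displacement forms of the same
// instruction across v2.x and v3.x+; the string pointers pushed for the API name and
// module name are wildcarded, so "IsWow64Process" itself is not part of the match.
$dropComponentsAndActivateDriver_prologue = {
5?
68 [4]
68 [4]
C7 [3-5] 00 00 00 00
FF 15 [4]
50
FF 15 [4]
8B ??
85 ??
74 ??
8D [3-5]
5?
FF 15 [4]
50
}
/*
6A 00 push 0; AccessMode
5? push esi; FileName
E8 [4] call __access
83 C4 08 add esp, 8
83 F8 FF cmp eax, 0FFFFFFFFh
74 ?? jz short loc_100028A7
5? push esi
68 [4] push offset aWarningSExists; "Warning: %s exists\n" // this may not exist in v2.x samples
E8 [4] call nullsub_1
83 C4 08 add esp, 8 // if the push doesn't exist, then this is 04, not 08
// v2.x has a PUSH ESI here... so we need to skip that
6A 00 push 0; hTemplateFile
68 80 01 00 00 push 180h; dwFlagsAndAttributes
6A 02 push 2; dwCreationDisposition
6A 00 push 0; lpSecurityAttributes
6A 05 push 5; dwShareMode
68 00 00 00 40 push 40000000h; dwDesiredAccess
5? push esi; lpFileName
FF 15 [4] call ds:CreateFileA
8B ?? mov edi, eax
83 ?? FF cmp edi, 0FFFFFFFFh
75 ?? jnz short loc_100028E2
FF 15 [4] call ds:GetLastError
5? push eax
*/
// [0-5] covers the optional "push offset aWarningSExists", "83 C4 ??" the matching 04/08
// stack adjust, and [0-2] the extra PUSH ESI of v2.x. The CreateFileA argument pushes
// (flags 180h, CREATE_ALWAYS = 2, share mode 5, GENERIC_WRITE = 40000000h) are literal.
$dropFile = {
6A 00
5?
E8 [4]
83 C4 08
83 F8 FF
74 ??
5?
[0-5]
E8 [4]
83 C4 ??
[0-2]
6A 00
68 80 01 00 00
6A 02
6A 00
6A 05
68 00 00 00 40
5?
FF 15 [4]
8B ??
83 ?? FF
75 ??
FF 15 [4]
5?
}
// Identifier renamed from $nfp to $npf to match the file name it carries (npf.sys); string
// identifiers are rule-local, so this does not change matching or the rule's interface.
$npf = "npf.sys" nocase
$wpcap = "wpcap.dll" nocase
condition:
all of them
}
/*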
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
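rule CobaltStrike_Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49
{
// Matches the older covertvpn-injector executable (1.44 - 2.0.49). Same two routines as
// the covertvpn DLL rule -- the IsWow64Process prologue and the access()/CreateFileA
// file-drop -- but in a different compiler's calling style (arguments stored via
// "mov [esp+N]" rather than pushed), plus the WinPcap component names npf.sys / wpcap.dll.
meta:
description = "Cobalt Strike's resources/covertvpn-injector.exe signature for version v1.44 to v2.0.49"
hash = "d741751520f46602f5a57d1ed49feaa5789115aeeba7fa4fc7cbb534ee335462"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "48485ae2-1d99-5fa8-b8e8-0047e92ef447"
strings:
/*
C7 04 24 [4] mov dword ptr [esp], offset aKernel32; "kernel32"
E8 [4] call GetModuleHandleA
83 EC 04 sub esp, 4
C7 44 24 04 [4] mov dword ptr [esp+4], offset aIswow64process; "IsWow64Process"
89 04 24 mov [esp], eax; hModule
E8 59 14 00 00 call GetProcAddress
83 EC 08 sub esp, 8
89 45 ?? mov [ebp+var_C], eax
83 7D ?? 00 cmp [ebp+var_C], 0
74 ?? jz short loc_4019BA
E8 [4] call GetCurrentProcess
8D [2] lea edx, [ebp+fIs64bit]
89 [3] mov [esp+4], edx
89 04 24 mov [esp], eax
*/
// NOTE(review): the GetProcAddress call keeps its literal rel32 (E8 59 14 00 00) while every
// other call in this pattern is wildcarded (E8 [4]). That ties the match to one exact code
// layout; the sample range may be narrow enough that this is intended, but it is worth
// confirming against more than one sample before widening or trusting the version span.
$dropComponentsAndActivateDriver_prologue = {
C7 04 24 [4]
E8 [4]
83 EC 04
C7 44 24 04 [4]
89 04 24
E8 59 14 00 00
83 EC 08
89 45 ??
83 7D ?? 00
74 ??
E8 [4]
8D [2]
89 [3]
89 04 24
}
/*
C7 44 24 04 00 00 00 00 mov dword ptr [esp+4], 0; AccessMode
8B [2] mov eax, [ebp+FileName]
89 ?? 24 mov [esp], eax; FileName
E8 [4] call _access
83 F8 FF cmp eax, 0FFFFFFFFh
74 ?? jz short loc_40176D
8B [2] mov eax, [ebp+FileName]
89 ?? 24 04 mov [esp+4], eax
C7 04 24 [4] mov dword ptr [esp], offset aWarningSExists; "Warning: %s exists\n"
E8 [4] call log
E9 [4] jmp locret_401871
C7 44 24 18 00 00 00 00 mov dword ptr [esp+18h], 0; hTemplateFile
C7 44 24 14 80 01 00 00 mov dword ptr [esp+14h], 180h; dwFlagsAndAttributes
C7 44 24 10 02 00 00 00 mov dword ptr [esp+10h], 2; dwCreationDisposition
C7 44 24 0C 00 00 00 00 mov dword ptr [esp+0Ch], 0; lpSecurityAttributes
C7 44 24 08 05 00 00 00 mov dword ptr [esp+8], 5; dwShareMode
C7 44 24 04 00 00 00 40 mov dword ptr [esp+4], 40000000h; dwDesiredAccess
8B [2] mov eax, [ebp+FileName]
89 04 24 mov [esp], eax; lpFileName
E8 [4] call CreateFileA
83 EC 1C sub esp, 1Ch
89 45 ?? mov [ebp+hFile], eax
*/
// The six "mov dword ptr [esp+N], imm32" argument stores for CreateFileA are fully literal
// (flags 180h, CREATE_ALWAYS = 2, share mode 5, GENERIC_WRITE = 40000000h); only the
// stack-slot and call displacements are wildcarded.
$dropFile = {
C7 44 24 04 00 00 00 00
8B [2]
89 ?? 24
E8 [4]
83 F8 FF
74 ??
8B [2]
89 ?? 24 04
C7 04 24 [4]
E8 [4]
E9 [4]
C7 44 24 18 00 00 00 00
C7 44 24 14 80 01 00 00
C7 44 24 10 02 00 00 00
C7 44 24 0C 00 00 00 00
C7 44 24 08 05 00 00 00
C7 44 24 04 00 00 00 40
8B [2]
89 04 24
E8 [4]
83 EC 1C
89 45 ??
}
// Identifier renamed from $nfp to $npf to match the file name it carries (npf.sys); string
// identifiers are rule-local, so this does not change matching or the rule's interface.
$npf = "npf.sys" nocase
$wpcap = "wpcap.dll" nocase
condition:
all of them
}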
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x
{
// Matches the 32-bit DNS stager shellcode: the ROR-13 API-hash resolver loop shared by
// all the 32-bit stagers, plus a "push 'dnsa'" immediate that is the start of the
// stack-built "dnsapi" module name, which the TCP stagers do not reference.
meta:
description = "Cobalt Strike's resources/dnsstager.bin signature for versions 1.47 to 4.x"
hash = "10f946b88486b690305b87c14c244d7bc741015c3fef1c4625fa7f64917897f1"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "e1b0e368-9bcf-5d9b-b2b3-8414742f213e"
strings:
/*
31 ?? xor eax, eax
AC lodsb
C1 ?? 0D ror edi, 0Dh
01 ?? add edi, eax
38 ?? cmp al, ah
75 ?? jnz short loc_10000054
03 [2] add edi, [ebp-8]
3B [2] cmp edi, [ebp+24h]
75 ?? jnz short loc_1000004A
5? pop eax
8B ?? 24 mov ebx, [eax+24h]
01 ?? add ebx, edx
66 8B [2] mov cx, [ebx+ecx*2]
8B ?? 1C mov ebx, [eax+1Ch]
01 ?? add ebx, edx
8B ?? 8B mov eax, [ebx+ecx*4]
01 ?? add eax, edx
89 [3] mov [esp+28h+var_4], eax
5? pop ebx
5? pop ebx
*/
// Byte-for-byte the same resolver pattern as the bind.bin rule.
$apiLocator = {
31 ??
AC
C1 ?? 0D
01 ??
38 ??
75 ??
03 [2]
3B [2]
75 ??
5?
8B ?? 24
01 ??
66 8B [2]
8B ?? 1C
01 ??
8B ?? 8B
01 ??
89 [3]
5?
5?
}
// The signatures for the stagers overlap significantly. Looking for dnsstager.bin-specific bytes helps delineate sample types.
// 68 64 6E 73 61 = push imm32 with the bytes "dnsa" (little-endian), i.e. the first dword of "dnsapi".
$dnsapi = { 68 64 6E 73 61 }
condition:
$apiLocator and $dnsapi
}
/*
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// elevate.dll signature: three consecutive PostMessageA calls to the same window
// handle (edi), each with lParam 0 (see disassembly below).
rule CobaltStrike_Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x
{
meta:
description = "Cobalt Strike's resources/elevate.dll signature for v3.0 to v3.14 and sleeve/elevate.dll for v4.x"
hash = "6deeb2cafe9eeefe5fc5077e63cc08310f895e9d5d492c88c4e567323077aa2f"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "170f62a2-ba4f-5be8-9ec5-402eb7bbde4e"
strings:
/*
6A 00 push 0; lParam
6A 28 push 28h ; '('; wParam
68 00 01 00 00 push 100h; Msg
5? push edi; hWnd
C7 [5] 01 00 00 00 mov dword_10017E70, 1
FF ?? call esi ; PostMessageA
6A 00 push 0; lParam
6A 27 push 27h ; '''; wParam
68 00 01 00 00 push 100h; Msg
5? push edi; hWnd
FF ?? call esi ; PostMessageA
6A 00 push 0; lParam
6A 00 push 0; wParam
68 01 02 00 00 push 201h; Msg
5? push edi; hWnd
FF ?? call esi ; PostMessageA
*/
// Msg 100h is WM_KEYDOWN (wParam 28h = VK_DOWN, then 27h = VK_RIGHT) and
// Msg 201h is WM_LBUTTONDOWN. The 5-byte wildcard after C7 hides the
// address of the global flag that is set to 1 before the first call.
$wnd_proc = {
6A 00
6A 28
68 00 01 00 00
5?
C7 [5] 01 00 00 00
FF ??
6A 00
6A 27
68 00 01 00 00
5?
FF ??
6A 00
6A 00
68 01 02 00 00
5?
FF ??
}
condition:
$wnd_proc
}
// x64 beacon v3.7: $version_sig pins the command-dispatch prologue (the two
// cmp ecx / ja / jz pairs with version-specific branch displacements);
// $decoder is the single-byte XOR loop over a 1000h-byte region.
rule CobaltStrike_Resources_Beacon_x64_v3_7
{
meta:
description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.7"
hash = "81296a65a24c0f6f22208b0d29e7bb803569746ce562e2fa0d623183a8bcca60"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "27fad98a-2882-5c52-af6e-c7dcf5559624"
strings:
/*
48 89 5C 24 08 mov [rsp+arg_0], rbx
57 push rdi
48 83 EC 20 sub rsp, 20h
41 8B D8 mov ebx, r8d
48 8B FA mov rdi, rdx
83 F9 28 cmp ecx, 28h ; '('
0F 87 7F 03 00 00 ja loc_18000D148
0F 84 67 03 00 00 jz loc_18000D136
83 F9 15 cmp ecx, 15h
0F 87 DB 01 00 00 ja loc_18000CFB3
0F 84 BF 01 00 00 jz loc_18000CF9D
*/
// The rel32 displacements (7F 03 00 00 etc.) are kept literal on purpose:
// they are what distinguishes this build from neighbouring versions.
$version_sig = { 48 89 5C 24 08 57 48 83 EC 20 41 8B D8 48 8B FA 83 F9 28
0F 87 7F 03 00 00 0F 84 67 03 00 00 83 F9 15
0F 87 DB 01 00 00 0F 84 BF 01 00 00 }
/*
80 34 28 ?? xor byte ptr [rax+rbp], 69h
48 FF C0 inc rax
48 3D 00 10 00 00 cmp rax, 1000h
7C F1 jl short loc_180016ECA
*/
// The XOR key byte is wildcarded (??); only the loop shape and the 1000h
// bound are fixed.
$decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
condition:
all of them
}
// x64 beacon v3.8: $version_sig pins two adjacent call sites whose rel32
// call targets (7A 52 00 00 / 8F 55 00 00) are build-specific. The $decoder
// pattern is the same XOR loop used by the v3.7 rule; $version_sig alone
// separates the versions.
rule CobaltStrike_Resources_Beacon_x64_v3_8
{
meta:
description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.8"
hash = "547d44669dba97a32cb9e95cfb8d3cd278e00599e6a11080df1a9d09226f33ae"
author = "gssincla@google.com"
reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
date = "2022-11-18"
id = "89809d81-9a8b-5cf3-a251-689bf52e98e0"
strings:
/*
8B D3 mov edx, ebx
48 8B CF mov rcx, rdi
E8 7A 52 00 00 call sub_18001269C
EB 0D jmp short loc_18000D431
45 33 C0 xor r8d, r8d
8B D3 mov edx, ebx
48 8B CF mov rcx, rdi; Src
E8 8F 55 00 00 call sub_1800129C0
*/
$version_sig = { 8B D3 48 8B CF E8 7A 52 00 00 EB 0D 45 33 C0 8B D3 48 8B CF
E8 8F 55 00 00 }
/*
80 34 28 ?? xor byte ptr [rax+rbp], 69h
48 FF C0 inc rax
48 3D 00 10 00 00 cmp rax, 1000h
7C F1 jl short loc_18001772E
*/
// XOR key byte wildcarded; loop bound 1000h is fixed.
$decoder = { 80 34 28 ?? 48 FF C0 48 3D 00 10 00 00 7C F1 }
condition:
all of them
}
rule Certutil_Decode_OR_Download {
   meta:
      description = "Certutil Decode"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      date = "2017-08-29"
      modified = "2026-04-01"
      score = 40
      id = "63bdefd2-225a-56d5-b615-5e236c97f050"
   strings:
      // certutil invocations that decode a base64 blob or fetch a URL into the
      // cache, in both the bare and ".exe" spellings.
      // NOTE(review): as rendered here $a2 duplicates $a1 and $a4 duplicates $a3
      // (possibly collapsed whitespace in this listing) -- confirm against upstream.
      $a1 = "certutil -decode " ascii wide
      $a2 = "certutil -decode " ascii wide
      $a3 = "certutil.exe -decode " ascii wide
      $a4 = "certutil.exe -decode " ascii wide
      $a5 = "certutil -urlcache -split -f http" ascii wide
      $a6 = "certutil.exe -urlcache -split -f http" ascii wide
      // Known benign carriers of the same strings: the UTF-16 stream name
      // "Root Entry" (OLE/MSI containers) and AWS documentation.
      $fp_msi = { 52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 }
      $fp_doc = "https://docs.aws.amazon.com" ascii
   condition:
      filesize < 700KB
      and any of ($a*)
      and not any of ($fp*)
}
rule APT_Cloaked_CERTUTIL {
   meta:
      description = "Detects a renamed certutil.exe utility that is often used to decode encoded payloads"
      author = "Florian Roth (Nextron Systems)"
      reference = "Internal Research"
      date = "2018-09-14"
      modified = "2022-06-27"
      id = "13943cda-6bb1-5c6c-8e55-e8d4bba1ffef"
   strings:
      // Artefacts of the genuine certutil binary; the rule fires when all three
      // are present but the on-disk name does not look like certutil.
      $s1 = "-------- CERT_CHAIN_CONTEXT --------" fullword ascii
      $s5 = "certutil.pdb" fullword ascii
      $s3 = "Password Token" fullword ascii
   condition:
      // filename and filepath are external variables supplied by the scanner.
      uint16(0) == 0x5A4D
      and $s1 and $s5 and $s3
      and not (
         filename contains "certutil"
         or filename contains "CertUtil"
         or filename contains "Certutil"
         or filepath contains "\\Bromium\\"
      )
}
rule Binary_Drop_Certutil {
   meta:
      description = "Drop binary as base64 encoded cert trick"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/9DNn8q"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      date = "2015-07-15"
      score = 70
      id = "19791e51-d041-524d-80fa-9f3ec54eb084"
   strings:
      // Batch-script fragments that wrap a base64 blob in PEM markers and
      // decode it; the small filesize bound keeps this to scripts.
      $s0 = "echo -----BEGIN CERTIFICATE----- >" ascii
      $s1 = "echo -----END CERTIFICATE----- >>" ascii
      $s2 = "certutil -decode " ascii
   condition:
      filesize < 10KB
      and $s0 and $s1 and $s2
}
rule HKTL_PowerSploit {
   meta:
      description = "Detects default strings used by PowerSploit to establish persistence"
      author = "Markus Neis"
      reference = "https://www.hybrid-analysis.com/sample/16937e76db6d88ed0420ee87317424af2d4e19117fe12d1364fee35aa2fadb75?environmentId=100" // MuddyWater
      date = "2018-06-23"
      hash1 = "16937e76db6d88ed0420ee87317424af2d4e19117fe12d1364fee35aa2fadb75"
      id = "8cb0753c-c5bb-56fc-b492-4e785f4bdaf4"
   strings:
      // $ps only establishes that the file is script-like; the two persistence
      // defaults (scheduled-task switches and the Run key path) do the work.
      $ps = "function" nocase ascii wide
      $s1 = "/Create /RU system /SC ONLOGON" ascii wide
      $s2 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide
   condition:
      $ps and $s1 and $s2
}
rule ShadowPad_nssock2 {
   meta:
      description = "Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://securelist.com/shadowpad-in-corporate-networks/81432/"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      date = "2017-08-15"
      hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
      hash2 = "c45116a22cf5695b618fcdf1002619e8544ba015d06b2e1dbf47982600c7545f"
      hash3 = "696be784c67896b9239a8af0a167add72b1becd3ef98d03e99207a3d5734f6eb"
      hash4 = "515d3110498d7b4fdb451ed60bb11cd6835fcff4780cb2b982ffd2740e1347a0"
      hash5 = "536d7e3bd1c9e1c2fd8438ab75d6c29c921974560b47c71686714d12fb8e9882"
      hash6 = "637fa40cf7dd0252c87140f7895768f42a370551c87c37a3a77aac00eb17d72e"
      id = "47ecc7f8-065a-558b-9bba-300fd28f4eab"
   condition:
      // Import-hash only rule (no strings section); requires the "pe" module
      // to be imported at the top of the file.
      uint16(0) == 0x5A4D
      and filesize < 500KB
      and (
         pe.imphash() == "c67de089f2009b21715744762fc484e8"
         or pe.imphash() == "11522f7d4b2fc05acba8f534ca1b828a"
      )
}
rule APT_APT41_POISONPLUG_3 {
   meta:
      description = "Detects APT41 malware POISONPLUG"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 80
      hash1 = "70c03ce5c80aca2d35a5555b0532eedede24d4cc6bdb32a2c8f7e630bba5f26e"
      // NOTE(review): this id is shared with APT_APT41_POISONPLUG_SHADOW,
      // APT_APT41_POISONPLUG_2 and APT_APT41_POISONPLUG in this rule set;
      // ids are normally unique per rule -- worth checking upstream.
      id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
   strings:
      $s1 = "Rundll32.exe \"%s\", DisPlay 64" fullword ascii
      $s2 = "tcpview.exe" fullword ascii
      // $s3 / $s4 are stored reversed in the sample, so the plain-text
      // Run-key path and API name do not appear in a strings dump.
      $s3 = "nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" fullword ascii /* reversed goodware string 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' */
      $s4 = "AxEeulaVteSgeR" fullword ascii /* reversed goodware string 'RegSetValueExA' */
      $s5 = "%04d-%02d-%02d_%02d-%02d-%02d.dmp" fullword ascii
   condition:
      uint16(0) == 0x5A4D
      and filesize < 900KB
      and 3 of them
}
rule APT_APT41_POISONPLUG_SHADOW {
   meta:
      description = "Detects APT41 malware POISONPLUG SHADOW"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 85
      // Same sample hash and import hash as ShadowPad_nssock2 (hash1 there);
      // this rule is the APT41-attributed alias of that detection.
      hash1 = "462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8"
      // NOTE(review): id duplicated across the APT_APT41_POISONPLUG* rules.
      id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
   condition:
      // Import-hash only; needs the "pe" module imported at file scope.
      uint16(0) == 0x5A4D
      and filesize < 500KB
      and pe.imphash() == "c67de089f2009b21715744762fc484e8"
}
rule APT_APT41_CRACKSHOT {
   meta:
      description = "Detects APT41 malware CRACKSHOT"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 85
      hash1 = "993d14d00b1463519fea78ca65d8529663f487cd76b67b3fd35440bcdf7a8e31"
      id = "4ec34a77-dc7f-5f27-9f0a-c98438389018"
   strings:
      // $x1: the sample's blocklist of analysis tools (sufficient on its own).
      $x1 = ";procmon64.exe;netmon.exe;tcpview.exe;MiniSniffer.exe;smsniff.exe" ascii
      // $s*: command names, hard-coded User-Agent and the beacon format string;
      // any two of these (or of all strings) are required.
      $s1 = "RunUrlBinInMem" fullword ascii
      $s2 = "DownRunUrlFile" fullword ascii
      $s3 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36" fullword ascii
      $s4 = "%s|%s|%s|%s|%s|%s|%s|%dx%d|%04x|%08X|%s|%s" fullword ascii
   condition:
      uint16(0) == 0x5A4D
      and filesize < 250KB
      and ( any of ($x*) or 2 of them )
}
rule APT_APT41_POISONPLUG_2 {
   meta:
      description = "Detects APT41 malware POISONPLUG"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 70
      hash1 = "0055dfaccc952c99b1171ce431a02abfce5c6f8fb5dc39e4019b624a7d03bfcb"
      // NOTE(review): id duplicated across the APT_APT41_POISONPLUG* rules.
      id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
   strings:
      // Version-info / service strings impersonating a McAfee component,
      // together with a second DLL name; all four must be present.
      $s1 = "ma_lockdown_service.dll" fullword wide
      $s2 = "acbde.dll" fullword ascii
      $s3 = "MA lockdown Service" fullword wide
      $s4 = "McAfee Agent" fullword wide
   condition:
      uint16(0) == 0x5A4D
      and filesize < 11000KB
      and $s1 and $s2 and $s3 and $s4
}
rule APT_APT41_POISONPLUG {
   meta:
      description = "Detects APT41 malware POISONPLUG"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 80
      hash1 = "2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd"
      hash2 = "5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90"
      hash3 = "f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661"
      hash4 = "3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f"
      // NOTE(review): id duplicated across the APT_APT41_POISONPLUG* rules.
      id = "e150dd69-c611-53de-9c7d-de28d3a208dc"
   strings:
      // Impersonated Remote Desktop Services DLL name / description plus two
      // loader error messages.
      $s1 = "TSMSISrv.DLL" fullword wide
      $s2 = "[-]write failed[%d]" fullword ascii
      $s3 = "[-]load failed" fullword ascii
      $s4 = "Remote Desktop Services" fullword wide
   condition:
      // Either the known import hash ("pe" module) or two of the strings.
      uint16(0) == 0x5A4D
      and filesize < 10000KB
      and (
         pe.imphash() == "1b074ef7a1c0888ef31337c8ad2f2e0a"
         or 2 of them
      )
}
rule APT_APT41_HIGHNOON {
   meta:
      description = "Detects APT41 malware HIGHNOON"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 85
      hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
      hash2 = "4aa6970cac04ace4a930de67d4c18106cf4004ba66670cfcdaa77a4c4821a213"
      id = "6611fb04-7237-52d1-b29f-941c3853aeca"
   strings:
      // $x1 is specific enough to match alone.
      $x1 = "workdll64.dll" fullword ascii
      // Supporting strings: log path, timestamp format, export names, the
      // AppInit_DLLs / netsvcs persistence keys and named-object formats.
      $s1 = "\\Fonts\\Error.log" ascii
      $s2 = "[%d/%d/%d/%d:%d:%d]" fullword ascii
      $s3 = "work_end" fullword ascii
      $s4 = "work_start" fullword ascii
      $s5 = "\\svchost.exe" ascii
      $s6 = "LoadAppInit_DLLs" fullword ascii
      $s7 = "netsvcs" fullword ascii
      $s8 = "HookAPIs ...PID %d " fullword ascii
      $s9 = "SOFTWARE\\Microsoft\\HTMLHelp" fullword ascii
      $s0 = "DllMain_mem" fullword ascii
      $s10 = "%s\\NtKlRes.dat" fullword ascii
      $s11 = "Global\\%s-%d" fullword ascii
   condition:
      uint16(0) == 0x5A4D
      and filesize < 2000KB
      and ( any of ($x*) or 4 of them )
}
rule APT_APT41_HIGHNOON_2 {
   meta:
      description = "Detects APT41 malware HIGHNOON"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      hash1 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d"
      id = "1e48d859-2da9-583e-80e5-8d59054cfb85"
   strings:
      // $x1: build-path fragment, sufficient on its own.
      $x1 = "H:\\RBDoor\\" ascii
      $s1 = "PlusDll.dll" fullword ascii
      $s2 = "ShutDownEvent.dll" fullword ascii
      $s3 = "\\svchost.exe" ascii
   condition:
      // Four independent triggers: import hash, the DllMain_mem export
      // (both via the "pe" module), the build path, or three strings.
      uint16(0) == 0x5A4D
      and filesize < 600KB
      and (
         pe.imphash() == "b70358b00dd0138566ac940d0da26a03"
         or pe.exports("DllMain_mem")
         or $x1
         or 3 of them
      )
}
rule APT_APT41_HIGHNOON_BIN {
   meta:
      description = "Detects APT41 malware HIGHNOON.BIN"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 90
      hash1 = "490c3e4af829e85751a44d21b25de1781cfe4961afdef6bb5759d9451f530994"
      hash2 = "79190925bd1c3fae65b0d11db40ac8e61fb9326ccfed9b7e09084b891089602d"
      id = "c8bd62b4-b882-5c04-aace-76dd4a21a784"
   strings:
      // DLL name, the driver's device name (UTF-16) and registry-path format
      // strings used by the component.
      $s1 = "PlusDll.dll" fullword ascii
      $s2 = "\\Device\\PORTLESS_DeviceName" wide
      $s3 = "%s%s\\Security" fullword ascii
      $s4 = "%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" fullword ascii
      $s5 = "%s%s\\Enum" fullword ascii
   condition:
      // Same import hash as APT_APT41_HIGHNOON_2; "pe" module required.
      uint16(0) == 0x5A4D
      and filesize < 600KB
      and (
         pe.imphash() == "b70358b00dd0138566ac940d0da26a03"
         or 3 of them
      )
}
rule APT_APT41_HIGHNOON_BIN_2 {
   meta:
      description = "Detects APT41 malware HIGHNOON.BIN"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
      date = "2019-08-07"
      score = 85
      hash1 = "63e8ed9692810d562adb80f27bb1aeaf48849e468bf5fd157bc83ca83139b6d7"
      hash2 = "c51c5bbc6f59407286276ce07f0f7ea994e76216e0abe34cbf20f1b1cbd9446d"
      id = "37d6a44d-7811-5e87-84e2-b2a8b3da3124"
   strings:
      // Build paths, PDB name, a debug message and version-info strings
      // naming the "RbDoor" project; each is a standalone indicator.
      $x1 = "\\Double\\Door_wh\\" ascii
      $x2 = "[Stone] Config --> 2k3 TCP Positive Logout." fullword ascii
      $x3 = "\\RbDoorX64.pdb" ascii
      $x4 = "RbDoor, Version 1.0" fullword wide
      $x5 = "About RbDoor" fullword wide
   condition:
      uint16(0) == 0x5A4D
      and filesize < 2000KB
      and any of them
}
// Matches PE files carrying an Authenticode signature whose certificate serial
// is one of the revoked serials listed in the reference. Requires the "pe"
// module to be imported at file scope.
rule APT_APT41_RevokedCert_Aug19_1 {
meta:
description = "Detects revoked certificates used by APT41 group"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
date = "2019-08-07"
score = 60
id = "f107cc42-58ec-500d-b1c3-27e9e00826aa"
condition:
uint16(0) == 0x5a4d and
// NOTE(review): YARA ranges are inclusive, so this also visits index
// number_of_signatures (one past the last entry); that lookup is undefined
// and simply does not match, so the result is unaffected -- confirm on the
// YARA version in use.
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].serial == "0b:72:79:06:8b:eb:15:ff:e8:06:0d:2c:56:15:3c:35" or
pe.signatures[i].serial == "63:66:a9:ac:97:df:4d:e1:73:66:94:3c:9b:29:1a:aa" or
pe.signatures[i].serial == "01:00:00:00:00:01:30:73:85:f7:02" or
pe.signatures[i].serial == "14:0d:2c:51:5e:8e:e9:73:9b:b5:f1:b2:63:7d:c4:78" or
pe.signatures[i].serial == "7b:d5:58:18:c5:97:1b:63:dc:45:cf:57:cb:eb:95:0b" or
pe.signatures[i].serial == "53:0c:e1:4c:81:f3:62:10:a1:68:2a:ff:17:9e:25:80" or
pe.signatures[i].serial == "54:c6:c1:40:6f:b4:ac:b5:d2:06:74:e9:93:92:c6:3e" or
pe.signatures[i].serial == "fd:f2:83:7d:ac:12:b7:bb:30:ad:05:8f:99:9e:cf:00" or
pe.signatures[i].serial == "18:63:79:57:5a:31:46:e2:6b:ef:c9:0a:58:0d:1b:d2" or
pe.signatures[i].serial == "5c:2f:97:a3:1a:bc:32:b0:8c:ac:01:00:59:8f:32:f6" or
pe.signatures[i].serial == "4c:0b:2e:9d:2e:f9:09:d1:52:70:d4:dd:7f:a5:a4:a5" or
pe.signatures[i].serial == "58:01:5a:cd:50:1f:c9:c3:44:26:4e:ac:e2:ce:57:30" or
pe.signatures[i].serial == "47:6b:f2:4a:4b:1e:9f:4b:c2:a6:1b:15:21:15:e1:fe" or
pe.signatures[i].serial == "30:d3:c1:67:26:5b:52:0c:b8:7f:25:84:4f:95:cb:04" or
pe.signatures[i].serial == "1e:52:bb:f5:c9:0e:c1:64:d0:5b:e0:e4:16:61:52:5f" or
pe.signatures[i].serial == "25:f8:78:22:de:56:d3:98:21:59:28:73:ea:09:ca:37" or
pe.signatures[i].serial == "67:24:34:0d:db:c7:25:2f:7f:b7:14:b8:12:a5:c0:4d"
)
}
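rule APT_APT41_CN_ELF_Speculoos_Backdoor {
   meta:
      description = "Detects Speculoos Backdoor used by APT41"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
      date = "2020-04-14"
      score = 90
      hash1 = "6943fbb194317d344ca9911b7abb11b684d3dca4c29adcbcff39291822902167"
      hash2 = "99c5dbeb545af3ef1f0f9643449015988c4e02bf8a7164b5d6c86f67e6dc2d28"
      id = "efe2b368-33af-5382-a5f0-0e7dd7f4dea4"
   strings:
      // Contiguous string-table fragment: "/private/var", "hw.physmem",
      // "hw.usermem", "NA-NA-NA-NA-NA-NA", "lo0", the "%02x-...-%02x\n" MAC
      // format, "r", "NA", "uname -v" (NUL-separated). Sufficient on its own.
      $xc1 = { 2F 70 72 69 76 61 74 65 2F 76 61 72 00 68 77 2E
               70 68 79 73 6D 65 6D 00 68 77 2E 75 73 65 72 6D
               65 6D 00 4E 41 2D 4E 41 2D 4E 41 2D 4E 41 2D 4E
               41 2D 4E 41 00 6C 6F 30 00 00 00 00 25 30 32 78
               2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D
               25 30 32 78 2D 25 30 32 78 0A 00 72 00 4E 41 00
               75 6E 61 6D 65 20 2D 76 }
      // Supporting strings: sysctl names, uname calls, a config backup path
      // and two debug messages.
      $s1 = "badshell" ascii fullword
      $s2 = "hw.physmem" ascii fullword
      $s3 = "uname -v" ascii fullword
      $s4 = "uname -s" ascii fullword
      $s5 = "machdep.tsc_freq" ascii fullword
      $s6 = "/usr/sbin/config.bak" ascii fullword
      $s7 = "enter MessageLoop..." ascii fullword
      $s8 = "exit StartCBProcess..." ascii fullword
      // "rm -rf \"%s\"" followed by "/proc/" (NUL-separated).
      $sc1 = { 72 6D 20 2D 72 66 20 22 25 73 22 00 2F 70 72 6F
               63 2F }
   condition:
      // The "or 4 of them" alternative is parenthesised so that the ELF-magic
      // and filesize checks apply to both branches. Previously `and` bound
      // tighter than `or`, letting "4 of them" fire on any file type / size,
      // which is inconsistent with the sibling APT41 rules.
      uint16(0) == 0x457F
      and filesize < 600KB
      and ( any of ($x*) or 4 of them )
}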
rule HKTL_NATBypass_Dec22_1 : T1090 {
   meta:
      description = "Detects NatBypass tool (also used by APT41)"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/cw1997/NATBypass"
      date = "2022-12-27"
      score = 80
      hash1 = "4550635143c9997d5499d1d4a4c860126ee9299311fed0f85df9bb304dca81ff"
      id = "54af4d84-72f7-5ec4-b0bf-7ba228fdf508"
   strings:
      // Usage example and banner printed by the tool (each sufficient alone).
      $x1 = "nb -slave 127.0.0.1:3389 8.8.8.8:1997" ascii
      $x2 = "| Welcome to use NATBypass Ver" ascii
      // Go symbol name, a log message and the tool's IPv4 validation regex
      // (stored as a plain string in the binary).
      $s1 = "main.port2host.func1" ascii fullword
      $s2 = "start to transmit address:" ascii
      $s3 = "^(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])\\.(\\d{1,2}|1\\d\\d|2[0-4]\\d|25[0-5])"
   condition:
      // Parentheses make the precedence explicit: the filesize bound applies
      // only to the first branch; "3 of them" matches regardless of size
      // (a fallback for large Go binaries).
      (
         filesize < 8000KB
         and ( any of ($x*) or 2 of them )
      )
      or 3 of them
}
rule MAL_APT_Operation_ShadowHammer_MalSetup {
   meta:
      description = "Detects a malicious file used by BARIUM group in Operation ShadowHammer"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://securelist.com/operation-shadowhammer/89992/"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      date = "2019-03-25"
      score = 80
      hash1 = "ac0711afee5a157d084251f3443a40965fc63c57955e3a241df866cfc7315223"
      hash2 = "9acd43af36f2d38077258cb2ace42d6737b43be499367e90037f4605318325f8"
      hash3 = "bca9583263f92c55ba191140668d8299ef6b760a1e940bddb0a7580ce68fef82"
      hash4 = "c299b6dd210ab5779f3abd9d10544f9cae31cd5c6afc92c0fc16c8f43def7596"
      hash5 = "6aedfef62e7a8ab7b8ab3ff57708a55afa1a2a6765f86d581bc99c738a68fc74"
      hash6 = "cfbec77180bd67cceb2e17e64f8a8beec5e8875f47c41936b67a60093e07fcfd"
      id = "000f840a-848d-5f82-84bf-70690efbd4de"
   strings:
      // Build-output path fragments left in the trojanised setup binaries.
      // "ascii" is YARA's default for text strings; it is spelled out on $x2
      // only to match $x1.
      $x1 = "\\AsusShellCode\\Release" ascii
      $x2 = "\\AsusShellCode\\Debug" ascii
   condition:
      uint16(0) == 0x5A4D
      and any of them
}
// Rule name kept as-is ("Confustion") because renaming changes the identifier
// other rule sets and reports may reference.
rule WINNTI_KingSoft_Moz_Confustion {
   meta:
      description = "Detects Barium sample with Copyright confusion"
      author = "Markus Neis"
      reference = "https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/analysis/"
      date = "2018-04-13"
      hash1 = "070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496"
      id = "0c45c1ff-6734-504f-91d1-cf5d6744252f"
   condition:
      // No strings section: matches on import hash, or on a version-info
      // block that claims a Mozilla copyright on a Kingsoft product
      // (both via the "pe" module).
      uint16(0) == 0x5A4D
      and filesize < 3000KB
      and (
         pe.imphash() == "7f01b23ccfd1017249c36bc1618d6892"
         or (
            pe.version_info["LegalCopyright"] contains "Mozilla Corporation"
            and pe.version_info["ProductName"] contains "Kingsoft"
         )
      )
}
// Loader signature: two marker strings plus the payload-decoding loop below.
// Per the disassembly, each byte is XORed with a key byte indexed by
// (r9 + r8), then its two nibbles are swapped (shr 4 / shl 4 / add) before
// being written back in place.
rule HKTL_RedMimicry_WinntiLoader {
meta:
date = "2020-06-22"
modified = "2023-01-10"
author = "mirar@chaosmail.org"
sharing = "tlp:white"
description = "matches the Winnti 'Cooper' loader version used for the RedMimicry breach emulation"
reference = "https://redmimicry.com"
id = "a8be1377-faa0-560d-a12c-0369b1f91180"
strings:
$s0 = "Cooper" ascii fullword
$s1 = "stone64.dll" ascii fullword
/* $s2 = "XML" ascii fullword */
/*
.text:0000000180004450 loc_180004450: ; CODE XREF: sub_1800043F0+80?j
.text:0000000180004450 49 63 D0 movsxd rdx, r8d
.text:0000000180004453 43 8D 0C 01 lea ecx, [r9+r8]
.text:0000000180004457 41 FF C0 inc r8d
.text:000000018000445A 42 32 0C 1A xor cl, [rdx+r11]
.text:000000018000445E 0F B6 C1 movzx eax, cl
.text:0000000180004461 C0 E9 04 shr cl, 4
.text:0000000180004464 C0 E0 04 shl al, 4
.text:0000000180004467 02 C1 add al, cl
.text:0000000180004469 42 88 04 1A mov [rdx+r11], al
.text:000000018000446D 44 3B 03 cmp r8d, [rbx]
.text:0000000180004470 72 DE jb short loc_180004450
*/
// Exact bytes of the loop above, no wildcards: the rel8 of the final jb (DE)
// ties the pattern to this loop layout.
$decoding_loop = { 49 63 D0 43 8D 0C 01 41 FF C0 42 32 0C 1A 0F B6 C1 C0 E9 04 C0 E0 04 02 C1 42 88 04 1A 44 3B 03 72 DE }
condition:
all of them
}
rule MAL_Winnti_Sample_May18_1 {
   meta:
      description = "Detects malware sample from Burning Umbrella report - Generic Winnti Rule"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://401trg.pw/burning-umbrella/"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      date = "2018-05-04"
      hash1 = "528d9eaaac67716e6b37dd562770190318c8766fa1b2f33c0974f7d5f6725d41"
      id = "c2f3339e-269f-5a51-8db6-06e54a707b3a"
   strings:
      // Two analysis-tool names as UTF-16 words; the 100KB bound keeps this
      // generic pair from matching ordinary large binaries.
      $s1 = "wireshark" fullword wide
      $s2 = "procexp" fullword wide
   condition:
      uint16(0) == 0x5A4D
      and filesize < 100KB
      and $s1 and $s2
}
rule MAL_Winnti_BR_Report_TwinPeaks {
   meta:
      description = "Detects Winnti samples"
      author = "@br_data repo"
      reference = "https://github.com/br-data/2019-winnti-analyse"
      date = "2019-07-24"
      id = "2e4e2b88-fdb4-5adc-8192-a304d71ca851"
   strings:
      $cooper = "Cooper"
      // Eight consecutive, incrementing bytes E9..F0.
      $pattern = { E9 EA EB EC ED EE EF F0 }
   condition:
      // $pattern must occur within 100 bytes after the first "Cooper" hit;
      // the explicit $cooper test guarantees @cooper[1] is defined.
      uint16(0) == 0x5A4D
      and $cooper
      and $pattern in ( @cooper[1] .. @cooper[1] + 100 )
}
// Finds a JPEG SOI/APP0 header (FF D8 FF E0) followed by six zero bytes,
// either alongside code that writes that marker as an immediate, or with the
// incrementing E9..F0 byte run nearby; and requires that, for at least one
// such header, the byte two positions past the pattern is non-zero.
rule MAL_Winnti_BR_Report_MockingJay {
meta:
description = "Detects Winnti samples"
author = "@br_data repo"
reference = "https://github.com/br-data/2019-winnti-analyse"
date = "2019-07-24"
id = "9aff9d65-3827-59de-9dc3-38f227155d3d"
strings:
// C7 44 ?? ?? = mov dword [reg+disp8], imm32 -- the immediate is the
// marker bytes FF D8 FF E0 (register/displacement wildcarded).
$load_magic = { C7 44 ?? ?? FF D8 FF E0 }
$iter = { E9 EA EB EC ED EE EF F0 }
$jpeg = { FF D8 FF E0 00 00 00 00 00 00 }
condition:
uint16(0) == 0x5a4d and
$jpeg and
($load_magic or $iter in (@jpeg[1]..@jpeg[1]+200)) and
// $jpeg is 10 bytes long, so offset +11 is the second byte after it.
for any i in (1..#jpeg): ( uint8(@jpeg[i] + 11) != 0 )
}
// ELF dropper: matches the embedded-config decoding routine plus two export
// names. The hex string is x86-64 code; reading it, it sets a bound of 0x108
// (C7 45 EC 08 01 00 00) and a start index of 0x28 (C7 45 FC 28 00 00 00),
// then loops (83 45 FC 01 increments the index) XORing each byte in place --
// the XOR operand appears to be (key + index) (01 F0 / 31 C8 / 88 02); confirm
// against the sample before relying on that detail.
rule APT_MAL_WinntiLinux_Dropper_AzazelFork_May19 : azazel_fork {
meta:
description = "Detection of Linux variant of Winnti"
author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
version = "1.0"
date = "2019-05-15"
TLP = "White"
sha256 = "4741c2884d1ca3a40dadd3f3f61cb95a59b11f99a0f980dbadc663b85eb77a2a"
id = "d641de9a-e563-5067-b7e4-0aa83a087ed4"
strings:
$config_decr = { 48 89 45 F0 C7 45 EC 08 01 00 00 C7 45 FC 28 00 00 00 EB 31 8B 45 FC 48 63 D0 48 8B 45 F0 48 01 C2 8B 45 FC 48 63 C8 48 8B 45 F0 48 01 C8 0F B6 00 89 C1 8B 45 F8 89 C6 8B 45 FC 01 F0 31 C8 88 02 83 45 FC 01 }
// Export names; matched as plain (ascii) strings, not via the elf module.
$export1 = "our_sockets"
$export2 = "get_our_pids"
condition:
// 0x457f = "\x7fE", the ELF magic read little-endian.
uint16(0) == 0x457f and all of them
}
rule APT_MAL_WinntiLinux_Main_AzazelFork_May19 {
   meta:
      description = "Detection of Linux variant of Winnti"
      author = "Silas Cutler (havex [@] chronicle.security), Chronicle Security"
      version = "1.0"
      date = "2019-05-15"
      TLP = "White"
      sha256 = "ae9d6848f33644795a0cc3928a76ea194b99da3c10f802db22034d9f695a0c23"
      id = "a1693e2d-4d89-5cc7-ab14-c8feb000638a"
   strings:
      // Shell pipeline used to read the machine UUID, and a socket-error
      // debug message.
      $uuid_lookup = "/usr/sbin/dmidecode | grep -i 'UUID' |cut -d' ' -f2 2>/dev/null"
      $dbg_msg = "[advNetSrv] can not create a PF_INET socket"
      // C++ RTTI class names left in the binary.
      $rtti_name1 = "CNetBase"
      $rtti_name2 = "CMyEngineNetEvent"
      $rtti_name3 = "CBufferCache"
      $rtti_name4 = "CSocks5Base"
      $rtti_name5 = "CDataEngine"
      $rtti_name6 = "CSocks5Mgr"
      $rtti_name7 = "CRemoteMsg"
   condition:
      // ELF magic, then one of three evidence combinations with decreasing
      // specificity: debug message + 1 RTTI name, 5 RTTI names alone, or
      // the UUID command + 2 RTTI names.
      uint16(0) == 0x457F
      and (
         ( $dbg_msg and any of ($rtti*) )
         or 5 of ($rtti*)
         or ( $uuid_lookup and 2 of ($rtti*) )
      )
}
rule Winnti_signing_cert {
   meta:
      description = "Detects a signing certificate used by the Winnti APT group"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      date = "2015-10-10"
      score = 75
      hash1 = "a9a8dc4ae77b1282f0c8bdebd2643458fc1ceb3145db4e30120dd81676ff9b61"
      hash2 = "9001572983d5b1f99787291edaadbb65eb2701722f52470e89db2c59def24672"
      id = "0cf185eb-fb8d-5e1f-9089-4f36eb4798de"
   strings:
      // Subject names as they appear in the embedded certificate blob; the
      // leading "$" and trailing "0" on $s3 are adjacent DER length/tag bytes
      // that happen to be printable.
      $s1 = "Guangzhou YuanLuo Technology Co." ascii
      $s2 = "Guangzhou YuanLuo Technology Co.,Ltd" ascii
      $s3 = "$Asahi Kasei Microdevices Corporation0" fullword ascii
   condition:
      uint16(0) == 0x5A4D
      and filesize < 700KB
      and any of them
}