CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara missing NOT condition for XMRig C2s
Closed · 1 comment
fjordhunter commented
```yara
rule CobaltStrike_Resources_Beacon_Dll_v3_8
{
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.8"
        hash = "67b6557f614af118a4c409c992c0d9a0cc800025f77861ecf1f3bbc7c293d603"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"

    strings:
        /*
            48                  dec eax                         ; switch 76 cases
            57                  push edi
            8B F9               mov edi, ecx
            83 F8 4B            cmp eax, 4Bh
            0F 87 5D 03 00 00   ja def_1000100F                 ; jumptable 1000100F default case, cases 6-8,26,30
            FF 24 ??            jmp ds:jpt_1000100F[eax*4]      ; switch jump
        */
        $version_sig = { 48 57 8B F9 83 F8 4B 0F 87 5D 03 00 00 FF 24 }

        /*
            80 B0 [4] 69        xor byte_1002E020[eax], 69h
            40                  inc eax
            3D 00 10 00 00      cmp eax, 1000h
            7C F1               jl short loc_10008741
        */
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

        // XMRig uses a v3.8 sample to trick sandboxes into running their code.
        // These samples are the same and useless. This string removes many
        // of them from our detection
        $xmrig_srcpath = "C:/Users/SKOL-NOTE/Desktop/Loader/script.go"

        // To remove others, we look for known xmrig C2 domains in the config:
        $c2_1 = "ns7.softline.top" xor
        $c2_2 = "ns8.softline.top" xor
        $c2_3 = "ns9.softline.top" xor

        //$a = /[A-Za-z]{1020}.{4}$/

    condition:
        $version_sig and $decoder and (2 of ($c2_*) or $xmrig_srcpath)
}
```
I believe the intention here was to add a NOT condition before the XMRig C2 domains and srcpath. Proposed rule:
```yara
rule CobaltStrike_Resources_Beacon_Dll_v3_8
{
    meta:
        description = "Cobalt Strike's resources/beacon.dll Versions 3.8"
        hash = "67b6557f614af118a4c409c992c0d9a0cc800025f77861ecf1f3bbc7c293d603"
        author = "gssincla@google.com"
        reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
        date = "2022-11-18"

    strings:
        /*
            48                  dec eax                         ; switch 76 cases
            57                  push edi
            8B F9               mov edi, ecx
            83 F8 4B            cmp eax, 4Bh
            0F 87 5D 03 00 00   ja def_1000100F                 ; jumptable 1000100F default case, cases 6-8,26,30
            FF 24 ??            jmp ds:jpt_1000100F[eax*4]      ; switch jump
        */
        $version_sig = { 48 57 8B F9 83 F8 4B 0F 87 5D 03 00 00 FF 24 }

        /*
            80 B0 [4] 69        xor byte_1002E020[eax], 69h
            40                  inc eax
            3D 00 10 00 00      cmp eax, 1000h
            7C F1               jl short loc_10008741
        */
        $decoder = { 80 B0 [4] ?? 40 3D 00 10 00 00 7C F1 }

        // XMRig uses a v3.8 sample to trick sandboxes into running their code.
        // These samples are the same and useless. This string removes many
        // of them from our detection
        $xmrig_srcpath = "C:/Users/SKOL-NOTE/Desktop/Loader/script.go"

        // To remove others, we look for known xmrig C2 domains in the config:
        $c2_1 = "ns7.softline.top" xor
        $c2_2 = "ns8.softline.top" xor
        $c2_3 = "ns9.softline.top" xor

        //$a = /[A-Za-z]{1020}.{4}$/

    condition:
        $version_sig and $decoder and not (2 of ($c2_*) or $xmrig_srcpath)
}
```
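To make the inverted-exclusion bug concrete, here is an added Python script (not part of this issue or of the YARA rule repository) that re-implements just enough of YARA's hex-pattern and `xor` matching to evaluate both conditions against constructed byte blobs: a stand-in "beacon" carrying only the two code signatures, and a stand-in "XMRig decoy" that also carries two XOR-obfuscated C2 domains and the source path. The blobs are constructed for this demonstration, not real samples.

```python
import re

# Strings taken from the rule above; everything else here is constructed.
VERSION_SIG = "48 57 8B F9 83 F8 4B 0F 87 5D 03 00 00 FF 24"
DECODER = "80 B0 [4] ?? 40 3D 00 10 00 00 7C F1"
XMRIG_SRCPATH = b"C:/Users/SKOL-NOTE/Desktop/Loader/script.go"
C2_DOMAINS = [b"ns7.softline.top", b"ns8.softline.top", b"ns9.softline.top"]

def hex_to_regex(pattern):
    """Translate a YARA hex string ('??' wildcard byte, '[n]' fixed jump) to a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            parts.append(b".{%d}" % int(tok[1:-1]))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def xor_present(data, plain):
    """YARA 'xor' modifier: the string matches under any single-byte key 0x00..0xff."""
    return any(bytes(b ^ key for b in plain) in data for key in range(256))

def evaluate(data, fixed):
    """Evaluate the rule condition; fixed=True applies the proposed 'not'."""
    version_sig = hex_to_regex(VERSION_SIG).search(data) is not None
    decoder = hex_to_regex(DECODER).search(data) is not None
    c2_hits = sum(xor_present(data, d) for d in C2_DOMAINS)
    xmrig_marker = c2_hits >= 2 or XMRIG_SRCPATH in data   # (2 of ($c2_*) or $xmrig_srcpath)
    return version_sig and decoder and ((not xmrig_marker) if fixed else xmrig_marker)

# Constructed code bytes that satisfy $version_sig and $decoder (concrete values for [4] and ??).
CODE = bytes.fromhex("48578BF983F84B0F875D030000FF24" "80B020E00210" "69" "403D001000007CF1")
BEACON = b"\x00" * 16 + CODE + b"\x00" * 16                  # stand-in genuine v3.8 beacon
XMRIG_DECOY = CODE + bytes(b ^ 0x2A for b in C2_DOMAINS[0]) \
                   + bytes(b ^ 0x2A for b in C2_DOMAINS[1]) + XMRIG_SRCPATH

if __name__ == "__main__":
    for name, blob in (("beacon", BEACON), ("xmrig_decoy", XMRIG_DECOY)):
        print(f"{name:12s} original={evaluate(blob, False)} fixed={evaluate(blob, True)}")
```

Run as written, the original condition fires only on the decoy and misses the beacon, while the proposed condition does the reverse.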
gssincla-g commented
Thank you for noticing that. It should be fixed now.