I deal with CobaltStrike pretty much every day in my job and in my experience it is by far the most commonly abused C2 framework. CobaltStrike isn’t new and there is already a huge collection of public research and detections available; Google, for example, published an extensive collection of YARA rules in 2022. One aspect that I did not find a public rule for though was the PowerShell Beacon loader:
rule MAL_CobaltStrike_Powershell_loader {
meta:
description = "Matches strings found in CobaltStrike PowerShell loader samples."
last_modified = "2024-02-09"
author = "@petermstewart"
DaysofYara = "40/100"
sha256 = "9c9e8841d706406bc23d05589f77eec6f8df6d5e4076bc6a762fdb423bfe8c24"
sha256 = "6881531ab756d62bdb0c3279040a5cbe92f9adfeccb201cca85b7d3cff7158d3"
ref = "https://medium.com/@cybenfolland/deobfuscating-a-powershell-cobalt-strike-beacon-loader-c650df862c34"
ref = "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/"
strings:
$a1 = "=New-Object IO.MemoryStream("
$a2 = "[Convert]::FromBase64String("
$a3 = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
$b1 = "Set-StrictMode -Version 2"
$b2 = "$DoIt = @'"
$b3 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($DoIt))"
$b4 = "start-job { param($a) IEX $a }"
condition:
all of ($a*) or
all of ($b*)
}
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my Github repository.
Cyber Poking 